Check: WEBPL134
Web Policy STIG:
WEBPL134
(in version v1 r1)
Title
Documented procedures and processes exist to recover the production web server and its associated web sites and are included as a part of the COOP. (Cat II impact)
Discussion
In the event that a production web site or server needs to be recovered, a current and complete process exists to recover the web server and its associated web sites. Formed as an integral part of the risk management framework and a requirement within the DoD, a Continuity of Operations Plan (COOP) is the basis by which guidance may be given in order to recover a production web server and its associated web sites from significant incidents. The COOP’s procedures and associated recovery check-off lists, the contact information for both internal personnel and vendor-specific assistance, Service Level Agreements (SLAs), warranties, and licensing information, provide the mechanisms for success during the recovery process.
Check Content
Recovery of a web server or site can be as relatively simple as renewing a license to as complex an issue as rebuilding a server or site from scratch. Within the COOP for the Information System (IS) under review, a detailed plan should have been developed that completely spells out the procedures necessary to affect recovery. These procedures and check lists should be as complete as possible in order to achieve organizational goals with respect to availability, integrity, and confidentiality. Ask the SA or the web master to produce the COOP and specific recovery procedures for the IS (i.e., web server, web site, etc.) under review. The hosting activity that administers the web server is ultimately responsible for its recovery procedures. These procedures should include all necessary steps and information required to recover the OS, the web server software (i.e., IIS, Apache, etc.), and all supporting software and utilities. The activity that owns the hosted application or web site is ultimately responsible for its recovery unless a MOU or an SLA exists that indicates an alternate responsible party. Regardless of responsibility, the procedures necessary to recover a web site will be provided to the hosting agency and available for review. Key elements that should be addressed in recovery procedures: 1. A copy of supporting MOU or SLA, if applicable. 2. Contact information for recovery personnel including their roles and responsibilities. 3. Contact information for vendor-specific support and assistance. 4. Information about vendor license and vendor support agreements. 5. Information about specific IS components and their inter-relationships that are within the scope of the recovery. 6. The readily accessible location of current vendor-specific documentation that is necessary to the recovery effort. 7. Procedural check-off lists that appear to be logically ordered and complete. 8. Procedures for the re-verification or testing of the functionality of security controls after a recovery has been affected. Ask the SA or the web administrator if these procedures have ever been tested in an appropriate test environment and how frequently the process is reviewed and re-tested. If the listed elements are not addressed in the recovery procedures, this is a finding.
Fix Text
Ensure that current recovery procedures exist and are included as a part of the COOP.
Additional Identifiers
Rule ID: SV-28786r1_rule
Vulnerability ID: V-23840
Group Title: Recovery Procedures
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |