Check: AAMV0430
zOS RACF STIG:
AAMV0430
(in versions v6 r43 through v6 r30)
Title
System DASD backups are not performed on a regularly scheduled basis. (Cat II impact)
Discussion
If backups of the operating environment are not properly processed, implementation of a contingency plan would not include the data necessary to fully recover from any outage.
Check Content
a) Refer to Vulnerability Questions within the SRRAUDIT Dialog Management document. Automated Analysis Refer to the following report produced by the z/OS Data Collection: - PDI(AAMV0430) b) If, based on the information provided, it can be determined that system DASD backups are performed on a regularly scheduled basis, there is NO FINDING. c) If it cannot be determined that system DASD backups are performed on a regularly scheduled basis, this is a FINDING.
Fix Text
The IAO will ensure that procedures are in place to backup the operating system and all its subsystems on a regularly scheduled interval as required to recover the environment. Review all documented processes for the backup of the operating environment. Ensure that these include a regularly scheduled backup of the entire operating system and its related subsystems, both at individual data set and full volume levels. Adequate backup scheduling is also an often overlooked integrity exposure. Back up system files on a regular schedule. Store the backups off site to prevent concurrent loss of the live production system and the backup files. Backup scheduling will vary depending on the requirements and capabilities of the individual data center. While the requirements of Data Owners may necessitate more frequent backups, a recommended schedule is as follows: - Weekly and monthly full volume backup of volumes with low update activity, such as the operating system volumes - Nightly backup of high update activity data sets and volumes, such as application system databases and user data volumes
Additional Identifiers
Rule ID: SV-106r2_rule
Vulnerability ID: V-106
Group Title: AAMV0430
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000537 |
The organization conducts backups of system-level information contained in the information system per organization-defined frequency that is consistent with recovery time and recovery point objectives. |
Controls
Number | Title |
---|---|
CP-9 |
Information System Backup |