Incident Response procedures must exist for web servers and sites.

From Web Policy STIG

Part of Incident Response procedures

Associated with IA controls: VIIR-1, VIIR-2

SV-28757r1_rule Incident Response procedures must exist for web servers and sites.

Vulnerability discussion

It is a requirement that all DoD information sites have developed and implemented Incident Response (IR) policies and procedures. In the event that an unexpected occurrence disrupts the web server’s function, a mechanism will be in place to guide the SA or the web administrator through the process of determining the cause and effect of such an event. This may involve, among other things, the use of forensic techniques (such as log file research as well as file and directory modification analysis), and may include specific reporting and coordination requirements as well as specific steps necessary to begin recovery of an affected server. The IAO, SAs, and web administrators should have a copy of these procedures and be knowledgeable about their roles and responsibilities.

Check content

Even if the IR for the production web server is governed by an MOU or SLA, the majority of the elements listed in this check must still be addressed within those documents. Assurances will be provided by the application owners to the hosting administration. Assurance and any supporting documentation will be made available to an authorized reviewer.

Ask the IAO, the SA, or the web administrator if an IR plan exists for the production web server being reviewed. If a plan exists, determine whether the plan contains the following elements:

1. The IR plan addresses specific requirements with respect to the data types on the server, such as reporting requirements for the loss or compromise of public, private, or classified data.

2. The IR plan addresses policy and procedures that may be documented in the COOP, which will contain the specific procedures necessary to recover the server, the hosted sites, and any data that may have been lost.

3. The IR plan should name specific individuals with incident and response responsibilities. Assurance should be documented that these individuals have received IR training.

4. The IR plan addresses notification and coordination of incidents with regard to reporting chains, such as security officers and management personnel.

Other items to consider are as follows: Have any of the listed procedures actually been tested with regard to mock incidents, data recovery, and server/site recovery? If they were tested, are they performed on a periodic basis?

If an IR plan cannot be produced, or if the web administrative staff is not aware of the IR policies and procedures, this is a finding.

Fix text

Establish and maintain a documented IR plan that addresses the IR procedures for the production web server.
