From Web Policy STIG
Part of Recovery Procedures
Associated with IA controls: COTR-1
In the event that a production web site or server needs to be recovered, a current and complete process exists to recover the web server and its associated web sites.
Recovery of a web server or site can be as simple as renewing a license or as complex as rebuilding a server or site from scratch. Within the COOP for the Information System (IS) under review, a detailed plan should have been developed that completely spells out the procedures necessary to effect recovery. These procedures and checklists should be as complete as possible in order to achieve organizational goals with respect to availability, integrity, and confidentiality.

Ask the SA or the web master to produce the COOP and specific recovery procedures for the IS (e.g., web server, web site) under review.

The hosting activity that administers the web server is ultimately responsible for its recovery procedures. These procedures should include all necessary steps and information required to recover the OS, the web server software (e.g., IIS, Apache), and all supporting software and utilities. The activity that owns the hosted application or web site is ultimately responsible for its recovery unless an MOU or an SLA exists that indicates an alternate responsible party. Regardless of responsibility, the procedures necessary to recover a web site will be provided to the hosting agency and available for review.

Key elements that should be addressed in recovery procedures:

1. A copy of supporting MOU or SLA, if applicable.
2. Contact information for recovery personnel including their roles and responsibilities.
3. Contact information for vendor-specific support and assistance.
4. Information about vendor license and vendor support agreements.
5. Information about specific IS components and their inter-relationships that are within the scope of the recovery.
6. The readily accessible location of current vendor-specific documentation that is necessary to the recovery effort.
7. Procedural check-off lists that appear to be logically ordered and complete.
8. Procedures for the re-verification or testing of the functionality of security controls after a recovery has been effected.

Ask the SA or the web administrator if these procedures have ever been tested in an appropriate test environment and how frequently the process is reviewed and re-tested. If the listed elements are not addressed in the recovery procedures, this is a finding.
Ensure that current recovery procedures exist and are included as a part of the COOP.