From Web Policy STIG
Part of Documented testing of web server software.
Associated with IA controls: ECSD-2, ECSD-1
This requirement addresses only the web server software itself (e.g., IIS, Apache, etc.) and changes to the web server software configuration. It does not cover web site application code, web content, or changes to the OS, which are governed by other vulnerabilities or STIGs.
When the web server software is going to be changed, updated, or patched, or when the web server software configurable settings are going to be changed, a process must exist to document, test, and receive approval for the change prior to its implementation on the production web server. This check focuses on the review, testing, documentation, and approval aspects of the change management process.

Ask the SA, or a member of the Change Control Board (CCB), to show proof that a documented Change Management (CM) process exists to test changes to a production web server prior to implementation. Key requirements of the process should include the following:

1. A documented security impact assessment.
2. The names of the individuals who completed the security impact assessment.
3. A plan developed to test the change.
4. The names of the individuals who tested the change. These individuals should not be the same individuals who designed the test plan.
5. An indication of what was being tested.
6. A description of how the test was performed.
7. A summation of the testing results.
8. An indication of testing success or failure.
9. An indication of any residual IA concerns.
10. The names of the approving authority that reviewed and accepted the testing results, including their commentary and/or concerns.

The provided proof of the CM process should include the CM policy and the documents required by that policy. The policy should substantially address the elements listed above. If proof cannot be provided that the CM process substantially includes the elements listed above, particularly with regard to testing, this is a finding.
Include testing documentation in the CM process.