From Application Security and Development Security Technical Implementation Guide
Part of ASDV-PL-003070
Associated with: CCI-000537
Without proper backups, the application is not protected from the loss of data or the operating environment in the event of hardware or software failure.
Interview the application and system admins and review documented backup procedures. Check the following based on the risk level of the application. For low risk applications: Validate backup procedures exist and are performed at least weekly. A sampling of system backups should be checked to ensure compliance with the control. For medium risk applications: Validate backup procedures exist and are performed at least daily. Validate recovery media is stored at an off-site location and ensure the data is protected in accordance with its risk category and confidentiality level. This validation can be performed by examining an SLA or MOU/MOA that states the protection levels of the data and how it should be stored. A sampling of system backups should be checked to ensure compliance with the control. Verify that the organization tests backup information to ensure media reliability and information integrity. Verify that the organization selectively uses backup information in the restoration of information system functions as part of annual contingency plan testing. For high risk applications: Validate that the procedures have been defined for system redundancy and they are properly implemented and are executing the procedures. Verify that the redundant system is properly separated from the primary system (i.e., located in a different building or in a different city). This validation should be performed by examining the secondary system and ensuring its operation. Examine the SLA or MOU/MOA to ensure redundant capability is addressed. Finding details should indicate the type of validation performed. Examine the mirror capability testing procedures and results to insure the capability is properly tested at 6 month minimum intervals. If any of the requirements above for the associated risk level of the application are not met, this is a finding.
Develop and implement backup procedures based on risk level of the system and in accordance with DoD policy.
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer