Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-70355 | APSC-DV-003070 | SV-84977r1_rule | Medium |
Description |
---|
Without proper backups, the application is not protected from the loss of data or the operating environment in the event of hardware or software failure. |
STIG | Date |
---|---|
Application Security and Development Security Technical Implementation Guide | 2017-01-09 |
Check Text ( C-70809r1_chk ) |
---|
Interview the application and system admins and review documented backup procedures. Check the following based on the risk level of the application. For low risk applications: Validate backup procedures exist and are performed at least weekly. A sampling of system backups should be checked to ensure compliance with the control. For medium risk applications: Validate backup procedures exist and are performed at least daily. Validate recovery media is stored at an off-site location and ensure the data is protected in accordance with its risk category and confidentiality level. This validation can be performed by examining an SLA or MOU/MOA that states the protection levels of the data and how it should be stored. A sampling of system backups should be checked to ensure compliance with the control. Verify that the organization tests backup information to ensure media reliability and information integrity. Verify that the organization selectively uses backup information in the restoration of information system functions as part of annual contingency plan testing. For high risk applications: Validate that the procedures have been defined for system redundancy and they are properly implemented and are executing the procedures. Verify that the redundant system is properly separated from the primary system (i.e., located in a different building or in a different city). This validation should be performed by examining the secondary system and ensuring its operation. Examine the SLA or MOU/MOA to ensure redundant capability is addressed. Finding details should indicate the type of validation performed. Examine the mirror capability testing procedures and results to insure the capability is properly tested at 6 month minimum intervals. If any of the requirements above for the associated risk level of the application are not met, this is a finding. |
Fix Text (F-76591r1_fix) |
---|
Develop and implement backup procedures based on risk level of the system and in accordance with DoD policy. |