
Web server content and configuration files must be part of a routine backup program.


Overview

Finding ID: V-6485
Version: WA140 IIS6
Rule ID: SV-38172r1_rule
IA Controls: CODB-1, CODB-2, CODB-3
Severity: Low
Description
Backing up web server data and web server application software after upgrades or maintenance ensures that recovery can be accomplished up to the current version. It also provides a means to determine and recover from subsequent unauthorized changes to the software and data. A tested and verifiable backup strategy will be implemented for web server software as well as all web server data files. Backup and recovery procedures will be documented and the Web Manager or SA for the specific application will be responsible for the design, test, and implementation of the procedures. The site will have a contingency processing plan/disaster recovery plan that includes web servers. The contingency plan will be periodically tested in accordance with DoDI 8500.2 requirements. The site will identify an off-site storage facility in accordance with DoDI 8500.2 requirements. Off-site backups will be updated on a regular basis and the frequency will be documented in the contingency plan.
STIG: IIS6 Server
Date: 2011-09-26

Details

Check Text (C-37554r1_chk)
The reviewer should query the Information Assurance Officer (IAO), SA, Web Manager, Webmaster, or developers as necessary to determine whether a tested and verifiable backup strategy has been implemented for the web server software, its configuration, and all web server data files.

Proposed Questions:

Who maintains the backup and recovery procedures?
Do you have a copy of the backup and recovery procedures?
Where is the off-site backup location?
Is the contingency plan documented?
When was the last time the contingency plan was tested?
Are the test dates and results documented?

If there is not a backup and recovery process for the web server, this is a finding.

NOTE: Backup media containing sensitive data needs to be compliant with DoD Memorandum: "Encryption of Sensitive Unclassified Data at Rest on Mobile Computing Devices and Removable Storage Media", dated 3 Jul 2007.
Fix Text (F-32800r1_fix)
Implement a tested backup and recovery process for the web server software, configuration, and content files, and document the backup and recovery procedures, including the off-site storage location, the backup frequency, and the contingency plan test dates and results.