Trained staff are not available to respond to web server or web content problems.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-23833	WEBPL050	SV-28769r1_rule	COMS-2	Low

Description
Many web sites are available 24 hours per day, 7 days a week, and the potential for problems relating to the web server operations are significant. Operating staff may discover a problem with the organization’s web server operation or web content. Points-of-contact (staff) with the appropriate access and training must be available to respond to immediate operational needs to correct the problem.

Description

Many web sites are available 24 hours per day, 7 days a week, and the potential for problems relating to the web server operations are significant. Operating staff may discover a problem with the organization’s web server operation or web content. Points-of-contact (staff) with the appropriate access and training must be available to respond to immediate operational needs to correct the problem.

STIG	Date
Web Policy STIG	2011-10-03

Details

Check Text ( C-29180r1_chk )
The reviewer will verify that an appropriate training program is in place and that web server personnel are either certified or in the process of certification. The following elements will be reviewed: 1. A training program is in place that addresses DoD publication 8570.01M with respect to either the IAT or the IAM certification of the web server staff at the appropriate certification level, according to job roles and responsibilities. 2. Web server staff will either be DoD IAT- or IAM- certified according to their roles or be in the process of achieving DoD IA certification. 3. Training records are maintained. 4. DoD IA certification must remain active. 5. Web server staff will be CE certified. CE certification should be specific to operating systems, server hosts, etc. If web server staff administers multiple technologies, current guidance suggests that CE certification should be achieved for all supported technology. At a minimum, certification should be achieved for the technology he or she spends the most time supporting. 6. The certification program may be instructor-led, given through a CBT, or be blended. It may be vendor-specific or a component-developed equivalent certification. Testing or proof of knowledge and skill is required. It is highly suggested that, with respect to web server administration, emphasis be given to the expected functional duties of the web server staff. This emphasis should concentrate in areas that may include, but are not limited to: • Security threat and mitigation techniques. • Securing critical files and processes. • Back up and recovery techniques. • OS and the web server software administration. • OS and web server hardening techniques. • The application of access controls. • Disaster recovery. • Incident response and analysis. If elements listed above are not in place or the web server staff is not certified or is in the process of certification, this is a finding.

Check Text ( C-29180r1_chk )

The reviewer will verify that an appropriate training program is in place and that web server personnel are either certified or in the process of certification.

The following elements will be reviewed:
1. A training program is in place that addresses DoD publication 8570.01M with respect to either the IAT or the IAM certification of the web server staff at the appropriate certification level, according to job roles and responsibilities.
2. Web server staff will either be DoD IAT- or IAM- certified according to their roles or be in the process of achieving DoD IA certification.
3. Training records are maintained.
4. DoD IA certification must remain active.
5. Web server staff will be CE certified. CE certification should be specific to operating systems, server hosts, etc. If web server staff administers multiple technologies, current guidance suggests that CE certification should be achieved for all supported technology. At a minimum, certification should be achieved for the technology he or she spends the most time supporting.
6. The certification program may be instructor-led, given through a CBT, or be blended. It may be vendor-specific or a component-developed equivalent certification. Testing or proof of knowledge and skill is required. It is highly suggested that, with respect to web server administration, emphasis be given to the expected functional duties of the web server staff. This emphasis should concentrate in areas that may include, but are not limited to:
• Security threat and mitigation techniques.
• Securing critical files and processes.
• Back up and recovery techniques.
• OS and the web server software administration.
• OS and web server hardening techniques.
• The application of access controls.
• Disaster recovery.
• Incident response and analysis.

If elements listed above are not in place or the web server staff is not certified or is in the process of certification, this is a finding.

Fix Text (F-26191r1_fix)
Assign certified staff to respond to operational and content issues.