STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide Version: 5 Release: 1 Benchmark Date: 23 Oct 2020

Data backup must be performed at required intervals in accordance with DoD policy.

DISA Rule

SV-222638r508029_rule

Vulnerability Number

V-222638

Group Title

SRG-APP-000516

Rule Version

APSC-DV-003070

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Develop and implement backup procedures based on risk level of the system and in accordance with DoD policy.

Check Contents

Interview the application and system admins and review documented backup procedures.

Check the following based on the risk level of the application.

For low risk applications:

Validate backup procedures exist and are performed at least weekly.

A sampling of system backups should be checked to ensure compliance with the control.

For medium risk applications:

Validate backup procedures exist and are performed at least daily.

Validate recovery media is stored at an off-site location and ensure the data is protected in accordance with its risk category and confidentiality level. This validation can be performed by examining an SLA or MOU/MOA that states the protection levels of the data and how it should be stored.

A sampling of system backups should be checked to ensure compliance with the control.

Verify that the organization tests backup information to ensure media reliability and information integrity.

Verify that the organization selectively uses backup information in the restoration of information system functions as part of annual contingency plan testing.

For high risk applications:

Validate that procedures for system redundancy have been defined, that they are properly implemented, and that the organization is actually executing them.

Verify that the redundant system is properly separated from the primary system (i.e., located in a different building or in a different city). This validation should be performed by examining the secondary system and ensuring its operation.

Examine the SLA or MOU/MOA to ensure redundant capability is addressed. Finding details should indicate the type of validation performed. Examine the mirror capability testing procedures and results to ensure the capability is properly tested at 6 month minimum intervals.

If any of the requirements above for the associated risk level of the application are not met, this is a finding.
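The "sampling of system backups" steps above amount to checking that the gaps between successive backup runs, restoration tests, and mirror tests never exceed the interval for the application's risk level. The following Python script is an added example, not part of the STIG or of STIGQter: it reads a constructed sample of ISO-8601 backup and test dates and reports a finding string for each interval requirement that is not met. The tier-to-interval mapping follows the text above (weekly for low, daily plus an annual restoration test for medium, mirror testing at 6 month intervals for high); treating "6 months" as 183 days and checking each tier's own requirements only are assumptions made here.

```python
from datetime import datetime, timedelta

# Maximum allowed gap between successive backups, per risk level (from the check text above).
MAX_BACKUP_GAP = {
    "low": timedelta(days=7),     # "at least weekly"
    "medium": timedelta(days=1),  # "at least daily"
}
# Medium risk: backups used in restoration as part of annual contingency plan testing.
MAX_RESTORE_TEST_GAP = timedelta(days=365)
# High risk: mirror capability tested at 6 month minimum intervals (183 days is an assumption).
MAX_MIRROR_TEST_GAP = timedelta(days=183)

# Constructed sample evidence: one ISO-8601 date per line, as an auditor might export it.
AS_OF = datetime(2020, 11, 1)
LOW_BACKUPS = ["2020-10-04", "2020-10-11", "2020-10-18", "2020-10-25"]
MEDIUM_BACKUPS = ["2020-10-28", "2020-10-29", "# 30 Oct run missing", "2020-10-31"]
MEDIUM_RESTORE_TESTS = ["2019-09-15"]
HIGH_MIRROR_TESTS = ["2020-02-10", "2020-08-05"]


def parse_timestamps(lines):
    """Parse non-empty, non-comment ISO-8601 date lines into a sorted list of datetimes."""
    stamps = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        stamps.append(datetime.fromisoformat(line))
    return sorted(stamps)


def largest_gap(stamps, as_of):
    """Largest interval between consecutive events, including the gap from the last event to as_of.

    Returns None when there are no events at all, so callers can distinguish
    'no evidence' from 'evidence that is too old'.
    """
    if not stamps:
        return None
    gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
    gaps.append(as_of - stamps[-1])
    return max(gaps)


def audit_backups(risk, backup_lines, as_of, restore_test_lines=(), mirror_test_lines=()):
    """Return a list of finding strings; an empty list means the sampled evidence meets the intervals."""
    findings = []

    if risk in MAX_BACKUP_GAP:
        limit = MAX_BACKUP_GAP[risk]
        gap = largest_gap(parse_timestamps(backup_lines), as_of)
        if gap is None:
            findings.append(f"{risk} risk: no backup records in sample")
        elif gap > limit:
            findings.append(
                f"{risk} risk: backup gap of {gap.days} days exceeds {limit.days}-day limit"
            )

    if risk == "medium":
        gap = largest_gap(parse_timestamps(restore_test_lines), as_of)
        if gap is None or gap > MAX_RESTORE_TEST_GAP:
            findings.append("medium risk: no restoration test within the annual interval")

    if risk == "high":
        gap = largest_gap(parse_timestamps(mirror_test_lines), as_of)
        if gap is None or gap > MAX_MIRROR_TEST_GAP:
            findings.append("high risk: mirror capability not tested within 6 months")

    return findings


if __name__ == "__main__":
    cases = [
        ("low", audit_backups("low", LOW_BACKUPS, AS_OF)),
        ("medium", audit_backups("medium", MEDIUM_BACKUPS, AS_OF,
                                 restore_test_lines=MEDIUM_RESTORE_TESTS)),
        ("high", audit_backups("high", [], AS_OF, mirror_test_lines=HIGH_MIRROR_TESTS)),
    ]
    for risk, findings in cases:
        status = "FINDING" if findings else "compliant"
        print(f"{risk}: {status}")
        for f in findings:
            print(f"  - {f}")
```

Measuring the gap from the most recent run to the audit date, not just between runs, is what catches a backup job that silently stopped; a sample whose last entry is older than the interval is a finding even if every earlier gap was within limits.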

Vulnerability Number

V-222638

Documentable

False

Rule Version

APSC-DV-003070

Severity Override Guidance

Identical to the Check Contents above.

Check Content Reference

M

Target Key

4093

Comments