STIG Summary: Web Policy STIG

Version: 1

Release: 1

Benchmark Date: 28 Oct 2011

SV-28754r1_rule: The production web server staff will have a formal migration plan for removing or upgrading production web server software prior to the date the vendor drops security patch support.
SV-28757r1_rule: Incident Response procedures must exist for web servers and sites.
SV-28765r1_rule: Production web server scripts are tested before implementation.
SV-28769r1_rule: Trained staff are not available to respond to web server or web content problems.
SV-28770r1_rule: All interactive CGI programs used on the production web server will be documented.
SV-28771r1_rule: The sensitivity level of all data for publication on a production web site is known and documented.
SV-28772r1_rule: Configuration management policies are available to the SA and the web administrator.
SV-28774r1_rule: A current baseline configuration for the web server is maintained at all times.
SV-28775r1_rule: Change on a production web site is controlled.
SV-28786r1_rule: Documented procedures and processes exist to recover the production web server and its associated web sites and are included as a part of the COOP.
SV-28787r1_rule: The SA and the web administrator are aware of mobile code technology deployed on servers under their administration.
SV-28788r1_rule: A process must exist to ensure changes to a production web server's software or a production web server's configurable settings are tested and documented before being implemented.
SV-28790r1_rule: Web server access logs are generated and retained according to DoDI 8500.2 requirements.
SV-28795r1_rule: Information on public web servers is reviewed before publication and periodically reviewed after publication.