Title: Database recovery procedures must be developed, documented, implemented, and periodically tested.
Vulnerability ID: V-32434
IA Controls: None
Description: Information system backup is a critical step in maintaining data assurance and availability.
User-level information is data generated by information system and/or application users. In order to assure availability of this data in the event of a system failure, DoD organizations are required to ensure user generated data is backed up at a defined frequency. This includes data stored on file systems, within databases or within any other storage media.
Applications performing backups must be capable of backing up user-level information per the DoD defined frequency.
Problems with backup procedures or backup media may not be discovered until after a recovery is needed. Testing and verification of procedures provides the opportunity to discover oversights, conflicts, or other issues in the backup procedures or use of media designed to be used.
Check Text: Review the testing and verification procedures documented in the system documentation. Review evidence of implementation of testing and verification procedures by reviewing logs from backup and recovery implementation. Logs may be in electronic form or hardcopy and may include email or other notification. If testing and verification of backup and recovery procedures is not documented in the system documentation, this is a finding.
If evidence of testing and verification of backup and recovery procedures does not exist, this is a finding.
Fix Text: Develop, document, and implement testing and verification procedures for database backup and recovery. Include requirements for documenting database backup and recovery testing and verification activities in the procedures.[divider]