STIG ID - BACF1010: Store Backup and Recovery Data Sets on a Separate Volume from the ACF2 Database

Severity: 2 - Medium
The ACF2 backup and recovery files provide the only means of recovery if the ACF2 database becomes damaged. If the primary ACF2 database and the alternate ACF2 backup and recovery files are stored on the same volume and that volume is damaged, complete recovery of the ACF2 database could be compromised. File location is an often overlooked consideration in system integrity. It is important to ensure that the effects of hardware failures on system integrity and availability are minimized. Avoid co-location of files such as primary and alternate databases.
This STIG article shows how to determine if the ACF2 database is not located on the same volume as the alternate or backup files.
Your organization will ensure that the primary ACF2 database files are placed on a separate volume from the alternate backup and recovery data sets. Doing so allows a clean backup and recovery in the event of physical damage to a volume.
Identify Audit Finding
Review the following data to determine if you should consider remediation:
Follow these steps:
  1. Identify if there is a plan in place to ensure primary ACF2 databases are not stored on the same volume as the alternate backup databases and recovery data sets.
  2. Determine if the primary ACF2 databases are not stored on the same volume as the alternate backup databases and recovery data sets. From TSO, select option 3.4 to list the ACF2 Security databases and online backup files. Ensure backup files are allocated on separate DASD volumes from the live ACF2 database files.
  3. If a documented plan does not exist, your organization has an audit finding. See Remediate Audit Finding.
  4. If a documented plan exists and it is determined that the primary ACF2 databases are stored on the same volume as the alternate backup databases and recovery data sets, your organization has an audit finding. See Remediate Audit Finding.
  5. If a documented plan exists, your organization does not have an audit finding.
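The volume comparison in step 2 can be scripted once the data set names and volume serials have been copied out of the data set list. The following is an added example, not part of the original article or of any ACF2 tooling; the data set names, VOLSERs, the three-column input format and the primary/backup role labels are all constructed assumptions supplied by the reviewer.

```python
import re
from collections import defaultdict

# Constructed sample input (hypothetical data set names and VOLSERs): one line
# per data set, transcribed from the data set list as "DSNAME VOLSER ROLE".
SAMPLE_LISTING = """\
# dsname                      volser  role
SECURITY.ACF2.LOGONIDS.DATA   SEC001  primary
SECURITY.ACF2.RULES.DATA      SEC001  primary
SECURITY.ACF2.INFOSTG.DATA    SEC002  primary
SECURITY.ACF2.ALT.LOGONIDS    SEC003  backup
SECURITY.ACF2.BKUP.RULES      SEC001  backup
SECURITY.ACF2.BKUP.INFOSTG    MIGRAT  backup
"""

VOLSER_RE = re.compile(r"^[A-Z0-9#$@]{1,6}$")
# Values a data set list can show in the volume column for migrated data sets;
# they are placeholders, not volumes (other markers such as *VSAM* fail VOLSER_RE).
NOT_A_VOLUME = {"MIGRAT", "MIGRAT1", "MIGRAT2"}

def parse_listing(text):
    """Return (dsname, volser, role) tuples; reject lines that do not fit the format."""
    records = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3 or fields[2].lower() not in ("primary", "backup"):
            raise ValueError(f"line {n}: expected 'DSNAME VOLSER primary|backup'")
        records.append((fields[0].upper(), fields[1].upper(), fields[2].lower()))
    return records

def review(records):
    """Return (volumes holding both primary and backup data sets, unresolved data sets)."""
    by_volume = defaultdict(lambda: {"primary": [], "backup": []})
    unresolved = []
    for dsname, volser, role in records:
        if volser in NOT_A_VOLUME or not VOLSER_RE.match(volser):
            unresolved.append(dsname)  # placement cannot be judged from this entry
        else:
            by_volume[volser][role].append(dsname)
    shared = {v: d for v, d in by_volume.items() if d["primary"] and d["backup"]}
    return shared, unresolved

if __name__ == "__main__":
    shared, unresolved = review(parse_listing(SAMPLE_LISTING))
    for volser, d in sorted(shared.items()):
        print(f"FINDING {volser}: primary {d['primary']} shares volume with backup {d['backup']}")
    for dsname in unresolved:
        print(f"UNRESOLVED {dsname}: no real volume serial listed, confirm placement")
```

An entry reported as unresolved is neither a pass nor a finding; its actual volume has to be confirmed before the review is closed.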
Remediate Audit Finding
The responsible Systems Programmer ensures that the ACF2 databases and data sets are placed on a separate volume from the backup and recovery data sets to provide backup and recovery in the event of physical damage to a volume.
Follow these steps:
  1. Develop a plan to store the primary ACF2 databases on a separate, physical volume from where the alternate backup databases and recovery data sets are stored. Your organization's systems programmer and Information System Security Officer (ISSO) develop the plan.
  2. Execute the plan to move the identified primary ACF2 databases to a separate, physical volume from where the alternate backup databases and recovery data sets are stored.
Your organization is prepared for a recovery in the event of physical damage to a DASD volume.
Control Correlation Identifier (CCI)
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
CCIs: CCI-000549
CCI: CCI-000549
Published Date: 2009-09-21
Definition: The organization maintains a redundant secondary information system that is not collocated with the primary system.
Type: policy
References:
NIST: NIST SP 800-53 (v3): CP-9 (6)
NIST: NIST SP 800-53 Revision 4 (v4): CP-9 (6)
NIST: NIST SP 800-53A (v1): CP-9 (6).1 (i)