STIG ID - BACF1010: Store Backup and Recovery Data Sets on a Separate Volume from the ACF2 Database
Severity: 2 - Medium
ACF2 backup and recovery files provide the only means of recovery if the ACF2 database becomes damaged. If the primary ACF2 database and the alternate ACF2 backup and recovery files are stored on the same volume and damage occurs to the volume, complete recovery of the ACF2 database could be compromised. File location is an often overlooked consideration in system integrity. It is important to ensure that the effects of hardware failures on system integrity and availability are minimized. Avoid co-location of files such as primary and alternate databases.
This STIG article shows how to determine if the ACF2 database is not located on the same volume as the alternate or backup files.
Your organization will ensure that the primary ACF2 database files are placed on a separate volume from the alternate backup and recovery data sets. Doing so allows a clean backup and recovery in the event of physical damage to a volume.
Identify Audit Finding
Review the following data to determine if you should consider remediation:
Follow these steps:
- Identify if there is a plan in place to ensure primary ACF2 databases are not stored on the same volume as the alternate backup databases and recovery data sets.
- Determine if the primary ACF2 databases are not stored on the same volume as the alternate backup databases and recovery data sets. From TSO, select option 3.4 to list the ACF2 Security databases and online backup files. Ensure backup files are allocated on separate DASD volumes from the live ACF2 database files.
- If a documented plan does not exist, your organization has an audit finding. See Remediate Audit Finding.
- If a documented plan exists and it is determined that the primary ACF2 databases are stored on the same volume as the alternate backup databases and recovery data sets, your organization has an audit finding. See Remediate Audit Finding.
- If a documented plan exists, your organization does not have an audit finding.
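The volume comparison in the second step can be scripted once the data set list has been transcribed. The following is an added example, not part of the original STIG article or of any vendor tooling. It assumes a hand-built listing of role, data set name, and the Volume column from the option 3.4 list; the data set names and volume serials are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample: role, data set name, Volume column from the data set list.
# Names and volsers are placeholders, not real site values.
SAMPLE = """\
primary  EXAMPLE.ACF2.LOGONIDS    SECV01
primary  EXAMPLE.ACF2.RULES       SECV01
primary  EXAMPLE.ACF2.INFOSTG     SECV02
backup   EXAMPLE.ACF2.BKLIDS      SECV02
backup   EXAMPLE.ACF2.BKRULES     BKPV01
backup   EXAMPLE.ACF2.BKINFO      BKPV02+
backup   EXAMPLE.ACF2.RECOVERY    MIGRAT
"""

def check_separation(listing):
    """Return (findings, manual_review) for a role/dsname/volume listing."""
    by_volume = defaultdict(lambda: {"primary": [], "backup": []})
    manual_review = []
    for lineno, line in enumerate(listing.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3 or fields[0].lower() not in ("primary", "backup"):
            raise ValueError(f"line {lineno}: expected 'role dsname volume'")
        role, dsn, vol = fields[0].lower(), fields[1].upper(), fields[2].upper()
        # A trailing '+' marks a multi-volume data set: only the first volume
        # is shown, so the remaining volumes have to be checked by hand.
        if vol.endswith("+"):
            manual_review.append((dsn, "multi-volume, only first volume listed"))
            vol = vol.rstrip("+")
        # MIGRAT means the data set is migrated; the list gives no DASD volume.
        if vol.startswith("MIGRAT"):
            manual_review.append((dsn, "migrated, volume unknown"))
            continue
        by_volume[vol][role].append(dsn)
    # A finding is any volume that holds both a primary and a backup data set.
    findings = [
        (vol, sorted(sets["primary"]), sorted(sets["backup"]))
        for vol, sets in sorted(by_volume.items())
        if sets["primary"] and sets["backup"]
    ]
    return findings, manual_review

if __name__ == "__main__":
    findings, manual = check_separation(SAMPLE)
    for vol, primary, backup in findings:
        print(f"FINDING {vol}: primary {primary} shares a volume with {backup}")
    for dsn, reason in manual:
        print(f"REVIEW  {dsn}: {reason}")
```

A distinct volume serial does not by itself prove a separate physical device, so confirm the hardware placement of each volume with the storage administrator.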
Remediate Audit Finding
The responsible Systems Programmer ensures that the ACF2 databases and data sets are placed on a separate volume from the backup and recovery data sets to provide backup and recovery in the event of physical damage to a volume.
Follow these steps:
- Develop a plan to store the primary ACF2 databases on a separate, physical volume from where the alternate backup databases and recovery data sets are stored. Your organization's systems programmer and Information System Security Officer (ISSO) develop the plan.
- Execute the plan to move the identified primary ACF2 databases to a separate, physical volume from where the alternate backup databases and recovery data sets are stored.
Your organization is prepared for a recovery in the event of physical damage to a DASD volume.
Control Correlation Identifier (CCI)
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
The organization maintains a redundant secondary information system that is not collocated with the primary system.
NIST: NIST SP 800-53 (v3): CP-9 (6)
NIST: NIST SP 800-53 Revision 4 (v4): CP-9 (6)
NIST: NIST SP 800-53A (v1): CP-9 (6).1 (i)