Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-25022 | WIR-MOS-iOS-007 | SV-30786r2_rule | ECWM-1 | Medium |
Description |
---|
DoD CIO memo requires all PDAs, BlackBerrys, and smartphones to have a consent banner displayed during logon/device unlock to ensure users understand their responsibilities to safeguard DoD data. |
STIG | Date |
---|---|
Apple iOS 5 Security Technical Implementation Guide (STIG) | 2012-07-20 |
Check Text (C-31203r5_chk) |
---|
The following banner is required: “I've read & consent to terms in IS user agreem't.” |
Check Procedure: On the iOS device, complete the following: |
Check a sample of devices (3-4). The procedure will vary, depending on the MDM server used. For iOS, the banner is only displayed when logging into the security container. The banner must exactly match the required phrase. |
If the Good server is used, complete the following: |
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure: |
-Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server. |
--Log into the Good Mobile Control console. |
--Click on the Policies tab. |
--View all policy sets on the server. |
-Note: STIG-compliant policy sets should be identified as such in the policy title. It is recommended that all non-STIG/ISCG policy sets be deleted. |
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set. |
-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database. |
-Launch the Good Mobile Control Web console and click on the Policies tab. |
-Select a policy set to review and click on the policy. |
-On the left tab, select Compliance Manager. |
-Verify a "Custom" or "iOS DoD Login Banner" rule is listed. (Note the rule title does not have to be exact.) |
-Open the rule by checking the box next to the rule and then click Edit. |
-Verify "Failure Action" is set to "Quit Good for Enterprise". |
-Verify "Check Every" is set to "1 hour". |
-Verify Rule File = disclaimer.xml |
Mark as a finding if configuration is not set as required. |
Fix Text (F-27693r1_fix) |
---|
Display the required banner during device unlock/logon. |