The BlackBerry Device Service server must implement separation of administrator duties by requiring a specific role be assigned to each administrator account.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
BBDS-00-000100	BBDS-00-000100	BBDS-00-000100_rule		High

Description
Separation of duties supports the management of individual accountability and reduces the power of one individual or administrative account. Employing a separation of duties model reduces the threat that one individual has the authority to make changes to a system, and the authority to delete any record of those changes. This requirement is intended to limit exposure due to operating from within a privileged account or role. The inclusion of a role is intended to address those situations where an access control policy, such as Role Based Access Control (RBAC), is being implemented and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account. It is recommended that the following or similar roles be supported: - MDM administrative account administrator: responsible for server installation, initial configuration, and maintenance functions. - Security configuration policy administrator (IA technical professional): responsible for security configuration of the server and setting up and maintenance of mobile device security policies. - Device management administrator (Technical operator): responsible for maintenance of mobile device accounts, including setup, change of account configurations, and account deletion. - Auditor (internal auditor or reviewer): responsible for reviewing and maintaining server and mobile device audit logs.

Description

Separation of duties supports the management of individual accountability and reduces the power of one individual or administrative account. Employing a separation of duties model reduces the threat that one individual has the authority to make changes to a system, and the authority to delete any record of those changes. This requirement is intended to limit exposure due to operating from within a privileged account or role. The inclusion of a role is intended to address those situations where an access control policy, such as Role Based Access Control (RBAC), is being implemented and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account. It is recommended that the following or similar roles be supported: - MDM administrative account administrator: responsible for server installation, initial configuration, and maintenance functions. - Security configuration policy administrator (IA technical professional): responsible for security configuration of the server and setting up and maintenance of mobile device security policies. - Device management administrator (Technical operator): responsible for maintenance of mobile device accounts, including setup, change of account configurations, and account deletion. - Auditor (internal auditor or reviewer): responsible for reviewing and maintaining server and mobile device audit logs.

STIG	Date
BlackBerry Device Service 6.2 STIG	2013-05-03

Details

Check Text ( C-BBDS-00-000100_chk )
Review the BlackBerry Device Service server configuration to ensure there are accounts associated with the following roles: - MDM administrative account administrator: responsible for server installation, initial configuration, and maintenance functions. - Security configuration policy administrator (IA technical professional): responsible for security configuration of the server and setting up and maintenance of mobile device security policies. - Device management administrator (Technical operator): responsible for maintenance of mobile device accounts, including setup, change of account configurations, and account deletion. - Auditor (internal auditor or reviewer): responsible for reviewing and maintaining server and mobile device audit logs. If this separation of duties is not present, this is a finding. Roles are assigned during the creation of the Administrator account as follows: 1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Administrator user. 2. Click Create an administrator user. 3. In the Display name field, type a name for the administrator account. 4. Configure the login information that the administrator account uses to log in to the BlackBerry Administration Service. 5. In the Role drop-down list, click the role that you want to assign to the administrator account. 6. Click Create an administrator user. The role can also be updated after account creation by selecting "Manage Users" under the "Administrator Users" option.

Check Text ( C-BBDS-00-000100_chk )

Review the BlackBerry Device Service server configuration to ensure there are accounts associated with the following roles:

- MDM administrative account administrator: responsible for server installation, initial configuration, and maintenance functions.
- Security configuration policy administrator (IA technical professional): responsible for security configuration of the server and setting up and maintenance of mobile device security policies.
- Device management administrator (Technical operator): responsible for maintenance of mobile device accounts, including setup, change of account configurations, and account deletion.
- Auditor (internal auditor or reviewer): responsible for reviewing and maintaining server and mobile device audit logs.

If this separation of duties is not present, this is a finding.

Roles are assigned during the creation of the Administrator account as follows:

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Administrator
user.
2. Click Create an administrator user.
3. In the Display name field, type a name for the administrator account.
4. Configure the login information that the administrator account uses to log in to the BlackBerry Administration
Service.
5. In the Role drop-down list, click the role that you want to assign to the administrator account.
6. Click Create an administrator user.

The role can also be updated after account creation by selecting "Manage Users" under the "Administrator Users" option.

Fix Text (F-BBDS-00-000100_fix)
Create and configure accounts to be aligned with the following roles: - MDM administrative account administrator: responsible for server installation, initial configuration, and maintenance functions. - Security configuration policy administrator (IA technical professional): responsible for security configuration of the server and setting up and maintenance of mobile device security policies. - Device management administrator (Technical operator): responsible for maintenance of mobile device accounts, including setup, change of account configurations, and account deletion. - Auditor (internal auditor or reviewer): responsible for reviewing and maintaining server and mobile device audit logs.

Fix Text (F-BBDS-00-000100_fix)

Create and configure accounts to be aligned with the following roles:

- MDM administrative account administrator: responsible for server installation, initial configuration, and maintenance functions.
- Security configuration policy administrator (IA technical professional): responsible for security configuration of the server and setting up and maintenance of mobile device security policies.
- Device management administrator (Technical operator): responsible for maintenance of mobile device accounts, including setup, change of account configurations, and account deletion.
- Auditor (internal auditor or reviewer): responsible for reviewing and maintaining server and mobile device audit logs.