Blackberry accounts will not be assigned to the default IT policy on the BES or any other non-STIG compliant IT policy. Accounts will only be assigned a STIG compliant IT policy.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-19226	WIR1340-01	SV-21115r6_rule	ECSC-1	High

Description
The Blackberry default policy on the BES does not include many DoD required security policies for data encryption, authentication, and access control. DoD enclaves are at risk of data exposure and hacker attack if users are assigned the default (or other non-STIG compliant) IT policy.

STIG	Date
BlackBerry Enterprise Server, Part 2 Security Technical Implementation Guide	2011-07-14

Details

Check Text ( C-23164r4_chk )
Detailed Policy Requirements: 1. Separate STIG compliant IT policies will be set up on the BES: one for users that have been issued an approved Bluetooth headset/handsfree device and one of users that have not been issued an approved Bluetooth headset/handsfree device. 2. All user accounts will be assigned to a STIG compliant IT policy. Check Procedures: Interview the BlackBerry system administrator. Ask the administrator to identify the default IT policy on the BES (usually labeled “Default”) and any other non-STIG compliant IT policies set up on the BES. You can view the list of IT policies set up on the BES as follows: For BES 5.0 BAS > BlackBerry solution management box > Policy > Manage IT policies. For BES 4.1.x - In the BlackBerry Manager, click BlackBerry Domain (left pane). - On the Global tab, click Edit Properties. - Click IT Policy. - In the IT Policy Administration section, double click IT Policies. Verify that no users are assigned to the default IT policy or any other non-STIG IT policy by performing the following steps for each policy. For BES 5.0 For the default IT policy and other non-STIG compliant policies, look at each IT policy listed under Manage IT policies to be checked, -Click on the policy name, - Click on “View users with IT policy,” - Click Search. A list of all users assigned to the policy will be shown. For BES 4.1.x - In BlackBerry Manager, click on BlackBerry Domain. - Select the “All Users” tab. - If “IT Policy Name” is not listed as one of the column headings, do the following: o Right click on the “Name” column heading. o In the “Column Chooser” dialog box, add “IT Policy Name” to the list of columns listed under the “Visible columns” window. o Move the “IT Policy Name” column up the list until it is listed immediately after the “Name” column. o Click “OK” to close the dialog box. The “IT Policy Name” column should now be shown. - Click on the “IT Policy Name” column heading to sort the list of users by IT policy. - Determine if any users have been assigned to the default or other non-STIG compliant IT policy. If yes, mark as a finding. Note: IT policies identified by the BES administrator as STIG compliant should be reviewed to verify compliance when reviewing the WIR14xx series of checks.

Check Text ( C-23164r4_chk )

Detailed Policy Requirements:

1. Separate STIG compliant IT policies will be set up on the BES: one for users that have been issued an approved Bluetooth headset/handsfree device and one of users that have not been issued an approved Bluetooth headset/handsfree device.

2. All user accounts will be assigned to a STIG compliant IT policy.

Check Procedures:
Interview the BlackBerry system administrator. Ask the administrator to identify the default IT policy on the BES (usually labeled “Default”) and any other non-STIG compliant IT policies set up on the BES. You can view the list of IT policies set up on the BES as follows:

For BES 5.0
BAS > BlackBerry solution management box > Policy > Manage IT policies.

For BES 4.1.x
- In the BlackBerry Manager, click BlackBerry Domain (left pane).
- On the Global tab, click Edit Properties.
- Click IT Policy.
- In the IT Policy Administration section, double click IT Policies.

Verify that no users are assigned to the default IT policy or any other non-STIG IT policy by performing the following steps for each policy.

For BES 5.0
For the default IT policy and other non-STIG compliant policies, look at each IT policy listed under Manage IT policies to be checked,
-Click on the policy name,
- Click on “View users with IT policy,”
- Click Search. A list of all users assigned to the policy will be shown.

For BES 4.1.x
- In BlackBerry Manager, click on BlackBerry Domain.
- Select the “All Users” tab.
- If “IT Policy Name” is not listed as one of the column headings, do the following:
o Right click on the “Name” column heading.
o In the “Column Chooser” dialog box, add “IT Policy Name” to the list of columns listed under the “Visible columns” window.
o Move the “IT Policy Name” column up the list until it is listed immediately after the “Name” column.
o Click “OK” to close the dialog box. The “IT Policy Name” column should now be shown.

- Click on the “IT Policy Name” column heading to sort the list of users by IT policy.
- Determine if any users have been assigned to the default or other non-STIG compliant IT policy. If yes, mark as a finding.

Note: IT policies identified by the BES administrator as STIG compliant should be reviewed to verify compliance when reviewing the WIR14xx series of checks.

Fix Text (F-23379r1_fix)
User accounts will only be assigned a STIG compliant IT policy.