| Vuln ID | Severity | Title | Description |
| --- | --- | --- | --- |
| V-19546 | High | E-mail services and servers must be protected by routing all SMTP traffic through an Edge Transport Server. | Separation of roles supports operational security for application and protocol services. Since 2006, Microsoft best practices had taken the direction of creating operational "roles" for servers... |
| V-19548 | High | E-mail web services must be protected by having an application proxy server outside the enclave. | Separation of roles supports operational security for application and protocol services. The HTTP path to web sites is a proven convenience in requiring only a browser to access them, but is... |
| V-18857 | Medium | Annual procedural reviews must be conducted at the site. | A regular review of current E-mail security policies and procedures is necessary to maintain the desired security posture of E-mail services. Policies and procedures should be measured against... |
| V-18884 | Medium | E-mail critical software copies must be stored offsite in a fire rated container. | There is always potential that accidental loss can cause system loss and that restoration will be needed. In the event that the installation site is compromised, damaged or destroyed, copies of... |
| V-18877 | Medium | E-mail Administrator Groups must ensure least privilege. | When an oversight responsibility is assigned to the same person performing the actions being overseen, the function of oversight is compromised. When the responsibility to manage or control one... |
| V-18883 | Medium | E-mail backups must meet schedule or storage requirements. | Hardware failures or other (sometimes physical) disasters can cause data loss to active applications, and the need for expedient recovery. Ensuring that backups are conducted on an agreed... |
| V-18882 | Medium | E-mail backup and recovery data must be protected. | All automated information systems are at risk of data loss due to disaster or compromise. Failure to provide adequate protection to the backup and recovery data exposes it to risk of potential... |
| V-18880 | Medium | Audit logs must be included in weekly backups. | Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Audit logs are essential to the... |
| V-18864 | Medium | E-Mail Configuration Management (CM) procedures must be implemented. | Uncontrolled, untested, or unmanaged changes can result in an unreliable security posture. All software libraries related to E-mail services must be reviewed, considered, and the responsibility... |
| V-18879 | Medium | E-mail audit records must be retained for 1 year. | Audit data retention serves as a history that can aid in determining actions executed by users and administrators. Reasons for such research include both malicious actions that may have been... |
| V-18867 | Medium | Email Services must be documented in System Security Plan. | A System Security Plan defines the security procedures and policies applicable to the Automated Information System (AIS). It includes definition of responsibilities and qualifications for those... |
| V-18868 | Low | E-mail software installation account usage must be logged. | E-mail Administrator or application owner accounts are granted more enhanced privileges than non-privileged users. It is especially important to grant access to privileged accounts to only those... |
| V-18881 | Low | The E-mail backup and recovery strategy must be documented and tested on an INFOCON compliant frequency. | A disaster plan exists that provides for the smooth transfer of all mission or business essential functions to an alternate site for the duration of an event with little or no loss of operational... |
| V-18865 | Low | The E-mail Administrator role must be assigned and authorized by the IAO. | Separation of roles supports operational security for application as well as human resources. Roles accompanied by elevated privileges, such as that of the E-Mail Administrator, must be... |
| V-18885 | Low | E-mail acceptable use policy must be documented in the System Security Plan and does require annual user review. | E-mail is only as secure as the recipient, which can be either a server or a human (client). Add to that, the surest way to prevent SPAM and other malware from entering the E-mail message... |
| V-18869 | Low | E-mail audit trails must be reviewed daily. | Access to E-mail services and software is logged to establish a history of actions taken in the system. Unauthorized access or use of the system could indicate an attempt to bypass established... |
| V-18886 | Low | E-mail Acceptable Use Policy must contain required elements. | E-mail is only as secure as the recipient, which can be either a server or a human (client). Add to that, the surest way to prevent SPAM and other malware from entering the E-mail message... |