
Email Services must be documented in System Security Plan.


Overview

Finding ID: V-18867
Version: EMG3-050 EMail
Rule ID: SV-20650r1_rule
IA Controls: DCSD-1
Severity: Medium
Description
A System Security Plan defines the security procedures and policies applicable to the Automated Information System (AIS). It includes the definition of responsibilities and qualifications for those responsible for administering the security of the AIS. For email services, this specifically includes the email administrator, in addition to the standard System Administrator (SA) and Information Assurance Officer (IAO) roles. Without a System Security Plan, unqualified personnel may be assigned responsibilities they are incapable of meeting, and email security is prone to an inconsistent or incomplete implementation. Security controls applicable to email services may not be documented, tracked, or followed if they are not identified in the System Security Plan, and any security control that is overlooked leaves a gap through which email services vulnerabilities can be exploited. The Email Domain Security Plan (EDSP) defines the security settings and configurations of the email system.
STIG: Email Services Policy
Date: 2012-01-31

Details

Check Text (C-22675r1_chk)
Interview the IAO. Review the Email Domain Security Plan (EDSP) for email services. Review coverage of the following in the EDSP:
Technical, administrative, and procedural IA program and policies that govern email services

Identification of all IA roles and assignments (IAM, IAO, DBA, SA)

Specific IA requirements and objectives such as unique security considerations, tuning parameters and outage contingency plans

If email services are documented in the EDSP, this is not a finding.
Fix Text (F-19571r1_fix)
Establish an Email Domain Security Plan section of the overall System Security Plan to document the email services components.