UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Email Services must be documented in System Security Plan.


Overview

Finding ID Version Rule ID IA Controls Severity
V-18867 EMG3-050 EMail SV-20650r1_rule DCSD-1 Medium
Description
A System Security Plan defines the security procedures and policies applicable to the Automated Information System (AIS). It includes definition of responsibilities and qualifications for those responsible for administering the security of the AIS. For email services, this includes specifically the email Administrator in addition to the standard System Administration (SA) and Information Assurance Officer (IAO) roles. Without a System Security Plan, unqualified personnel may be assigned responsibilities that they are incapable of meeting and email security is prone to an inconsistent or incomplete implementation. Security controls applicable to email services may not be documented, tracked, or followed if not identified in the System Security Plan. Any omission of security control consideration could lead to an exploit of email services vulnerabilities. The Email Domain Security Plan (EDSP) defines the security settings and configurations of the email system.
STIG Date
Email Services Policy 2012-01-31

Details

Check Text ( C-22675r1_chk )
Interview the IAO. Review the Email Domain Security Plan (EDSP) for email services. Review coverage of the following in the EDSP:
Technical, administrative, and procedural IA program and policies that govern email services

Identification of all IA roles and assignments (IAM, IAO, DBA, SA)

Specific IA requirements and objectives such as unique security considerations, tuning parameters and outage contingency plans

If email services are documented in the EDSP, this is not a finding.
Fix Text (F-19571r1_fix)
Establish an Email Domain Security Plan section of the overall System Security Plan to document email services components