
E-mail acceptable use policy must be documented in the System Security Plan and does require annual user review.


Overview

Finding ID: V-18885
Version: EMG0-090 EMail
Rule ID: SV-20683r1_rule
IA Controls: PRRB-1
Severity: Low
Description
E-mail is only as secure as the recipient, which can be either a server or a human (client). Added to that, the surest way to prevent SPAM and other malware from entering the E-mail message transfer path is to apply secure IA measures at the point of origin. For inbound messages, that point is at the perimeter, where the Edge Transport Role server performs authentication and sanitization measures on the messages. For outbound messages, that point is the human user, who (with assistance from a client application such as Outlook) must use care with actions taken when reading or creating E-mail messages. An E-mail Acceptable Use Policy is a set of rules that describe IA operation and expected user behavior with regard to E-mail services. Formal creation and use of an E-mail Acceptable Use Policy protects both the organization and its users by declaring boundaries, operational processes, and user training surrounding HelpDesk procedures, legal constraints, and E-mail based threats that may be encountered. The Acceptable Use Policy should be distributed to each new E-mail user as a requirement for obtaining an E-mail account. The policy must also be updated annually and then subject to repeat review by users. Requiring signed acknowledgement of the rules should be a condition of continued access to the E-mail system.
STIG: Email Services Policy
Date: 2012-01-31

Details

Check Text (C-22539r1_chk)
Procedure: Interview the IAO. Access the documentation that describes the E-mail Acceptable Use Policy that is followed at the site. The Acceptable Use Policy serves as training for users and sets expectations for E-mail parameters.

Criteria:
If the E-mail Acceptable Use Policy is documented in the System Security Plan and requires annual user review with signature acknowledgement, this is not a finding.
Fix Text (F-19581r1_fix)
Procedure: Implement an E-mail Acceptable Use Policy that is documented in the System Security Plan or at the organizational level, and requires signed annual review by users.