E-mail Acceptable Use Policy must contain required elements.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-18886	EMG0-092 EMail	SV-20685r1_rule	PRRB-1	Low

Description
E-mail is only as secure as the recipient, which can be either a server or a human (client). Add to that, the surest way to prevent SPAM and other malware from entering the E-mail message transfer path by using secure IA measures at the point of origin. For inbound messages, that point is at the perimeter, where the Edge Transport Role server performs authentication and sanitization measures on the messages. For outbound messages, that point is the human user, who (with assistance from a client application such as Outlook) must use care with actions taken when reading or creating E-mail messages. E-mail Acceptable Use Policy statements must include, among other items, user education and expectations, as well as penalties and legal ramifications surrounding noncompliance. User education elements should include such elements as: Classification and Sensitivity Labeling; A user’s electronic signature is the stamp of authenticity that enables information to be trusted. SPAM and PHISHING recognition; The ability to recognize non-authentic messages is key to protecting the organization against user manipulation that results from false information. Acceptable and non-acceptable text content; Users should also be acquainted with legal responsibilities surrounding harassment, soliciting, or distribution of inappropriate content as outlined by the organization. Security Constraints; Forbidden attachment types and security reasons for each. “Personal business” usage policy; Message content guidelines, attention to CC: lists, information sensitivity, chain letters, and spillage prevention. Request help; how to report if you are a witnesses or victim of misuse, phone numbers for support, troubleshooting, how to request an account for a new user. User expectations elements should include such elements as: Acceptable Use Policy location; for ongoing reference if needed. E-mail types of services offered; for example, Outlook, OWA and Public Folders included, access from POP3 clients is not allowed, etc. E-mail tools, rules, and alerts; descriptions and official formats of E-mail based announcements that may originate from the E-mail Administration team (to prevent users being SPAMMED or compromised by social engineering exploits). Because there are known social engineering techniques that SPAM users in the form of ‘Administrator Requests’ to end users, it may be advantageous to have an ‘official’ method of communicating, enabling users to then recognize non-authentic requests and report them. Legal issues; what constitutes harassment, threats, or inappropriate language. E-mail Administration processes; how to add, remove, and manage the e-mail user population, report problems or abuse, compromise. Constraints; Mailbox, message, and attachment size limitations. Policies; Data retention, type of servers, server uptime and maintenance schedules Penalties for violating E-mail Acceptable Use Policy Schedule for Periodic review, format for signoff

Description

E-mail is only as secure as the recipient, which can be either a server or a human (client). Add to that, the surest way to prevent SPAM and other malware from entering the E-mail message transfer path by using secure IA measures at the point of origin. For inbound messages, that point is at the perimeter, where the Edge Transport Role server performs authentication and sanitization measures on the messages. For outbound messages, that point is the human user, who (with assistance from a client application such as Outlook) must use care with actions taken when reading or creating E-mail messages. E-mail Acceptable Use Policy statements must include, among other items, user education and expectations, as well as penalties and legal ramifications surrounding noncompliance. User education elements should include such elements as: Classification and Sensitivity Labeling; A user’s electronic signature is the stamp of authenticity that enables information to be trusted. SPAM and PHISHING recognition; The ability to recognize non-authentic messages is key to protecting the organization against user manipulation that results from false information. Acceptable and non-acceptable text content; Users should also be acquainted with legal responsibilities surrounding harassment, soliciting, or distribution of inappropriate content as outlined by the organization. Security Constraints; Forbidden attachment types and security reasons for each. “Personal business” usage policy; Message content guidelines, attention to CC: lists, information sensitivity, chain letters, and spillage prevention. Request help; how to report if you are a witnesses or victim of misuse, phone numbers for support, troubleshooting, how to request an account for a new user. User expectations elements should include such elements as: Acceptable Use Policy location; for ongoing reference if needed. E-mail types of services offered; for example, Outlook, OWA and Public Folders included, access from POP3 clients is not allowed, etc. E-mail tools, rules, and alerts; descriptions and official formats of E-mail based announcements that may originate from the E-mail Administration team (to prevent users being SPAMMED or compromised by social engineering exploits). Because there are known social engineering techniques that SPAM users in the form of ‘Administrator Requests’ to end users, it may be advantageous to have an ‘official’ method of communicating, enabling users to then recognize non-authentic requests and report them. Legal issues; what constitutes harassment, threats, or inappropriate language. E-mail Administration processes; how to add, remove, and manage the e-mail user population, report problems or abuse, compromise. Constraints; Mailbox, message, and attachment size limitations. Policies; Data retention, type of servers, server uptime and maintenance schedules Penalties for violating E-mail Acceptable Use Policy Schedule for Periodic review, format for signoff

STIG	Date
Email Services Policy	2012-01-31

Details

Check Text ( C-22540r1_chk )
Procedure: Interview the IAO. Access documentation that describes the elements included in the E-mail Acceptable Use policy. User education elements should include such elements as: • Classification and Sensitivity Labeling; A user’s electronic signature is the stamp of authenticity that enables information to be trusted. • SPAM and PHISHING recognition; The ability to recognize non-authentic messages is key to protecting the organization against user manipulation that results from false information. • Acceptable and non-acceptable text content; Users should also be acquainted with legal responsibilities surrounding harassment, soliciting, or distribution of inappropriate content as outlined by the organization. • Security Constraints; Forbidden attachment types and security reasons for each. •“Personal business” usage policy; Message content guidelines, attention to CC: lists, information sensitivity, chain letters, and spillage prevention. • Request help; how to report if you are a witnesses or victim of misuse, phone numbers for support, troubleshooting, how to request an account for a new user. User expectations elements should include such elements as: • Acceptable Use Policy location; for ongoing reference if needed. • E-mail types of services offered; for example, Outlook, OWA and Public Folders included, access from POP3 clients is not allowed, etc. • E-mail tools, rules, and alerts; descriptions and official formats of E-mail based announcements that may originate from the E-mail Administration team (to prevent users being SPAMMED or compromised by social engineering exploits). Because there are known social engineering techniques that SPAM users in the form of ‘Administrator Requests’ to end users, it may be advantageous to have an ‘official’ method of communicating, enabling users to then recognize non-authentic requests and report them. • Legal issues; what constitutes harassment, threats, or inappropriate language. • E-mail Administration processes; how to add, remove, and manage the e-mail user population, report problems or abuse, compromise. • Constraints; Mailbox, message, and attachment size limitations. • Policies; Data retention, type of servers, server uptime and maintenance schedules • Penalties for violating E-mail Acceptable Use Policy • Schedule for Periodic review, format for signoff Criteria: If the E-mail Acceptable Use Policy contains required elements, this is not a finding.

Check Text ( C-22540r1_chk )

Procedure: Interview the IAO. Access documentation that describes the elements included in the E-mail Acceptable Use policy.

User education elements should include such elements as:

• Classification and Sensitivity Labeling; A user’s electronic signature is the stamp of authenticity that enables information to be trusted.
• SPAM and PHISHING recognition; The ability to recognize non-authentic messages is key to protecting the organization against user manipulation that results from false information.
• Acceptable and non-acceptable text content; Users should also be acquainted with legal responsibilities surrounding harassment, soliciting, or distribution of inappropriate content as outlined by the organization.
• Security Constraints; Forbidden attachment types and security reasons for each.
•“Personal business” usage policy; Message content guidelines, attention to CC: lists, information sensitivity, chain letters, and spillage prevention.
• Request help; how to report if you are a witnesses or victim of misuse, phone numbers for support, troubleshooting, how to request an account for a new user.

User expectations elements should include such elements as:
• Acceptable Use Policy location; for ongoing reference if needed.
• E-mail types of services offered; for example, Outlook, OWA and Public Folders included, access from POP3 clients is not allowed, etc.
• E-mail tools, rules, and alerts; descriptions and official formats of E-mail based announcements that may originate from the E-mail Administration team (to prevent users being SPAMMED or compromised by social engineering exploits). Because there are known social engineering techniques that SPAM users in the form of ‘Administrator Requests’ to end users, it may be advantageous to have an ‘official’ method of communicating, enabling users to then recognize non-authentic requests and report them.
• Legal issues; what constitutes harassment, threats, or inappropriate language.
• E-mail Administration processes; how to add, remove, and manage the e-mail user population, report problems or abuse, compromise.
• Constraints; Mailbox, message, and attachment size limitations.
• Policies; Data retention, type of servers, server uptime and maintenance schedules
• Penalties for violating E-mail Acceptable Use Policy
• Schedule for Periodic review, format for signoff

Criteria: If the E-mail Acceptable Use Policy contains required elements, this is not a finding.

Fix Text (F-19582r1_fix)
Revise or supplement the E-mail Acceptable Use Policy so that it contains the required elements.