UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Email Services Policy STIG


Overview

Date Finding Count (20)
2013-01-07 CAT I (High): 2 CAT II (Med): 11 CAT III (Low): 7
STIG Description
Email Services Policy STIG requirements must be evaluated on each system review, regardless of the email product or release level. These policies ensure conformance to DoD requirements that govern email services deployment and operations. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.

Available Profiles



Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-19546 High Email domains must be protected by an Edge Server at the email transport path.
V-19548 High Email domains must be protected by transaction proxy at the client access path.
V-18857 Medium Annual procedural reviews must be conducted at the site.
V-18884 Medium Email critical software copies must be stored offsite in a fire rated container.
V-18877 Medium Email Administrator Groups must ensure least privilege.
V-18883 Medium Email backups must meet schedule and storage requirements.
V-18882 Medium Email backup and recovery data must be protected.
V-18880 Medium Audit logs must be documented and included in backups.
V-18864 Medium Email Configuration Management (CM) procedures must be implemented.
V-18879 Medium Email audit records must be retained for 1 year.
V-18867 Medium Email Services must be documented in the EDSP (Email Domain Security Plan).
V-35227 Medium Transaction proxies protecting email domains must interrupt and inspect web traffic on the client access path prior to its entry to the enclave.
V-18858 Medium Exchange 2003 with Outlook Web Access must be deployed as Front-end/Back-end Architecture.
V-18868 Low Email software installation account usage must be logged.
V-18881 Low The email backup and recovery strategy must be documented and tested on an INFOCON compliant frequency.
V-18865 Low Email Administrator role must be assigned and authorized by the IAO.
V-18885 Low Email acceptable use policy must be documented in the Email Domain Security Plan (EDSP).
V-18869 Low Email audit trails must be reviewed daily.
V-18886 Low Email Acceptable Use Policy must contain required elements.
V-33389 Low Email acceptable use policy must be renewed annually.