V-19546 | High | Email domains must be protected by an Edge Server at the email transport path. | Separation of roles supports operational security for application and protocol services. Since 2006, Microsoft best practices had taken the direction of creating operational “roles” for servers... |
V-19548 | High | Email domains must be protected by transaction proxy at the client access path. | Separation of email server roles supports operational security for application and protocol services. The HTTP path to web sites is a proven convenience in requiring only a browser to access them,... |
V-18857 | Medium | Annual procedural reviews must be conducted at the site. | A regular review of current email security policies and procedures is necessary to maintain the desired security posture of Email services. Policies and procedures should be measured against... |
V-18884 | Medium | Email critical software copies must be stored offsite in a fire rated container. | There is always potential that accidental loss can cause system loss and that restoration will be needed. In the event that the installation site is compromised, damaged or destroyed copies of... |
V-18877 | Medium | Email Administrator Groups must ensure least privilege. | When an oversight responsibility is assigned to the same person performing the actions being overseen, the function of oversight is compromised. When the responsibility to manage or control one... |
V-18883 | Medium | Email backups must meet schedule and storage requirements. | Hardware failures or other (sometimes physical) disasters can cause data loss to active applications, and precipitate the need for expedient recovery. Ensuring backups are conducted on an agreed... |
V-18882 | Medium | Email backup and recovery data must be protected. | All automated information systems are at risk of data loss due to disaster or compromise. Failure to provide adequate protection to the backup and recovery data exposes it to risk of potential... |
V-18880 | Medium | Audit logs must be documented and included in backups. | Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Audit logs are essential to the... |
V-18864 | Medium | Email Configuration Management (CM) procedures must be implemented. | Uncontrolled, untested, or unmanaged changes can result in an unreliable security posture. All software libraries related to email services must be reviewed, considered, and the responsibility for... |
V-18879 | Medium | Email audit records must be retained for 1 year. | Audit data retention serves as a history that can aid in determining actions executed by users and administrators. Reasons for such research include both malicious actions that may have been... |
V-18867 | Medium | Email Services must be documented in the EDSP (Email Domain Security Plan). | A System Security Plan defines the security procedures and policies applicable to the Automated Information System (AIS). The Email Domain Security Plan (EDSP) defines the security settings and... |
V-35227 | Medium | Transaction proxies protecting email domains must interrupt and inspect web traffic on the client access path prior to its entry to the enclave. | Separation of email server roles supports operational security for application and protocol services. The HTTP path to web sites is a proven convenience in requiring only a browser to access them,... |
V-18858 | Medium | Exchange 2003 with Outlook Web Access must be deployed as Front-end/Back-end Architecture. | Microsoft® Exchange 2003 supports a server architecture that distributes server tasks among front-end and back-end servers. Front-end/back-end architecture provides for logical separation of... |
V-18868 | Low | Email software installation account usage must be logged. | Email Administrator or application owner accounts are granted more enhanced privileges than non-privileged users. It is especially important to grant access to privileged accounts to only those... |
V-18881 | Low | The email backup and recovery strategy must be documented and tested on an INFOCON compliant frequency. | A disaster recovery plan exists that provides for the smooth transfer of all mission or business essential functions to an alternate site for the duration of an event with little or no loss of... |
V-18865 | Low | Email Administrator role must be assigned and authorized by the IAO. | Separation of roles supports operational security for application as well as human resources. Roles accompanied by elevated privileges, such as that of the Email Administrator, must be carefully... |
V-18885 | Low | Email acceptable use policy must be documented in the Email Domain Security Plan (EDSP). | Email is only as secure as the recipient, which is ultimately person who is receiving messages. Also to consider, the surest way to prevent SPAM and other malware from entering the email message... |
V-18869 | Low | Email audit trails must be reviewed daily. | Access to email servers and software are logged to establish a history of actions taken in the system. Unauthorized access or use of the system could indicate an attempt to bypass established... |
V-18886 | Low | Email Acceptable Use Policy must contain required elements. | Email is only as secure as the recipient, which is ultimately the person who is receiving messages. Also to consider, the surest way to prevent SPAM and other malware from entering the email... |
V-33389 | Low | Email acceptable use policy must be renewed annually. | An Email Acceptable Use Policy is a set of rules that describe IA operation and expected user behavior with regard to email services. Formal creation and use of an Email Acceptable Use policy... |