Email Administrator role must be assigned and authorized by the IAO.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-18865	EMG0-056 EMail	SV-20646r2_rule	DCSD-1	Low

Description
Separation of roles supports operational security for application as well as human resources. Roles accompanied by elevated privileges, such as that of the Email Administrator, must be carefully regulated and monitored. All appointments to Information Assurance (IA) roles, such as Designated Approving Authority (DAA), Information Assurance Manager (IAM), and Information Assurance Officer (IAO) must be in writing, and include assigned duties and appointment criteria such as training, clearance and IT designation. The Email Administrator role is assigned and controlled by the IAM. The IAM role owns the responsibility to document responsibilities, privileges, training and scope for the Email Administrator role. It is with this definition that the IAO is able to monitor assigned resources, ensuring that intended tasks are completed, and that elevated privileges are not used for purposes beyond their intended tasks.

Description

Separation of roles supports operational security for application as well as human resources. Roles accompanied by elevated privileges, such as that of the Email Administrator, must be carefully regulated and monitored. All appointments to Information Assurance (IA) roles, such as Designated Approving Authority (DAA), Information Assurance Manager (IAM), and Information Assurance Officer (IAO) must be in writing, and include assigned duties and appointment criteria such as training, clearance and IT designation. The Email Administrator role is assigned and controlled by the IAM. The IAM role owns the responsibility to document responsibilities, privileges, training and scope for the Email Administrator role. It is with this definition that the IAO is able to monitor assigned resources, ensuring that intended tasks are completed, and that elevated privileges are not used for purposes beyond their intended tasks.

STIG	Date
Email Services Policy STIG	2013-07-11

Details

Check Text ( C-22458r5_chk )
Review the documented procedures for approval of Email Administrator Privileges. Review implementation evidence for the procedures. If the Email Administrator role is documented and authorized by the IAO, this is not a finding.

Fix Text (F-19386r4_fix)
Establish a procedure that ensures the Email Administrator role is defined and authorized (assigned) as documented by the IAO.