Email Administrator role must be assigned and authorized by the ISSO.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-18865	EMG0-056 EMail	SV-20646r3_rule	DCSD-1	Low

Description
Separation of roles supports operational security for application as well as human resources. Roles accompanied by elevated privileges, such as that of the Email Administrator, must be carefully regulated and monitored. All appointments to Information Assurance (IA) roles, such as Authorizing Officer (AO), System Security Manager (ISSM), and Information Systems Security Officer (ISSO) must be in writing, and include assigned duties and appointment criteria such as training, clearance and IT designation. The Email Administrator role is assigned and controlled by the ISSM. The ISSM role owns the responsibility to document responsibilities, privileges, training and scope for the Email Administrator role. It is with this definition that the ISSO is able to monitor assigned resources, ensuring that intended tasks are completed, and that elevated privileges are not used for purposes beyond their intended tasks.

Description

Separation of roles supports operational security for application as well as human resources. Roles accompanied by elevated privileges, such as that of the Email Administrator, must be carefully regulated and monitored. All appointments to Information Assurance (IA) roles, such as Authorizing Officer (AO), System Security Manager (ISSM), and Information Systems Security Officer (ISSO) must be in writing, and include assigned duties and appointment criteria such as training, clearance and IT designation. The Email Administrator role is assigned and controlled by the ISSM. The ISSM role owns the responsibility to document responsibilities, privileges, training and scope for the Email Administrator role. It is with this definition that the ISSO is able to monitor assigned resources, ensuring that intended tasks are completed, and that elevated privileges are not used for purposes beyond their intended tasks.

STIG	Date
Email Services Policy STIG	2015-08-07

Details

Check Text ( C-22458r6_chk )
Review the documented procedures for approval of Email Administrator Privileges. Review implementation evidence for the procedures. If the Email Administrator role is documented and authorized by the ISSO, this is not a finding.

Fix Text (F-19386r5_fix)
Establish a procedure that ensures the Email Administrator role is defined and authorized (assigned) as documented by the ISSO.