Email Acceptable Use Policy must contain required elements.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-18886	EMG0-092 EMail	SV-20685r3_rule	PRRB-1	Low

Description
Email is only as secure as the recipient, which is ultimately the person who is receiving messages. Also to consider, the surest way to prevent SPAM and other malware from entering the email message transport path is by using secure IA measures at the point of origin. Here again, this is ultimately a person, who is sending messages. Email Acceptable Use Policy statements must include user education and expectations, as well as penalties and legal ramifications surrounding noncompliance. Examples of elements may include such items as classification and sensitivity labeling, undesirable message recognition such as for SPAM, Phishing, or bogus certificates. There should also be process information, such as the Email Acceptable Use Policy location, review frequency, email services offered (Outlook, web based email), and email services forbidden (such as access via alternate email products). Users may also need to know other useful information, such as mailbox size quotas, attachment limitations, and procedural steps for making help desk requests. Email tools, rules, and alerts descriptions plus official formats of email based announcements that may originate from the Email Administration team should be documented to prevent users being fooled or compromised by social engineering exploits. It may also be advantageous to have an ‘official’ method of communicating, enabling users to then recognize non-authentic requests and report them.

Description

Email is only as secure as the recipient, which is ultimately the person who is receiving messages. Also to consider, the surest way to prevent SPAM and other malware from entering the email message transport path is by using secure IA measures at the point of origin. Here again, this is ultimately a person, who is sending messages. Email Acceptable Use Policy statements must include user education and expectations, as well as penalties and legal ramifications surrounding noncompliance. Examples of elements may include such items as classification and sensitivity labeling, undesirable message recognition such as for SPAM, Phishing, or bogus certificates. There should also be process information, such as the Email Acceptable Use Policy location, review frequency, email services offered (Outlook, web based email), and email services forbidden (such as access via alternate email products). Users may also need to know other useful information, such as mailbox size quotas, attachment limitations, and procedural steps for making help desk requests. Email tools, rules, and alerts descriptions plus official formats of email based announcements that may originate from the Email Administration team should be documented to prevent users being fooled or compromised by social engineering exploits. It may also be advantageous to have an ‘official’ method of communicating, enabling users to then recognize non-authentic requests and report them.

STIG	Date
Email Services Policy STIG	2015-08-07

Details

Check Text ( C-22540r3_chk )
Access the EDSP documentation that describes the Email Acceptable Use Policy elements. Included should be elements such as the following: User education User expectations Penalties for non-conformance Legal ramifications Classification labeling SPAM and Phishing recognition Bogus certificates Review frequency Services offered or not offered Message and attachment size quotas Help desk and other support information If the Email Acceptable Use Policy contains required elements, this is not a finding.

Check Text ( C-22540r3_chk )

Access the EDSP documentation that describes the Email Acceptable Use Policy elements.
Included should be elements such as the following:

User education
User expectations
Penalties for non-conformance
Legal ramifications
Classification labeling
SPAM and Phishing recognition
Bogus certificates
Review frequency
Services offered or not offered
Message and attachment size quotas
Help desk and other support information

If the Email Acceptable Use Policy contains required elements, this is not a finding.

Fix Text (F-19582r3_fix)
Revise or supplement the Email Acceptable Use Policy so it contains the required elements. Document the email acceptable use policy elements in the EDSP.