Email acceptable use policy must be renewed annually.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-33389	EMG0-093 EMail	SV-43808r2_rule		Low

Description
An Email Acceptable Use Policy is a set of rules that describe IA operation and expected user behavior with regard to email services. Formal creation and use of an Email Acceptable Use policy protects both organization and users by declaring boundaries, operational processes, and user training surrounding helpdesk procedures, legal constraints and email based threats that may be encountered. The Email Acceptable Use Policy must be annually updated, then subject to renewal by users. Requiring signed acknowledgement of the policy would constitute continued access to the email system.

Description

An Email Acceptable Use Policy is a set of rules that describe IA operation and expected user behavior with regard to email services. Formal creation and use of an Email Acceptable Use policy protects both organization and users by declaring boundaries, operational processes, and user training surrounding helpdesk procedures, legal constraints and email based threats that may be encountered. The Email Acceptable Use Policy must be annually updated, then subject to renewal by users. Requiring signed acknowledgement of the policy would constitute continued access to the email system.

STIG	Date
Email Services Policy STIG	2015-08-07

Details

Check Text ( C-41596r2_chk )
Access the EDSP documentation that describes the Email Acceptable Use Policy. Verify there is a stated requirement for users to renew annually. If the Email Acceptable Use Policy requires annual user renewal with signature acknowledgement, this is not a finding.

Fix Text (F-37315r2_fix)
Implement a review and renewal process for the Email Acceptable Use Policy that requires annual renewal and signature acknowledgement. Document the process in the EDSP.