The Good Mobility Suite must implement separation of administrator duties by requiring a specific role to be assigned to each administrator account.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-53019	GOOD-00-000010	SV-67235r1_rule		High

Description
Separation of duties supports the management of individual accountability and reduces the power of one individual or administrative account. Employing a separation of duties model reduces the threat that one individual has the authority to make changes to a system and the authority to delete any record of those changes. This requirement is intended to limit exposure due to operating from within a privileged account or role. The inclusion of a role is intended to address those situations where an access control policy, such as Role-Based Access Control (RBAC), is being implemented and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and a non-privileged account. It is recommended that the following or similar roles be supported: 1) Good Mobility Suite administrative account administrator is responsible for server installation, initial configuration, and maintenance functions. 2) Security configuration policy administrator (IA technical professional) is responsible for security configuration of the server and setting up and maintenance of mobile device security policies. 3) Device management administrator (Technical operator) is responsible for maintenance of mobile device accounts, including setup, change of account configurations, and account deletion. 4) Auditor (internal auditor or reviewer) is responsible for reviewing and maintaining server and mobile device audit logs.

Description

Separation of duties supports the management of individual accountability and reduces the power of one individual or administrative account. Employing a separation of duties model reduces the threat that one individual has the authority to make changes to a system and the authority to delete any record of those changes. This requirement is intended to limit exposure due to operating from within a privileged account or role. The inclusion of a role is intended to address those situations where an access control policy, such as Role-Based Access Control (RBAC), is being implemented and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and a non-privileged account. It is recommended that the following or similar roles be supported: 1) Good Mobility Suite administrative account administrator is responsible for server installation, initial configuration, and maintenance functions. 2) Security configuration policy administrator (IA technical professional) is responsible for security configuration of the server and setting up and maintenance of mobile device security policies. 3) Device management administrator (Technical operator) is responsible for maintenance of mobile device accounts, including setup, change of account configurations, and account deletion. 4) Auditor (internal auditor or reviewer) is responsible for reviewing and maintaining server and mobile device audit logs.

STIG	Date
Good for Enterprise 8.x Security Technical Implementation Guide	2014-08-18

Details

Check Text ( C-54519r2_chk )
Review the Good Mobility Suite configuration to determine if separation of administrator duties has been implemented by assigning a specific role to each administrator account. Otherwise, this is a finding.

Fix Text (F-57829r2_fix)
Configure the Good Mobility Suite to implement separation of administrator duties by requiring a specific role to be assigned to each administrator account. - Launch the Good Mobile Control Web console, select the roles tab. - Validate that administrative users are assigned to different roles based upon job function as defined by local policy. Service Administrator - Service account super-user Administrator - Server administrator Helpdesk - Add/remove users Self-service - Users take action on their own devices - DO NOT USE

Fix Text (F-57829r2_fix)

Configure the Good Mobility Suite to implement separation of administrator duties by requiring a specific role to be assigned to each administrator account.

- Launch the Good Mobile Control Web console, select the roles tab.

- Validate that administrative users are assigned to different roles based upon job function as defined by local policy.

Service Administrator - Service account super-user
Administrator - Server administrator
Helpdesk - Add/remove users
Self-service - Users take action on their own devices - DO NOT USE