The MEM client must enable a system administrator to select which data fields in the contacts data base will be available to applications outside of the contact database.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-32807	WIR-WMS-MEM-26	SV-43153r1_rule	ECAN-1	Low

Description
Sensitive contact information could be exposed to unauthorized people.

STIG	Date
Mobile Email Management (MEM) Server Security Technical Implementation Guide (STIG)	2013-05-08

Details

Check Text ( C-41140r3_chk )
Verify the MEM server supports the capability to limit the fields in the email client contacts list can be exported to the mobile device contacts list, if this capability is supported. This feature is usually implemented via a security policy pushed from the MEM server to the email client. Transferred email contact information should be limited to contact name and telephone numbers. Talk to the site system administrator and have them show this capability exists in the MEM server. Also, review MEM product documentation. Mark as a finding if the MEM server does not have required features.

Check Text ( C-41140r3_chk )

Verify the MEM server supports the capability to limit the fields in the email client contacts list can be exported to the mobile device contacts list, if this capability is supported. This feature is usually implemented via a security policy pushed from the MEM server to the email client. Transferred email contact information should be limited to contact name and telephone numbers.

Talk to the site system administrator and have them show this capability exists in the MEM server. Also, review MEM product documentation.

Mark as a finding if the MEM server does not have required features.

Fix Text (F-36688r2_fix)
Use a MEM product that supports the capability to limit what fields in the email client contacts list can be exported to the mobile device contacts list.