The mobile operating system must enable a system administrator to select which data fields will be available to applications outside of the contact database application.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-33296 | SRG-OS-999999-MOS-000139 | SV-43715r1_rule | Low |
| Description |
|---|
| The contact database often contains a significant amount of information beyond each person's name and phone number. The records may contain addresses and other identifying or sensitive information that should not be revealed. There may be cases in which an organization has determined that it is an acceptable risk to distribute parts of person's contact record but not others. Enabling the system administrator to select which fields are available outside the contact database application assists with management of the risk. |
| STIG | Date |
|---|---|
| Mobile Operating System Security Requirements Guide | 2012-10-01 |
Details
| Check Text ( C-41593r1_chk ) |
|---|
| Review system documentation to determine if this capability is present. If it is not, this is a finding. If the capability is alleged to be present, ask the systems administrator to disable access to one of the fields in the contact database (e.g., organization name). This may be accomplished using an MDM system. Find an application that can access the contact database and verify the blocked field is inaccessible. If it is accessible, this is a finding. |
| Fix Text (F-37226r1_fix) |
|---|
| Configure the operating system to enable a system administrator to select which data fields will be available to applications outside of the contact database application. |