The operating system must maintain reviewer/releaser identity and credentials within the established chain of custody for all information reviewed or released.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-33203 | SRG-OS-000210-NA | SV-43603r1_rule | Medium |
| Description |
|---|
| When it comes to data review and data release, there must be a correlation between the reviewed data and the person who performs the review. If the reviewer is a human or if the review function is automated but separate from the release/transfer function, the operating system associates the identity of the reviewer of the information to be released with the information and the information label. Rationale for non-applicability: For the purposes of this SRG, a mobile operating system is assumed to support a single human-accessible user account. Therefore, the chain of custody is not relevant to activities on the device itself. Chain of custody is critical to the handling of audit records in the context of the enterprise audit logging system. The Mobile Device Management SRG addresses enterprise logging requirements. |
| STIG | Date |
|---|---|
| Mobile Operating System Security Requirements Guide | 2013-07-03 |
Details
| Check Text ( C-41466r1_chk ) |
|---|
| This requirement is NA for the Mobile OS SRG. |
| Fix Text (F-37106r1_fix) |
|---|
| The requirement is NA. No fix is required. |