UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The mobile operating system must enable a system administrator to (i) select which data fields will be available to applications outside of the contact database application and (ii) limit the number of contact database fields accessible outside of a work persona in the case of dual persona phones.


Overview

Finding ID Version Rule ID IA Controls Severity
V-33296 SRG-OS-999999-MOS-000139 SV-43715r2_rule Low
Description
The contact database often contains a significant amount of information beyond each person's name and phone number. The records may contain addresses and other identifying or sensitive information that should not be revealed. There may be cases in which an organization has determined that it is an acceptable risk to distribute parts of person's contact record but not others. Enabling the system administrator to select which fields are available outside the contact database application (or to applications outside the work persona in the case of a dual persona device) assists with management of the risk.
STIG Date
Mobile Operating System Security Requirements Guide 2013-07-03

Details

Check Text ( C-41593r2_chk )
Review system documentation to determine if this capability is present. If it is not, this is a finding. If the capability is alleged to be present, ask the systems administrator to disable access to one of the fields in the contact database (e.g., organization name). This may be accomplished using an MDM system. Find an application that can access the contact database and verify the blocked field is inaccessible. If the phone is dual persona, repeat the prior test and attempt to access the contact database from an application external to the work persona. If it is accessible, this is a finding.
Fix Text (F-37226r2_fix)
Configure the operating system to enable a system administrator to select which data fields will be available to (i) applications outside of the contact database application and (ii) the work persona in the case of a dual persona phone.