Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-33296 | SRG-OS-999999-MOS-000139 | SV-43715r2_rule | | Low |
Description |
---|
The contact database often contains a significant amount of information beyond each person's name and phone number. The records may contain addresses and other identifying or sensitive information that should not be revealed. There may be cases in which an organization has determined that it is an acceptable risk to distribute parts of a person's contact record but not others. Enabling the system administrator to select which fields are available outside the contact database application (or to applications outside the work persona in the case of a dual persona device) assists with management of the risk. |
STIG | Date |
---|---|
Mobile Operating System Security Requirements Guide | 2013-07-03 |
Check Text (C-41593r2_chk) |
---|
Review system documentation to determine if this capability is present. If it is not, this is a finding. If the capability is alleged to be present, ask the systems administrator to disable access to one of the fields in the contact database (e.g., organization name). This may be accomplished using an MDM system. Find an application that can access the contact database and verify the blocked field is inaccessible. If the phone is dual persona, repeat the prior test and attempt to access the contact database from an application external to the work persona. If it is accessible, this is a finding. |
Fix Text (F-37226r2_fix) |
---|
Configure the operating system to enable a system administrator to select which data fields will be available to (i) applications outside of the contact database application and (ii) the work persona in the case of a dual persona phone. |