Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-24957 | WIR-SPP-003-02 | SV-30694r4_rule | VIIR-1 VIIR-2 | High |
Description |
---|
If required procedures are not followed after a data spill, classified data could be exposed to unauthorized personnel. |
STIG | Date |
---|---|
Smartphone Policy Security Technical Implementation Guide | 2011-06-20 |
Check Text ( C-31115r4_chk ) |
---|
Detailed Policy Requirements: If a data spill occurs on a smartphone, the following actions must be completed: - The smartphone management server and email servers (e.g., Exchange, Oracle mail, etc.) are handled as classified systems until they are sanitized according to appropriate procedures. (See NSA/CSS Storage Device Declassification Manual 9-12 for sanitization procedures.) - The smartphone is handled as a classified device and destroyed according to DoD guidance for destroying classified equipment or sanitized as directed in Check WIR-SPP-003-01. Check Procedures: Interview the IAO. Determine if the site has had a data spill within the previous 24 months. If yes, review written records, incident reports, and/or after action reports and determine if required procedures were followed. Mark as a finding if the site had a data spill within the previous 24 months and required procedures were not followed. |
Fix Text (F-27583r1_fix) |
---|
If a data spill occurs on a wireless email device or system at a site, the site must follow required procedures. |