Check: BBDS-00-000100
BBDS10 2 X STIG:
BBDS-00-000100
(in version v1 r5)
Title
The BlackBerry Device Service server must implement separation of administrator duties by requiring a specific role be assigned to each administrator account. (Cat I impact)
Discussion
Separation of duties supports the management of individual accountability and reduces the power of one individual or administrative account. Employing a separation of duties model reduces the threat that one individual has the authority to make changes to a system, and the authority to delete any record of those changes. This requirement is intended to limit exposure due to operating from within a privileged account or role. The inclusion of a role is intended to address those situations where an access control policy, such as Role Based Access Control (RBAC), is being implemented and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account. It is recommended that the following or similar roles be supported: - MDM administrative account administrator: responsible for server installation, initial configuration, and maintenance functions. - Security configuration policy administrator (IA technical professional): responsible for security configuration of the server and setting up and maintenance of mobile device security policies. - Device management administrator (Technical operator): responsible for maintenance of mobile device accounts, including setup, change of account configurations, and account deletion. - Auditor (internal auditor or reviewer): responsible for reviewing and maintaining server and mobile device audit logs.
Check Content
Review the BlackBerry Device Service server configuration to ensure there are multiple administrator roles configured as assigned by the site. Otherwise, this is a finding.
Fix Text
Create and configure accounts to be aligned with the following roles as assigned by the site. Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Administrator users > Manage users > <User Name> > Roles" and verify the roles required by the site are assigned. Note: The roles in BlackBerry Device services are as follows: Security Administrator - This role has permission to perform all tasks in the BlackBerry Device Service. Enterprise Administrator - This role has permission to perform all tasks in the BlackBerry Device Service except changing role assignments. This role can only view role assignments. Senior Helpdesk Administrator - This role has permission to perform advanced administrative tasks in the BlackBerry Device Service. Junior Helpdesk Administrator - This role has permission to perform basic administrative tasks in the BlackBerry Device Service. Server Only Administrator - This role has permissions to perform system management tasks in the BlackBerry Device Service. User Only Administrator - This role has permission to perform user management tasks in the BlackBerry Device Service.
Additional Identifiers
Rule ID:
Vulnerability ID: V-48503
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000037 |
The organization implements separation of duties through assigned information system access authorizations. |
Controls
Number | Title |
---|---|
No controls are assigned to this check |