Check: EMG3-050 EMail
Email Services Policy: EMG3-050 EMail (in version v1 r4)
Title
E-mail Services are not documented in the System Security Plan. (Cat II impact)
Discussion
A System Security Plan defines the security procedures and policies applicable to the Automated Information System (AIS). It includes the definition of responsibilities and qualifications for those responsible for administering the security of the AIS. For E-mail services, this specifically includes the E-mail Administrator in addition to the standard System Administrator (SA) and Information Assurance Officer (IAO) roles. Without a System Security Plan, unqualified personnel may be assigned responsibilities they are incapable of meeting, and E-mail security is prone to an inconsistent or incomplete implementation. Security controls applicable to E-mail services may not be documented, tracked, or followed if they are not identified in the System Security Plan. Any security control that is overlooked could leave E-mail services vulnerabilities open to exploitation.
Check Content
Interview the IAO. Review the System Security Plan for E-mail services. Review coverage of the following in the System Security Plan:
- technical, administrative, and procedural IA program and policies that govern E-mail services
- identification of all IA roles and assignments (IAM, IAO, DBA, SA)
- specific IA requirements and objectives, such as unique security considerations and outage contingency plans
Criteria: If E-mail services are documented in the System Security Plan, this is not a finding.
Fix Text
Procedure: Establish an E-mail services component of the System Security Plan.
Additional Identifiers
Rule ID: SV-20650r1_rule
Vulnerability ID: V-18867
Group Title:
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |