Title

The E-mail Administrator role is not assigned and authorized by the IAO. (Cat III impact)

Discussion

Separation of roles supports operational security for application as well as human resources. Roles accompanied by elevated privileges, such as that of the E-Mail Administrator, must be carefully regulated and monitored. All appointments to Information Assurance (IA) roles, such as Designated Approving Authority (DAA), Information Assurance Manager (IAM), and Information Assurance Officer (IAO) are in writing, and include assigned duties and appointment criteria such as training, clearance and IT designation. The E-mail Administrator role is assigned and controlled by the IAM. The IAM role owns the responsibility to document responsibilities, privileges, training and scope for the E-mail Administrator role. It is with this definition that the IAO is able to monitor assigned resources, ensuring that intended tasks are completed, and that elevated privileges are not used for purposes beyond their intended tasks.

Check Content

Procedure: Review the documented procedures for approval and granting of E-mail Administrator Privileges. Review implementation evidence for the procedures. Criteria: If the E-mail Administrator role is documented and authorized by the IAO, this is not a finding.

Fix Text

Procedure: Establish a procedure that ensures the E-mail Administrator role is defined and authorized (assigned) as documented by the IAO.

Additional Identifiers

Rule ID: SV-20646r1_rule

Vulnerability ID: V-18865

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.