Check: EMG0-090 EMail
Email Services Policy: EMG0-090 EMail (in version v1 r4)
Title
E-mail acceptable use policy is not documented in the System Security Plan or does not require annual user review. (Cat III impact)
Discussion
E-mail is only as secure as the recipient, which can be either a server or a human (client). Added to that, the surest way to prevent SPAM and other malware from entering the E-mail message transfer path is to apply secure IA measures at the point of origin. For inbound messages, that point is the perimeter, where the Edge Transport Role server performs authentication and sanitization measures on the messages. For outbound messages, that point is the human user, who (with assistance from a client application such as Outlook) must use care with the actions taken when reading or creating E-mail messages. An E-mail Acceptable Use Policy is a set of rules that describes IA operation and expected user behavior with regard to E-mail services. Formal creation and use of an E-mail Acceptable Use Policy protects both the organization and its users by declaring boundaries, operational processes, and user training surrounding HelpDesk procedures, legal constraints, and E-mail based threats that may be encountered. The Acceptable Use Policy should be distributed to each new E-mail user as a requirement for obtaining an E-mail account. The policy must also be updated annually and then subjected to repeat review by users. Requiring signed acknowledgement of the rules should be a condition of continued access to the E-mail system.
Check Content
Procedure: Interview the IAO. Access the documentation that describes the E-mail Acceptable Use Policy that is followed at the site. The Acceptable Use Policy serves as training for users and sets expectations for E-mail parameters.
Criteria: If the E-mail Acceptable Use Policy is documented in the System Security Plan and requires annual user review with signature acknowledgement, this is not a finding.
Fix Text
Procedure: Implement an E-mail Acceptable Use Policy that is documented in the System Security Plan or at the organizational level, and requires signed annual review by users.
Additional Identifiers
Rule ID: SV-20683r1_rule
Vulnerability ID: V-18885
Group Title:
Expert Comments
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |