Title

Email acceptable use policy must be renewed annually. (Cat III impact)

Discussion

An Email Acceptable Use Policy is a set of rules that describe IA operation and expected user behavior with regard to email services. Formal creation and use of an Email Acceptable Use policy protects both organization and users by declaring boundaries, operational processes, and user training surrounding helpdesk procedures, legal constraints and email based threats that may be encountered. The Email Acceptable Use Policy must be annually updated, then subject to renewal by users. Requiring signed acknowledgement of the policy would constitute continued access to the email system.

Check Content

Access the EDSP documentation that describes the Email Acceptable Use Policy. Verify there is a stated requirement for users to renew annually. If the Email Acceptable Use Policy requires annual user renewal with signature acknowledgement, this is not a finding.

Fix Text

Implement a review and renewal process for the Email Acceptable Use Policy that requires annual renewal and signature acknowledgement. Document the process in the EDSP.

Additional Identifiers

Rule ID: SV-43808r2_rule

Vulnerability ID: V-33389

Group Title: EMG0-093 Email Acceptable Use Policy

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.