Title

Email Administrator role must be assigned and authorized by the ISSO. (Cat III impact)

Discussion

Separation of roles supports operational security for application as well as human resources. Roles accompanied by elevated privileges, such as that of the Email Administrator, must be carefully regulated and monitored. All appointments to Information Assurance (IA) roles, such as Authorizing Officer (AO), System Security Manager (ISSM), and Information Systems Security Officer (ISSO) must be in writing, and include assigned duties and appointment criteria such as training, clearance and IT designation. The Email Administrator role is assigned and controlled by the ISSM. The ISSM role owns the responsibility to document responsibilities, privileges, training and scope for the Email Administrator role. It is with this definition that the ISSO is able to monitor assigned resources, ensuring that intended tasks are completed, and that elevated privileges are not used for purposes beyond their intended tasks.

Check Content

Review the documented procedures for approval of Email Administrator Privileges. Review implementation evidence for the procedures. If the Email Administrator role is documented and authorized by the ISSO, this is not a finding.

Fix Text

Establish a procedure that ensures the Email Administrator role is defined and authorized (assigned) as documented by the ISSO.

Additional Identifiers

Rule ID: SV-20646r3_rule

Vulnerability ID: V-18865

Group Title: EMG0-056 E-mail Administrator Role

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.