STIGQter: STIG Summary: Video Services Policy STIG, Version: 1, Release: 10, Benchmark Date: 26 Oct 2018: Deficient SOP for, enforcement, usage, or configuration of the auto-answer feature.

DISA Rule

SV-18723r1_rule

Vulnerability Number

V-17596

Group Title

RTS-VTC 1060.00 [IP][ISDN]

Rule Version

RTS-VTC 1060.00

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

[IP][ISDN]; Perform the following tasks:
In the event the auto-answer feature is approved for use, perform the following tasks:
- Maintain full documentation on the validation of the mission requirement and the DAA approval to use the auto-answer feature
- Develop and enforce a SOP regarding the proper use of the auto-answer feature.
- Configure the auto-answer feature to answer with the microphone muted.
- Ensure the camera is covered by the user or otherwise disabled automatically while waiting for a call.
- Ensure the VTU provides a visual indication that a call has been answered.
- Train users to ensure the ringer or audible notification volume is set and maintained at an easily audible level or the VTU automatically satisfies this requirement.
- Train the user(s) to which the feature is available in its proper use as reflected in the SOP and in the vulnerabilities it presents.

Check Contents

[IP][ISDN]; Interview the IAO to validate compliance with the following requirement:

In the event the auto-answer feature is available and/or used, ensure a policy and procedure is in place and enforced such that all of the following occur:

- The auto-answer feature is configured to answer with the microphone muted.
- The camera is covered or otherwise disabled while waiting for a call.
- The VTU provides a visual indication that a call has been answered.
- The user will ensure the ringer or audible notification volume is set to an easily audible level or the VTU will automatically satisfy this requirement.
- The user(s) to which the feature is available is trained in its proper use as reflected in the SOP and in the vulnerabilities it presents.

Note: During APL testing, this is a finding in the event “auto-answer with microphone muted” is not configurable on the VTU. It is also desirable that this setting will ensure the audible notification is at a level to be easily heard.

Determine if this requirement is covered in a SOP and user training/agreements. Interview a sampling of users to determine their awareness and implementation of the requirement. Verify that, if supported, the VTU auto-answer feature is configured to answer with microphone muted.

Documentable

False

Severity Override Guidance

[IP][ISDN]; Interview the IAO to validate compliance with the following requirement:

In the event the auto-answer feature is available and/or used, ensure a policy and procedure is in place and enforced such that all of the following occur:

- The auto-answer feature is configured to answer with the microphone muted.
- The camera is covered or otherwise disabled while waiting for a call.
- The VTU provides a visual indication that a call has been answered.
- The user will ensure the ringer or audible notification volume is set to an easily audible level or the VTU will automatically satisfy this requirement.
- The user(s) to which the feature is available is trained in its proper use as reflected in the SOP and in the vulnerabilities it presents.

Note: During APL testing, this is a finding in the event “auto-answer with microphone muted” is not configurable on the VTU. It is also desirable that this setting will ensure the audible notification is at a level to be easily heard.

Determine if this requirement is covered in a SOP and user training/agreements. Interview a sampling of users to determine their awareness and implementation of the requirement. Verify that, if supported, the VTU auto-answer feature is configured to answer with microphone muted.

Check Content Reference

I

Potential Impact

The inadvertent disclosure of sensitive or classified information to a caller of a VTU that may not have an appropriate need-to-know or proper security clearance.

Responsibility

Other

Target Key

1418
