STIGQter STIGQter: STIG Summary: Video Services Policy STIG Version: 1 Release: 10 Benchmark Date: 26 Oct 2018: Inadequate “operator/facilitator/administrator” access control for remote monitoring of a VTU connected to an IP network.

DISA Rule

SV-18727r1_rule

Vulnerability Number

V-17600

Group Title

RTS-VTC 1162.00 [IP]

Rule Version

RTS-VTC 1162.00

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

[IP]; Perform the following tasks:
If IP remote monitoring is activated, configure the VTU to require a password before permitting access to the remote monitoring and associated control functions.

Check Contents

[IP]; Interview the IAO to validate compliance with the following requirement:

In the event the VTU is connected to an IP network ensure access to IP remote monitoring and associated control functions of the VTU is minimally protected by a password.

Note: During APL testing, this is a finding in the event this requirement is not supported by the VTU. i.e., remote monitoring must be able to have a password set in order to access remote monitoring features.

Verify that an administrator password is required to access remotely accessible VTU. Have the IAO or SA demonstrate compliance with the requirement.

Vulnerability Number

V-17600

Documentable

False

Rule Version

RTS-VTC 1162.00

Severity Override Guidance

[IP]; Interview the IAO to validate compliance with the following requirement:

In the event the VTU is connected to an IP network ensure access to IP remote monitoring and associated control functions of the VTU is minimally protected by a password.

Note: During APL testing, this is a finding in the event this requirement is not supported by the VTU. i.e., remote monitoring must be able to have a password set in order to access remote monitoring features.

Verify that an administrator password is required to access remotely accessible VTU. Have the IAO or SA demonstrate compliance with the requirement.

Check Content Reference

I

Potential Impact

The inadvertent disclosure of sensitive or
classified information to a SA that is monitoring a VTU that may
not have an appropriate need-to-know or proper security
clearance.

Responsibility

Information Assurance Officer

Target Key

1418

Comments