STIGQter: STIG Summary: Video Services Policy STIG, Version: 1, Release: 11, Benchmark Date: 24 Apr 2020

Deficient SOP or enforcement for user validation that encryption is on when required

DISA Rule

SV-18860r1_rule

Vulnerability Number

V-17686

Group Title

RTS-VTC 1260.00 [IP][ISDN]

Rule Version

RTS-VTC 1260.00

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

[IP][ISDN]; Perform the following tasks:
Define and enforce policy and procedure that addresses user activation and verification of encryption use when encryption is required based on the sensitivity of the information discussed or presented. The following must be included:
- The user must check that all participants are using encryption and have enabled the encryption on their devices if manual activation is necessary.
- When the conference has begun, the user must ensure that the VTU is displaying the “conference is encrypted” indication.

Check Contents

[IP][ISDN]; Interview the IAO to validate compliance with the following requirement:

Ensure a policy and procedure is in place and enforced that addresses user activation and verification of encryption use when encryption is required based on the sensitivity of the information discussed or presented. The following must be included:
- The user must check that all participants are using encryption and have enabled the encryption on their devices if manual activation is necessary.
- When the conference has begun, the user must ensure that the VTU is displaying the “conference is encrypted” indication.
Note: This requirement must be reflected in user training, agreements and guides.

Verify that there is a policy and procedure in place that enforces and guides users on how and what to check when participants are required to use encryption.

Documentable

False

Severity Override Guidance

[IP][ISDN]; Interview the IAO to validate compliance with the following requirement:

Ensure a policy and procedure is in place and enforced that addresses user activation and verification of encryption use when encryption is required based on the sensitivity of the information discussed or presented. The following must be included:
- The user must check that all participants are using encryption and have enabled the encryption on their devices if manual activation is necessary.
- When the conference has begun, the user must ensure that the VTU is displaying the “conference is encrypted” indication.
Note: This requirement must be reflected in user training, agreements and guides.

Verify that there is a policy and procedure in place that enforces and guides users on how and what to check when participants are required to use encryption.

Check Content Reference

I

Potential Impact

The inadvertent disclosure of sensitive or classified information to a caller of a VTU that may not have an appropriate need-to-know or proper security clearance.

Responsibility

Other

Target Key

1418

Comments