UCF ID: 04577
Control Type: Behavior
Status: Live
Supporting and supported controls
This control directly supports:
- Establish and maintain a policy for establishing access policies and procedures. [UCF Control ID 00512]
This control has the following supporting controls:
- Establish and maintain an instant messaging standard for acceptable usage, if instant messaging will be allowed. [UCF Control ID 04578]
Authority documents complied with:
Army Regulation 380-19: Information Systems Security, February 27, 1998, App D-4; The Standard of Good Practice for Information Security, SM6.3.7, UE5.1.1, UE5.2.4, UE5.3.4, UE5.4.6; DISA Secure Remote Computing Security Technical Implementation Guide, Version 1, Release 2, § 2.1, App B; DoD Instruction 8500.2 Information Assurance (IA) Implementation, ECIM-1
US Federal Security Guidance
E-mail and Internet accounts should not be shared. [App D-4, Army Regulation 380-19: Information Systems Security, February 27, 1998]
Establish a policy on whether to allow web-based e-mail and instant messaging services. [ECIM-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation]
Other Configuration Guidance
Webmail applications must be configured to limit the number of commercial addresses entering the website. This can be accomplished by restricting source and destination addresses. When limited access users use personal PCs, they must delete downloaded e-mail attachments that are no longer required. [§ 2.1, App B, DISA Secure Remote Computing Security Technical Implementation Guide, Version 1, Release 2]
General Guidance
The organization should specifically prohibit users from using web-based e-mail or instant messaging services, automatically forwarding e-mail to an external address, opening attachments from unknown senders, using a private encryption program to encrypt e-mails and instant messages, using offensive language, sending messages to unknown recipients, inserting unauthorized advertising in the e-mail, and using unauthorized web browsers. [SM6.3.7, UE5.1.1, UE5.2.4, UE5.3.4, UE5.4.6, The Standard of Good Practice for Information Security]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
