STIGQter: STIG Summary: Video Services Policy STIG Version: 1 Release: 11 Benchmark Date: 24 Apr 2020:

Deficient SOP or enforcement regarding the approval and deployment of VTC capabilities.

DISA Rule

SV-18882r2_rule

Vulnerability Number

V-17708

Group Title

RTS-VTC 3620.00 [IP][ISDN]

Rule Version

RTS-VTC 3620.00

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

[IP][ISDN]; Perform the following tasks:
- Develop, document and enforce a policy regarding the justification for the installation of office-based VTUs, desktop VTUs, and PC software based VTC applications
- Document the justification for the installation of all office-based VTUs, desktop VTUs, and PC software based VTC applications
- Maintain this documentation for inspection by auditors.

Check Contents

[IP][ISDN]; Interview the IAO and validate compliance with the following requirement:

Ensure local policies are developed and enforced regarding the approval and deployment of office-based VTUs, desktop VTUs, and PC software based VTC applications. Such policies will include and/or address the following:
- Validation and justification of the need for VTC endpoint installation to include annual revalidation.
- Approval of VTC endpoint deployment on a case by case basis.
- Documentation regarding the validation, justification, and approvals.

Inspect the documentation regarding the policy for justifying the installation of office-based VTUs, desktop VTUs, and PC software based VTC applications. Inspect the documentation regarding the justification and re-justification of the need for all VTC endpoint installations. This is a finding if there is no documented policy, or if installation justifications have not been documented.

Vulnerability Number

V-17708

Documentable

False

Rule Version

RTS-VTC 3620.00

Severity Override Guidance

[IP][ISDN]; Interview the IAO and validate compliance with the following requirement:

Ensure local policies are developed and enforced regarding the approval and deployment of office-based VTUs, desktop VTUs, and PC software based VTC applications. Such policies will include and/or address the following:
- Validation and justification of the need for VTC endpoint installation to include annual revalidation.
- Approval of VTC endpoint deployment on a case by case basis.
- Documentation regarding the validation, justification, and approvals.

Inspect the documentation regarding the policy for justifying the installation of office-based VTUs, desktop VTUs, and PC software based VTC applications. Inspect the documentation regarding the justification and re-justification of the need for all VTC endpoint installations. This is a finding if there is no documented policy, or if installation justifications have not been documented.

Check Content Reference

I

Potential Impact

Without a local policy giving guidance to proper use and deployment of office-based VTUs, desktop VTUs, and PC software based VTC applications could lead to the disclosure of sensitive or classified information to individuals that may not have an appropriate need-to-know or proper security clearance.

Responsibility

Information Assurance Officer

Target Key

1418

Comments