STIGQter: STIG Summary: IBM MaaS360 with Watson v10.x MDM Security Technical Implementation Guide (Version: 1, Release: 2, Benchmark Date: 26 Apr 2019)

The MaaS360 MDM server must be configured to have at least one user in the following Administrator roles: Server primary administrator, security configuration administrator, device user group administrator, auditor.

DISA Rule

SV-96881r1_rule

Vulnerability Number

V-82167

Group Title

PP-MDM-311058

Rule Version

M360-10-007100

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

On the MaaS360 console, complete the following steps for each role:
1. Go to Setup >> Roles.
2. Select the "Add Role" button.
3. Under "Basic Information", input the Role Name and Role Description.
4. Under "Select Mode of Creation", click on the "Create new" bubble and then click "Next".
5. Under "Grant Access Rights", select the appropriate rights for the role and then click "Save".

Check Contents

Review the MaaS360 server console and confirm that different roles (administrator, auditor, user) are created with different levels of privileges, providing separation of duties for different users/groups.

On the MaaS360 console, complete the following steps:
1. Go to Setup >> Roles.
2. Verify all required roles are listed. (Note: Role titles may be different than listed in the requirement statement.)
3. Select the applicable role, select "edit", and then verify that the role has the appropriate access rights based on the vulnerability description of this requirement statement (check).

If the MaaS360 server does not have all required roles and the roles do not have appropriate rights, this is a finding.

Documentable

False

Severity Override Guidance

Review the MaaS360 server console and confirm that different roles (administrator, auditor, user) are created with different levels of privileges, providing separation of duties for different users/groups.

On the MaaS360 console, complete the following steps:
1. Go to Setup >> Roles.
2. Verify all required roles are listed. (Note: Role titles may be different than listed in the requirement statement.)
3. Select the applicable role, select "edit", and then verify that the role has the appropriate access rights based on the vulnerability description of this requirement statement (check).

If the MaaS360 server does not have all required roles and the roles do not have appropriate rights, this is a finding.

Check Content Reference

M

Target Key

3403
