Deficient IA training for VTC system/endpoint users, administrators, and helpdesk representatives.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-17710	RTS-VTC 3660.00	SV-18884r1_rule	PRTN-1	Medium

Description
DoDI 8500.2 IA control PRTN-1 regarding “Personnel/Information Assurance Training” states “A program is implemented to ensure that upon arrival and periodically thereafter, all personnel receive training and familiarization to perform their assigned IA responsibilities, to include familiarization with their prescribed roles in all IA- related plans such as incident response, configuration management and COOP or disaster recovery.” An “assigned IA responsibility” of any user or administrator of a DoD Information System (IS) is to operate the system or device in a secure and IA conscious or aware manner. This means that administrators have an “assigned IA responsibility” to configure systems and devices in a manner that mitigates vulnerabilities and other IA issues to the greatest extent possible. This also means that users have an “assigned IA responsibility” to use and operate systems and devices in the same manner. Under this IA control, users and administrators of VTC systems and endpoints must receive training that covers the vulnerabilities and other IA issues associated with operating a VTC system and/or endpoint. Additionally, users and administrators must be trained in the proper configuration, installation techniques, and approved connections for the VTC system and/or endpoint that are applicable to their exposure to the system. Furthermore, users and administrators must be trained in the proper operating procedures for the system so that meeting information is properly protected as well as other non-meeting related information in the area near a VTC endpoint is not improperly disclosed or compromised. Helpdesk representatives supporting a VTC system or endpoints must also be appropriately trained in all aspects of VTC operation and IA. This may be accomplished within a typical tiered helpdesk organization, but all representatives must be made aware of the IA vulnerabilities and issues.

Description

DoDI 8500.2 IA control PRTN-1 regarding “Personnel/Information Assurance Training” states “A program is implemented to ensure that upon arrival and periodically thereafter, all personnel receive training and familiarization to perform their assigned IA responsibilities, to include familiarization with their prescribed roles in all IA- related plans such as incident response, configuration management and COOP or disaster recovery.” An “assigned IA responsibility” of any user or administrator of a DoD Information System (IS) is to operate the system or device in a secure and IA conscious or aware manner. This means that administrators have an “assigned IA responsibility” to configure systems and devices in a manner that mitigates vulnerabilities and other IA issues to the greatest extent possible. This also means that users have an “assigned IA responsibility” to use and operate systems and devices in the same manner. Under this IA control, users and administrators of VTC systems and endpoints must receive training that covers the vulnerabilities and other IA issues associated with operating a VTC system and/or endpoint. Additionally, users and administrators must be trained in the proper configuration, installation techniques, and approved connections for the VTC system and/or endpoint that are applicable to their exposure to the system. Furthermore, users and administrators must be trained in the proper operating procedures for the system so that meeting information is properly protected as well as other non-meeting related information in the area near a VTC endpoint is not improperly disclosed or compromised. Helpdesk representatives supporting a VTC system or endpoints must also be appropriately trained in all aspects of VTC operation and IA. This may be accomplished within a typical tiered helpdesk organization, but all representatives must be made aware of the IA vulnerabilities and issues.

STIG	Date
Video Teleconference STIG	2014-02-11

Details

Check Text ( C-18980r1_chk )
[IP][ISDN]; Interview the IAO and validate compliance with the following requirement: Ensure VTC system/endpoint users, administrators, and helpdesk representatives receive training as follows: - Administrators, helpdesk representatives, and users are trained in all VTC system and endpoint vulnerabilities, IA issues, risks to both meeting and non-meeting related information, and “Assured Service” capabilities. - Users, administrators, and helpdesk representatives are trained in all aspects of VTC system and endpoint vulnerability/risk mitigation and operating procedures. This training may be tailored to the specific VTC system or devices the user is receiving, will receive, (e.g., office VTU, desktop VTU, or PC soft-VTU) or is authorized to use (e.g., a conference room system). - Administrators and helpdesk representatives are trained in all aspects of VTC system and endpoint configuration and implementation to include approved connections. Furthermore ensure such training includes the requirements in this STIG and other DoD policies that address acceptable use and secure/proper operation and configuration of the various VTC endpoint types and their associated systems. Topics to be covered in such training are, but are not limited to, the following: -The details contained in the SOPs intended to mitigate the vulnerabilities and risks associated with the configuration and operation of the specific VTC system or devices to include: > Protection of the information discussed or presented in the meeting such as the technical measures to prevent disclosure as well as the inadvertent disclosure of sensitive or classified information to individuals within view or earshot of the VTU. >The inadvertent disclosure of non-meeting related information to other conference attendees while sharing a presentation or other information from a PC workstation. >The inadvertent capture and dissemination of non-meeting related information from the area around the VTC endpoint to the other conference attendees. >The ability of the specific VTC system and network to provide or not to provide “Assured Service”. - Other training topics mentioned elsewhere in this document, are not listed here. Note: Documentation is maintained regarding users, administrators, and helpdesk representative’s receipt of training. Training is refreshed annually and may be incorporated into other IA training received annually. Note: The site may modify these items in accordance with local site policy however these items must be addressed in the training materials. Note: The site may adopt or incorporate appropriate training materials developed by another organization providing the required topics are covered. - Inspect training materials to assess the coverage of the topics listed in the requirement. - Inspect training records to determine if training is being provided on a recurring basis to all users, administrators, and helpdesk representatives. - Interview a random sampling of users, administrators, and helpdesk representatives to determine if training has been received as required.

Check Text ( C-18980r1_chk )

[IP][ISDN]; Interview the IAO and validate compliance with the following requirement:

Ensure VTC system/endpoint users, administrators, and helpdesk representatives receive training as follows:
- Administrators, helpdesk representatives, and users are trained in all VTC system and endpoint vulnerabilities, IA issues, risks to both meeting and non-meeting related information, and “Assured Service” capabilities.
- Users, administrators, and helpdesk representatives are trained in all aspects of VTC system and endpoint vulnerability/risk mitigation and operating procedures. This training may be tailored to the specific VTC system or devices the user is receiving, will receive, (e.g., office VTU, desktop VTU, or PC soft-VTU) or is authorized to use (e.g., a conference room system).
- Administrators and helpdesk representatives are trained in all aspects of VTC system and endpoint configuration and implementation to include approved connections.
Furthermore ensure such training includes the requirements in this STIG and other DoD policies that address acceptable use and secure/proper operation and configuration of the various VTC endpoint types and their associated systems. Topics to be covered in such training are, but are not limited to, the following:
-The details contained in the SOPs intended to mitigate the vulnerabilities and risks associated with the configuration and operation of the specific VTC system or devices to include:
> Protection of the information discussed or presented in the meeting such as the technical measures to prevent disclosure as well as the inadvertent disclosure of sensitive or classified information to individuals within view or earshot of the VTU.
>The inadvertent disclosure of non-meeting related information to other conference attendees while sharing a presentation or other information from a PC workstation.
>The inadvertent capture and dissemination of non-meeting related information from the area around the VTC endpoint to the other conference attendees.
>The ability of the specific VTC system and network to provide or not to provide “Assured Service”.
- Other training topics mentioned elsewhere in this document, are not listed here.

Note: Documentation is maintained regarding users, administrators, and helpdesk representative’s receipt of training. Training is refreshed annually and may be incorporated into other IA training received annually.
Note: The site may modify these items in accordance with local site policy however these items must be addressed in the training materials.

Note: The site may adopt or incorporate appropriate training materials developed by another organization providing the required topics are covered.

- Inspect training materials to assess the coverage of the topics listed in the requirement.
- Inspect training records to determine if training is being provided on a recurring basis to all users, administrators, and helpdesk representatives.
- Interview a random sampling of users, administrators, and helpdesk representatives to determine if training has been received as required.

Fix Text (F-17607r1_fix)
([IP][ISDN]; Perform the following tasks: Develop training materials that cover the following: - Administrators, helpdesk representatives, and users are trained in all VTC system and endpoint vulnerabilities, IA issues, risks to both meeting and non-meeting related information, and “Assured Service” capabilities. - Users, administrators, and helpdesk representatives are trained in all aspects of VTC system and endpoint vulnerability/risk mitigation and operating procedures. This training may be tailored to the specific VTC system or devices the user is receiving, will receive, (e.g., office VTU, desktop VTU, or PC soft-VTU) or is authorized to use (e.g., a conference room system). - Administrators and helpdesk representatives are trained in all aspects of VTC system and endpoint configuration and implementation to include approved connections. Furthermore ensure such training includes the requirements in this STIG and other DoD policies that address acceptable use and secure/proper operation and configuration of the various VTC endpoint types and their associated systems. Topics to be covered in such training are, but are not limited to, the following: -The details contained in the SOPs intended to mitigate the vulnerabilities and risks associated with the configuration and operation of the specific VTC system or devices to include: > Protection of the information discussed or presented in the meeting such as the technical measures to prevent disclosure as well as the inadvertent disclosure of sensitive or classified information to individuals within view or earshot of the VTU. >The inadvertent disclosure of non-meeting related information to other conference attendees while sharing a presentation or other information from a PC workstation. >The inadvertent capture and dissemination of non-meeting related information from the area around the VTC endpoint to the other conference attendees. >The ability of the specific VTC system and network to provide or not to provide “Assured Service”. - Other training topics mentioned elsewhere in this document, are not listed here. Provide training to users, administrators, and helpdesk representatives initially and on an annually recurring basis. Maintain documentation on who received training and when.

Fix Text (F-17607r1_fix)

([IP][ISDN]; Perform the following tasks:
Develop training materials that cover the following:
- Administrators, helpdesk representatives, and users are trained in all VTC system and endpoint vulnerabilities, IA issues, risks to both meeting and non-meeting related information, and “Assured Service” capabilities.
- Users, administrators, and helpdesk representatives are trained in all aspects of VTC system and endpoint vulnerability/risk mitigation and operating procedures. This training may be tailored to the specific VTC system or devices the user is receiving, will receive, (e.g., office VTU, desktop VTU, or PC soft-VTU) or is authorized to use (e.g., a conference room system).
- Administrators and helpdesk representatives are trained in all aspects of VTC system and endpoint configuration and implementation to include approved connections.
Furthermore ensure such training includes the requirements in this STIG and other DoD policies that address acceptable use and secure/proper operation and configuration of the various VTC endpoint types and their associated systems. Topics to be covered in such training are, but are not limited to, the following:
-The details contained in the SOPs intended to mitigate the vulnerabilities and risks associated with the configuration and operation of the specific VTC system or devices to include:
> Protection of the information discussed or presented in the meeting such as the technical measures to prevent disclosure as well as the inadvertent disclosure of sensitive or classified information to individuals within view or earshot of the VTU.
>The inadvertent disclosure of non-meeting related information to other conference attendees while sharing a presentation or other information from a PC workstation.
>The inadvertent capture and dissemination of non-meeting related information from the area around the VTC endpoint to the other conference attendees.
>The ability of the specific VTC system and network to provide or not to provide “Assured Service”.
- Other training topics mentioned elsewhere in this document, are not listed here.

Provide training to users, administrators, and helpdesk representatives initially and on an annually recurring basis.
Maintain documentation on who received training and when.