Profile Applicability:
 Level 1

Description:
 Configure the Source Code Management (SCM) system to send email notifications only to recipients with verified and authorized email domains. This restriction helps prevent sensitive information from being inadvertently shared outside the trusted organizational boundaries and reduces the risk of phishing or social engineering attacks.

Rationale:
 Limiting SCM email notifications to verified domains ensures that only authorized users within approved domains receive potentially sensitive notifications such as commit alerts, pull request updates, and issue tracking messages. This control protects the confidentiality of development activities and supports compliance with organizational security policies.

Impact:
 Pros:

  • Protects sensitive project information from unauthorized disclosure.

  • Reduces risk of phishing and social engineering through email.

  • Supports compliance with privacy and security requirements.

 Cons:

  • May require ongoing management of allowed email domains.

  • Could restrict communication with external collaborators if not properly configured.

Default value:
 By default, some SCM platforms may send notifications to any email address without domain restrictions.

Audit:
 Review SCM notification settings and email recipient logs to confirm that emails are sent only to verified domains. Verify configuration of allowed domains and check for any unauthorized recipients.

Remediation:
 Implement domain filtering or whitelisting in SCM email notification settings. Maintain and regularly update the list of approved domains. Communicate policies to users and external collaborators.
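The following script is an added example for the Audit and Remediation steps above; it is not part of the CIS benchmark or of any SCM vendor's tooling. It assumes you can export the recipient addresses of recent notification emails (from the SCM's notification settings or its mail logs) into a list of strings, and that the allowlist of verified domains is maintained by the organization. The allowlist, the sample recipient list, and the function names (`audit_recipients`, `allowed_recipients`) are constructed for this example.

```python
"""Check SCM notification recipients against an allowlist of verified domains.

Added example for this control (not benchmark or vendor code). Assumes the
recipient addresses were exported from the SCM's notification settings or
mail logs; all data below is constructed.
"""
import re
from dataclasses import dataclass

# Hypothetical allowlist of verified organizational domains (constructed).
# In practice this list comes from the organization's approved-domain policy.
VERIFIED_DOMAINS = {"example.com", "dev.example.com"}

# Constructed sample export of notification recipients, including a
# case-variant address, an unlisted subdomain, a lookalike domain,
# and a malformed entry.
SAMPLE_RECIPIENTS = [
    "alice@example.com",
    "Bob@Example.COM",
    "carol@dev.example.com",
    "dave@ci.example.com",
    "eve@example.com.attacker.invalid",
    "frank@notexample.com",
    "broken@@example.com",
]

_LOCAL_PART = re.compile(r"^[A-Za-z0-9._%+-]+$")
_DOMAIN = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$")


@dataclass(frozen=True)
class Finding:
    """One recipient that fails the verified-domain check."""
    address: str
    reason: str


def normalize_domain(address):
    """Return the lowercase domain of an address, or None if it is malformed."""
    if address.count("@") != 1:
        return None
    local, domain = address.split("@", 1)
    if not _LOCAL_PART.match(local) or not _DOMAIN.match(domain):
        return None
    # Domains are case-insensitive, so compare in lowercase.
    return domain.lower()


def domain_is_verified(domain, verified, allow_subdomains=False):
    """Exact allowlist match; optionally accept subdomains of a verified domain.

    Suffix matching requires the dot separator, so "notexample.com" and
    "example.com.attacker.invalid" never match "example.com".
    """
    if domain in verified:
        return True
    if allow_subdomains:
        return any(domain.endswith("." + v) for v in verified)
    return False


def audit_recipients(recipients, verified=VERIFIED_DOMAINS, allow_subdomains=False):
    """Audit step: return a Finding for every recipient outside the allowlist."""
    findings = []
    for raw in recipients:
        addr = raw.strip()
        domain = normalize_domain(addr)
        if domain is None:
            findings.append(Finding(addr, "malformed address"))
        elif not domain_is_verified(domain, verified, allow_subdomains):
            findings.append(Finding(addr, f"domain {domain!r} not in verified allowlist"))
    return findings


def allowed_recipients(recipients, verified=VERIFIED_DOMAINS, allow_subdomains=False):
    """Remediation step: filter a recipient list down to verified domains only."""
    flagged = {f.address for f in audit_recipients(recipients, verified, allow_subdomains)}
    return [r.strip() for r in recipients if r.strip() not in flagged]


if __name__ == "__main__":
    for finding in audit_recipients(SAMPLE_RECIPIENTS):
        print(f"UNAUTHORIZED {finding.address}: {finding.reason}")
    print("Allowed:", allowed_recipients(SAMPLE_RECIPIENTS))
```

The check is strict by default: `ci.example.com` is flagged unless it is explicitly on the allowlist or `allow_subdomains=True` is passed, which matches the control's intent that every receiving domain be verified rather than inferred. Run it periodically over exported recipient data and treat any non-empty findings list as an audit failure.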

References:

  1. GitHub Notification Settings: https://docs.github.com/en/account-and-profile/managing-subscriptions-and-notifications-on-github/configuring-your-notifications

  2. GitLab Notification Preferences: https://docs.gitlab.com/ee/user/profile/notifications.html

  3. CIS Controls v8, Control 14 - Controlled Access Based on the Need to Know: https://www.cisecurity.org/controls/controlled-access-based-on-the-need-to-know/