
Hardware security must be implemented based on Postal Service published standards on all computer hardware including, but not limited to, the following:

a. Mainframes.

b. Network devices.

c. Servers.

d. Workstations.

e. Mobile computing devices.

10-2.1 Mainframes

Appropriate security controls must be enabled. For mainframe implementation of this security policy, contact the manager, Host Computing Services.

10-2.2 Network Devices

Appropriate security controls must be enabled on all network devices, including routers, hubs, and switches (see 11-3, Protecting the Network Infrastructure).

10-2.3 Servers

Postal Service servers must be protected commensurate with the level of sensitivity and criticality of the information and business function. Server installation and deployment must comply with standard configuration and deployment standards unique to the individual server platform. Implement only one primary function per server (e.g., a Web server, database server, and domain name server (DNS) should be implemented on separate servers). Configuration standards for servers in the mail processing and mail handling equipment (MPE/MHE) nonroutable address space environment are defined by Engineering.

10-2.3.1 Hardening Servers

All information resources must be implemented on servers hardened to Postal Service standards. Hardening standards must be implemented specific to each platform. These standards must delineate restricted and prohibited functions, ports, protocols, and services and include details on how to configure systems with approved security parameter settings. Server hardening standards must require the removal of unnecessary functionality such as drivers, scripts, subsystems, and file systems.

Hardening standards must be updated as new vulnerabilities are uncovered and updates are available. Hardening standards must be reviewed and updated at least annually. This requirement includes hardening standards for mainframes, servers, networks, and firewalls.

Operating system and database software configurations, including services, protocols, and functionality, must be reviewed on a periodic basis commensurate with the level of sensitivity and criticality of the information and business function. Operating system software configuration reviews are performed on a semi-annual basis for UNIX. Unnecessary services and protocols must be disabled. All unnecessary functionality such as scripts, drivers, features, subsystems, and file systems must be removed. Vendor supplied default passwords must be removed and common parameters must be set to prevent misuse or compromise.

Servers must not be deployed to a production environment prior to hardening. Servers must be updated when the server hardening standards are updated for that platform.

Note: The manager, Corporate Information Security Office (CISO) Information Systems Security (ISS), is responsible for the update and distribution of server hardening standards.

10-2.3.2 Using Web Servers

All Postal Service Web servers, regardless of location, must use approved hardware and software with standard configurations to reduce the likelihood of

Hardware and Software Security 10-2.4

Web or Internet projects under the direct control of the Postal Service, the development and testing must be conducted on specifically designated development Web servers. Web servers must not be implemented on individual workstations without prior written approval by the manager, CISO ISS.

10-2.3.3 Using Database Servers

Database servers must use security controls appropriate for the level of sensitivity and criticality of the information they contain. Database servers must be separate from other servers, including Web and application servers (see 10-2.3.4, Combined Web and Database Servers, for an exception). Database servers located inside Postal Service firewalls must not be directly accessible from Web servers or other systems located outside firewalls. All database servers must be approved by the network connectivity review board (NCRB) prior to being deployed to the demilitarized zones.

Database servers must not be deployed to a production environment before hardening.

10-2.3.4 Combined Web and Database Servers

A Web server and database server may be placed on the same host if all the following requirements are met:

a. Application is not sensitive-enhanced, sensitive, or critical.

b. Application is not Internet accessible.

c. Application is not on the DMZ.

d. Application is not enclaved with sensitive-enhanced, sensitive, or critical applications.

e. Application is operationally standalone, that is, does not interact with other database servers.

f. Host meets Postal Service server hardening standards.

10-2.4 Workstations and Mobile Computing Devices

All workstations and mobile computing devices including desktops, laptop computers, notebook computers, and tablet computers must have appropriate security controls. Workstation and mobile computing device installation and deployment must comply with standard configuration and deployment standards unique to that platform. All personnel are responsible for protecting the information resources at their individual work location and abiding by all information security policies and procedures that apply to their individual environment.

All Postal Service workstations and laptops must have an approved personal firewall installed and personnel must connect to the Postal Service intranet at least once per week to receive the latest software patches, antivirus pattern recognition files, and personal firewall patterns. Appropriate configuration of the workstations and laptops to receive these patches and pattern updates is required.

All workstations processing PCI information and all laptop computers, notebook computers and tablets must implement full disk encryption. In

computing devices must be protected (e.g., encrypted) when leaving a secure environment. All media subject to loss or removal from Postal Service premises must be encrypted. Only procure Postal Service approved devices from approved sources. Only use USB flash drives and removable media that are capable of encryption.

10-2.4.1 Physical Security

All Postal Service workstations and mobile computing devices must be protected, at a minimum, by secure physical access to the facility or room. Other physical security controls may include, but are not limited to: unique platform identification (inventory control), identification card reader, screen protector or positioning screen to restrict viewing from passersby, lockable keyboard, physical lock, and desk-fastening security equipment.

10-2.4.2 Password-Protected or Token-Protected Screen Saver

Where feasible, all workstations and mobile computing devices must be configured prior to deployment to use password-protected or token-protected screen savers. After a period with no activity, password-protected screen savers will blank the screen; a password or token is then required to resume work. Users must protect the screen saver password or token just as they protect all other system passwords.

10-2.5 Mobile Computing Devices

Mobile computing information resources must be protected against damage, unauthorized access, and theft. All personnel who use or have custody of mobile computing devices, such as handheld computers, smartphone devices, wireless telephones, and removable storage media devices, are responsible for their safekeeping and the protection of any sensitive-enhanced, sensitive, and critical information stored on them.

All laptop and notebook computers must implement hard disk encryption. In addition, sensitive-enhanced and sensitive information on other portable devices must be protected (e.g., encrypted) when leaving a secure environment. All media subject to loss or removal from Postal Service premises must be encrypted. Only procure Postal Service approved devices from approved sources. Only use USB flash drives that are capable of encryption.

All mobile computing devices must be managed by a Mobile Device Management (MDM) solution. The MDM solution must be vetted and approved by CISO.

10-2.6 Bring Your Own Device

Personnel must not load Postal Service information on their own computing device or connect their own computing device to the Postal Service network.
