10-2.4 Workstations and Mobile Computing Devices

All workstations and mobile computing devices including desktops, laptop computers, notebook computers, and tablet computers must have appropriate security controls. Workstation and mobile computing device installation and deployment must comply with standard configuration and deployment standards unique to that platform. All personnel are responsible for protecting the information resources at their individual work location and abiding by all information security policies and procedures that apply to their individual environment.

All Postal Service workstations and laptops must have an approved personal firewall installed, and personnel must connect to the Postal Service intranet at least once per week to receive the latest software patches, antivirus pattern recognition files, and personal firewall patterns. Appropriate configuration of the workstations and laptops to receive these patches and pattern updates is required.

All workstations processing PCI information and all laptop computers, notebook computers, and tablets must implement full disk encryption. In addition, sensitive-enhanced, sensitive, and critical information on other mobile computing devices must be protected (e.g., encrypted) when leaving a secure environment. All media subject to loss or removal from Postal Service premises must be encrypted. Only procure Postal Service-approved devices from approved sources. Only use USB flash drives and removable media that are encrypted. Back up critical information frequently and send backups offsite in accordance with Postal Service procedures. Critical information must not be backed up on the same device as the primary information.

10-2.4.1 Physical Security

All Postal Service workstations and mobile computing devices must be protected, at a minimum, by secure physical access to the facility or room. Other physical security controls may include, but are not limited to: unique platform identification (inventory control), identification card reader, screen protector or positioning screen to restrict viewing from passersby, lockable keyboard, physical lock, and desk-fastening security equipment.

10-2.4.2 Password-Protected or Token-Protected Screen Saver

Where feasible, all workstations and mobile computing devices must be configured prior to deployment to use password-protected or token-protected screen savers. After a period with no activity, password-protected screen savers will blank the screen; a password or token is then required to resume work. Users must protect the screen saver password or token just as they protect all other system passwords.