9-4.3 Account Management

Accounts must be established so that access is granted on the basis of clearance, need to know, separation of duties, and least privilege. Accounts unused for 90 days must be disabled. Accounts unused for 1 year must be deleted.
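The following PowerShell script is an added example of automating the 90-day disable and 1-year delete rules against Active Directory; it is not Handbook text, nor part of eAccess or any Postal Service tool. It assumes the ActiveDirectory RSAT module, an account permitted to disable and delete users, and a hypothetical search base OU; the thresholds are the Handbook's own.

```powershell
# Added example (not Handbook text): disable AD accounts idle for 90 days and
# delete accounts idle for one year. The search base is hypothetical; adjust it.
# Run with -DryRun first; nothing is changed until the switch is omitted.
param(
    [string]$SearchBase       = 'OU=Users,DC=example,DC=com',  # hypothetical OU
    [int]   $DisableAfterDays = 90,
    [int]   $DeleteAfterDays  = 365,
    [switch]$DryRun
)

Import-Module ActiveDirectory
$now = Get-Date

# LastLogonDate is derived from lastLogonTimestamp, which domain controllers
# replicate only once it is roughly 14 days stale, so the value can lag real
# use by up to two weeks. That makes the 90-day test conservative (never early).
# An account that has never logged on has no LastLogonDate; age it from
# whenCreated instead, or it would never be caught by either rule.
$users = Get-ADUser -SearchBase $SearchBase -Filter '*' `
    -Properties LastLogonDate, whenCreated, Description

foreach ($u in $users) {
    $lastUsed = if ($u.LastLogonDate) { $u.LastLogonDate } else { $u.whenCreated }
    $idleDays = [int]($now - $lastUsed).TotalDays

    if ($idleDays -ge $DeleteAfterDays) {
        Write-Output ("DELETE  {0,-20} idle {1} days" -f $u.SamAccountName, $idleDays)
        if (-not $DryRun) { Remove-ADUser -Identity $u -Confirm:$false }
    }
    elseif ($idleDays -ge $DisableAfterDays -and $u.Enabled) {
        Write-Output ("DISABLE {0,-20} idle {1} days" -f $u.SamAccountName, $idleDays)
        if (-not $DryRun) {
            Disable-ADAccount -Identity $u
            # Leave an audit trail on the object so the deletion pass has context.
            Set-ADUser -Identity $u -Description ("Disabled {0:yyyy-MM-dd}: unused {1} days" -f $now, $idleDays)
        }
    }
}
```

Scope the search base to OUs holding human user accounts and exclude any account with a documented exception before dropping -DryRun; an account that has been idle for a year has usually already been disabled by an earlier 90-day pass, which is why the delete branch does not test Enabled.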

9-4.3.1 Establishing Accounts

To establish an account, personnel must request an account from their manager or supervisor via eAccess at http://eaccess.

9-4.3.2 Documenting Account Information

The account information database must record, for each user account, the log-on ID, group memberships, access control privileges, authentication information, and security-relevant roles. Any security-related attributes that are maintained must be stored securely to protect their confidentiality and integrity.

9-4.3.3 Configuring Account Time-Outs

Accounts must be configured to log the workstation off the network or disable the session after a predetermined period of inactivity and to require re-authentication before work resumes. This control should be automated wherever possible. The Postal Service default standard period of inactivity is a maximum of 30 minutes. Ending or locking idle sessions reduces the time during which an unattended, authenticated session exposes Postal Service information resources to compromise. Any deviation from this standard is the responsibility of the executive sponsor and must be documented and approved by the CISO.

9-4.3.4 Local Accounts

All access to information resources will be through Active Directory accounts and passwords or through Active Directory-enforced two-factor authentication. Local accounts are prohibited on all servers, workstations, laptops, and other end-user computing devices. Users and operations staff will use individually issued, identifiable Active Directory accounts for access.

Exceptions to this policy are the following:

  1. The local built-in Administrator account is retained on all servers, workstations, and laptops but is restricted to operations personnel working on machines that are disconnected from the network and therefore unable to authenticate to the directory. The local built-in Administrator accounts and their passwords must be maintained in accordance with the requirements for elevated privileged accounts. These accounts are part of the standard server build/configuration and do not require separate approval or management through eAccess.
  2. Mobile computing device access is granted a blanket exception because the current models support local accounts only. These accounts are part of the standard device build/configuration and do not require separate approval or management through eAccess.

Other exceptions may be granted on a case-by-case basis by the CISO and the manager, IT Desktop Computing (ITDC), where a COTS product will not work without a local account or there is a compelling business or operational need.

Requests for exceptions to the policy prohibiting local accounts, other than the built-in Administrator and mobile computing device accounts, must be made through eAccess. The approving manager must be a PCES manager; the CISO will be the FSC; and ITDC will be the log administrator. The eAccess system serves as the archive for requests, approvals or denials, and implementation if approved.
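The PowerShell below is an added endpoint audit serving both 9-4.3.3 and 9-4.3.4; it is not Handbook text or a Postal Service tool. It lists every local account on a Windows host, flags anything other than the built-in Administrator (relative ID 500) and the disabled accounts Windows itself creates, checks the local Administrators group for non-domain members, and reads the "Interactive logon: Machine inactivity limit" policy value to confirm the session locks within the 30-minute default. The function names are this example's own; the registry path and value name are the ones Group Policy uses for that setting.

```powershell
# Added example (not Handbook text): audit a Windows endpoint for local accounts
# beyond the built-in Administrator (9-4.3.4) and confirm the machine inactivity
# limit that locks the session is no more than 30 minutes (9-4.3.3).
# Run locally as an administrator, or remotely via Invoke-Command.

function Get-LocalAccountFindings {
    # Relative IDs of accounts Windows creates itself. Only RID 500 is retained
    # under the policy; the others exist by default but must stay disabled.
    $windowsDefaults = @{ '501' = 'Guest'; '503' = 'DefaultAccount'; '504' = 'WDAGUtilityAccount' }

    foreach ($acct in Get-LocalUser) {
        $rid = $acct.SID.Value.Split('-')[-1]
        $finding = if ($rid -eq '500') {
            'OK: built-in Administrator (retained)'
        } elseif ($windowsDefaults.ContainsKey($rid)) {
            if ($acct.Enabled) { 'VIOLATION: Windows default account enabled' }
            else               { 'OK: Windows default account, disabled' }
        } else {
            'VIOLATION: local account not covered by 9-4.3.4; needs eAccess exception'
        }
        [pscustomobject]@{ Name = $acct.Name; RID = $rid; Enabled = $acct.Enabled; Finding = $finding }
    }

    # Local Administrators should contain domain principals and RID 500 only.
    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        if ($m.PrincipalSource -eq 'Local' -and -not $m.SID.Value.EndsWith('-500')) {
            [pscustomobject]@{ Name = $m.Name; RID = $m.SID.Value.Split('-')[-1]; Enabled = $null
                               Finding = 'VIOLATION: local principal in Administrators group' }
        }
    }
}

function Test-InactivityLimit {
    param([int]$MaxSeconds = 1800)   # 30 minutes, the Handbook default
    # Group Policy stores "Interactive logon: Machine inactivity limit" here.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $val = (Get-ItemProperty -Path $key -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs
    if ($null -eq $val -or $val -eq 0) { return 'VIOLATION: no machine inactivity limit configured' }
    if ($val -gt $MaxSeconds)          { return "VIOLATION: inactivity limit is $val s, exceeds $MaxSeconds s" }
    return "OK: inactivity limit is $val s"
}

Get-LocalAccountFindings | Format-Table -AutoSize
Test-InactivityLimit
```

The inactivity check covers the screen-lock path only; disconnecting or logging off idle Remote Desktop sessions is governed by separate session-limit policies and needs its own check. A finding of "needs eAccess exception" should be reconciled against the eAccess archive rather than treated as a violation outright.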

9-4.3.5 Departing Personnel

Accounts must be deleted, or their passwords changed, when personnel leave the organization.

9-4.3.6 Vendor Maintenance Accounts

Vendor maintenance accounts must be managed, enabled only while the vendor needs them, and monitored while in use.

9-4.3.7 Handling Compromised Accounts

Information resources must provide automated mechanisms to support identifying and handling information security incidents. All personnel who suspect an account has been compromised must immediately notify management and follow the incident reporting process (see 13-3.2, Incident Reporting).