9 Information Security Services

9-1 Policy

9-2 Security Services Overview

9-3 Authorization

9-3.1 Authorization Principles

9-3.1.1 Clearances

9-3.1.2 Need to Know

9-3.1.3 Separation of Duties

9-3.1.4 Least Privilege

9-3.2 Authorization Management

9-3.2.1 Requesting Authorization

9-3.2.2 Temporary Information Services

9-3.2.3 Expiration of Temporary Access Authorization

9-3.2.4 Approving Requests

9-3.2.5 Periodic Review of Access Authorization

9-3.2.6 Implementing Changes

9-3.2.7 Revoking Access

9-3.2.8 Sudo (Pseudo) Access

9-3.2.9 User and Resource Registration Management

9-3.2.10 Special Account Registration Management

9-3.2.11 Emergency Access when Individual is not Available

9-3.2.12 Emergency Access to Production Information

9-3.3 Authorization Requirements

9-4 Accountability

9-4.1 Types of Accountability

9-4.1.1 Site Accountability

9-4.1.2 Network Accountability

9-4.1.3 Individual Accountability

9-4.2 Types of Accounts

9-4.2.1 User Accounts

9-4.2.2 Privileged Accounts

9-4.2.3 Service Accounts

9-4.2.4 Shared Accounts

9-4.2.5 Supplier and Vendor Default and Maintenance Accounts

9-4.2.6 Guest Accounts

9-4.3 Account Management

9-4.3.1 Establishing Accounts

9-4.3.2 Documenting Account Information

9-4.3.3 Configuring Account Time-Outs

9-4.3.4 Local Accounts

9-4.3.5 Departing Personnel

9-4.3.6 Vendor Maintenance Accounts

9-4.3.7 Handling Compromised Accounts

9-5 Identification

9-5.1 Issuing Log-on IDs

9-5.2 Protecting Log-on IDs

9-5.3 Suspending Log-on IDs

9-5.4 Failed Log-on Attempts

9-5.4.1 Recording Failed Log-on Attempts

9-5.4.2 User Notification of Failed Log-on Attempt

9-5.5 Terminating Log-on IDs

9-5.6 Identification Requirements

9-6 Authentication

9-6.1 Passwords

9-6.1.1 Password Selection Requirements

9-6.1.2 Password Selection Recommendations

9-6.1.3 Initial Password

9-6.1.4 Password Suspension

9-6.1.5 Reset Passwords

9-6.1.6 Password Expiration

9-6.1.7 Requests for Use of Nonexpiring Password Accounts

9-6.1.8 Requests for Use of Nonexpiring Service Accounts

9-6.1.9 Password Protection

9-6.1.10 Password Storage

9-6.1.11 Vendor Default Passwords

9-6.1.12 Password Requirements

9-6.2 Personal Identification Numbers

9-6.2.1 PIN Generation and Selection Requirements

9-6.2.2 PIN Distribution

9-6.2.3 PIN Protection

9-6.2.4 Forgotten PINs

9-6.2.5 Suspension

9-6.2.6 PIN Cancellation and Destruction

9-6.2.7 PINs Used for Financial Transactions

9-6.3 Shared Secrets

9-6.4 Digital Certificates and Signatures

9-6.4.1 Digital Certificate

9-6.4.2 Digital Signature

9-6.4.3 Certificate and Signature Standards

9-6.4.4 Digitized Signatures

9-6.4.5 Certificate Stores

9-6.4.6 Naming Constraints

9-6.4.7 Meaningful Names

9-6.4.8 Rules for Constructing Various Name Forms

9-6.4.9 Name Claim Dispute Resolution Procedure

9-6.5 Smart Cards and Tokens

9-6.6 Biometrics

9-6.7 Strong Authentication

9-6.8 Nonrepudiation

9-6.8.1 Information Resource Nonrepudiation Requirements

9-6.9 Remote-Access Authentication

9-6.10 Session Management

9-6.10.1 Session Establishment

9-6.10.2 Session Expiration

9-6.10.3 Time-Out Requirements (Re-authentication)

9-6.11 Single Sign-On

9-6.12 Authentication Requirements

9-7 Confidentiality

9-7.1 Encryption

9-7.1.1 Minimum Encryption Standards

9-7.1.2 Required for Transmission and Storage

9-7.1.3 Recommended for Storage on Postal Service Servers and Mainframes

9-7.1.4 Required for Workstations and Laptops

9-7.2 Use of Encryption Products

9-7.3 Key Management

9-7.3.1 Protecting Encryption Keys

9-7.3.2 Recommended Key Management Practices

9-7.3.3 Key Management Requirements

9-7.3.4 Public and Private Key Management Agreement

9-7.4 Cryptographic Hash Function

9-7.5 Elimination of Residual Data

9-8 Integrity

9-8.1 Information Resource Integrity

9-8.2 Data Integrity Requirements

9-8.3 Application Requirements

9-8.4 Management Requirements

9-8.5 End-User Computing Requirements

9-9 Availability

9-9.1 Capacity Planning and Scalability

9-9.2 Redundancy

9-9.3 Relationship of Criticality, Recovery-Time Objective, and Recovery-Point Objective

9-9.3.1 Criticality

9-9.3.2 Recovery-Time Objective

9-9.3.3 Recovery-Point Objective

9-9.4 Assuring Availability

9-9.4.1 Data Replication

9-9.4.2 Remote Tape Vaulting

9-9.4.3 Application Database Replication and Journaling

9-9.4.4 Alternate Backup Requirements

9-9.5 Information Resource Recovery and Reconstitution

9-9.6 High Availability

9-10 Security Administration

9-10.1 Security Administration Requirements

9-10.2 Security Administration Documentation Requirements

9-11 Audit Logging

9-11.1 Audit Logging Functionality Requirements

9-11.2 Audit Log Events

9-11.3 Audit-Log Contents

9-11.4 Audit-Log Protection

9-11.5 Audit-Log Reviews

9-11.6 Audit-Log Retention