10 Hardware and Software Security
10-1 Policy
10-2 Hardware Security
10-2.1 Mainframes
10-2.2 Network Devices
10-2.3 Servers
10-2.3.1 Hardening Servers
10-2.3.2 Web Servers
10-2.3.3 Database Servers
10-2.3.4 Combined Web and Database Servers
10-2.4 Workstations and Mobile Computing Devices
10-2.4.1 Physical Security
10-2.4.2 Password-Protected or Token-Protected Screen Saver
10-2.5 Mobile Computing Devices
10-2.6 Bring Your Own Device
10-2.7 Hardware Asset Inventory
10-2.7.1 Active Hardware Discovery
10-2.7.2 Passive Hardware Discovery
10-2.7.3 DHCP Logging
10-2.7.4 Hardware Asset Removal
10-2.7.5 Network Access Control
10-2.7.6 Client Certificate Authentication
10-3 Software and Applications Security
10-3.1 Software Safeguards
10-3.2 Complying With Copyright and Licensing
10-3.3 Secure-Transaction Compliance
10-3.3.1 Financial Requirements
10-3.3.2 Medical Information Requirements
10-3.4 Version Control
10-3.4.1 Updating Software
10-3.4.2 Distributing Software
10-3.4.3 Prohibited Software
10-3.4.4 Unapproved Software
10-3.4.5 Source Code
10-3.5 Operating Systems
10-3.6 Application Software
10-3.7 Database Management Systems
10-3.7.1 DBMS Activity Journals
10-3.7.2 DBMS Security Features and Views
10-3.8 Web-Based PCI Applications
10-3.9 COTS Software
10-3.9.1 COTS Software Security Evaluation and Vulnerability Assessment
10-3.9.2 COTS Independent Code Review
10-3.10 Browser Software
10-3.10.1 Approved Browser Software
10-3.10.2 Cookies
10-3.11 Third-Party Software
10-3.11.1 Ownership
10-3.11.2 Licensing and Escrow of Custom-Built Applications
10-3.11.3 Assurance of Integrity
10-4 General Policies for Hardware and Software
10-4.1 Securing the Postal Service Computing Infrastructure
10-4.2 Acquiring Hardware and Software
10-4.3 Using Approved Hardware and Software
10-4.3.1 General Acquisition Policy
10-4.3.2 Shareware and Freeware
10-4.3.3 Teleworking
10-4.4 Testing of Hardware and Software
10-4.5 Tracking Hardware and Software Vulnerabilities
10-4.6 Scanning Hardware and Software for Vulnerabilities
10-4.7 Maintaining Inventories
10-4.7.1 Corporate Software Inventory
10-4.7.2 Individual Information Resource Inventories
10-4.7.3 Vendor Software Support
10-4.7.4 Dynamic Software Discovery
10-4.7.5 Asset Inventory Integration
10-4.7.6 Application Software Whitelisting
10-4.7.7 Software Library Whitelisting
10-4.7.8 Software Script Whitelisting
10-4.7.9 Software Segregation
10-4.8 Isolation of Postal Service Information
10-4.9 Using Diagnostic Hardware and Software
10-4.10 Controlling Preventive and Regular Maintenance
10-4.11 Controlling Maintenance Tools
10-5 Configuration and Change Management
10-5.1 Significant Changes
10-6 Protection Against Viruses and Malicious Code
10-6.1 Virus Protection Software
10-6.1.1 Installation
10-6.1.2 Scanning
10-6.1.3 Updating
10-6.2 Other Protection Measures
10-6.2.1 Protecting Shared and Retrieved Files
10-6.2.2 Evaluating Dynamic Code
10-6.2.3 Protecting Applications
10-6.2.4 Creating Backups Before Installation
10-6.2.5 Checking for Viruses Before Distribution
10-6.2.6 Intrusion Detection/Prevention
10-6.2.7 Automated Mechanisms
10-7 Operating System, Database Management System, and Application Audit Log Requirements
10-7.1 Operating System Audit Logs
10-7.2 Database Management System Audit Logs
10-7.3 Application Audit Logs
10-7.4 PCI Audit Logs