10 Hardware and Software Security

10-1 Policy

10-2 Hardware Security

10-2.1 Mainframes

10-2.2 Network Devices

10-2.3 Servers

10-2.3.1 Hardening Servers

10-2.3.2 Web Servers

10-2.3.3 Database Servers

10-2.3.4 Combined Web and Database Servers

10-2.4 Workstations and Mobile Computing Devices

10-2.4.1 Physical Security

10-2.4.2 Password-Protected or Token-Protected Screen Saver

10-2.5 Mobile Computing Devices

10-2.6 Bring Your Own Device

10-3 Software and Applications Security

10-3.1 Software Safeguards

10-3.2 Complying With Copyright and Licensing

10-3.3 Secure-Transaction Compliance

10-3.3.1 Financial Requirements

10-3.3.2 Medical Information Requirements

10-3.4 Version Control

10-3.4.1 Updating Software

10-3.4.2 Distributing Software

10-3.4.3 Prohibited Software

10-3.4.4 Unapproved Software

10-3.4.5 Source Code

10-3.5 Operating Systems

10-3.6 Application Software

10-3.7 Database Management Systems

10-3.7.1 DBMS Activity Journals

10-3.7.2 DBMS Security Features and Views

10-3.8 Web-Based PCI Applications

10-3.9 COTS Software

10-3.9.1 COTS Software Security Evaluation and Vulnerability Assessment

10-3.9.2 COTS Independent Code Review

10-3.10 Browser Software

10-3.10.1 Approved Browser Software

10-3.10.2 Cookies

10-3.11 Third-Party Software

10-3.11.1 Ownership

10-3.11.2 Licensing and Escrow of Custom-Built Applications

10-3.11.3 Assurance of Integrity

10-4 General Policies for Hardware and Software

10-4.1 Securing the Postal Service Computing Infrastructure

10-4.2 Acquiring Hardware and Software

10-4.3 Using Approved Hardware and Software

10-4.3.1 General Acquisition Policy

10-4.3.2 Shareware and Freeware

10-4.3.3 Teleworking

10-4.4 Testing of Hardware and Software

10-4.5 Tracking Hardware and Software Vulnerabilities

10-4.6 Scanning Hardware and Software for Vulnerabilities

10-4.7 Maintaining Inventories

10-4.7.1 Corporate Software Inventory

10-4.7.2 Individual Information Resource Inventories

10-4.8 Isolation of Postal Service Information

10-4.9 Using Diagnostic Hardware and Software

10-4.10 Controlling Preventive and Regular Maintenance

10-4.11 Controlling Maintenance Tools

10-5 Configuration and Change Management

10-5.1 Significant Changes

10-6 Protection Against Viruses and Malicious Code

10-6.1 Virus Protection Software

10-6.1.1 Installation

10-6.1.2 Scanning

10-6.1.3 Updating

10-6.2 Other Protection Measures

10-6.2.1 Protecting Shared and Retrieved Files

10-6.2.2 Evaluating Dynamic Code

10-6.2.3 Protecting Applications

10-6.2.4 Creating Backups before Installation

10-6.2.5 Checking for Viruses Before Distribution

10-6.2.6 Intrusion Detection/Prevention

10-6.2.7 Automated Mechanisms

10-7 Operating System, Database Management System, and Application Audit Log Requirements

10-7.1 Operating System Audit Logs

10-7.2 Database Management System Audit Logs

10-7.3 Application Audit Logs

10-7.4 PCI Audit Logs