9-4.2 Types of Accounts

Access to information resources is managed through the use of multiple types of accounts, including the following:

  1. User.
  2. Privileged.
  3. Service.
  4. Shared.
  5. Vendor default and vendor maintenance.
  6. Guest.

Ownership for privileged, shared, and maintenance log-on IDs must be documented and administered in a secured manner.

9-4.2.1 User Accounts

User accounts provide application/platform users with a minimum level of information resources and application functionality needed to perform their duties (i.e., least privilege) and do not carry special privileges above those required to perform the user’s business function. This includes limited access accounts that exist for a specific purpose (e.g., an auditor account).

Application user accounts are used to log into the application via a front-end interface, and the account privileges and roles are restricted by the approved access. Platform user accounts (i.e., database and operating system) are used to access platform-level resources and are limited to nonprivileged access rights.

9-4.2.2 Privileged Accounts

Privileged accounts (e.g., administrator or maintenance accounts) are accounts that allow entitled users to change data, alter configuration settings, run programs, or view data without restriction. Assignment must be restricted to a unique individual whose duties require these additional privileges (e.g., system, network, database administrators). Use is restricted to performing those job functions required by the privileged account (e.g., creating new user profiles or altering the rights of existing nonprivileged users); individuals must use their regular user accounts to perform nonprivileged functions such as Internet access and Postal Service email.

Privileged accounts include Enterprise Admins, Schema Admins, Domain Admins, Administrators, Account Operators, Server Operators, Print Operators, and Backup Operators. Permission inheritance must be disabled for all privileged accounts.

Privileged users must use two-factor authentication. An audit trail must be maintained on all privileged account usage.

Application accounts must not have the capability to run as “root.”

9-4.2.3 Service Accounts

Service accounts are assigned to an information resource (e.g., server, application) or other automated process/service (not an individual) used to process data and/or identify actions or requests. Normally, the operating system uses this account when it hosts a service. Service accounts must be placed under management control. Service accounts must be created with the minimum access rights and privileges required to perform the necessary business function. These accounts must not be allowed root or administrative privileges. They are managed by the Postal Service entity responsible for the life cycle of the account, from creation through deployment, usage, and retirement when no longer needed. See 9-6.1.8, Requests for Use of Nonexpiring Service Accounts, for use of service accounts with nonexpiring passwords.

9-4.2.4 Shared Accounts

There are two types of shared accounts:

  1. Shared accounts (e.g., training accounts) have a single log-on ID and password that is used by more than one individual. A shared account must be used only for qualifying circumstances and when deemed necessary by the CISO. This approach to account usage is highly discouraged and requires the appropriate level of management approval via eAccess as well as approval by the CISO. The use of shared accounts must be tracked (e.g., logged) to manage individual accountability. The requesting manager is responsible for undocumented usage of the shared accounts and is responsible for password management. Shared accounts must not include access to Postal Service production systems, the Internet or the PCI environment. System operators must not share identification or authentication materials of any kind, nor allow any other person to operate any information systems by employing that user’s identity. Generic accounts must not be used to administer PCI system components.
  2. Managed email accounts are used to provide a single email mailbox that can be shared by multiple users. This mailbox is in addition to their personal regular mailboxes. The account is controlled by the account custodian. The custodian must send an email to the Postal Service Special Account Administrator to request access for a user. “Send As” allows a user to send emails under the name of the mailbox. The password is never shared, and each user logs on to his or her workstation with his or her own User ID and password.

9-4.2.5 Supplier and Vendor Default and Maintenance Accounts

Supplier and vendor default accounts are accounts that are pre-installed on a product and must be removed or disabled. Supplier and vendor maintenance accounts are user accounts for the maintenance of their products to resolve issues related to the product and must be enabled only when needed, monitored, and controlled by a responsible Postal Service organization. Supplier and vendor maintenance personnel must not have access (including remote access) to any PCI cardholder data environment or PCI systems without documented business justification and CISO approval.

9-4.2.6 Guest Accounts

Guest accounts are not allowed for access to Postal Service network information resources. Guest accounts expose information resources to risk by allowing access to information resources through the use of a generic log-on ID that either uses no password or a widely known password. Guest accounts incorporated into any software or established through any other means must be deleted or disabled. This policy does not apply to guest networks isolated from the Postal Service intranet that are used to support non-Postal Service external access.
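The account-type rules in 9-4.2.1 through 9-4.2.6 are the kind of thing an administrator periodically checks against an exported account inventory. The Python script below is an added illustration of such a check; it is not part of the Handbook and not Postal Service tooling. It assumes an inventory exported as a list of records with a "type" field matching the six account types above plus attribute fields (owner, mfa, inherits_permissions, audited, groups, environments, enabled, and the approval flags); those field names are assumptions about an export format, and the sample inventory is constructed for the example.

```python
"""Audit an exported account inventory against the account-type rules of
Handbook section 9-4.2 (added example; inventory field names are assumed)."""
from __future__ import annotations
from dataclasses import dataclass

# Groups the Handbook names as privileged (9-4.2.2).
PRIVILEGED_GROUPS = {
    "Enterprise Admins", "Schema Admins", "Domain Admins", "Administrators",
    "Account Operators", "Server Operators", "Print Operators", "Backup Operators",
}
RESTRICTED_FOR_SHARED = {"production", "internet", "pci"}  # 9-4.2.4 item 1


@dataclass(frozen=True)
class Finding:
    account: str
    rule: str


def check_account(acct: dict) -> list[Finding]:
    """Return every rule the record violates; an empty list means compliant."""
    kind, name = acct["type"], acct["name"]
    groups = set(acct.get("groups", ()))
    envs = set(acct.get("environments", ()))
    out: list[Finding] = []
    if kind == "user":  # least privilege: no privileged group membership
        if groups & PRIVILEGED_GROUPS:
            out.append(Finding(name, "user account holds privileged group membership"))
    elif kind == "privileged":
        if not acct.get("owner"):
            out.append(Finding(name, "privileged account lacks a documented individual owner"))
        if not acct.get("mfa"):
            out.append(Finding(name, "privileged account without two-factor authentication"))
        if acct.get("inherits_permissions", True):
            out.append(Finding(name, "permission inheritance not disabled"))
        if not acct.get("audited"):
            out.append(Finding(name, "privileged account usage is not audit-logged"))
    elif kind == "service":
        if acct.get("root") or groups & PRIVILEGED_GROUPS:
            out.append(Finding(name, "service account holds root/administrative privilege"))
        if not acct.get("owner"):
            out.append(Finding(name, "service account not under management control"))
        if acct.get("password_never_expires") and not acct.get("nonexpiring_request_ref"):
            out.append(Finding(name, "nonexpiring password without a 9-6.1.8 request"))
    elif kind == "shared":
        if not (acct.get("ciso_approved") and acct.get("eaccess_approved")):
            out.append(Finding(name, "shared account lacks eAccess and CISO approval"))
        if not acct.get("audited"):
            out.append(Finding(name, "shared account usage is not logged"))
        if envs & RESTRICTED_FOR_SHARED:
            out.append(Finding(name, "shared account reaches production, Internet or PCI"))
    elif kind == "vendor_default":
        if acct.get("enabled", True):
            out.append(Finding(name, "vendor default account still enabled"))
    elif kind == "vendor_maintenance":
        if acct.get("enabled") and not acct.get("active_ticket"):
            out.append(Finding(name, "vendor maintenance account enabled with no open need"))
        if "pci" in envs and not (acct.get("pci_justification") and acct.get("ciso_approved")):
            out.append(Finding(name, "vendor PCI access without justification and CISO approval"))
    elif kind == "guest":
        if acct.get("enabled", True) and not acct.get("isolated_guest_network"):
            out.append(Finding(name, "guest account enabled on the Postal Service network"))
    return out


def audit(inventory: list[dict]) -> list[Finding]:
    """Run check_account over the whole inventory, preserving record order."""
    findings: list[Finding] = []
    for record in inventory:
        findings.extend(check_account(record))
    return findings


# Constructed sample inventory (not real accounts).
SAMPLE_INVENTORY = [
    {"name": "jdoe", "type": "user", "groups": ["Staff"]},
    {"name": "jdoe-adm", "type": "privileged", "owner": "jdoe", "mfa": True,
     "inherits_permissions": False, "audited": True, "groups": ["Domain Admins"]},
    {"name": "backupsvc", "type": "service", "owner": "Ops", "groups": ["Backup Operators"]},
    {"name": "training01", "type": "shared", "ciso_approved": True, "eaccess_approved": True,
     "audited": False, "environments": ["training"]},
    {"name": "admin", "type": "vendor_default", "enabled": True},
    {"name": "Guest", "type": "guest", "enabled": True},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(f"{finding.account}: {finding.rule}")
```

Run against the constructed inventory, the script reports the service account that sits in Backup Operators, the shared training account whose use is not logged, the still-enabled vendor default account, and the enabled Guest account; the regular user and the properly configured privileged account produce no findings.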