2-2 Access Control

Access control guidelines are the following:

  1. Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
  2. Limit system access to the types of transactions and functions that authorized users are permitted to execute.
  3. Control the flow of Postal Service information in accordance with approved authorizations.
  4. Implement separation of duties of individuals to reduce the risk of malevolent activities without collusion.
  5. Employ the principle of least privilege, including for specific security functions and privileged accounts.
  6. Use non-privileged accounts or roles when accessing non-security functions.
  7. Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
  8. Limit the number of allowed unsuccessful logon attempts.
  9. Provide privacy and security notices consistent with applicable Postal Service information rules.
  10. Use session lock with pattern-hiding displays to prevent access and viewing of data after periods of inactivity.
  11. Automatically terminate a user session after a defined condition (e.g., maximum period of inactivity, time-of-day restrictions).
  12. Monitor and control remote access sessions.
  13. Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
  14. Route remote access via managed access control points.
  15. Authorize remote execution of privileged commands and remote access to security-relevant information.
  16. Authorize wireless access prior to allowing such connections.
  17. Protect wireless access using authentication and encryption.
  18. Control connection of mobile devices.
  19. Encrypt Postal Service information on mobile devices and mobile computing platforms.
  20. Verify and control/limit connections to and use of external systems.
  21. Limit use of organizational portable storage devices on external systems.