Information Security Handbook AS-805

Contents



February 2018

1 Introduction: Corporate Information Security ... 1
  1-1 Purpose ... 1
  1-2 Scope ... 2
  1-3 Policy ... 2
  1-4 Supporting Documentation ... 3
  1-5 Policy Owner ... 3
  1-6 Infrastructure Components/Systems
      Technology Solutions
      Contract Solution
      Solution
      Solution
      Technology Solution Security and Privacy Assessments
      Contract Solution Security and Privacy Assessment
      Solution Security and Privacy Assessment
      Solution Security and Privacy Assessment ... 5
  1-7 Information Resources ... 6
  1-8 Organizations and Personnel ... 8
  1-9 Importance of Compliance
      Public Trust
      Business Operations
      Postal Service Investment
      by Federal Regulations ... 9
  1-10 Policy Exception and Review
      an Exception to the Policies
      Review ... 10

2 Security Roles and Responsibilities ... 11
  2-1 Policy ... 11
  2-2 Consolidated Roles and Responsibilities
      Information Officer and Executive Vice President
      Postal Inspector
      President, Information Technology
      , Computer Operations
      Information Security Officer
      Security Executive Council
      Presidents, Functional Business Areas ... 15
      President, Engineering
      President, Network Operations
      and Managers
      Sponsors
      System Coordinators
      Relationship Management Portfolio Managers (formerly Portfolio Managers)
      of Information Technology Solution Centers
      Heads
      Privacy Officer
      General
      , Business Continuance Management
      , Telecommunications Services
      Responsible for Computing Operations
      , Corporate Information Security Office Information Systems Security
      , Help Desks
      Officers and Contracting Officer Representatives
      Counsel
      Partners
      Control Officers
      Systems Security Representatives
      Systems Security Officers
      and Network Administrators
      Administrators
      Personnel ... 35

3 Information Designation and Control ... 37
  3-1 Policy ... 37
  3-2 Information Designation and Categorization
      Categories and Levels
      and Criticality Category Independence
      of Classified, Sensitive, and Critical Information
      Information
      Information
      Information
      Information
      (High) Information
      (Moderate) Information
      Information ... 40
  3-3 Determination of the Categorization of Information Resources
      Impact Assessment ... 41
      Functionality
      National Infrastructure
      Information Resource Classification and Categories of Information Processed
      Information Resource Classification and Categories of Information Processed ... 42
  3-4 Security Requirement Categories ... 43
  3-5 Protection of Postal Service Information and Media
      Of Information, Media, and Devices
      Media and Hardcopy Output
      Processing
      Access to Information
      and Storage of Information
      of Information
      Requirements and Procedures for Authorized Removal of Postal Service Non-Publicly Available Information from Postal Service or Business Partner Premises
      of Non-Publicly Available Information
      of Removal from Postal Service or Business Partner Premises
      Requirements and Procedures for Authorized Removal of Electronic and Hard-copy Information
      of Information
      Information on Factory-Fresh or Degaussed Media
      Prior to Maintenance
      Biohazard Contaminated Information Resources
      and Sensitive Information
      Eradication on Contaminated Information Resources
      of Contaminated Information Resources
      and Destruction of Information and Media
      Hardware and Media
      Residue
      Information
      of Postal Service Information During International Travel
      Security Requirements While Traveling Outside of the United States
      of Temporary Computer Equipment and Communication Devices
      of Protection Requirements in Contracts
      All Business Partners and Suppliers
      Payment-Card Business Partners and Suppliers
      PCI Requirements
      PII Requirements
      of Financial Information ... 54
  3-6 Protection of Non-Postal Service Information
      Information
      Security Classified Information ... 54

4 Security Risk Management ... 55
  4-1 Policy ... 55
  4-2 Types of Risk Management ... 55
  4-3 Information Resource Risk Management ... 55
  4-4 Independent Risk Management ... 57
  4-5 Site Risk Management ... 57
  4-6 Risk-Based Information Security Framework ... 58

5 Acceptable Use ... 59
  5-1 Policy ... 59
  5-2 Personal Use of Government Office Equipment Including Information Technology ... 59
  5-3 Electronic Mail and Messaging
      Use ... 62
  5-4 Internet: Access and Prohibited Activities ... 62
  5-5 Prohibited Uses of Information Resources ... 63
  5-6 Protection of Sensitive Data and Privacy-Related Data ... 64
  5-7 Use of Social Media ... 65

6 Personnel Security ... 67
  6-1 Policy ... 67
  6-2 Employee Accountability
      of Duties and Responsibilities
      Descriptions
      Appraisals
      of Continued Employment ... 68
  6-3 Sensitive Positions ... 68
  6-4 Background Investigations and Clearances
      Requirements
      Privileges
      IDs
      Resources Processing Sensitive-Enhanced or Sensitive Information
      Areas
      Nationals ... 69
  6-5 Information Security Awareness and Training
      Security Awareness
      and Monitoring Individual Information Security Training
      Requirements ... 70
  6-6 Departing Personnel
      Separation
      Termination
      , Network, or Database Administrator Departure ... 72

7 Physical and Environmental Security ... 73
  7-1 Policy ... 73
  7-2 Physical Access Controls
      to Controlled Areas
      of Controlled Areas
      of Information Resources Stored in Controlled Areas
      of Access Control Lists
      for Controlled Areas
      of Physical Access Control Devices
      of Identification Badges ... 75
  7-3 Physical Protection of Information Resources
      Equipment, Network Servers, and Mainframes
      Service Workstations and Portable Devices
      Service Portable Electronic Devices
      , Sensitive, and Critical Media ... 77
  7-4 Environmental Security ... 77
  7-5 Facility Continuity Planning ... 78
  7-6 Facility Contracts ... 78

8 Development and Operations Security ... 79
  8-1 Policy ... 79
  8-2 Development Security
      Approach
      Management
      Assurance
      and Change Management
      Component Inventory
      Hardening Standards
      and Version Control
      Management
      Testing of the Configuration
      of Duties
      Source Code
      Security ... 84
  8-3 Operations Security
      Postal Computing Environments ... 84
      Restrictions
      Environment
      Environment
      Environment
      Environment
      Environments
      Restrictions
      and Testing in the Production Environment
      With Nonsensitive Production Data
      with Sensitive-Enhanced and Sensitive Production Data
      at Non-Postal Service Facilities with Production Data
      Controls in lieu of Production Data Usage Letters ... 89
  8-4 Certification and Accreditation
      the C&A Process Covers
      C&A Is Required
      of C&A Process to the Postal Service
      to Information Resources and Related Documentation
      Processes
      Terms and Conditions ... 91
  8-5 Information Resource C&A
      1 Initiate and Plan
      2 Requirements
      Business Impact Assessment
      3 Design
      High-Level Architecture
      Internal and External Dependencies
      Security Specifications
      and Design Security Controls
      Security Plan
      a Site Security Review
      4 Build
      , Acquire, and Integrate Security Controls
      Information Resources
      Security Operating Procedures
      Operational Security Training
      Security Requirements in Service Level Agreements and Trading Partner Agreements
      Information Resource in eAccess
      Business Continuity and Facility Plans
      Connectivity Requirements
      5 System Integration Testing
      Security Test Plan
      Operational Security Training
      Development of Contingency Plans ... 95
      6 Customer Acceptance Testing
      Security Test and Document Results
      Security Code Review
      Vulnerability Scan
      Risk Assessment
      Independent Risk Assessment
      Independent Security Code Review
      Independent Penetration Testing and Vulnerability Scans
      Independent Validation of Security Testing
      Manager and ISSO Develop C&A Documentation Package
      Project Manager, Executive Sponsor, and ISSO Prepare Risk Mitigation Plan
      ISSO Reviews C&A Documentation Package and Prepares Evaluation Report
      Certifier Escalates Security Concerns or Certifies Information Resource
      Accreditor Escalates Security Concerns or Accredits Information Resource
      7 Governance and Compliance
      8 Release Management and Production
      Conversion
      Information Resource
      Resource Maintenance
      Security-Related Plans and Continually Monitor Operations
      Review, Test, and Audit
      Risks and Upgrade Security Controls
      Security-Related Plans

