10-6.2 Other Protection Measures

10-6.2.1 Protecting Shared and Retrieved Files

All personnel must run virus protection software prior to using shared or retrieved files from workstations, laptops, removable media, and other information resources.

10-6.2.2 Evaluating Dynamic Code

A code review must be conducted on sensitive-enhanced, sensitive, or critical information resources that contain dynamic code such as ASP, JavaScript, PL/SQL, or CGI scripts (see 8-5.6.2, Conduct Security Code Review). In addition to the code review, information resources that contain dynamic code may be subject to an independent code review (see 8-5.6.6, Conduct Independent Security Code Review).

10-6.2.3 Protecting Applications

All application software and supporting files must be protected such that an error will be generated if there is an unauthorized attempt to modify the software. All activities involving modification of software must be logged.

10-6.2.4 Creating Backups before Installation

To assist with the post-virus restoration of normal computer activities, all computer software must be copied prior to its initial usage, and such copies must be stored in a secure location. These copies must not be used for ordinary business activities but must be reserved for recovery from computer virus infections, hard-disk crashes, and other computer problems.

10-6.2.5 Checking for Viruses Before Distribution

All software, information, or any other type of digital media must be tested to identify the presence of computer viruses and other malicious code prior to distributing to Postal Service organizations, personnel, businesses, or the public.

10-6.2.6 Intrusion Detection/Prevention

All information resources within the Postal Service must be protected against the introduction of malicious code. A layered defense must be implemented combining antispyware software, anti-virus software, a personal firewall, host anomaly detection/intrusion prevention software, spam and content filtering for inbound e-mail, pop-up blocker protection, and user education. Unauthorized personnel must not modify the configuration of host-based protection software.

10-6.2.7 Automated Mechanisms

Information resources must provide automated mechanisms to support the handling of information security incidents.