2-2.15 Installation Heads

Installation heads are in charge of Postal Service facilities or organizations, such as areas, districts, Post Offices, mail processing facilities, parts depots, vehicle maintenance facilities, computer service centers, or other installations. Installation heads are responsible for the following:

  1. Designating a security control officer (SCO) who is responsible for personnel and physical security at that facility, including the physical protection of computer systems, equipment, and information located therein.
  2. Implementing physical and environmental security support for information security, such as the protection of workstations, portable devices, and media containing sensitive-enhanced, sensitive, or critical information.
  3. Controlling physical access to the facility, including the establishment and implementation of controlled areas, access lists, physical access control systems, and identification badges.
  4. Funding building security equipment and security-related building modifications.
  5. Maintaining an accurate inventory of Postal Service information resources at their facilities and implementing appropriate hardware security and configuration management.
  6. Maintaining and upgrading all security investigative equipment, as necessary.
  7. Ensuring completion of a site security review, providing assistance to the Inspection Service and CISO as required, and accepting site residual risk.
  8. Ensuring that the Postal Service security policy, standards, and procedures are followed in all activities related to information resources (including procurement, development, and operation) at their facility.
  9. Ensuring that all employees who use or are associated with the information resources in the facility are provided information security training commensurate with their responsibilities and taking appropriate action in response to employees who violate established security policy or procedures.
  10. Cooperating with the Inspection Service to ensure the physical protection of the network infrastructure located at the facility.
  11. Developing, maintaining, and testing:
    1. Emergency Action Plans required for each facility to ensure personnel are safely evacuated and provides for the protection of the employees.
    2. Incident Management Facility Recovery Plan required for each major IT site.
    3. Workgroup Recovery Plan required for each business function.
    4. Disaster Recovery Plan (DRP) (business information systems disaster) documents required for each critical system that supports essential (core) business functions.
  12. Implementing and managing the following plans and team members:
    1. Emergency Action Plan.
    2. Incident Management Facility Recovery Plan.
    3. Workgroup Recovery and “Beyond” Continuity of Operations (COOP) Plans.
    4. DRP (business information systems disaster) documents.
  13. Reporting information security incidents to CyberSafe immediately, containing the incident, following continuity plans for disruptive incidents, and assessing damage caused by the incident.
  14. Resolving identified vulnerabilities.