3 Information Designation and Control

3 Information Designation and Control

3-1 Policy

3-2 Information Designation and Categorization

3-2.1 Designation Categories and Levels

3-2.2 Sensitivity and Criticality Category Independence

3-2.3 Definitions of Classified, Sensitive, and Critical Information

3-2.3.1 Classified Information

3-2.3.2 Sensitive-Enhanced Information

3-2.3.3 Sensitive Information

3-2.3.4 Nonsensitive Information

3-2.3.5 Critical (High) Information

3-2.3.6 Critical (Moderate) Information

3-2.3.7 Noncritical Information

3-3 Determination of the Categorization of Information Resources

3-3.1 Business Impact Assessment

3-3.1.1 Aggregation

3-3.1.2 System Functionality

3-3.1.3 Critical National Infrastructure

3-3.2 Approving Information Resource Classification and Categories of Information Processed

3-3.3 Recording Information Resource Classification and Categories of Information Processed

3-4 Security Requirement Categories

3-5 Protection of Postal Service Information and Media

3-5.1 Labeling of Information, Media, and Devices

3-5.1.1 Electronic Media and Hardcopy Output

3-5.1.2 Applications Processing

3-5.1.3 Devices

3-5.2 Controlling Access to Information

3-5.3 Retention and Storage of Information

3-5.4 Encryption of Information

3-5.5 Mandatory Requirements and Procedures for Authorized Removal of Postal Service Non-Publicly Available Information from Postal Service or Business Partner Premises

3-5.5.1 Definition of Non-Publicly Available Information

3-5.5.2 Definition of Removal from Postal Service or Business Partner Premises

3-5.5.3 Mandatory Requirements and Procedures for Authorized Removal of Electronic and Hard-copy Information

3-5.6 Release of Information

3-5.6.1 Releasing Information on Factory-Fresh or Degaussed Media

3-5.6.2 Precautions Prior to Maintenance

3-5.7 Handling Biohazard Contaminated Information Resources

3-5.7.1 Sensitive-Enhanced and Sensitive Information

3-5.7.2 Data Eradication on Contaminated Information Resources

3-5.7.3 Reporting of Contaminated Information Resources

3-5.8 Disposal and Destruction of Information and Media

3-5.8.1 Electronic Hardware and Media

3-5.8.2 Data Residue

3-5.8.3 Nonelectronic Information

3-5.9 Protection of Postal Service Information During International Travel

3-5.9.1 General Security Requirements While Traveling Outside of the United States

3-5.9.2 Substitution of Temporary Computer Equipment and Communication Devices

3-5.10 Inclusion of Protection Requirements in Contracts

3-5.10.1 All Business Partners and Suppliers

3-5.10.2 Payment-Card Business Partners and Suppliers

3-5.11 Additional PCI Requirements

3-5.12 Additional PII Requirements

3-5.13 Protection of Financial information

3-6 Protection of Non-Postal Service Information

3-6.1 Third-Party Information

3-6.2 National Security Classified Information