8-5.3 Phase 3 — Design

Based on the security requirements defined in the BIA, the security controls and processes for the information resource are defined. The information security activities of Phase 3 are described in the following paragraphs.

8-5.3.1 Develop High-Level Architecture

A high-level architectural diagram is developed and kept current for every information resource, documenting hardware, communication services and ports used, security devices, and interconnected resources. The manager, CISO ISS, uses the architectural diagram to determine the impact on the infrastructure and the need for additional security controls such as an enclave (see 11-3.7, Determining When a Secure Enclave Is Required).

8-5.3.2 Identify Internal and External Dependencies

Internal and external dependencies must be identified and documented in the eC&A process.

8-5.3.3 Document Security Specifications

If the information resource is contracted, security specifications are documented to satisfy the security requirements defined by the BIA.

8-5.3.4 Select and Design Security Controls

Potential security controls (safeguards) are identified based on the information security requirements and in light of business requirements, including project schedule and budget.

An analysis of potential controls is conducted to determine their potential effectiveness to remove, transfer, or otherwise mitigate risk to information resources. The controls analysis identifies any residual risk to the information resource.

A cost-benefit analysis is performed and documented to facilitate the implementation of cost-effective protection for information resources.

Safeguards are selected or designed based on the controls analysis and the cost-benefit analysis.

8-5.3.5 Develop Security Plan

A security plan must be developed for all information resources. A security plan is a blueprint for designing, building, and maintaining an information resource that can be defended against threats, including intruders, both internal and external. The security plan covers both the nonproduction and production environments and describes all information security controls that have been implemented or planned.

8-5.3.6 Conduct a Site Security Review

The site security review assesses the physical security controls of facilities hosting sensitive-enhanced, sensitive, and critical information resources. The lack of adequate physical security controls could affect the availability, confidentiality, and integrity of Postal Service applications and the information resources hosting them. A site security review may not be required if the site is accredited by a government agency.

Site security reviews of non-Postal sites storing PCI cardholder information must be conducted annually, and should be conducted more frequently if increased risk is identified.

The site security review results in a report and not a Postal Service certification or accreditation.