13-4.2 CyberSafe Incident Process

13-4.2.1 Incident Categorization

Incidents must be categorized based on severity and associated response times. The severity of the incident will determine the appropriate notification process and escalation procedure. Incident severity levels and response times are defined as follows (per the Postal Service CyberSafe severity code procedures):

  1. Severity 1 — National Impact: Incidents with the greatest negative impact on the Postal Service. Severity level 1 is assigned when an incident has national impact or when multiple systems or sites are down or seriously affected.
  2. Severity 2 — Site Impact: Incidents impacting a major IT or field site or local area network (LAN) segment.
  3. Severity 3 — Customer Impact: Incidents impacting one or more workstations, employees, contractors, or customers.
  4. Severity 4 — Minimal Impact: Incidents with minimal or no impact.

13-4.2.2 Processing Incident Reports

CyberSafe is responsible for the following:

  1. Categorizing incidents.
  2. Protecting the confidentiality of information contained in the incident report and subsequent information identified in the analysis.
  3. Ensuring legal issues, requirements, and restraints caused by criminal and civil investigations are appropriately addressed.
  4. Logging and tracking security incident reports.
  5. Monitoring incidents to ensure appropriate response and immediate resolution of security incidents.
  6. Engaging appropriate organizational resources (e.g., virus response team, OIG, and Inspection Service).
  7. Notifying the CPO and responsible functional VP (data steward) of any suspected breaches involving sensitive or sensitive-enhanced information.
  8. Evaluating and escalating incident reports requiring further action.
  9. Retaining incident reports, supporting evidence, and journals for 1 year or for a time period determined by the OIG.
  10. Providing Inspection Service and OIG access to all reported information security incidents.
  11. Complying with federal sector security incident reporting requirements.

13-4.2.3 Incident Investigation

A member of the OIG-CCU team is co-resident with CyberSafe and investigates, along with the Inspection Service, violations of state and federal laws enacted to protect the authenticity, privacy, integrity, and availability of electronically stored and transmitted information.

13-4.2.4 Incident Analysis

CyberSafe analyzes security incidents and prepares reports summarizing the causes, frequency, and damage assessments of information security incidents.

CyberSafe management analyzes CyberSafe reports to improve the information security program and keep Postal Service executive management apprised on the state of information security.

13-4.2.5 Incident Escalation

It may be necessary to escalate an individual incident up the management chain based on the following criteria:

  1. Number of sites and systems under attack.
  2. Type of data at risk.
  3. Severity of the attack.
  4. State of the attack.
  5. Source or target of the attack.
  6. Impact on the integrity of the infrastructure or cost of recovery.
  7. Attack on a seemingly “secure” information resource.
  8. Personnel awareness of the attack.
  9. Use of a new attack method.

13-4.2.6 Incident Closure

Before an incident is closed, the incident must be categorized; the root cause must be determined; damage must be assessed and reported to management and, if required, to one or more of the national CyberSafes; and the incident’s closure must be confirmed with the initiator.