3-4 Security Requirement Categories

The Postal Service uses several categories of security requirements to protect information resources (see Exhibit 3-4).

A security requirement is a type or level of protection that must be implemented to secure an information resource. A control consists of safeguards designed to respond to a security requirement. A control may satisfy more than one requirement, or several controls may be needed to satisfy a security requirement depending on the sensitivity and criticality of the information resource and its operating environment. If a requirement cannot be addressed, compensating controls can be implemented to mitigate the risk.

Exhibit 3-4 Security Requirement Categories

Security Requirement Category: Baseline
Control(s): All information resources must implement controls sufficient to satisfy the baseline security requirements. Baseline security requirements have been established to protect the Postal Service computing environment and infrastructure from intentional or unintentional unauthorized use, modification, disclosure, or destruction.

Security Requirement Category: Sensitive-Enhanced, Sensitive, PCI, Law Enforcement, Critical (High), and Critical (Moderate)
Control(s): Additional security is needed to adequately protect sensitive-enhanced, sensitive, and critical information resources. These requirements are based on the following:

Security Requirement Category: Conditional
Control(s): Requirements requested by the executive VP and CIO; VP IT Solutions; Director IT Operations; manager, CISO; or the functional VP, or requirements based on specific criteria such as the development and operating environment.

Security Requirement Category: Recommended
Control(s): ISSOs may recommend additional security requirements during the BIA process to better protect the information resource against threats and vulnerabilities. Recommended security requirements are based on generally accepted industry practices. The executive sponsor assumes the risks associated with not implementing the recommended security requirements.