3-5 Protection of Postal Service Information and Media

All Postal Service information must be properly handled and controlled. While the focus of information security is on protecting sensitive-enhanced and sensitive information, which is driven by government regulation and industry standards, the Postal Service must also protect nonpublicly available information. Nonpublicly available information must be protected by the same controls as sensitive and sensitive-enhanced information (e.g., encryption). If there are questions concerning the appropriate security controls to implement, consult with the CISO.

The level of protection must be based on the information’s sensitivity and criticality. For example, full and partial Social Security numbers must be used only for tax purposes; they must not be used for identification purposes and must not be printed on reports.

Labeling, retention, storage, encryption, release, and destruction of information must comply with the Postal Service policies specified in this section and in Handbook AS-353, Guide to Privacy, the Freedom of Information Act, and Records Management.

  1. Labeling of information, media, and devices.
  2. Controlling access to information.
  3. Retention and storage of information.
  4. Encryption of information.
  5. Mandatory requirements and procedures for authorized removal of Postal Service nonpublicly available information from Postal Service or business partner premises.
  6. Release of information.
  7. Handling biohazard contaminated information resources.
  8. Disposal and destruction of information and media.
  9. Protection of Postal Service information during international travel.
  10. Inclusion of protection requirements in contracts.
  11. Additional PCI requirements.
  12. Additional PII requirements.
  13. Protection of financial information.