4-5 Site Risk Management

A site security review must be performed for each site hosting sensitive-enhanced, sensitive, or critical information resources and may be required for business partner and vendor sites requesting connectivity to the Postal Service intranet to:

  1. Identify the location of the facility and structure-specific strengths and weaknesses.
  2. Identify the sensitive-enhanced, sensitive, and critical information resources hosted by that facility.
  3. Identify the threat events that could occur, including physical threats (e.g., power failure, fire, building collapse, water damage from plumbing failure or roof leak); environmental threats (e.g., earthquake, flooding, tornadoes, lightning, and sinkhole); and human threats (e.g., union lockouts, riot, disgruntled employee or customer, and armed theft).
  4. Evaluate threats and vulnerabilities to determine the frequency and amount of harm that could possibly occur as a result of a physical, environmental, or human event.
  5. Identify possible additional administrative, technical, and physical security safeguards.
  6. Analyze the costs and benefits of the safeguards in reducing the risks.

A site security review is conducted at the following times:

  1. Before a new site becomes operational.
  2. After significant changes at the site, including significant changes in information resources located there.
  3. Every 3 years, unless an earlier site security review is warranted.

Risks categorized as high must be mitigated by using a continuous process that reduces risk by implementing cost-effective security measures. The risk mitigation process consists of the following:

  1. Selecting the appropriate safeguards (or countermeasures) that will reduce exposure to the risk.
  2. Assigning a priority ranking to the implementation of the safeguards.
  3. Assigning financial and technical responsibility for implementing the safeguards.
  4. Implementing and documenting the safeguards.
  5. Maintaining the continued effectiveness of the mitigation strategy by reassessing the threats, vulnerabilities, effectiveness of the safeguards, and the residual risk.

If the level of residual risk is not acceptable, then further safeguards and security controls should be implemented to reduce exposure to acceptable levels. The installation head is responsible for acknowledging and accepting the residual site risk.

The site security review will be performed by the manager, CISO, and the Chief Inspector, or their designees. All site risk management documentation must be treated as “restricted information” and delivered to and retained by the Inspection Service and the appropriate installation head.