8 Development and Operations Security

8-1 Policy

8-2 Development Security

8-2.1 Life-Cycle Approach

8-2.2 Risk Management

8-2.3 Quality Assurance

8-2.4 Configuration and Change Management

8-2.4.1 Configuration Component Inventory

8-2.4.2 Configuration Hardening Standards

8-2.4.3 Change and Version Control

8-2.4.4 Patch Management

8-2.4.5 Security Testing of the Configuration

8-2.5 Separation of Duties

8-2.6 Application Source Code

8-2.7 Developers

8-2.8 Application Security

8-3 Operations Security

8-3.1 Distributed Postal Computing Environments

8-3.2 Environment Restrictions

8-3.2.1 Development Environment

8-3.2.2 SIT Environment

8-3.2.3 CAT Environment

8-3.2.4 Production Environment

8-3.2.5 Other Environments

8-3.3 Testing Restrictions

8-3.3.1 Development and Testing in the Production Environment

8-3.3.2 Testing With Nonsensitive Production Data

8-3.3.3 Testing with Sensitive-Enhanced and Sensitive Production Data

8-3.3.4 Testing at Non-Postal Service Facilities with Production Data

8-3.4 Compensating Controls in lieu of Production Data Usage Letters

8-4 Certification and Accreditation

8-4.1 What the C&A Process Covers

8-4.2 When C&A Is Required

8-4.3 Value of C&A Process to the Postal Service

8-4.4 Access to Information Resources and Related Documentation

8-4.5 Independent Processes

8-4.6 Contractual Terms and Conditions

8-5 Information Resource C&A

8-5.1 Phase 1 — Initiate and Plan

8-5.2 Phase 2 — Requirements

8-5.2.1 Conduct Business Impact Assessment

8-5.3 Phase 3 — Design

8-5.3.1 Develop High-Level Architecture

8-5.3.2 Identify Internal and External Dependencies

8-5.3.3 Document Security Specifications

8-5.3.4 Select and Design Security Controls

8-5.3.5 Develop Security Plan

8-5.3.6 Conduct a Site Security Review

8-5.4 Phase 4 — Build

8-5.4.1 Develop, Acquire, and Integrate Security Controls

8-5.4.2 Harden Information Resources

8-5.4.3 Develop Security Operating Procedures

8-5.4.4 Develop Operational Security Training

8-5.4.5 Incorporate Security Requirements in Service Level Agreements and Trading Partner Agreements

8-5.4.6 Register Information Resource in eAccess

8-5.4.7 Develop Business Continuity and Facility Plans

8-5.4.8 Identify Connectivity Requirements

8-5.5 Phase 5 — System Integration Testing

8-5.5.1 Develop Security Test Plan

8-5.5.2 Conduct Operational Security Training

8-5.5.3 Conduct Development of Contingency Plans

8-5.6 Phase 6 — Customer Acceptance Testing

8-5.6.1 Conduct Security Test and Document Results

8-5.6.2 Conduct Security Code Review

8-5.6.3 Conduct Vulnerability Scan

8-5.6.4 Conduct Risk Assessment

8-5.6.5 Conduct Independent Risk Assessment

8-5.6.6 Conduct Independent Security Code Review

8-5.6.7 Conduct Independent Penetration Testing and Vulnerability Scans

8-5.6.8 Conduct Independent Validation of Security Testing

8-5.6.9 Project Manager and ISSO Develop C&A Documentation Package

8-5.6.10 Project Manager, Executive Sponsor, and ISSO Prepare Risk Mitigation Plan

8-5.6.11 ISSO Reviews C&A Documentation Package and Prepares Evaluation Report

8-5.6.12 Certifier Escalates Security Concerns or Certifies Information Resource

8-5.6.13 Accreditor Escalates Security Concerns or Accredits Information Resource

8-5.7 Phase 7 — Governance and Compliance

8-5.8 Phase 8 — Release Management and Production

8-5.8.1 Data Conversion

8-5.8.2 Deploy Information Resource

8-5.8.3 Information Resource Maintenance

8-5.8.4 Follow Security-Related Plans and Continually Monitor Operations

8-5.8.5 Periodically Review, Test, and Audit

8-5.8.6 Reassess Risks and Upgrade Security Controls

8-5.8.7 Update Security-Related Plans

8-5.8.8 Reinitiate C&A

8-5.8.9 Disposition C&A Documentation

8-5.9 Phase 9 — Retire

8-5.9.1 Dispose of Data

8-5.9.2 Sanitize Equipment and Media