2-7 Executive Sponsors

The executive sponsors, as representatives of the VPs of the functional business areas, are responsible for ensuring the completion of all security-related tasks throughout the life cycle of an information resource. Some information resources are developed under the direction of one executive sponsor in one organization and transferred to an executive sponsor in another organization for production. Executive sponsors are responsible for the following:

  1. Completing a business impact assessment (BIA) to determine the sensitivity and criticality of information resources under their purview.
  2. Funding the C&A process for information resources under their purview.
  3. Appointing, if desired, an information systems security representative (ISSR) to serve as a development team point of contact to perform security-related activities.
  4. Implementing security controls that satisfy the security requirements defined in the BIA.
  5. Ensuring that all documentation required by the C&A process is submitted to the ISSO.
  6. Maintaining appropriate security during the production phase by controlling access to sensitive-enhanced, sensitive, and critical information.
  7. Ensuring that the C&A documentation package is securely stored and kept current for the information resource life cycle.
  8. If the vice president functional business area has delegated this responsibility to the executive sponsor, working jointly with the VP IT (or the Business Relationship Management portfolio manager if this responsibility is delegated) to accept, in writing, the residual risk (1) associated with information resources under their control and (2) requests to host or remove sensitive-enhanced/sensitive/non-publicly available data from Postal Service premises.
  9. Re-initiating the C&A process in accordance with the criteria specified in Chapter 6.