4-3.4 Activities

4-3.4.1 Analyze Requirements

Analyze the business and security requirements established for the information resource in the application characterization and the BIA.

4-3.4.2 Develop Network Architecture Diagrams

Develop network architecture diagrams that document the physical (layer 1) topology, including which ports are listening on each device, firewalls, routers, switches, communication protocols and devices, security devices, and interconnected resources.

The architectural diagram should include (on that diagram or on separate attached diagrams) all connectivity, data flow, business flow, and supporting functions. Data flow descriptions should include the proposed servers, protocols, networks, and projected data repositories. The network component diagram(s) should include, but are not limited to:

  1. End-user workstations and other applicable devices.
  2. Servers, including hardware type, operating system level, and hosted applications.
  3. Firewalls, including details on interfaces, ports, proxies, and protocols.
  4. Routers, including interfaces, access control lists, and configurations.
  5. Switches (VLAN information).
  6. Intrusion detection system (include vendor, release levels, and whether host or network based).
  7. Network monitoring equipment, including vendor and release levels.
  8. If multiple IDSs and/or firewalls exist and are centrally managed, the location(s) of the management station(s) should be identified.
  9. If data is encrypted at any point in the data flow, identify the type of encryption used. If encryption or a tunnel is used, specify that mechanism and both the encryption and key exchange protocols.
  10. Where data is stored. The data should be identified based on data type, the defined sensitivity and criticality levels of that data, and whether it is encrypted.
  11. If user authentication is required for the use of this application, explain how that is accomplished and where the authentication database resides.

4-3.4.3 Document Security Specifications

Security specifications are documented to satisfy the security requirements defined by the BIA. The security specifications will be included in contracts and acquisitions as appropriate.

4-3.4.4 Identify Potential Security Controls

Identify potential security controls in light of business and security requirements, Postal Service policies, project schedule, budget, and cost versus benefit of the various control options. Security controls include countermeasures and safeguards. A countermeasure is a control against known threats, whereas a safeguard is a control against future unknown threats. Security controls can be characterized as preventive, detective, corrective, deterrent, compensating, continuous, management, and technical.

Security controls will be selected or designed, purchased or built, integrated, and configured to address the security requirements and bring residual risk to an acceptable level by reducing the likelihood that vulnerabilities will be exploited and/or by reducing the amount of harm that could occur if a given vulnerability is exploited.

4-3.4.5 Select/Design Security Controls

4-3.4.5.1 General

Security controls for the information resource are selected to satisfy the privacy and security requirements identified in the BIA and to mitigate the risks identified in the Risk Assessment.

Security controls include the following:

  1. Management controls:
    1. Background screening and clearances.
    2. Job descriptions.
    3. Performance appraisals.
    4. Progressive sanctions.
    5. Condition of employment.
    6. Separation of duties and responsibilities.
    7. Dual control of “critical” processes and keys.
    8. Risk management.
    9. Configuration/change management.
    10. Independent reviews.
  2. Operational controls:
    1. Personnel security.
    2. Media protection.
    3. Physical protection (e.g., badges, controlled areas, visitors, and equipment and media removal).
    4. Environmental protection.
    5. Contingency planning.
    6. Incident response process.
    7. Hardware/system software maintenance.
    8. Network connectivity review board.
    9. Operational security training.
    10. Security awareness training.
    11. Audit logging.
    12. Testing of security controls.
    13. Continuous monitoring.
  3. Technical controls:
    1. Platform hardening.
    2. Identification and authentication.
    3. Logical access.
    4. Communications.
    5. Encryption.
    6. Integrity checking.
    7. Vulnerability scans.
    8. Penetration testing.
    9. Hardware and media sanitization.

Multiple information security controls may be needed to satisfy a particular information security requirement, or one control may satisfy more than one information security requirement.

4-3.4.5.2 Selecting Security Controls

Information security controls are selected based on their capability to be implemented, their effectiveness in safeguarding the information resource and the information it processes, and their compatibility with other Postal Service security controls and processes and with business needs. Circumstances peculiar to the information resource, the computing environment, changes in technologies, or the discovery of new vulnerabilities in what had been considered “safe” products may lead to additional security controls.

Perform Controls Analysis: An analysis of identified controls is conducted to determine their potential effectiveness to remove, transfer, or otherwise mitigate risk to the information resource. The controls analysis identifies any residual risk to the information resource.

Perform Cost Benefit Analysis: A cost benefit analysis is performed and documented to facilitate the implementation of cost-effective protection for information resources and continuity of business operations.

4-3.4.6 Develop Security Plan

4-3.4.6.1 General

A security plan must be developed for all information resources.

A security plan is a blueprint for protecting the information resource against threats, both internal and external. The security plan covers both the development and production environment. The plan describes all information security controls and processes that have been implemented or planned and delineates responsibilities and expected behavior of all individuals who access the information resource.

The security plan documents the security requirements identified in the BIA and the information security controls that are tailored to the security requirements.

4-3.4.6.2 Security Plan Roles and Responsibilities

Roles and responsibilities for the security plan are as follows:

  1. Executive sponsor: Provides personnel and financial resources to support development of a security plan.
  2. Business Relationship Management portfolio manager: Provides guidance and assistance.
  3. ISSR: Supports the executive sponsor and Business Relationship Management portfolio manager as requested.
  4. ISSO: Provides guidance and consulting support and coordinates completion of the security plan.
  5. Development team: Defines specific security controls and processes, completes the security plan, and keeps the C&A core team informed of progress.

4-3.4.7 Conduct Site Security Review

All business partner sites connecting to a Postal Service information infrastructure are subject to a site security review performed by the CISO and the Inspection Service. A site security review may be conducted at any time as long as connectivity exists between the business partner and the Postal Service.

A site security review must be conducted if a facility is hosting enhanced sensitive, sensitive, or critical information resources unless the facility has been accredited by a governmental agency.

4-3.4.7.1 Site Security Review Areas

The site security review evaluates risks in the following areas as they relate to the physical security of applications and the information resources hosting them:

  1. Location security.
  2. Facility security.
  3. Personnel security.
  4. Controlled area security.
  5. Environmental security.
  6. Communications security.
  7. Hardware security.
  8. Software security.
  9. Information security.
  10. Administrative security.
  11. Emergency response and contingency planning.
  12. Auditing and monitoring.

4-3.4.7.2 Site Security Review Roles and Responsibilities

The Inspection Service and the ISSO complete the site security review.

Exhibit 4-3, Phase 3, Design (diagram not reproduced in this text)