4-4.4 Activities

4-4.4.1 Develop, Acquire, and Integrate Information Security Controls

A member of the C&A core team serves as the liaison between the executive sponsor and the development team on the required information security controls and processes. The development team acquires, builds, and integrates these controls and processes and keeps the C&A core members informed of their progress. The software should be built in accordance with secure coding standards.

4-4.4.2 Harden Information Resources

Information resources hosting applications designated as sensitive-enhanced, sensitive, or critical must be hardened to meet or exceed the requirements documented in Postal Service hardening standards. Hardening refers to the process of implementing additional software, hardware, or physical security controls.

4-4.4.3 Develop Standard Operating Procedures

Standard operating procedures (SOPs) must be developed for information resources designated as sensitive-enhanced, sensitive, or critical to handle the operating support required for the information resource. These procedures cover such topics as separation of duties, manual processes, computer operations, input and output validation, and report distribution.

4-4.4.4 Develop Operational Security Training Materials

Appropriate materials must be developed for training users, system administrators, managers, and other personnel on the correct use of the information resource and its security controls.

4-4.4.5 Incorporate Security Requirements in Service Level Agreements and Trading Partner Agreements

Service level agreements (SLAs) are often developed for in-house managed and/or developed information resources. Trading partner agreements (TPAs) are often developed for externally managed and/or developed information resources. If SLAs or TPAs are developed, incorporate information security requirements.

4-4.4.6 Register Information Resources in eAccess

The information resource must be registered in eAccess, which is the Postal Service’s application for managing the authorization process for personnel needing to access an information resource and the associated information. Registration is also required for the use of managed accounts (i.e., machine accounts, etc.).

4-4.4.7 Initiate Contingency Planning

If the BIA determines that contingency planning is required based on the criticality determination, it should be initiated at this stage. Contingency planning continues throughout the life cycle of the information resource.

4-4.4.7.1 Contingency Planning Roles and Responsibilities

 

| Roles | Responsibilities |
|---|---|
| Executive sponsor | Consults with the DRS on the contingency planning documents, the recovery time objective (RTO), and recovery point objective (RPO). Coordinates with other managers in planning contingency planning activities. Funds information resource contingency planning activities. |
| Business Relationship Management portfolio manager | Provides guidance and assistance. |
| ISSR | Supports the executive sponsor and Business Relationship Management portfolio manager as requested. |
| ISSO | Provides guidance and consulting support. |
| Development Team | Develops and maintains the contingency planning documents. |
| DRS | Consults with the executive sponsor on the contingency planning documents and validates the RTO and RPO, based on overall Postal Service resources, to ensure they are realistic and achievable. |

4-4.4.7.2 Develop Contingency Planning Documents

Contingency planning documents are required for information resources designated as critical (i.e., high or moderate). The development of the contingency planning documents is begun during Phase 4 in coordination with the DRS. Contingency plans are tested and updated in Phase 7. Contingency planning templates are available on the IT Web site. Select Corporate Information Security, select Business Continuance Management page, select Business Continuance Management, and then select Business Continuance Management documents.

The Application Disaster Recovery Plan (ADRP) is a primary component of contingency planning. An ADRP is required for applications designated as critical.

4-4.4.8 Identify Connectivity Requirements

Identify connectivity requirements and submit a request to the Network Connectivity Review Board (NCRB). See Section 11-7, Business Partner Connectivity Requirements, in Handbook AS-805, Information Security.

Exhibit 4-4, Phase 4, Build (p. 1 of 2)

Exhibit 4-4, Phase 4, Build (p. 2 of 2)