4-6.4 Activities

4-6.4.1 Conduct Security Code Review

To protect the infrastructure, a documented security code review is required for:

  1. Any externally facing or DMZ-hosted information resource containing custom programming or scripting, regardless of the designation of sensitivity or criticality.
  2. Information resources designated as sensitive-enhanced, sensitive, and critical that contain dynamic code or COTS custom programming or scripts.
  3. Internally and externally facing PCI applications containing custom code. The code review can be conducted by a knowledgeable independent individual or by a third-party vendor.

The security code review will be (1) based on the Postal Service Information Security Code Review Standards or an acceptable equivalent, and (2) appropriately documented. This security code review will not be required if an independent security code review is conducted. (See 5-1, Independent Security Code Reviews.)

4-6.4.2 Conduct the Security Test and Evaluation

4-6.4.2.1 Conduct Security Test Process

Security testing must be conducted for all information resources.

Security testing is conducted using the approved ST&E plan. Following the ST&E plan reduces the risk of false or faulty test results; yields more consistent, comparable, and repeatable evaluation of security controls; and results in more complete and reliable information for authorizing officials.

The information resource technical control mechanisms and the surrounding administrative controls are evaluated to establish the extent to which the information resource meets the security requirements.

Stakeholders who may participate in the testing include, but are not limited to, the ISSO, ISSR, developers, and contractors.

If a modification to a control is required, the change should be reflected in the security plan and the ST&E plan before the test is re-executed.

4-6.4.2.2 Develop Security Test and Evaluation Report

Upon completion of the testing, the development team develops an ST&E report and reviews the findings to determine whether the security controls and processes are adequate to protect the information resource or whether modifications to the security controls and processes are warranted. If modifications are warranted, the security plan and the ST&E plan are amended and testing is reinitiated.

4-6.4.3 Conduct Vulnerability Scans

Vulnerability scans are recommended for all information resources and are required for the following information resources:

  1. Annually for externally facing information resources.
  2. Quarterly for PCI information resources (i.e., information resources utilizing credit card transactions).

Scanning procedures must ensure adequate scan coverage of at least the Production and Customer Acceptance Test environments for sensitive-enhanced, sensitive, law enforcement, and PCI applications and the Production environment for non-sensitive applications. The list of vulnerabilities must be updated.

4-6.4.4 Conduct Penetration Test

A penetration test must be conducted for all externally facing applications and PCI applications and is recommended for sensitive-enhanced, sensitive, and law enforcement applications. In addition, the ISSO may recommend other tests such as network scanning, data loss prevention scanning, or wireless access point mapping where applicable.

4-6.4.5 Conduct Independent Reviews

The following independent reviews may be required during Phase 3 to determine the effectiveness of the security controls and processes:

  1. Independent security code reviews.
  2. Independent risk assessments.
  3. Independent penetration testing and vulnerability scans.
  4. Independent security test validations.

These reviews are discussed in Chapter 5, Independent Reviews.

4-6.4.6 Assess Risks

A risk assessment must be conducted for all information resources to identify security concerns (e.g., threats, vulnerabilities, and control weaknesses), risk ranking, additional controls, and residual risk.

Risk analysis is a continual process throughout this phase; it depends on the configuration of the information resource, the users, and the implementation environment. Risks to information resources and facilities are evaluated with the following processes:

  1. Risk assessment.
  2. Site security review conducted by an ISSO and the Postal Inspection Service. See Section 4-3.4.7, Conduct Site Security Review.
  3. External independent information security risk assessment (if requested).

Standard templates that serve as a framework for the risk assessments are incorporated in the risk assessment processes.

4-6.4.7 Conduct Risk Assessment and Develop Risk Mitigation Plan

The risk assessment is an ongoing process designed to minimize risk to applications by identifying additional security controls (i.e., beyond those initially established) to be deployed that are commensurate with the relative values of the assets to be protected, the vulnerabilities associated with those assets, and threats to the application. The risk assessment instructions are available on the CISO Web site.

4-6.4.7.1 Risk Assessment and Mitigation Activities

A risk assessment will do the following:

  1. Identify general administrative data and assets.
  2. Identify possible threats that could adversely affect the information resource.
  3. Identify security vulnerabilities that could be exploited by threat events affecting the information resource.
  4. Analyze implemented and planned controls against requirements.
  5. Identify the probability that a vulnerability may be exploited.
  6. Identify the adverse impact resulting from a successful exploitation of a vulnerability.
  7. Determine the overall risk to the information resource and document it in the Risk Assessment document.
  8. Identify possible additional mitigating controls that, if applied, could be expected to mitigate the risks identified for the information resource.
  9. Document the mitigating controls and the overall risk status of the information resource in a Risk Mitigation Plan.

4-6.4.7.2 Risk Assessment and Mitigation Roles and Responsibilities

Roles and responsibilities for risk assessment and mitigation:

Executive sponsor: Ensures completion of the risk assessment for information resources under their purview; provides personnel and financial resources to support risk assessment activities.

Business Relationship Management portfolio manager: Supports the executive sponsor and development team.

ISSR: Supports the executive sponsor and Business Relationship Management portfolio manager as requested.

ISSO: Provides guidance on the applicability of threats or vulnerabilities and the appropriate choice of countermeasures; coordinates completion of the risk assessment.

ISSO and development team: Complete the risk assessment and the risk mitigation plan.

VP IT and VP of functional business area: Accept any unmitigated medium or high residual risks associated with an information resource.

Accreditor: Acknowledges any unmitigated medium or high residual risks associated with an information resource.

Chief Privacy Officer: Acknowledges any unmitigated medium or high residual risks associated with a sensitive-enhanced or sensitive information resource.

4-6.4.7.3 Risk Mitigation Strategies

Medium and high risks must follow one of the following strategies:

  1. Risk assumption: The VP IT and VP of functional business area assume the risk by preparing and signing an acceptance of risk responsibility letter and then forwarding it to the accreditor.
  2. Risk avoidance: The VP IT and VP of functional business area recommend that the portion of the project that is causing the risk exposure should not be implemented as planned or at this time.
  3. Risk limitation: The VP IT and VP of functional business area limit the exposure to the threat (e.g., limit the number of users with privileged access or implement two-factor authentication).
  4. Risk planning: The VP IT and VP of functional business area concede that the Postal Service will have to accept a certain amount of loss in order to take advantage of the increased functionality or income associated with the information resource. Risk planning will define the acceptable amount of loss.
  5. Acknowledgement and research: The VP IT and VP of functional business area acknowledge the risk and direct that research be conducted to find appropriate cost-effective controls that can be implemented in the future.
  6. Implement additional controls: The VP IT and VP of functional business area approve the implementation of additional controls to further mitigate the risks.
  7. Risk transfer: The VP IT and VP of functional business area transfer the risk to another organization (e.g., business partner).

4-6.4.7.4 Develop a Risk Mitigation Plan

For each medium or high vulnerability, adopt one of the above risk mitigation strategies and document it in the Risk Mitigation Plan (RMP). Assign responsibility for the remediation and identify a remediation completion date (if applicable).

4-6.4.8 ISSO Evaluates C&A Documentation

The ISSO initiates the evaluation of the C&A documentation package early in the C&A process. This enables the C&A core team to be proactive in identifying and addressing information security concerns. The C&A documentation package includes:

  1. Information resource characterization.
  2. BIA.
  3. Architecture diagram.
  4. Security specifications.
  5. Security plan.
  6. SOPs.
  7. SLAs or TPAs, if applicable.
  8. ST&E plan.
  9. ST&E report.
  10. POA&M.
  11. Code review, if applicable.
  12. Vulnerability scans, if applicable.
  13. Penetration test, if applicable.
  14. Independent reviews, if applicable.
  15. Risk assessment.
  16. Risk mitigation plan.

4-6.4.9 ISSO Prepares C&A Evaluation Report

4-6.4.10 ISSO Escalates Security Concerns or Forwards C&A Package

Upon completion of the C&A evaluation report, the ISSO escalates security concerns to the executive sponsor and Business Relationship portfolio manager or signs the C&A evaluation report and forwards the report and supporting C&A documentation to the certifier (manager, C&A process) for review.

If the ISSO decides not to proceed with certification, he or she will indicate the C&A Phase to return to for rework.

4-6.4.11 Certifier Escalates Security Concerns or Certifies Information Resource

The certifier (program manager, C&A process) reviews the C&A evaluation report and the supporting C&A documentation package, escalates security concerns to the executive sponsor and Business Relationship portfolio manager or prepares and signs a certification letter, and forwards the certification letter and C&A evaluation report to the accreditor.

If the certifier decides not to certify the information resource, he or she will indicate the C&A Phase to return to for rework.

4-6.4.12 Accreditor Escalates Security Concerns or Accredits Information Resource

The accreditor (manager, CISO) reviews the certification letter, the C&A evaluation report, and risk mitigation plan and takes one of the following actions:

  1. Escalates security concerns to the VP IT and the VP functional business area and indicates the C&A Phase to return to for rework.
  2. Prepares and signs a Full Accreditation Letter, and forwards the Full Accreditation Letter to the VP IT and the VP functional business area.
  3. Prepares and signs a Conditional Accreditation Letter with some requirements that need to be met within a certain time frame and forwards the Conditional Accreditation Letter to the VP IT and the VP functional business area. If the requirements are not met in the indicated time frame, the accreditor will issue a Failure To Comply Letter to the VP IT and the VP functional business area.

4-6.4.13 VP IT and VP Functional Business Area Prepare and Sign Risk Acceptance Letter (if Required)

If a documented vulnerability associated with the medium or high residual risk will not be mitigated, [1] the VP IT and VP functional business area prepare and sign a Risk Acceptance Letter and forward the letter to the accreditor or [2] if the VP IT and VP functional business area decide not to sign a Risk Acceptance Letter, the accreditor will issue a Failure To Comply Letter.

Exhibit 4-6, Phase 6, CAT (pp. 1 through 4 of 4)