4-9.4 Activities

4-9.4.1 Dispose of Sensitive-Enhanced or Sensitive Data

Postal Service sensitive-enhanced or sensitive information that is no longer needed, whether in electronic or nonelectronic format, must be transferred, archived, or destroyed in accordance with official Postal Service policies and procedures.

4-9.4.2 Dispose of Equipment and Associated Electronic Storage

Postal Service hardware and associated electronic storage containing sensitive-enhanced or sensitive information that is no longer needed must be completely erased (sanitized) or destroyed prior to disposal.

4-9.4.3 Retire Information Resource

Information resources may eventually be retired. Upon determination that an information resource has reached the end of its life cycle, the executive sponsor ensures all data is completely removed from the assets being retired and retires the information resource in accordance with Handbook AS-805, Information Security.

Exhibit 4-9

Retire

Exhibit 4-9, Retire

Exhibit 4-10

C&A Templates

 

Template Name

Applicability

Purpose

Plan of Action and Milestones (POA&M)

For all information resources.

To identify tasks needing to be accomplished with resources required, responsibilities, milestones and completion dates. Also known as the TSLC Project Plan.

Application Characterization

For all information resources.

To provide the background information required to secure the application and Postal Service information.

Business Impact Assessment (BIA)

For all information resources.

To determine level of sensitivity and criticality and the information security requirements.

Security Plan

For all information resources.

To create a blueprint for designing, building, and maintaining an information resource that can be defended against threats and intruders, both internal and external.

Contingency Planning documents

For critical information resources.

To provide cost-effective recovery of an information resource and protection of assets in the event of a significant interruption of computing services.

Security Test and Evaluation (ST&E) Plan

For all information resources.

To evaluate technical/nontechnical security controls/safeguards to establish extent to which an information resource meets security requirements.

Independent Risk Assessment Report

May be recommended if information resource is publicly accessible; developed, hosted, managed primarily by non-Postal Service personnel; highly visible or has high impact. May be required at any time by the CIO; VP IT; Mgr., CISO; or VP of the functional business area.

To provide a standard report format to document results of independent risk assessment; i.e., one conducted by an entity outside the development organization.

Risk Assessment

For all information resources.

To identify assets at risk and their value and weaknesses and vulnerabilities, evaluate threats and vulnerabilities to determine risks, identify additional controls, analyze costs and benefits of the controls, and complete the risk assessment report.

Risk Mitigation Plan

For all information resources where residual risk is “High” or “Medium”.

For the project manager to describe the plan to mitigate the “High” or “Medium” residual risks.

C&A Evaluation Report

For all information resources.

To document the ISSO’s evaluation of technical and nontechnical security features and other safeguards to establish extent to which an information resource meets security requirements.

Certification Letter

For sensitive-enhanced, sensitive, or critical information resources.

For the certifier to recommend approval for an information resource to be deployed if the “High” and “Medium” residual risks are mitigated.

Accreditation Letter

For sensitive-enhanced, sensitive, or critical information resources.

For the accreditor to recommend approval for an information resource to operate in given operational concept and environment at a documented level of residual risk.

Risk Acceptance Letter for Documented Vulnerability

For all information resources to document a vulnerability that will not be mitigated.

For the VP IT and VP functional business area to accept responsibility for a documented vulnerability that will not be mitigated.

Exhibit 4-11

C&A Requirements for Information Resources

 

Phase

C&A Deliverable

New & Major Information Resource Modifications

Recertifications

Service Based Contracts

NS & NC

All Other Information Resources

Deliverables

Responsible

Deliverables

Responsible

Deliverables

Responsible

Deliverables

Responsible

2

Information Resource Characterization

Yes

Project Mgr.

Yes

Project Mgr.

Yes

Project Mgr.

Yes

Project Mgr.

2

BIA

Yes

Project Mgr.

Yes

Project Mgr.

Yes

Project Mgr.

Yes

Project Mgr.

3

Security Specs

Yes

Project Mgr.

Yes

Project Mgr.

Yes

Project Mgr.

Yes

Project Mgr.

3

Security Plan

Yes

Project Mgr.

Yes

Project Mgr.

Yes

Project Mgr.

Yes

Project Mgr.

3

Site Security Review

 

 

Yes

ISSO & USPIS

If applicable

ISSO & USPIS

Yes

ISSO & USPIS

4

SOPs

 

 

If applicable

Project Mgr.

If applicable

Project Mgr.

Yes

Project Mgr.

4

Operation Training Materials

 

 

If applicable

Project Mgr.

If applicable

Project Mgr.

Yes

Project Mgr.

4-5

Contingency Plans

 

 

Yes

Project Mgr.

If applicable

Project Mgr.

Yes

Project Mgr.

4

NCRB Request

Yes

Project Mgr.

Yes

Project Mgr.

Yes

Project Mgr.

Yes

Project Mgr.

5

ST&E Plan

Yes

Project Mgr.

Yes

Project Mgr.

If applicable

Project Mgr.

Yes

Project Mgr.

6

Security Code Review

Based on Requirements

Project Mgr.

Based on Policy Requirements

Project Mgr.

If applicable

Project Mgr.

Based on Policy Requirements

Project Mgr.

6

ST&E Testing & Report

Yes

Project Mgr.

Yes

Project Mgr.

If applicable

Project Mgr.

Yes

Project Mgr.

6

Vulnerability Scan

Yes

CISO

Yes

CISO

Yes

CISO

Yes for Sensitive

CISO

6

Penetration Test

 

 

If applicable

CISO

If applicable

CISO

If applicable

CISO

6

Independent Reviews

 

 

If applicable

Project Mgr.

If applicable

Project Mgr.

If applicable

Project Mgr.

6

Risk Assessment

Yes

Project Mgr.

Yes

Project Mgr.

Yes

Project Mgr.

Yes

Project Mgr.

6

Risk Mitigation Plan

Yes for High/ Mod Risk

Project Mgr.

Yes for High/ Moderate Risk

Project Mgr.

Yes for High/ Mod Risk

Project Mgr.

Yes for High/ Mod Risk

ISSO

6

Evaluation Report

YES

ISSO

Yes

ISSO

Yes

ISSO

 

 

6

Certification Letter

YES

ISSO Mgr

Yes

Certifier

Yes

Certifier

 

 

6

Accreditation Letter

YES

Mgr CISO

Yes

Accreditor

Yes

Accreditor

 

 

6

Risk Acceptance Letter

Yes for vulnerability that will not be mitigated

VP IT and VP Functional Business Area

Yes for vulnerability that will not be mitigated

VP IT and VP Functional Business Area

Yes for vulnerability that will not be mitigated

VP IT and VP Functional Business Area

Yes for vulnerability that will not be mitigated

VP IT and VP Functional Business Area

8

Contingency Test Results

 

 

Yes

Business Relationship Management Portfolio Mgr. & Executive Sponsor

Yes

Business Relationship Management Portfolio Mgr. & Executive Sponsor

Yes

Business Relationship Management Portfolio Mgr. & Executive Sponsor

8

Revised C&A Documents

As needed or every 3 years

ISSO & Project Mgr

As needed or every 2 years; yearly for PCI

ISSO & Project Mgr

As needed or every 2 years; yearly for PCI

ISSO & Project Mgr

As needed or every 2 years

ISSO & Project Mgr

9

Retirement Request

Yes

Project Mgr.

Yes

Project Mgr.

Yes

Project Mgr.

Yes

Project Mgr.

9

Retirement Certification

Yes

Project Mgr.

Yes

Project Mgr.

Yes

Project Mgr.

Yes

Project Mgr.