Information Technology (Continued)

12-5.2.2 Application Disaster Recovery Plan Requirements

ADRPs must meet the following requirements:

a. An ADRP must be developed, tested, and maintained for critical and business-controlled criticality applications.

b. Completed ADRPs must be reviewed and accepted by Business Continuance Management before testing can be scheduled.

c. The ADRP completion date and the scheduled ADRP test date must be documented in the EIR.

12-5.1 Scope

The DRP must be implemented for all critical and business- controlled criticality information resources.

12-5.2. Application Disaster Recovery Plan

An ADRP addresses the requirements for restoring the application at a facility other than the primary facility.

12-5.2.1 Application Disaster Recovery Plan Templates

ADRP templates are available on the IT Web site, under Support and Disaster Recovery Services.

d. The ADRP test must be certified by the development organization, the executive sponsor, and the BCM manager.

e. At the completion of the ADRP testing cycle, the ADRP test completion date must be documented in the EIR.

f. ADRPs for critical and business-controlled criticality applications must be tested within 180 days of going into production.

g. Critical applications must complete a fully operational recovery test of the ADRP every 18 months.

h. Business-controlled criticality applications must complete either a tabletop walkthrough to test the application or an operational recovery test of the ADRP every 36 months.

i. ADRPs must be stored in the designated plan repository.

j. A hard copy of each ADRP must be securely stored off-site with the facility recovery plan of the facility where the application is housed.

k. All copies of ADRPs must be protected as restricted information.

12-6 Relationship of Criticality and Recovery Time Objective

The criticality of an application is determined during the Application BIA. The RTO, which is the maximum allowable downtime for an application, is determined for applications designated as critical or business-controlled criticality. The RTO must be commensurate with the level of criticality. If there is a significant mismatch between the RTO and the criticality designation, the RTO and criticality designation must be reviewed. As a general rule, the more critical the application the lower the RTO. A lower RTO often requires a larger investment in BCM resources, which, in turn, results in higher costs.

The EIR is updated with the criticality and RTO at the completion of the BIA process. The RTO may be adjusted later, in consultation with the DR service provider, as the DR strategy is defined. Also at this time, the data currency requirements/recovery point objective (RPO) will be determined. The DR service provider uses the EIR to identify which applications require the development and testing of an ADRP.

12-7 Mainframe Recovery Testing for Computer Operations Service Centers

Full recovery testing of mainframe applications for the IT Computer Operations Service Centers located at San Mateo, California, and Eagan, Minnesota, is required every 36 months. Testing requirements for critical and business-controlled criticality applications are unchanged by this requirement.

12-8 Backup of Information Resources

All information resources must implement backup procedures. The responsible Postal Service manager must define the appropriate backup media and frequency.

However, applications determined by the BIA to be critical or business-controlled criticality must implement backup and recovery strategies sufficient to meet the RTO and data currency requirements.

12-8.1 What to Back Up

All essential components of an information resource required for continued operations must be backed up. Backups will include, but are not limited to, operating systems, configuration files, general utilities, application software, data, supporting files and tables, scripts, standard operating procedures, specialized equipment, and related documentation.

12-8.2 Backup Schedules

All essential components must be backed up on a schedule that is sufficient to meet the RTO and RPO of the application or information resource as defined by the executive sponsor that controls the essential component.

12-8.3 Backup Inventory

An inventory of critical and business-controlled criticality applications backup media and supporting materials must be maintained. A copy of the inventory must be securely stored off-site or stored in a fireproof container at the facility that hosts the application. An inventory of backup media and materials is recommended for all other information resources.

12-8.4 Backup Storage Requirements

Backup media must be stored in a secure location (such as a locked cabinet or room with controlled access).

12-8.5 Off-Site Backup Storage Requirements

Backup media for critical and business-controlled criticality applications must be stored off-site at a location that is not subject to the same threats as the original media. Off-site storage of backup media is recommended for all other information resources.

12-8.6 Backup Verification

Backup media for critical and business-controlled criticality applications must be verified to ensure that backups are complete and can be read. From time to time, the application and associated backup hardware and software should be tested with the backup media to ensure the application can be successfully restored and used. Verification of backup media is recommended for all other information resources.

12-8.7 Backup Disposal

All unneeded electronic backup media or hardware containing sensitive and business-controlled sensitivity electronic media must be erased using a method that complies with the most current Postal Service policy and processes on the disposal of sensitive and business-controlled sensitivity media.

12-9 BCM Plan Maintenance and Testing Requirements Summary

12-10 Operational Workarounds

For essential components of an information resource, operational workaround procedures should be developed (where possible) for use whenever the RTO cannot be met for recovery of the application or information resource. If implemented, these manual workaround procedures will be sustained until the essential components are fully restored at the host facility.

12-11 Continuity of Operations Planning

It is the policy of the Postal Service to respond quickly at all levels in the event of an emergency or threat, including human, natural, technological, and other emergencies or threats, to continue critical operations. Each Postal Service organizational element must be prepared to continue to function and to resume critical operations efficiently and effectively if they are interrupted.

We must plan for meeting the demands of a wide spectrum of emergency scenarios to ensure the continuance and uninterrupted delivery of critical services to the public, other federal agencies, tenants, clients, and employees. Continuity of operations planning must be maintained at a high level of readiness, be capable of being activated both with and without warning, achieve operational status no later than 12 hours after activation, and maintain sustained operations for up to 30 days or until termination. COOP plans must be stored in the Postal Emergency Management System (PEMS). Contact the Office of Emergency Preparedness for additional information on COOP plans.

Each facility designated by the VP/CTO as a major information technology site must include COOP plan requirements in their IMT and FRP to provide the processes and guidance to ensure the safety of personnel and the continuance of critical operations in the event of an emergency or threat of an emergency.

13 Incident Management

[Revise text of chapter 13 to read as follows:]

13-1 Policy

Postal Service information resources must be protected against events that may jeopardize information security by contaminating, damaging, or destroying information resources. All information security incidents must be reported in accordance with the policies and procedures provided below regardless of whether or not damage appears to have been incurred.

13-2 Roles and Responsibilities

Specific Postal Service roles and responsibilities for incident management are defined in the sections below and are depicted in Exhibit 13.2.

13-2.1 Inspector General

The inspector general, Office of the Inspector General (OIG), is responsible for the following:

a. Conducting independent financial audits and evaluations of the operation of the Postal Service to ensure that its assets and resources are fully protected.

b. Preventing, detecting, and reporting fraud, waste, and program abuse.

c. Investigating computer intrusions as per the designation of functions between the OIG and the Postal Service Inspection Service.

d. Funding CISO investigative efforts outside of those normally required.

13-2.2 Manager, Office of the Inspector General, Computer Crimes Unit

The manager, Office of the Inspector General (OIG), Computer Crimes Unit (CCU) is responsible for the following:

a. Functioning as an ongoing liaison with the Computer Incident Response Team (CIRT).

b. Serving as a point of contact between the CIRT and law enforcement agencies.

c. Conducting criminal investigations of attacks upon Postal Service networks and computers.

13-2.3 Chief Inspector

The chief inspector, Postal Inspection Service, is responsible for the following:

a. Providing physical protection and incident containment assistance during the investigation of information security incidents, as appropriate.

b. Investigating reported violations of security regulations.

c. Conducting revenue/financial investigations of such crimes as theft, embezzlement, or fraudulent activity.

d. Investigating information security incidents, as appropriate.

e. Funding CISO investigative effort outside of that normally required.

13-2.4 Manager, Corporate Information Security Office

The manager, Corporate Information Security Office (CISO), is responsible for the following:

a. Ensuring that a process for managing information security incidents is implemented.

b. Escalating information security incidents to executive management as appropriate.

c. Ensuring that lessons learned from information security incidents are incorporated into ongoing computer security awareness and training programs.

d. Providing support to the OIG and the Inspection Service as requested.

e. Assessing and ensuring compliance with information security incident management policies through inspections, reviews, and evaluations.

13-2.5 Managers, Computing Operations and Advanced Computing Environment Infrastructure

The managers, computing operations and advanced computing environment (ACE) infrastructure are responsible for the following:

a. Creating and maintaining a timely patch management process.

b. Deploying patches to resources under their control.

c. Protecting information resources at risk during security incidents, if feasible.

d. Implementing virus containment.

e. Providing guidance and education on virus response.

f. Assisting in restoring information resources following a virus attack.

g. Reporting suspected information security incidents to the CIRT in a timely manner.

h. Deploying anti-virus software and updates, as required.

i. Deploying anti-virus pattern file updates, as required.

j. Disseminating security awareness and warning advisories to local users.

k. Ensuring the completion of a PS Form 1360, Information Security Incident Report, or an acceptable facsimile.

13-2.6 Program Manager, Secure Infrastructure Services

The program manager, Secure Infrastructure Services (SIS), is responsible for the following:

a. Providing security incident detection through perimeter virus scanning and intrusion detection services.

b. Approving, managing, and ensuring appropriate perimeter virus scanning, penetration testing, and network vulnerability scans and testing.

c. Managing the CIRT to assist the Postal Service to contain, eradicate, document, and recover following a computer security incident, and return to a normal operating state.

d. Implementing necessary corrective measures learned from incidents or from other sources.

e. Providing network intrusion detection services (IDS).

f. Providing network vulnerability testing and analysis services.

13-2.7 Computer Incident Response Team

The CIRT is responsible for the following:

a. Providing timely and effective response to computer security incidents as they occur based on an established priority for handling incidents.

b. Working with an affected organization to contain, eradicate, document, and recover following a computer security incident.

c. Engaging other Postal Service organizations including, but not limited to, the OIG and Inspection Service.

d. Escalating information security issues up the management chain, as required.

e. Conducting a post-incident analysis, where appropriate, and recommending preventive actions.

f. Maintaining a system for tracking incidents until they are closed.

g. Maintaining a repository for documenting and analyzing Postal Service-wide security incidents.

h. Interfacing with other governmental agencies and private sector computer incident response organizations.

i. Participating in and providing information for Postal Service security awareness.

j. Providing support to the OIG and the Inspection Service, as requested.

13-2.8 Manager, Telecommunications Services

The manager, Telecommunications Services, is responsible for the following:

a. Conducting perimeter scanning for viruses, malicious code, and usage of nonstandard network protocols and immediately reporting suspected information security incidents to the CIRT.

b. Monitoring network traffic for anomalies and immediately reporting anomalies to the CIRT.

c. Protecting information resources at risk during security incidents, if feasible.

d. Providing support to the CIRT for incident containment and response, as requested.

e. Ensuring the completion of a PS Form 1360, Information Security Incident Report, or an acceptable facsimile.

13-2.9 Executive Sponsors

Executive sponsors are responsible for the following:

a. Reporting suspected information security incidents to the CIRT in a timely manner.

b. Protecting information resources at risk during security incidents, if feasible.

c. Assisting in the containment of security incidents, as required.

d. Following contingency plans for disruptive incidents.

e. Assessing damage caused by the incident and taking corrective and preventive measures.

f. Documenting conversations and actions taken to handle the incident.

g. Ensuring the completion of a PS Form 1360, Information Security Incident Report, or an acceptable facsimile.

h. Providing resources to correct the damage and remove the vulnerability identified by the incident.

13-2.10 All Managers

Managers at all levels are responsible for the following:

a. Reporting suspected information security incidents to the CIRT in a timely manner.

b. Protecting information resources at risk during security incidents, if feasible.

c. Assisting in the containment of security incidents, as directed by the CIRT.

d. Following contingency plans for disruptive incidents.

e. Assessing damage caused by the incident and taking appropriate corrective and preventive measures.

f. Documenting conversations and actions taken to handle the incident.

g. Ensuring the completion of PS Form 1360, Information Security Incident Report, or an acceptable facsimile.

h. Participating on calls to the CIRT or designating a responsible party to call in.

13-2.11 Security Control Officers

Security control officers (SCOs) are responsible for the following:

a. Reporting suspected information security incidents to the CIRT in a timely manner.

b. Providing support to the CIRT for incident containment and response as requested.

c. Ensuring the completion of a PS Form 1360, Information Security Incident Report, or an acceptable facsimile.

d. Responding to physical security incidents.

e. Reporting physical security incidents to the Inspection Service.

f. Interfacing with CIRT, Inspection Service, ISS, or OIG, as required.

13-2.12 System Administrators

System administrators, including network, firewall, and database administrators, are responsible for the following:

a. Reviewing audit and operational logs and maintaining records of the reviews.

b. Identifying anomalies and possible internal and external attacks on Postal Service information resources and immediately reporting them to the CIRT.

c. Protecting information resources at risk during information security incidents, if feasible.

d. Assisting in the containment of security incidents, as required.

e. Taking action, as directed by the CIRT, to eradicate the incidents and recover from them.

f. Participating in follow-up calls with the CIRT.

g. Fixing issues identified following an incident.

h. Initiating a PS Form 1360, Information Security Incident Report, or an acceptable facsimile.

i. Ensuring that security patches and bug fixes are updated and kept current for resources under their control.

j. Ensuring that virus protection software and signature files are updated and kept current for resources under their control.

13-2.13 Managers, Help Desks

The managers, Help Desks, are responsible for the following:

a. Creating the entry for the problem tracking management system for security incidents reported to the Help Desks.

b. Providing technical assistance for responding to suspected virus incidents reported to the Help Desks.

c. Escalating unresolved suspected virus events to the CIRT.

13-2.14 All Personnel

All personnel are responsible for the following:

a. Protecting information resources at risk during security incidents, if feasible.

b. Calling the appropriate Help Desk for technical assistance for response to suspected virus incidents.

c. Reporting suspected information security incidents immediately to the CIRT, their immediate supervisor or manager, and system administrator.

d. Taking action, as directed by the CIRT, to protect against information security incidents, to contain and eradicate them when they occur, and to recover from them.

e. Documenting all conversations and actions regarding the security incident.

f. Completing PS Form 1360, Information Security Incident Report, or an acceptable facsimile.

13-2.15 Business Partners

Business partners are responsible for the following:

a. Protecting information resources at risk during security incidents, if feasible.

b. Reporting suspected information security incidents promptly to the CIRT, the executive sponsor, and the information systems security officer (ISSO) assigned to their project.

c. Taking action, as directed by the CIRT, to protect against information security incidents; to contain, eradicate, and document them when they occur; and to recover from them.

d. Documenting all conversations and actions regarding the security incident.

e. Completing PS Form 1360, Information Security Incident Report, or an acceptable facsimile.

f. Maintaining information security "best practices" on all information resources connecting to the Postal Service infrastructure to include security patches and anti-virus pattern recognition files.

Exhibit 13.2 Incident Management Responsibilities

Other managers and organizations with responsibilities for incident management include: CIRT; OIG-CCU; business partners; and managers, Help Desks (see Appendix A, Consolidated Roles and Responsibilities, for details).

13-3 Information Security Incidents

13-3.1 Overview

Information security incidents are events, whether suspected or proven, deliberate or inadvertent, that threaten the integrity, availability, or confidentiality of information resources. The reporting of incidents enables the responsible organizations to review the security controls and procedures; establish additional, appropriate corrective measures, if required; and reduce the likelihood of recurrence. To protect the Postal Service computing environment, the manager, CISO, may get involved at any point on any level for information security related incidents impacting the Postal Service.

13-3.2 Reportable Incidents

Reportable incidents include, but are not limited to, the following:

a. Physical loss, theft, or unauthorized destruction of Postal Service information resources; e.g., missing or damaged hardware, software, or electronic media.

b. Unauthorized disclosure, modification, misuse, or inappropriate disposal of Postal Service information.

c. Internal or external unauthorized access attempts to access information or the facility where it resides.

d. Unauthorized activity or transmissions using Postal Service information resources.

e. Internal or external intrusions or interference with Postal Service networks, such as denial-of-service attacks, unauthorized activity on restricted systems, unauthorized modification or deletion of files, or unauthorized attempts to control information resources.

f. Information resources with system software that is not patched to the current level.

g. Information resources with virus protection software that is not patched to the current level or is disabled.

h. Information resources with virus pattern recognition files that are not current.

i. Sudden unavailability of files or data normally accessible.

j. Unexpected processes, such as e-mail transmissions, that start without user input.

k. Files being modified, though no changes in them should have occurred.

l. Files appearing, disappearing, or undergoing significant and unexpected changes in size.

m. Systems displaying strange messages or mislabel files and directories.

n. Systems becoming slow, unstable, or inaccessible (e.g., will not boot properly).

o. Data altered or destroyed, or access denied outside of normal business procedures.

p. Detection of unauthorized personnel in controlled information security areas.

q. Security violation, suspicious actions, or suspicion or occurrence of embezzlement or other fraudulent activities.

r. Suspected bribery, kickbacks, and conflicts of interest.

s. Revenue loss involving an information system.

t. Prohibited mass electronic mailings.

u. Potentially dangerous activities or conditions.

v. Illegal activities.

w. Violation of Postal Service information security policies and procedures.

13-4 Incident Prevention

The following actions by Postal Service personnel can help prevent information security incidents:

a. Display proper badge when in any Postal Service facility.

b. Be aware of your physical surroundings, including weaknesses in physical security and the presence of any unauthorized visitor.

c. Use only approved computer hardware and software with the latest patches installed.

d. Install and maintain an updated virus protection software and pattern recognition files.

e. Do not download, install, or run a program unless you know it to be authored by a person or company that you trust.

f. E-mail users should be wary of unexpected attachments.

g. E-mail users should be wary of URLs, because they can link to malicious content. A common social engineering technique known as phishing uses misleading URLs to entice users to visit malicious Web sites.

h. Install a personal firewall.

i. Use a strong password of at least eight characters composed of upper- and lower-case alphabetic, numeric, and special characters.

j. Encrypt information physically removed from a Postal Service facility or transmitted over a non-secure network such as the Internet.

k. Back up data stored on local workstation.

l. Follow best practices, including the following:

1. Be wary of unexpected attachments. Know the source of the attachment before opening it. Remember that many viruses originate from a familiar e-mail address.

2. Be wary of URLs in e-mail or instant messages. URLs can link to malicious content that, in some cases, may be executed without your intervention.

3. Be wary of social engineering attempts to solicit restricted information, such as account numbers and passwords.

4. Users of technology such as instant messaging and file-sharing services should be careful of following links or running software sent by other users. These are commonly used methods among intruders attempting to build networks of distributed denial-of-service agents.

5. Use strong passwords of at least eight characters composed of upper- and lower-case alphabetic, numeric, and special characters.

13-5 Preliminary CIRT Activities

The following preliminary activities can improve the CIRT's ability to respond to information security incidents:

a. Develop an incident response plan. Predetermine necessary actions and responses to specific classes of incidents to facilitate the making of decisions under pressure with minimal information.

b. Implement secure connections to make Intrusion Detection System (IDS) policy changes and attack signature updates.

c. Verify automated responses from IDS, etc.

d. Conduct penetration testing at times known only to personnel with a need to know.

e. Regularly review available information sources such as advisories and research findings to maintain currency.

f. Notify management of potentially harmful events.

g. Prioritize the severity of information security incidents.

h. Document lessons learned to improve CIRT operations.

13-6 Incident Response

13-6.1 Incident Reporting

Information security incidents must be immediately reported to the CIRT via telephone at 1-866-USPS-CIR(T) or 1-866-877-7247 or via an e-mail to uspscirt@usps.gov. The CIRT telephone number is a 24 X 7 hotline. Do not dismiss a suspected incident or discount its seriousness.

In addition to the CIRT, the following personnel may be notified, as appropriate:

a. Help Desk at 1-800-USPS-HELP or 1-800-877-7435.

b. Immediate supervisor or manager.

c. Local system administrator or local technical support.

d. Corporate Information Security Office (CISO) at 1-919-501-9350.

e. Security Control Officer (SCO).

f. Inspection Service.

g. Office of the Inspector General (OIG) at 1-888-877-7644.

A PS Form 1360 must be completed and submitted to the CIRT. An acceptable facsimile containing the same information required on the form may be submitted.

13-6.2 Information Resource Protection

When an information security-related situation or incident is suspected or discovered, personnel must take steps, as directed by the CIRT, to protect the information resource(s) at risk. Appropriate actions are:

a. Do not shut down or power off a system after a computer incident occurs.

b. Do not make any changes to the equipment or network in question without direction from the CIRT.

c. Do not discuss or e-mail anyone about the situation or incident unless directed to do so by the CIRT.

d. Follow CIRT instructions with regard to options and strategies for containment and recovery from the incident.

e. Close and lock doors to protect unattended equipment.

f. Turn off computer monitor so screen cannot be viewed.

g. Challenge personnel without badges.

13-6.3 Incident Containment

Supervisors or managers who suspect, discover, or are notified of a security-related event must immediately notify the CIRT and initiate appropriate response procedures to contain the incident, protect the confidentiality and integrity of Postal Service information, and ensure business continuity. Appropriate actions following the identification of a security incident include, but are not limited to, the following:

a. Notifying CIRT for assistance to contain, eradicate, and recover from the security incident.

b. Notifying the Inspection Service of a physical security incident.

c. Documenting in a journal or log all conversations and actions taken during the incident handling and response process and making this log available to management personnel on request.

d. Ensuring personnel follow contingency plans for recovering from disruptive incidents.

e. Ensuring the completion of a PS Form 1360.

13-6.4 Processing Incident Reports

The CIRT is responsible for the following:

a. Logging and tracking security incident reports.

b. Ensuring appropriate response and resolution of security incidents.

c. Engaging appropriate organizational resources, such as the Virus Response Team (VRT), OIG, Inspection Service, etc.

d. Evaluating and escalating incident reports requiring further action.

e. Retaining incident reports, supporting evidence, and journals for 1 year or for a time period determined by the OIG.

f. Providing Inspection Service and OIG access to all reported information security incidents.

g. Complying with federal sector security incident reporting requirements.

13-6.5 Incident Investigation

A member of the OIG-CCU team is co-resident with the CIRT and investigates, along with the Inspection Service, violations of state and federal laws enacted to protect the authenticity, privacy, integrity, and availability of electronically stored and transmitted information.

13-6.6 Incident Analysis

The CIRT will analyze security incidents and prepare reports summarizing the causes, frequency, and damage assessments of information security incidents.

CIRT management will analyze the CIRT reports to improve the information security program and keep Postal Service executive management apprised as to the state of information security.

13-6.7 Incident Escalation

It may be necessary to escalate an individual incident up the management chain based on the following criteria:

a. Number of sites and systems under attack.

b. Type of data at risk.

c. Severity of the attack.

d. State of the attack.

e. Source or target of the attack.

f. Impact on the integrity of the infrastructure or cost of recovery.

g. Attack on a seemingly "secure" information resource.

h. Personnel awareness of the attack.

i. New attack method use.

* * * * *

Appendix A, Consolidated Roles and Responsibilities

[Revise the text of Appendix A to read as follows:]

1 Chief Inspector

The chief inspector is the security officer for the Postal Service and has delegated authority for the information security program to the vice president, Chief Technology Officer. For a complete description of Postal Inspection Service responsibilities, see the Administrative Support Manual. The chief inspector is responsible for the following:

a. Establishing policies and procedures for personnel security, including criteria for clearances and criteria and the identification of sensitive positions.

b. Determining whether a position is sensitive.

c. Establishing policies and procedures for physical and environmental security.

d. Issuing security requirements for personnel, physical, and environmental security.

e. Conducting background investigations and granting personnel clearances.

f. Conducting site security reviews, surveys, and investigations of sites to evaluate all aspects of physical, environmental, and personnel security.

g. Ensuring the physical security of facilities containing Postal Service computer and telecommunications equipment, and monitoring physical access as deemed necessary.

h. Providing technical guidance on physical and environmental security activities that support information security, such as controlled areas, access lists, physical access control systems, and identification badges; providing protection of workstations, portable devices, and sensitive, critical, and business-controlled media.

i. Directing the use of the Postal Service Security Force.

j. Providing security consultation and guidance during system, application, and product development to assure that security concerns are addressed and information and/or evidence that may be needed for an investigation is retained by the information resource.

k. Assisting the manager, Corporate Information Security Office (CISO), with reviews, as appropriate.

l. Investigating reported violations of security regulations.

m. Conducting revenue/financial investigations including theft, embezzlement, or fraudulent activity.

n. Providing physical protection and containment assistance and investigating information security incidents as appropriate.

o. Funding CISO investigative efforts outside of those normally required.

p. Managing, securing, scanning, monitoring, and supporting the Inspection Service's own network and information technology (IT) infrastructure.

2 Vice President, Chief Technology Officer

The vice president, Chief Technology Officer (VP/CTO) is responsible for the following:

a. Ensuring the implementation of information security assurance processes.

b. Identifying and authorizing baseline information resource services for personnel.

c. Ensuring that data is assigned to an organizational entity for stewardship.

d. Ensuring that financial, personnel, and physical resources are available for completing security tasks.

e. Ensuring the protection and secure implementation of the Postal Service information technology infrastructure.

f. Together with the vice presidents of the functional business areas, accepting, in writing, residual risk of information resources and approving deployment.

3 Manager, Corporate Information Security Office

The chief inspector has delegated to the VP/CTO responsibility for the information security program. The VP/CTO, in turn, has delegated authority for development, implementation, and management of the information security program to the manager, CISO. The manager, CISO, is responsible for the following:

a. Setting the overall strategic and operational direction of the Postal Service information security program and its implementation strategies.

b. Engaging at any point on any level for issues related to information security that impact the Postal Service.

c. Recommending members to the Information Security Executive Council.

d. Developing information security policies, processes, and procedures.

e. Managing the Information Security Assurance (ISA) process.

f. Managing and providing guidance to the information systems security officers (ISSOs).

g. Reviewing ISA evaluation reports and documentation packages and forwarding both to the accreditors.

h. Maintaining an inventory of all information resources that have completed the ISA process.

i. Managing the network connectivity review process (see Handbook AS-805-D, Information Security Network Connectivity Process).

j. Designating chairpersons for the Network Connectivity Review Board (NCRB) and the Information Security Policy Review Board.

k. Ensuring secure and appropriate connectivity to the Postal Service intranet.

l. Conducting site security reviews, as requested, or providing support to the Postal Inspection Service during its site security reviews, as requested.

m. Providing consulting support regarding physical, administrative, and technical security controls and processes that safeguard the availability and integrity of the Postal Service intranet.

n. Providing consulting support for securing the network perimeter, infrastructure, integrity controls, asset inventory, identification, authentication, authorization, intrusion detection, penetration testing, and audit logs.

o. Designating the chairperson of the Network Connectivity Review Board (NCRB).

p. Providing leadership of the Security Forum for the Enterprise Architecture (EA) Forum.

q. Developing and implementing a comprehensive information security training and awareness program.

r. Serving as the central point of contact for all information security issues, and providing overall consultation and advice on information security policies, processes, requirements, controls, services, and issues.

s. Assessing the adequacy of information security processes in a changing information infrastructure and updating those processes as necessary.

t. Assessing the adequacy of physical, environmental, and administrative security controls in a changing information technology environment and recommending changes as necessary.

u. Providing guidance and oversight for information security architecture, technologies, procedures, and controls.

v. Establishing evaluation criteria and recommending security hardware, software, and audit tools.

w. Providing guidance and oversight on application security.

x. Approving the establishment of shared accounts.

y. Certifying the adequacy of security controls implemented on sensitive, critical, and business-controlled information resources developed for, endorsed by, or operated on behalf of the Postal Service.

z. Implementing a system for information security incident handling and reporting.

aa. Ensuring that a process for managing information security incidents is implemented.

ab. Incorporating lessons learned from information security incidents into ongoing computer security awareness and training programs.

ac. Ensuring compliance to information security policies through inspections, reviews, and evaluations.

ad. Providing support to the Office of the Inspector General and the Inspection Service during the conduct of investigative activities concerning information security, the computing infrastructure, and network intrusion, as requested.

ae. Providing support to the chief inspector during the conduct of facility/site security reviews, as requested.

af. Escalating security issues to executive management and promulgating security issues and recommended corrective actions across the Postal Service.

ag. Authorizing monitoring and surveillance activities of information resources.

ah. Authorizing (in case of threats to our infrastructure, network, or operations) appropriate actions that may include viewing and/or disclosing data to protect Postal Service resources or the nation's communications infrastructure.

ai. Confiscating and removing any information resource suspected of inappropriate use or violation of Postal Service information security policies to preserve evidence that might be used in forensic analysis of a security incident.

aj. Reviewing and approving information security policy for mail processing equipment / mail handling equipment.

4 Information Security Executive Council

The Information Security Executive Council consists of appropriate Postal Service representatives and serves as a steering committee advising the CISO on the following:

a. Prioritizing security issues based on business requirements.

b. Funding information security programs.

c. Promulgating information security throughout the Postal Service.

5 Vice Presidents, Functional Business Areas

The vice presidents of Postal Service functional business areas are responsible for the following:

a. Approving and funding the development of information resources.

b. Ensuring resources are available for completing information security tasks.

c. Ensuring the security of all information resources within their organization.

d. Together with the VP/CTO, accepting, in writing, residual risks associated with information resources under their control and approving deployment.

e. Ensuring that contractual agreements require all contractors, vendors, and business partners to adhere to Postal Service information security policies.

6 Vice President, Emergency Preparedness

The vice president, Emergency Preparedness, is responsible for the following:

a. Developing, implementing, and coordinating emergency preparedness plans to protect Postal Service employees, customers, operations, and the mail during disasters and national emergencies.

b. Functioning as the Postal Service Emergency Response Coordinator.

7 Vice President, Engineering

The vice president, Engineering, is responsible for ensuring the security of information resources used in support of the mail processing environment and mail handling environment (MPE/MHE), including technology acquisition, development, and maintenance.

8 Vice President, Network Operations Management

The vice president, Network Operation Management, is responsible for the security of the mail and information resources utilized in support of MPE/MHE strategies and logistics.

9 All Officers and Managers

All officers, business and line managers, and supervisors, regardless of functional area, are responsible for the following:

a. Implementing information security policies and ensuring compliance with information security policies by organizations and information resources under their direction.

b. Ensuring that information security is a part of business decisions.

c. Promptly elevating problems, requirements, and matters requiring establishment or refinement of information security policies to the level necessary for resolution.

d. Identifying sensitive information positions in their organizations, ensuring that personnel occupying sensitive positions hold the appropriate level of clearance, and funding background investigations and clearances.

e. Managing access authorizations and documenting information security responsibilities for all personnel under their supervision.

f. Ensuring that personnel under their supervision who access information resources receive information security training commensurate with their position and responsibilities, including policies on acceptable use of information resources.

g. Providing resources, including personnel, financial, and physical assets, to meet information security requirements.

h. Promulgating information security awareness to all personnel under their supervision, ensuring that their personnel comply with Postal Service information security policies and procedures, and invoking user sanctions as required.

i. Including employee information security performance in performance evaluations.

j. Supervising the information security responsibilities of their contractor personnel in the absence of a contracting officer.

k. Processing departing personnel appropriately and notifying the appropriate system and database administrators when personnel no longer require access to information resources.

l. Initiating a written request for message and data content monitoring and send to the Chief Privacy Officer (CPO) for approval.

m. Approving or denying requests, by personnel under their supervision, for access to information resources beyond baseline information resource services and reviewing those access authorizations on a semiannual basis.

n. Ensuring that all hardware and software are obtained in accordance with official Postal Service processes.

o. Protecting information resources.

p. Ensuring the development, exercise, and maintenance of all business continuity planning (BCP) plans and assuring those plans are exercised yearly.

q. Planning for the resumption of their normal business functions when notified that the facility can be safely occupied.

r. Complying with emergency preparedness policies and processes.

s. Participating in and ensuring that their personnel participate in BCM awareness and training, testing, and exercising.

t. Providing the funding, people (e.g., site facility recovery team manager, application testers), and time necessary to develop, exercise, and maintain the BCP and DRP plans.

u. Ensuring the development, exercise, and maintenance of all ADRPs and assuring those plans are exercised as designated by their criticality.

v. Ensuring information resources under their control are available and appropriate backups are maintained.

w. Ensuring the development, testing, and maintenance of operational workarounds for essential components of an information resource under their control for use in the event that the RTO cannot be met.

x. Ensuring compliance with Postal Service information security policy and procedures.

y. Reporting suspected information security incidents to the CIRT in a timely manner, protecting information resources at risk during security incidents, containing the incident, and following contingency plans for disruptive incidents.

z. Assessing damage caused by the incident and taking appropriate corrective and preventive measures.

aa. Documenting conversations and actions taken to handle the incident and completing a PS Form 1360, Information Security Incident Report, or an acceptable facsimile.

ab. Participating on calls to the CIRT or designating a responsible party to call in.

ac. Responding to, and complying with, audit findings in their areas of responsibility.

10 Executive Sponsors

Executive sponsors, as representatives of the vice president of the functional business area, are the business managers with oversight (funding, development, production, and maintenance) of the information resource and are responsible for the following:

a. Consulting with the Chief Privacy Officer (CPO) on determining information sensitivity and Privacy Act applicability.

b. Conducting a business impact assessment (BIA) to determine the sensitivity and criticality of each information resource under his or her control and to determine the potential consequences of information resource unavailability.

c. Providing resources to ensure that security requirements are properly addressed.

d. Ensuring completion of an information resource risk assessment for all sensitive, critical, and business- controlled information resources under their purview.

e. Ensuring completion of a site security review, if the facility hosts a sensitive, critical, or business-controlled information resource.

f. Ensuring that contract personnel under their supervision comply with Postal Service information security policies and procedures.

g. Ensuring that all information security requirements are included in contracts and strategic alliances.

h. Ensuring compliance with, and implementation of, the Postal Service privacy policy, data collection policy, and customer privacy statement.

i. Appointing, in writing, an information systems security representative (ISSR).

j. Ensuring completion of security-related activities throughout the application ISA life cycle.

k. Ensuring that information resources within their purview are capable of enforcing appropriate levels of information security services to assure data integrity.

l. Implementing encryption to protect restricted information, as required.

m. Preventing residual data from being exposed to unauthorized users as information resources are released or reallocated.

n. Authorizing access to the information resources under their control and reviewing those access authorizations on a semiannual basis.

o. Ensuring information resource availability through planning for capacity, scalability, and redundancy.

p. Maintaining an accurate inventory of Postal Service information resources and coordinating hardware and software upgrades.

q. Implementing configuration management for information resources.

r. Implementing hardware, software, and application security.

s. Ensuring software is licensed and that information resources under their control are obtained in accordance with official Postal Service processes.

t. Ensuring appropriate funding for proposed business partner connectivity, including costs associated with the continued support for the life of the connection.

u. Initiating and complying with the network connectivity request requirements and process as documented in Handbook AS-805-D, Information Security Network Connectivity Process.

v. Notifying the NCRB when the business partner trading agreement ends or when network connectivity is no longer required.

w. Identifying essential business functions that support the mission of the Postal Service and determining the applications that are required to support these essential business functions.

x. Ensuring the implementation of appropriate backup and backup verification of applications.

y. Funding application recovery (including but not limited to hardware/software licenses required, ADRP development, testing, and maintenance) for applications.

z. Protecting information resources.

aa. Reporting suspected information security incidents to the CIRT in a timely manner, protecting information resources at risk during the security incident, containing the incident, and following contingency plans for disruptive incidents.

ab. Assessing damage caused by the incident; documenting conversations and actions taken to handle the incident; completing a PS Form 1360, Information Security Incident Report, or an acceptable facsimile; and providing resources to correct the damage and remove the vulnerability identified by the incident.

11 Portfolio Managers

Portfolio managers are responsible for the following:

a. Functioning as the liaison between executive sponsors and IT providers.

b. Supporting the executive sponsor in the development of information resources and the ISA process, including the BIA, risk assessment, and BCM.

c. Ensuring that the information resource is entered in the Enterprise Information Repository (EIR) and updated as required.

d. Providing coordination and support to executive sponsors for all matters relating to disaster recovery (DR) processes, e.g., coordinate and support DR costing models.

e. Functioning as the liaison between executive sponsors and DR service providers in the planning and execution of DR requirements.

f. Functioning as an accreditor for information resources under his or her purview.

12 Managers of Major Information Technology Sites

Managers of major information technology sites are responsible for the following:

a. Functioning as the Incident Management Team (IMT) leader for their facility.

b. Identifying and training key technical personnel to provide support in BCP and DRP for their facility and information resources housed in their facility and the alternate DR facilities.

13 Installation Heads

Installation heads are in charge of Postal Service facilities or organizations, such as areas, districts, Post Offices, mail processing facilities, parts depots, vehicle maintenance facilities, computer service centers, or other installations. Installation heads are responsible for the following:

a. Designating a security control officer (SCO) who will be responsible for both personnel and physical security at that facility, including the physical protection of computer systems, equipment, and information located therein.

b. Implementing physical and environmental security support for information security, such as the protection of workstations, portable devices, and sensitive, critical, and business-controlled media.

c. Controlling physical access to the facility, including the establishment and implementation of controlled areas, access lists, physical access control systems, and identification badges.

d. Funding building security equipment and security-related building modifications.

e. Maintaining an accurate inventory of Postal Service information resources at their facilities and implementing appropriate hardware security and configuration management.

f. Maintaining and upgrading all security investigative equipment, as necessary.

g. Ensuring completion of a site security review, providing assistance to the Inspection Service and ISSO as required, and accepting site residual risk.

h. Ensuring that the Postal Service security policy, guidelines, and procedures are followed in all activities related to information resources (including procurement, development, and operation) at their facility.

i. Ensuring that all employees who use or are associated with the information resources in the facility are provided information security training commensurate with their responsibilities.

j. Taking appropriate action in response to employees who violate established security policy or procedures.

k. Cooperating with the Inspection Service to ensure the physical protection of the network infrastructure located at the facility.

l. Providing consulting support for information resource backup, providing facility recovery procedures to each of the site's business units, and supporting the development and maintenance of facility recovery plans (FRPs).

m. Reporting information security incidents to the CIRT in a timely manner, containing the incident, and following contingency plans for disruptive incidents.

n. Assessing damage caused by the incident, documenting conversations and actions taken to handle the incident, and completing a PS 1360, Information Security Incident Report, or an acceptable facsimile.

14 Chief Privacy Officer

The CPO is responsible for the following:

a. Developing policy relating to defining information sensitivity and determining information sensitivity designations.

b. Developing policy on Postal Service privacy issues.

c. Providing guidance to ensure Postal Service compliance with the Privacy Act, Gramm-Leach-Bliley Act, Children's Online Privacy Protection Act, and Freedom of Information Act.

d. Developing privacy compliance standards, customer privacy statement, and customer data collection standards, including cookies and Web transfer notifications.

e. Approving requests for message and data content monitoring.

f. Consulting on and reviewing the BIA during and following completion.

g. Ensuring compliance with the determination of information resource sensitivity policy.

h. Developing appropriate data record retention, disposal, and release guidelines.

15 Inspector General

The inspector general is responsible for the following (for a description of the Office of Inspector General responsibilities, see Administrative Support Manual, Chapter 2):

a. Conducting independent financial audits and evaluation of the operation of the Postal Service to ensure that its assets and resources are fully protected.

b. Preventing, detecting, and reporting fraud, waste, and program abuse.

c. Promoting efficiency in the operation of the Postal Service.

d. Investigating computer intrusions, as per the designation of functions between the OIG and the Postal Service Inspection Service.

e. Funding CISO investigative efforts outside of those normally required.

16 Manager, Office of the Inspector General, Technical Crimes Unit

The manager, Office of the Inspector General (OIG), Technical Crimes Unit (TCU) is responsible for the following:

a. Functioning as an ongoing liaison with the CIRT.

b. Serving as a point of contact between the CIRT and law enforcement agencies.

c. Conducting criminal investigations of attacks upon Postal Service networks and computers.

17 Manager, Business Continuance Management

The manager, BCM, is responsible for the following:

a. Defining, planning, developing, implementing, managing, testing, exercising, and monitoring for compliance of a sustainable BCM Program for the Postal Service.

b. Ensuring that appropriate business continuity plans (Incident Management Team, Facility Recovery, and Workgroup Response) are developed, tested, and exercised for business functions and information technology services.

c. Ensuring that appropriate ADRPs are developed and tested for all critical and business-controlled criticality information resources that support critical business functions and services.

d. Developing and implementing lines of communication to the Chief Technology Officer organization, executive sponsors, and business units, and providing consulting services concerning matters of BCM.

e. Providing BCM awareness and training for Postal Service personnel.

f. Ensuring compliance with BCM and information security policies.

g. Providing DR services and processes that enhance the ability of the Postal Service to reduce interruptions to IT services at major IT sites.

18 Manager, Telecommunications Services

The manager, Telecommunications Services, is responsible for the following:

a. Implementing and maintaining operational information security throughout the infrastructure.

b. Managing network addressing and virtual private networks (VPNs).

c. Recommending and deploying network hardware and software based on the Postal Service security architecture.

d. Monitoring and tracking all physical connections between any component of the Postal Service telecommunications infrastructure and any associated information resource not under Postal Service control.

e. Ensuring secure and appropriate management of the Postal Service intranet.

f. Implementing security controls and processes that will safeguard the availability and integrity of the Postal Service intranet and will support the confidentiality of sensitive information.

g. Implementing the network perimeter, including firewalls, demilitarized zones (DMZs), and secure enclaves.

h. Implementing secure methods of remote access and appropriate remote access controls.

i. Implementing strong authentication, digital certificates, digital signatures, biometrics, smart cards, tokens, and the associated infrastructure for network management.

j. Implementing appropriate security administration and managing accounts appropriately.

k. Maintaining the integrity of data and network information resources.

l. Deploying and managing perimeter virus scanning.

m. Maintaining an accurate inventory of Postal Service network information resources.

n. Creating and maintaining a timely patch management process for network information resources.

o. Deploying patches to information resources under his or her control.

p. Implementing and managing wireless local area networks (WLANs) connectivity.

q. Conducting capacity planning.

r. Ensuring that recovery plans and sufficient capacity are in place for the recovery of the telecommunications infrastructure for the IT-supported Postal Service sites.

s. Identifying and training key technical personnel to provide support in the BCP and DRP for information resources housed in IT-supported Postal Service sites.

t. Conducting perimeter scanning for viruses, malicious code, and usage of nonstandard network protocols and immediately reporting suspected information security incidents to the CIRT.

u. Monitoring network traffic for anomalies and immediately reporting anomalies to the CIRT.

v. Protecting information resources at risk during security incidents, if feasible.

w. Providing support for CIRT incident containment and response, as requested.

x. Ensuring the completion of a PS Form 1360, Information Security Incident Report, or an acceptable facsimile.

19 Managers, Computing Operations and ACE Infrastructure

The managers, computing operations and ACE infrastructure, are responsible for the following:

a. Implementing and maintaining security throughout the mainframe and distributed infrastructure.

b. Recommending and deploying mainframe and distributed hardware and software based on the Postal Service security architecture.

c. Coordinating and implementing standard platform configurations based on the Postal Service security architecture.

d. Creating and maintaining a timely patch management process and deploying patches to resources under their control.

e. Maintaining an accurate inventory of Postal Service information resources, tracking and reacting to security vulnerability alerts, coordinating hardware and software upgrades, and maintaining appropriate records.

f. Implementing information security policies, procedures, and hardening standards.

g. Defining acceptable thresholds for anti-virus software and recognition patterns.

h. Deploying and maintaining software to scan for malicious code and usage of nonstandard network protocols.

i. Functioning as an accreditor for internally managed information resources.

j. Ensuring that mainframe remote access is appropriately managed.

k. Implementing appropriate security administration and ensuring that accounts are managed appropriately.

l. Maintaining the integrity of data and information resources and ensuring the appropriate level of information resource availability.

m. Ensuring information resource availability through planning for capacity, scalability, and redundancy.

n. Ensuring the installation of the authorized internal warning banner.

o. Ensuring the compliance with Postal Service information security policy and procedures.

p. Protecting information resources at risk during security incidents and implementing virus containment.

q. Providing guidance and education on virus response.

r. Assisting in restoring information resources following a virus attack.

s. Reporting suspected information security incidents to the CIRT in a timely manner.

t. Distributing anti-virus software and updates, as required.

u. Distributing anti-virus pattern file updates, as required.

v. Disseminating security awareness and warning advisories to local users.

w. Ensuring the completion of a PS Form 1360, Information Security Incident Report, or an acceptable facsimile.

20 Managers of Development Centers

Managers of development centers shall be responsible for the following:

a. Providing support services to the executive sponsor through the appropriate portfolio manager for all matters relating to BCM.

b. Ensuring that ADRPs are developed for applications developed at their site or applications developed under their governance and that those ADRPs are tested in accordance with the application's designated criticality.

c. Identifying and training key technical personnel to provide support in the testing of BCP plans for their facility and ADRPs for applications developed at their site, applications developed under their governance, and applications housed at their site or alternate site facilities.

d. Identifying and training alternate technical personnel to support critical and business-controlled criticality applications in case of disaster.

21 Program Manager, Secure Infrastructure Services

The program manager, Secure Infrastructure Services (SIS), is responsible for the following:

a. Defining the hardening standards for Postal Service information resources.

b. Configuring and managing the implementation of personal firewalls on laptops and desktop workstations.

c. Removing network connectivity from any computing device that does not meet the defined operating system and anti-virus software and recognition pattern thresholds.

d. Providing consulting support regarding physical, administrative, and technical security controls and processes that safeguard the availability and integrity of the Postal Service intranet and support the confidentiality of information.

e. Providing consulting support regarding secure connectivity to the Postal Service intranet.

f. Providing consulting support regarding network services and protocols used by Postal Service information resources.

g. Implementing and maintaining a secure Postal Service computing infrastructure by setting standards and developing the security processes and procedures.

h. Implementing and maintaining operational information security throughout the infrastructure.

i. Coordinating and approving standard configurations for devices.

j. Recommending and deploying network hardware and software based on the Postal Service security architecture.

k. Approving network services and protocols.

l. Monitoring and tracking all physical connections between any component of the Postal Service telecommunications infrastructure and any other information resource not under Postal Service control.

m. Ensuring secure and appropriate management of the Postal Service Managed Network Services (MNS).

n. Implementing security controls and processes that will safeguard the availability and integrity of the MNS.

o. Determining the standards and configuration for secure enclaves.

p. Assessing information resources to determine the need for placement in a secure enclave.

q. Ensuring that network services and protocols used by Postal Service information resources provide the appropriate level of security for the MNS.

r. Implementing secure methods of remote access and appropriate remote access controls.

s. Implementing secure identification and authentication mechanisms including strong authentication, digital certificates, digital signatures, biometrics, smart cards, tokens, and the associated infrastructure.

t. Ensuring that only Postal Service-approved encryption products are used.

u. Implementing appropriate security administration and managing accounts appropriately.

v. Maintaining the integrity of data and information resources.

w. Providing security incident detection through perimeter virus scanning and intrusion detection services.

x. Approving, managing, and ensuring appropriate perimeter virus scanning, penetration testing, and network vulnerability scans and testing.

y. Ensuring network perimeter security by implementing, approving, and managing firewalls, secure enclaves, proxy servers, intrusion detection services, and intrusion prevention services.

z. Managing the CIRT to assist the Postal Service to contain, eradicate, document, recover following a computer security incident, and return to a normal operating state.

aa. Implementing necessary corrective measures learned from incidents or from other sources.

ab. Ensuring compliance with Postal Service computing infrastructure security standards, processes, and procedures.

ac. Approving the use of networking monitoring tools, except those used by the OIG.

ad. Providing support to the OIG during the conduct of investigative activities concerning information security, the computing infrastructures, and network intrusion as requested.

ae. Monitoring all logs.

af. Providing network intrusion detection services (IDS).

ag. Providing network vulnerability testing and analysis services.

22 Network Connectivity Review Board

The NCRB is responsible for the following:

a. Managing the Postal Service network connectivity process through the implementation of the Handbook AS-805-D, Information Security Network Connectivity Process.

b. Developing system connectivity requirements for Postal Service connections to external systems, externally facing applications (e.g., FTP servers), and connections via the Internet to Postal Service development, production, and internal networks.

c. Developing standard connectivity and documentation criteria to expedite approval of connectivity requests without additional board action.

d. Requesting additional information, security reviews, or audits regarding proposed or approved connections, if deemed necessary.

e. Evaluating connectivity and firewall change requests and approving or rejecting them based upon existing policy, best practices, and the level of risk associated with the request.

f. Consulting with executive sponsors on network information security requirements.

g. Assisting the requester in identifying alternative solutions for denied requests that are acceptable to the requester and the Postal Service.

h. Reviewing new information resource, infrastructure, and network connections and their effects on overall Postal Service operations and information security.

i. Approving network services and protocols.

j. Recommending changes to the business partner (BP) network. In situations where high risk factors exist, issuing mitigating requirements for connectivity.

k. Ordering the disabling of an information resource or network connection that does not comply with Postal Service policies, procedures, and standards or which is found to pose a significantly greater risk than when originally assessed.

23 Computer Incident Response Team

The CIRT is responsible for the following:

a. Providing timely and effective response to computer security incidents as they occur.

b. Working with an organization to contain, eradicate, document, and recover following a computer security incident.

c. Engaging other Postal Service organizations in- cluding, but not limited to, the OIG and Inspection Service.

d. Escalating information security issues to executive management as required.

e. Conducting a post-incident analysis, where appropriate, and recommending preventive actions.

f. Maintaining a system for tracking incidents until they are closed.

g. Maintaining a repository for documenting and analyzing Postal Service-wide security incidents.

h. Interfacing with other governmental agencies and private sector computer incident response centers.

i. Participating in and providing information for Postal Service security awareness.

j. Developing and documenting processes for incident reporting and management.

k. Providing support to the OIG and the Inspection Service, as requested.

24 Managers, Help Desks

The managers, Help Desks, are responsible for the following:

a. Creating the entry for the problem tracking management system for security incidents reported to the Help Desks.

b. Providing technical assistance for responding to suspected virus incidents reported to the Help Desks.

c. Escalating unresolved suspected virus events to the CIRT.

25 Contracting Officers and Contracting Officer Representatives

Contracting officers and contracting officer representatives are responsible for the following:

a. Ensuring that information technology contractors, vendors, and business partners are contractually obligated to abide by Postal Service information security policies, standards, and procedures.

b. Ensuring that all contracts and business agreements requiring access to Postal Service information resources identify sensitive positions, specify the clearance levels required for the work, and address appropriate security requirements.

c. Ensuring that contracts and business agreements allow monitoring and auditing of any information resource project.

d. Ensuring that the security provisions of the contract and business agreements are met.

e. Confirming the employment status and clearance of all contractors who request access to information resources.

f. Ensuring all account references, building access, and other privileges are removed for contractor personnel when they are transferred or terminated.

26 General Counsel

The general counsel is responsible for the following:

a. Ensuring that information technology contractors, vendors, and business partners are contractually obligated to abide by Postal Service information security policies, standards, and procedures.

b. Ensuring that contracts and agreements are in place that allow monitoring and auditing of any information resource project.

27 Business Partners

Business partners may request connectivity to Postal Service network facilities for legitimate business needs. Business partners requesting or utilizing connectivity to Postal Service network facilities are responsible for the following:

a. Initiating a request for connectivity to the Postal Service executive who sponsors the request.

b. Complying with Postal Service network connectivity request (see Handbook AS-805-D, Information Security Network Connectivity Process) requirements and process.

c. Abiding by Postal Service information security policies regardless of where the systems are located or who operates them. This also includes strategic alliances.

d. Protecting information resources at risk during security incidents, if feasible.

e. Reporting information security incidents promptly to the CIRT, the executive sponsor, and the information systems security officer (ISSO) assigned to their project.

f. Taking action, as directed by the CIRT, to eradicate the incident and recover from it.

g. Documenting all conversations and actions regarding the security incident.

h. Allowing site security reviews by the Postal Inspection Service and CISO.

i. Allowing audits by the OIG.

28 Project Managers

Project managers for the information resource development, acquisition, or integration project are responsible for the following:

a. Managing day-to-day development and implementation efforts for new information resources.

b. Incorporating the appropriate security controls in all information resources.

c. Updating the EIR on behalf of the portfolio manager.

29 Accreditors

For internally managed information resources, the accreditors are the portfolio manager and the manager, Host Computer Services. For externally managed information resources, the accreditor is the portfolio manager. Accreditors are responsible for the following:

a. Reviewing the ISA evaluation report and documentation package.

b. Recommending to the VP/CTO and the vice president of the functional business area that the Postal Service should accept residual risks associated with the information resource's existing security controls or require additional security controls.

c. Writing and signing the letter of accreditation for submission to the VP/CTO and vice president of the functional business area.

30 Security Control Officers

SCOs ensure the general security of the facilities to which they are appointed, including the safety of on-duty personnel and the security of mail, Postal Service funds, property, and records entrusted to them (see ASM 271.3). SCOs are responsible for the following:

a. Establishing and maintaining overall physical and environmental security at the facility, with technical guidance from the Inspection Service.

b. Establishing controlled areas within the facility, where required, to protect sensitive, critical, or business- controlled information resources.

c. Establishing and maintaining access control lists of people who are authorized access to specific controlled areas within the facility.

d. Ensuring positive identification and control of all personnel and visitors in the facility.

e. Ensuring the protection of servers, workstations, portable devices, and information located at the facility.

f. Consulting on the facility COOP plans.

g. Conducting annual facility security reviews using the site security survey provided by the Inspection Service.

h. Reporting suspected information security incidents to the CIRT and ensuring the completion of a PS Form 1360, Information Security Incident Report, or acceptable facsimile.

i. Providing support to the CIRT for incident containment and response, as requested.

j. Responding to physical security incidents.

k. Reporting physical security incidents to the Inspection Service.

l. Interfacing with CIRT, Inspection Service, CISO, or OIG-CIU, as required.

31 Information Systems Security Officers

ISSOs are responsible for the following:

a. Chairing the ISA team.

b. Coordinating the completion of the BIA and ensuring that the sensitivity and criticality designations and RTO are properly recorded in the EIR.

c. Providing advice and consulting support to executive sponsors regarding the security requirements and controls necessary to protect information resources, based on the resources' sensitivity and criticality designation.

d. Providing guidance on potential threats and vulnerabilities to information resources, appropriate choice of countermeasures, and the ISA process.

e. Conducting site security reviews or assisting the Inspection Service in conducting them.

f. Reviewing the ISA documentation package.

g. Preparing the evaluation report.

32 Information Systems Security Representatives

ISSRs are appointed in writing by the executive sponsors and are members of the information resource development or integration teams. The role of the ISSR can be an ad-hoc responsibility performed in conjunction with assigned duties. ISSRs are responsible for the following:

a. Providing support to the executive sponsor and portfolio manager, as required.

b. Promoting information security awareness on the project team.

c. Ensuring security controls and processes are implemented.

d. Notifying the executive sponsor and ISSO of any additional security risks or concerns that emerge during development or acquisition of the information resource.

e. Developing or reviewing security-related documents required by the ISA process as assigned by the executive sponsor.

f. Organizing the ISA documentation package and forwarding the package to the ISSO.

33 System Administrators

System administrators are technical personnel who serve as computer systems, network, firewall, and database administrators, whether the system management function is centralized, distributed, subcontracted, or outsourced. System administrators are responsible for the following:

a. Implementing information security policies and procedures for all information resources under their control, and also for monitoring the implementation for proper functioning of security mechanisms.

b. Implementing appropriate platform security based on the platform-specific hardening guidelines for the information resources under their control.

c. Complying with standard configuration settings, services, protocols, and change control procedures.

d. Applying approved patches and modifications in accordance with policies and procedures established by the Postal Service. Ensuring that security patches and bug fixes are updated and kept current for resources under their control.

e. Implementing appropriate security administration and ensuring that logon IDs are unique.

f. Setting up and managing accounts for information resources under their control in accordance with policies and procedures established by the Postal Service.

g. Disabling accounts of personnel whose employment has been terminated, who have been transferred, or whose accounts have been inactive for an extended period of time.

h. Making the final disposition (e.g., deletion) of the accounts and information.

i. Managing sessions and authentication and implementing account time-outs.

j. Preventing residual data from being exposed to unauthorized users as information resources are released or reallocated.

k. Testing information resources to ensure security mechanisms are functioning properly.

l. Tracking hardware and software vulnerabilities.

m. Maintaining an accurate inventory of Postal Service information resources under their control.

n. Ensuring that audit and operational logs, as appropriate for the specific platform, are implemented, monitored, protected from unauthorized disclosure or modification, and are retained for the time period specified by Postal Service security policy.

o. Reviewing audit and operational logs and maintaining records of the reviews.

p. Identifying anomalies and possible internal and external attacks on Postal Service information resources.

q. Reporting information security incidents and anomalies to their manager and the CIRT immediately upon detecting or receiving notice of a security incident.

r. Protecting information resources at risk during security incidents and assisting in the containment of security incidents as required.

s. Taking action as directed by the CIRT and initiating a PS Form 1360, Information Security Incident Report, or an acceptable facsimile.

t. Participating in follow-up calls with the CIRT.

u. Fixing issues identified following an incident.

v. Ensuring that virus protection software and signature files are updated and kept current for resources under their control.

w. Ensuring the availability of information resources by implementing backup and recovery procedures.

x. Ensuring the compliance with Postal Service information security policy and procedures.

y. Monitoring the implementation of network security mechanisms to ensure that they are functioning properly and are in compliance with established security policies.

z. Assisting with periodic reviews, audits, troubleshooting, and investigations, as requested.

aa. Maintaining a record of all monitoring activities for information resources under their control.

34 Database Administrators

Database administrators (DBAs) are responsible for the following:

a. Implementing appropriate database security based on the platform-specific hardening guidelines for the information resources under their control.

b. Implementing information security policies and procedures for all database platforms and monitoring the implementation of database security mechanisms to ensure that they are functioning properly and are in compliance with established policies.

c. Applying approved patches and modifications, in accordance with policies and procedures established by the Postal Service.

d. Maintaining an accurate inventory of Postal Service information resources under their control.

e. Implementing appropriate database security administration and ensuring that logon IDs are unique.

f. Setting up and managing accounts for systems under their control in accordance with policies and procedures established by the Postal Service.

g. Disabling accounts of personnel that have been terminated, transferred, or have accounts that have been inactive for an extended period of time.

h. Making the final disposition (e.g., deletion) of the accounts and information.

i. Managing sessions and authentication and implementing account time-outs.

j. Preventing residual data from exposure to unauthorized users as information resources are released or reallocated.

k. Testing applications to ensure that security mechanisms are functioning properly.

l. Tracking hardware and software vulnerabilities.

m. Ensuring database logs are turned on, logging appropriate information, protected from unauthorized disclosure or modification, and retained for the time period specified.

n. Reviewing audit logs and maintaining records of log reviews.

o. Assisting with periodic reviews, audits, troubleshooting, and investigations, as requested.

p. Ensuring the availability of databases by implementing database backup and recovery procedures.

q. Identifying anomalies and possible attacks on Postal Service information resources.

r. Reporting information security incidents and anomalies to their manager and the CIRT immediately upon detecting or receiving notice of a security incident.

s. Taking action as directed by the CIRT and initiating a PS 1360 as required.

35 All Personnel

All personnel, including employees, consultants, subcontractors, business partners, customers who access non- publicly available Postal Service information resources (such as mainframes or the internal Postal Service network), and other authorized users of Postal Service information resources are responsible for the following:

a. Complying with applicable laws, regulations, and Postal Service information security policies and procedures.

b. Displaying proper identification while in any facility that provides access to Postal Service information resources.

c. Being aware of their physical surroundings, including weaknesses in physical security and the presence of any authorized or unauthorized visitor.

d. Protecting information resources, including workstations, portable devices, information, and media.

e. Performing the security functions and duties associated with their job, including the safeguarding of their logon IDs and passwords.

f. Changing their password immediately, if they suspect that the password has been compromised.

g. Prohibiting any use of their accounts, logon IDs, passwords, personal information numbers (PINs), and tokens by another individual.

h. Taking immediate action to protect the information resources at risk upon discovering a security deficiency or violation.

i. Using licensed and approved hardware and software.

j. Protecting intellectual property.

k. Complying with Postal Service remote access information security policies, including those for virtual private networks (VPNs), modem access, dial-in access, secure telecommuting, and remote management and maintenance.

l. Complying with acceptable use policies.

m. Maintaining an accurate inventory of databases for which they are responsible.

n. Protecting information resources against viruses and malicious code.

o. Calling the appropriate Help Desk for technical assistance in response to suspected virus incidents.

p. Promptly reporting to the CIRT and, as appropriate, to their immediate supervisor, manager, or system administrator, any suspected security incidents, including security violations or suspicious actions, suspicion or occurrence of any fraudulent activity; unauthorized disclosure, modification, misuse, or inappropriate disposal of Postal Service information; and potentially dangerous activities or conditions.

q. Taking action, as directed by the CIRT, to protect against information security incidents, to contain and eradicate them when they occur, and to recover from them.

r. Documenting all conversations and actions regarding the security incident.

s. Completing PS Form 1360, Information Security Incident Report, or an acceptable facsimile.

* * * * *

[Delete the Glossary and Acronyms portions of the handbook.]

- Corporate Information Security Office,
Vice President/Chief Technology Officer, 9-30-04

International Mail

ASM REVISION

Changes to Mail Security Regulations for International Mail

Effective August 9, 2004, the Administrative Support Manual (ASM) is revised to reflect changes in procedures for screening and search of international mail. These revisions are designed to harmonize the ASM with changes in statutory law; the reclassification of international postal services; the introduction of a new, international service; and the adoption of protocols for screening transit mail.

First, these revisions reflect changes in the nomenclature of international mail products, including the change from the former "LC" and "AO" distinctions to a new classification system that was replaced in January 2001 by a new product classification system. This change based the classification of mail mainly on the speed of service rather than on the contents of the mail.

Second, the changes reflect the introduction of Global Express Guaranteed (GXGTM) service, which provides high-speed time-definite service to certain destination countries.

Third, mail security regulations are amended to reflect changes by the Trade Act of 2002, which authorized customs authorities to conduct searches of outbound international mail.

Fourth, references to "Customs authorities" have been changed to refer to "Customs and Border Protection," because that agency was transferred to the Department of land Security (DHS) and its name was changed.

Finally, the regulations are revised to reflect recent instructions provided to Customs and Border Protection officers. These officers have been authorized to conduct certain screening activities in connection with transit mail. Customs and Border Protection officers may now use non- intrusive means to screen transit mail for materials that pose a threat to persons and property and may take appropriate actions to render such materials harmless.

This section does not confer any substantive rights upon any other person or entity.

We will incorporate these revisions into the next printed version of the ASM and into the online version of the ASM available on the Postal ServiceTM PolicyNet Web site, which includes all updates since the last published version of the manual. The online version of the ASM is available as follows:

• Go to http://blue.usps.gov.

• Under "Essential Links" in the left-hand column, click on References.

• Under "References" in the right-hand column, click on PolicyNet.

• Click on Manuals.

(The direct URL for the Postal Service PolicyNet Web site is http://blue.usps.gov/cpim.)

Administrative Support Manual (ASM)

* * * * *

2 Audits and Investigations

* * * * *

27 Security

* * * * *

274 Mail Security

* * * * *

274.2 Opening, Searching, and Reading Mail Generally Prohibited

* * * * *

274.23 Definitions

274.231 Mail Sealed Against Inspection

The following terms and definitions apply:

* * * * *

[Revise items b and c to read as follows, and delete item d.]

b. The terms include First-Class Mail, Priority Mail, Express Mail (domestic and international), Mailgram messages, Global Express Guaranteed Document service, Global Priority Mail service, International Priority AirmailTM service, international Letter Post Mail other than International Surface Airlift service and Publishers' Periodicals, and international transit mail. See the definition of Letter Post in the International Mail Manual.

c. The terms exclude incidental First-Class Mail matter permitted to be enclosed in or attached to certain Periodicals, Standard Mail, and Package Services mailing (see DMM E070).

274.232 Mail Not Sealed Against Inspection

The following terms and definitions apply:

* * * * *

[Revise item b to read as follows, and delete item c.]

b. The terms include Periodicals, Standard Mail, Package Services, incidental First-Class attachments or enclosures mailed under DMM E070, and (as defined in the International Mail Manual) Global Express Guaranteed Non-Document service, international parcel post mail, International Surface Airlift service, and Publishers' Periodicals.

* * * * *

274.4 Mail Reasonably Suspected of Being Dangerous to Persons or Property

274.41 Screening of Mail

[Replace "chief postal inspector" with "Chief Postal Inspector" throughout 274.41.]

* * * * *

274.8 International Transit Mail

274.81 Definitions

* * * * *

274.813 Découvert Letter Post Item

[Revise 274.813 to read as follows:]

The term " découvert letter post item" refers to any international letter post item as defined in the International Mail Manual that is addressed for delivery by a foreign postal administration and is passed to the Postal Service by a foreign postal administration in a bag or container, or mail that must be opened by the Postal Service under applicable postal treaties or conventions because it also contains items addressed for delivery by the Postal Service.

274.82 Special Security Rules

[Revise 274.82 to read as follows:]

International transit mail is entitled to freedom of transit. It must not be opened, seized, or searched. It is not subject to Agriculture inspection under 274.92, but is subject to screening by Customs and Border Protection officers under 274.913. In accordance with the Universal Postal Convention, any international transit mail consisting of closed mail, -découvert letter post items, and airmail correspondence must not be detained, but must instead be forwarded to the next foreign postal administration by the quickest routes that the Postal Service uses for mail sealed against inspection.

274.9 Mail Security, Law Enforcement, and Other Government Agencies

[Revise the heading and text of 274.91 to read as follows:]

274.91 Customs and Border Protection

274.911 Inbound Mail

Without a search warrant, but upon reasonable cause to suspect that the mail contains dutiable or prohibited items, designated Customs and Border Protection personnel may open or inspect the contents of mail in the customs inspection of mail (including APO and FPO mail) that originated outside the Customs Territory of the United States (CTUS) and is addressed for delivery either inside the CTUS or inside the customs district of the Virgin Islands, on the following terms and conditions:

a. Other Regulations. Such inspections may be conducted only under the International Mail Manual (IMM) relating to cooperation with Customs and Border Protection on inspection of imports.

b. Privacy of Correspondence. No Customs and Border Protection personnel may read, allow any other person to read, divulge, or transfer to any other person any correspondence contained in sealed mail; nor may Customs personnel divulge, allow any other person to read or listen to, transfer to any other person, or knowingly listen to any paper or recording that is correspondence for the blind contained in unsealed mail; nor may Customs and Border Protection personnel divulge, allow any other person to read, or transfer to any person correspondence of school children permitted transmission in unsealed mail, unless such action is authorized by a search warrant issued under Rule 41 of the Federal Rules of Criminal Procedure.

c. Search Warrant Required for Domestic and Certain International Mail. No Customs and Border Protection personnel may, without a search warrant, open, inspect, read, or seize any mail in postal custody (including APO and FPO mail) that has not originated outside the CTUS, or that has diplomatic or consular immunity from Customs inspection (see IMM 711).

d. Controlled Delivery of Drugs in Sealed Mail. When a postal inspector decides, at the request of a federal, military, state, or local narcotics agent, to make a controlled postal delivery of a sealed mail article that the Customs and Border Protection personnel have opened under 274.91, and that the Customs and Border Protection has determined through a reliable field test or reliable laboratory examination to contain il- legal narcotics or dangerous drugs, the postal inspector may reopen the article without a search

warrant. The inspector may reopen the article without a warrant only to prepare the article for such a controlled delivery in such way or ways as lawfully and reasonably aid in the investigation of the crime of importing such substances through the mail. No correspondence inside such an article may be read or divulged without a search warrant as described in 274.6.

274.912 Outbound Mail

a. Designated Customs and Border Protection personnel may, as authorized by this section and without a search warrant, open and inspect the contents of mail originating inside the Customs Territory of the United States and addressed for delivery at a place outside the United States, its territories or possessions ("outbound international mail") for the purpose of ensuring compliance with the customs laws of the United States and other laws enforced by Customs and Border Protection.

b. Designated Customs and Border Protection personnel may search outbound international mail that is not sealed against inspection under the postal laws and regulations of the United States, outbound international mail which bears a customs declaration, and outbound international mail with respect to which the sender or addressee has consented in writing to search.

c. Designated Customs and Border Protection personnel may, without a search warrant, search outbound international mail that weighs more than 16 ounces and is sealed against inspection if there is reasonable cause to suspect that the mail contains one or more of the items listed in 19 U.S.C. 1583(c)(1). No one acting under the authority of this section shall read or authorize any other person to read any correspondence contained in mail sealed against inspection without a search warrant or the written consent of the sender or addressee.

d. Outbound international mail that weighs less than 16 ounces and is sealed against inspection may not be searched by Customs and Border Protection personnel without a search warrant.

274.913 International Transit Mail

a. Designated Customs and Border Protection personnel may, without a search warrant, screen international transit mail to detect materials that pose a physical threat to persons or property, such as explosives, flammables, and other dangerous materials. Such screening must be done by non-intrusive means such as canines trained to detect explosives, radiation detection equipment, x-rays, explosive swabs, or other characteristics of the mail that can be sensed from the examination of the mail, including seeing or feeling exposed wires or leaking fluids, hearing ticking sounds, or smelling black powder.

b. Screening of international transit mail may not disrupt the processing of that mail. Customs and Border Protection personnel will have a reasonable opportunity to perform screening of specifically identified mail, but may not prevent the Postal Service from forwarding the mail without delay by the quickest means it uses for United States mail unless the mail has been screened and the screening has detected, or appears to have detected, materials that pose a physical threat to persons or property including explosives, flammables, or other dangerous materials. International transit mail that has been screened and found to be free of materials that pose a physical threat to persons or property shall be returned to the Postal Service immediately.

c. Other than in cases of (1) exigent circumstances where the screening of the mail has disclosed the presence of materials that pose a physical threat to persons or property, (2) consent of the sender or addressee, or (3) waiver, no correspondence or other written or printed matter may be read, nor recorded matter listened to without a search warrant.

d. In the event that non-intrusive screening detects, or appears to detect, materials that pose a physical threat to persons or property, Customs and Border Protection personnel may open or take other actions with respect to the specific suspected mail to confirm the presence of material that poses a physical threat to persons or property and to eliminate or negate the danger, including seizure of the dangerous material. All such actions shall be coordinated with the Postal Inspection Service.

e. Paragraphs a through d above also apply to international transit mail that is handled by airlines or other carriers without the direct intervention by the Postal Service. Customs and Border Protection personnel shall have a reasonable opportunity to perform screening of specifically identified mail, but may not prevent the airlines or other carriers involved from forwarding the mail without delay unless the mail has been screened, and the screening has detected, materials that pose a physical threat to persons or property. International transit mail that has been screened and found to be free of materials that pose a physical threat to persons or property shall be returned to the carriers immediately, with no involvement by the Postal Service.

- Office of Counsel,
Postal Inspection Service, 9-30-04

* * * * *

Philately

STAMP ANNOUNCEMENT 04-34

Moss Hart Stamp

The Postal ServiceTM will issue a 37-cent, Moss Hart commemorative stamp in one design in a pressure- sensitive adhesive (PSA) pane of 20 stamps (Item 457000), on October 25, 2004, in New York, New York. The stamp, designed by Ethel Kessler of Bethesda, Maryland, goes on sale nationwide October 26, 2004.

This stamp honors award-winning dramatist and director Moss Hart (1904-1961) on the 100th anniversary of his birth. A gifted playwright, Hart wrote a series of sparkling comedies in the 1930s with George S. Kaufman. A brilliant director, he staged one of the most dazzling musicals of his era, "My Fair Lady." A witty and charming personality who embodied the glamour of Broadway, Hart penned what many consider the best theatrical memoir ever written, Act One.

The stamp art shows a painting by Tim O'Brien based on a photograph made by Alfred Eisenstaedt showing Hart in Times Square.

How to Order the First Day of Issue Postmark

Customers have 30 days to obtain the first day of issue postmark by mail. They may purchase new stamps at their local Post OfficeTM, by telephone at 800-STAMP-24, and at the Postal Store Web site at www.usps.com/shop. They should affix the stamps to envelopes of their choice, address the envelopes (to themselves or others), and place them in a larger envelope addressed to:

MOSS HART STAMP
SPECIAL EVENT UNIT
421 8TH AVE RM 2029B
NEW YORK NY 10199-9998

After applying the first day of issue postmark, the Postal Service will return the envelopes through the mail. There is no charge for the postmark. All orders must be postmarked by November 24, 2004.

How to Order First Day Covers

Stamp Fulfillment Services also offers first day covers for new stamp issues and Postal Service stationery items postmarked with the official first day of issue cancellation. Each item has an individual catalog number and is offered in the quarterly USA Philatelic catalog. Customers may request a free catalog by calling 800-STAMP-24 or writing to:

INFORMATION FULFILLMENT
DEPT 6270
US POSTAL SERVICE
PO BOX 219014
KANSAS CITY MO 64121-9014

Philatelic Products

There are no philatelic products for this stamp issue.

Distribution: Item 457000, 37-cent Moss Hart Commemorative Stamp

Stamp distribution offices (SDOs) will receive approximately one-third the standard automatic distribution quantity for a PSA sheet stamp. Distributions are rounded up to the nearest master carton size (40,000 stamps).

Initial Supply to Post Offices

SDOs will make a subsequent automatic distribution to Post Offices of one-quarter their standard automatic distribution quantity using PS Form 17, Stamp Requisition/Stamp Return. SDOs must not distribute stamps to Post Offices before October 20, 2004.

Philatelic Requirement

SDOs with authorized philatelic centers will receive an automatic distribution of these stamps in 10 positions for subsequent distribution to each philatelic window.

Additional Supply

Post Offices requiring additional Item 457000 must requisition them from their designated SDO using PS Form 17. SDOs requiring additional stamps must order them from the appropriate accountable paper depository (APD) using PS Form 17.

For fulfilling supplemental orders from SDOs, the New York APD will receive 2,200,000 additional stamps; the Memphis and Chicago APDs will each receive 2,000,000 additional stamps; the San Francisco APD will receive 1,600,000 additional stamps; and the Denver APD will receive 600,000 additional stamps.

Sales Policy

All Post Offices must acquire and maintain a supply of each new commemorative stamp as long as customer demand exists, until inventory is depleted, or until the stamp is officially withdrawn from sale. If supplies run low, Post Offices must reorder additional quantities using their normal ordering procedures.

- Stamp Services,
Government Relations, 9-30-04

Pictorial Cancellations Announcement

As a community service, the Postal ServiceTM offers pictorial cancellations to commemorate local events celebrated in communities throughout the nation. A list of events for which pictorial cancellations are authorized appears below. If available, the sponsor of the pictorial cancellation appears in italics under the date. Also provided, as space permits, are illustrations of those cancellations that were reproducible and available at press time.

People attending these local events may obtain the cancellation in person at the temporary Post OfficeTM station established there. Those who cannot attend the event, but who wish to obtain the cancellation, may submit a mail order request. Pictorial cancellations are available only for the dates indicated, and requests must be postmarked no later than 30 days following the requested pictorial cancellation date.

All requests must include a stamped envelope or postcard bearing at least the minimum First-Class Mail postage. Items submitted for cancellation may not include postage issued after the date of the requested cancellation. Such items will be returned unserviced.

Customers wishing to obtain a cancellation should affix stamps to any envelope or postcard of their choice, address the envelope or postcard to themselves or others,insert a card of postcard thickness in envelopes for sturdiness, and tuck in the flap. Place the envelope or postcard in a larger envelope and address it to: PICTORIAL CANCELLATIONS, followed by the NAME OF THE STATION,ADDRESS, CITY, STATE, ZIP+4 CODE, exactly as listed below (using all capitals and no punctuation, except thehyphen in the ZIP+4 code).

Customers can also send stamped envelopes and postcards without addresses for cancellation, as long as they supply a larger envelope with adequate postage and their return address. After applying the pictorial cancellation, the Postal Service returns the items (with or without addresses) under addressed protective cover.

- Stamp Services,
Government Relations, 9-30-04

Stamp Stock Items Withdrawn From Regular Sale and From Sale at Philatelic Centers

Effective close-of-business October 30, 2004, all Post OfficesTM, stations, branches, postal stores, vending outlets, and authorized philatelic centers must (1) withdraw the stamp stock items and products listed below and their related vending and store-prepared stamp items from sale and (2) prepare them for destruction. Submit items to destruction sites according to local established procedures, under the guidelines in Handbook F-1, Post Office Accounting Procedures, subchapter 45, Destroying Stamp Stock.

Do not permit sales of the stamp stock items, products, and their related vending and store-prepared stamp items listed below at retail counters and outlets after October 30, 2004, unless otherwise instructed. Items listed are also withdrawn from sale at Stamp Fulfillment Services.

- Stamp Services,
Government Relations, 9-30-04

Post Offices

MOVER'S GUIDE NEWS

Spanish-Language Edition of Mover's Guide (Publication 75-S, La Mudanza) - October-December Version Now Available

The October-December edition of Publication 75-S, La Mudanza (the Spanish edition of Publication 75, Mover's Guide) is now available. Please display La Mudanza next to the English edition of Mover's Guide.

You may order a 3-month supply of the October- December 2004 edition of La Mudanza from the Material Distribution Center (MDC) by using touch-tone order entry (TTOE): Call 800-332-0317, option 2.

Note: You must be registered to use TTOE. To register, call 800-332-0317, option 1, extension 2925, and follow the prompts to leave a message. (Wait 48 hours after registering before placing your first order.)

Discard/recycle all copies of expired stock once you receive the October 2004 edition. Please order only enough copies to last from October through December. This version is valid for only 3 months. At the end of December, order new La Mudanzas for January 2005.

Use the following information to order Publication 75-S from the MDC:

PSIN: PUB 75-S
PSN: 7610-03-000-4096
Unit of Measure: EA
Minimum Order Quantity: 125
Bulk Pack Quantity: 125
Quick Pick Number: N/A
Price: No cost

- Address Management,
Intelligent Mail and Address Quality, 9-30-04

REMINDER

Maintenance Stockrooms - Annual Inventory Review

An annual review of all Maintenance stockrooms is required by Handbook MS-63, Maintenance Operations Support ("Reporting of Excess/Surplus Items"). Spare parts and supplies inventories in Maintenance stockrooms are Postal ServiceTM assets and are the responsibility of line management, including maintenance managers, plant managers, district managers, and area vice presidents.

Handbook MS-63, Part 751, "Yearly Review," states:

"Offices must review each item in the stockroom at least once a year to determine whether the item can be declared excess/surplus."

Use excess material before processing additional replenishment activities, or process the excess material in accordance with Handbook AS-701, Material Management, Chapter 6, "Asset Recovery: Redistribution, Recycling, and Disposal."

If you have not yet completed your 2004 review, complete it as soon as possible.

- Maintenance Policies and Programs,
Engineering, 9-30-04

Retail

PASSPORT APPLICATION REVISIONS

Search Fee Will Increase, and Issuance of a Passport to a Minor Will Require Notarization

All Retail personnel must note the following important changes from the Department of State regarding issuances of passports:

• Effective October 1, 2004, the file search fee (to verify an applicant's U.S. citizenship) will increase from $45 to $60. This fee is noted on Form DS-11, Application for a U.S. Passport or Registration.

• Effective November 1, 2004, the Department of State will require that Form DS-3053, Statement of Consent: Issuance of a Passport to a Minor Under Age 14, or other paper with the same information that an applicant submits, must be notarized. The purpose of this change is to prevent forgery and ensure that the person signing the Statement has been properly identified. This change will further reduce the possibility of a U.S. passport being used in any effort to interfere with the custodial rights of non-applying parents (i.e., the parent or guardian who is not present at the time the applying parent or guardian submits the child's application).

Note: These changes become effective before the Department of State will distribute copies of revised Forms DS-11 and DS-3053, which it expects to do as soon as possible after January 1, 2005. In the meantime, to get up-to- date forms starting on the effective dates, customers may go online to the U.S. Department of State web site at www.travel.state.gov; click on Passports, and under "Applications and Forms," click on the desired forms. Passport acceptance personnel should have this information available for verification (with customers) until the Department of State reprints the official forms. However, Passport acceptance personnel must not post this information in Retail lobbies but must post it only on employee bulletin boards.

- In-Store Programs,
Service and Market Development, 9-30-04

Supply Management

GOODYEAR 5-DAY TIRE SALE FOR EMPLOYEES

Buy Tires at Goodyear Associate Prices - But for Only 5 Days!

If you are planning to purchase tires soon, here's an opportunity to save money. Twice a year, Goodyear Tire and Rubber Company offers its associates discounts on tires sold by its company-owned stores, including Just Tires. These prices are offered for only 5 days and are not extended to the general public.

Goodyear is now extending these special discounts by offering Postal ServiceTM employees and retirees up to 25 percent off the purchase of Goodyear brand auto and light truck tires October 14-18, 2004. Goodyear is also offering special pricing for tire balancing and installation. You can take advantage of these discounts at Goodyear's company-owned stores only (Goodyear Auto Service Centers or Just Tires). There are more than 700 locations in 40 states. To locate a participating store near you, call 888-439-7786.

If you don't have a Goodyear Auto Service Center or Just Tires near you, you can call 877-847-3728, option 1, and have the tires shipped directly to your and installed at a place convenient for you. This isn't a 24-hour telephone line, so you may have to leave your telephone number and a message advising of your interest to purchase tires through the sale. Please use reference code USPS-2. The prices are too good to pass up, and all you need to receive the discount is a Postal Service photo ID or other proof of employment.

You can check out sale information on the Goodyear Employee Deal on the Postal Service intranet at http://blue.usps.gov; under "Employee Deals," click on View More Deals; then click on Goodyear Employee VIP Program.

- SCM Strategies,
Supply Management, 9-30-04

REMINDER

Approval Authority and Off-Catalog Requisitions

This is a reminder that all Postal ServiceTM employees who create off-catalog requisitions through eBuy must follow normal purchasing procedures, depending on the purchase value of the items. You must purchase locally if you are within that office's authority; otherwise, if you are not within that office's authority, forward the requisition to the correct category management center (CMC) or purchasing service center (PSC) for purchasing action.

If you receive an e-mail message stating that your requisition has been approved, but your office does not have the authority to make the purchase, then you must route the requisition to the appropriate CMC or PSC.

If you need to review the complete instructions outlining the off-catalog requisition process, go to http://blue.usps.gov/purchase/ereq_page.htm. You should read all of the documents to fully understand the off- catalog requisition routing process.

If you need more information on unauthorized purchases, please refer to Management Instruction AS-710-1999-2, Unauthorized Contractual Commitments:

• Go to http://blue.usps.gov.

• Under "Essential Links" in the left-hand column, click on References.

• Under "References" in the right-hand column, click on PolicyNet.

• Click on MIs.

The direct URL for the MI is http://blue.usps.gov/cpim/ftp/manage/a710992.pdf.

- SCM Strategies,
Supply Management, 9-30-04

eFleet Offers More Advantages for You

On September 9, per user requests, Delivery Operations, Information Technology, and Supply Management teamed to make improvements to eFleet. The new enhancements will make eFleet a more effective system for vehicle maintenance, fuel reconciliation, and management for Post OfficesTM.

To access eFleet:

• Go to http://blue.usps.gov.

• Click on My Work.

• Under "General Tools," click on eFleet.

• Click on eFleet Account-Link.

The new eFleet enhancements are:

• The Product Summary screen now displays a Mobile Refueling subtotal under the Total Fuel line when there are mobile refueling transactions. It appears only if you have mobile refueling transactions. If you do not have mobile refueling transactions, you will see no change to the Product Summary screen.

• You can now download data on many of the screens to Microsoft Excel. The screens that offer this capability (such as the Invoice Report) have an Excel Download button in the screen header. Just click on the button to download your data, which will then be displayed in an Excel spreadsheet. Click File/Save As to save the data and specify where you want it to be saved. Also, you must save it as a Microsoft Excel Workbook (*.xls). Then just click on your browser's Back button to return to the eFleet system.

• You can now view and display a report of reconciliation statistics for individual finance numbers.

For each station, you can create a report that shows:

• Total number of transactions.

• Total number of unreconciled transactions.

• Percentage of unreconciled transactions.

• Total dollar amount of all transactions.

• Total dollar amount of unreconciled transactions.

You can download the report to Microsoft Excel as follows:

• Go to the eFleet page.

• Enter a finance number under the Finance View section (you must enter a finance number, not a budget authorization (BA) code, district, station, or location).

• Click on Search.

• Click on the finance number that you wish to report ("Finance Number" has no alpha-numeric suffixes).

• Click on the Reconciliation Summary that appears in the Reports box at the top right of the screen.

• Select a fiscal year (FY) and a beginning and ending month or accounting period (AP), and click View.

If you have questions about these enhancements or any other functionality with the eFleet system, contact Transportation Asset Management Purchasing Specialist Kimya Moore at 202-268-8525.

- SCM Strategies,
Supply Management, 9-30-04