Information Technology
HANDBOOK AS-805 REVISION
Information Security
Handbook AS-805, Information Security, is revised as
follows to:
• Update the URL link and e-mail address in the transmittal letter.
• Update ordering information in the transmittal letter.
• Add USB storage devices to the examples of electronic media.
• Change the information designation "business-
controlled sensitivity" to "business-controlled sensitive."
• Change the information designation "business-
controlled criticality" to "business-controlled critical."
• Require the labeling of sensitive and business-
controlled sensitive output from the "Print Screen"
function.
• Change references from ASM 35 to Handbook
AS-353.
• Prohibit the storage of Postal Service™ information
on non-Postal Service-owned devices.
• Prohibit vendors from commingling Postal Service
and non-Postal Service electronic information.
• Change the encryption policy for sensitive and
business-controlled sensitive information in storage
and in transit.
• Address the encryption of payment card industry
(PCI) information.
• Address the removal of Postal Service information
from Postal Service premises.
• Address the removal of unauthorized software.
• Restrict using personal information resources (e.g.,
portable devices and media) at Postal Service
facilities.
• Require that managers remove privileged access for
system and database administrator access on
change-of-job responsibilities and annually review
access privileges of all personnel.
• Address departing system and database administrators.
• Address using eAccess for managing authorizations.
• Address requests for use of non-expiring password
accounts.
• Require spyware protection measures.
• Require isolation of Postal Service and non-Postal
Service networks.
• Update wireless technical requirements.
Watch for communications in coming weeks that will
provide you with guidelines and tools to help you comply
with these new data protection policies and to meet your
business needs.
Handbook AS-805, Information Security
Transmittal Letter
* * * * *
C. Distribution
[Revise link as follows:]
***http://blue.usps.gov/cpim/hbkid.htm***
D. Comments and Questions
* * * * *
[Revise the third paragraph to read as follows:]
Comments may also be sent by e-mail to information_security@usps.gov.
[Add fourth paragraph to read as follows:]
Additional copies may be ordered from the Material
Distribution Center (MDC) using touch tone order entry
(TTOE). Call 800-332-0317; select option 2.
Note: You must be registered to use TTOE. To register, call
800-332-0317; select option 8, extension 2925, and follow
the prompts to leave a message. (Wait 48 hours after registering before placing your first order.)
* * * * *
[Replace all references to "business-controlled sensitivity"
with "business-controlled sensitive" and references to
"business-controlled criticality" with "business-controlled
critical" throughout the handbook.]
* * * * *
3 Information Designation and Control
* * * * *
3-3 Information Designation
* * * * *
3-3.3 Determination of Sensitivity and Criticality
* * * * *
3-3.3.2 Business Impact Assessment Process
[Delete item g. Reletter current item h as new item g.]
* * * * *
3-5 Handling Information and Media
* * * * *
3-5.1 Labeling of Information and Media
3-5.1.1 Sensitive Information
[Revise the first paragraph to read as follows:]
Sensitive information included in electronic media (e.g.,
disks, diskettes, tapes, and USB storage devices) and
hardcopy output (e.g., printouts, screen prints, photocopies,
architecture drawings, and engineering layouts)
must be legibly and durably labeled as "RESTRICTED
INFORMATION."
* * * * *
[Insert the following at the end of this section:]
Caution: The "Print Screen" function can also result in
hardcopy that must be legibly and durably labeled as
"RESTRICTED INFORMATION."
[Revise the title and first paragraph of 3-5.1.2 to read as
follows:]
3-5.1.2 Business-Controlled Sensitive Information
Business-controlled sensitive information included in electronic media (e.g., disks, diskettes, tapes, and USB storage
devices) and hardcopy output (e.g., printouts, screen
prints, photocopies, architecture drawings, and engineering
layouts) must be legibly and durably labeled as
"RESTRICTED INFORMATION."
* * * * *
3-5.2 Retention of Information
[Change the reference from ASM 35 to Handbook AS-353.]
3-5.3 Storage of Information
[Insert text in 3-5.3 to read as follows:]
The storage of Postal Service information on non-Postal
Service-owned devices is prohibited.
3-5.3.1 Sensitive Information
[Revise 3-5.3.1 to read as follows:]
Sensitive information, whether in electronic or non-
electronic format, must be stored in a controlled area or a
locked cabinet in accordance with established Postal
Service policies and procedures (see Handbook AS-353).
[Revise the title and text of 3-5.3.2 to read as follows:]
3-5.3.2 Business-Controlled Sensitive, Critical, and
Business-Controlled Critical Information
Business-controlled sensitive, critical, and business-
controlled critical information, whether in electronic or non-
electronic format, must be stored in a controlled area or a
locked cabinet in accordance with established Postal
Service policies and procedures (see Handbook AS-353).
[Insert new section to read as follows:]
3-5.3.3 Isolation of Postal Service and Non-Postal
Service Information
Non-publicly available Postal Service information must be
isolated from non-Postal Service information (e.g., business partner and vendor information) unless required by
law or regulation. Non-publicly available Postal Service and
non-Postal Service information must not be commingled in
storage at Postal Service facilities, non-Postal Service
facilities, or at backup sites unless required by law or
regulation.
3-5.4 Encryption of Information
[Revise the title and text of 3-5.4.1 to read as follows:]
3-5.4.1 Encryption of Information in Transit Across
Networks
Sensitive and business-controlled sensitive information
must be encrypted in transit across networks.
[Revise the title and text of 3-5.4.2 to read as follows:]
3-5.4.2 Encryption of Information on Removable
Devices or Media and in Offsite Storage
Sensitive and business-controlled sensitive information on
removable devices or media must be encrypted. Sensitive
and business-controlled sensitive information that is stored
off Postal Service premises must also be encrypted.
[Insert a new section, 3-5.4.3, as follows:]
3-5.4.3 Encryption of Payment Card Industry
Information
Payment card industry (PCI) information must be encrypted
throughout the lifecycle.
[Renumber current 3-5.5 through 3-5.6.8 as new 3-5.6
through 3-5.9. Insert new 3-5.5 to read as follows:]
3-5.5 Removal of Postal Service Information from
Postal Service Premises
The requirements for (1) accessing or downloading sensitive and business-controlled sensitive Postal Service electronic information off Postal Service premises or (2) taking
sensitive and business-controlled sensitive Postal Service
electronic and non-electronic information off-site (i.e., non-
Postal Service premises) including Postal Service data processed by business partners are:
a. The removal and storage of sensitive and business-
controlled sensitive Postal Service electronic information from Postal Service premises must be
approved in writing by the functional vice president
(data steward) and the Chief Information Officer
(CIO).
b. Postal Service information accessed, processed, or
stored at non-Postal Service sites must use Postal
Service-owned hardware and software. The use of
business partner hardware and software must be
approved by the CIO and the functional vice president (data steward) and must meet Postal Service
standards for server hardening and malicious code
protection.
c. ACE-supported infrastructure components must connect to the Postal Service Intranet over a secure link
at least weekly to receive appropriate security
patches and virus recognition patterns. Non-ACE-
supported infrastructure components must be appropriately patched and have the latest virus recognition
patterns installed.
d. All Postal Service sensitive and business-controlled
sensitive information must be encrypted during transmission and in storage on removable devices and
media. Also all sensitive and business-controlled
sensitive information must be encrypted in storage off
Postal Service premises.
e. All Postal Service hardware devices, hardcopy, and
media (including backups) containing sensitive and
business-controlled sensitive information must be
secured against theft (e.g., personal valuables safe,
gun safe, locked cabinet, locked cable). Approved
business partner devices must be likewise secured.
f. There must be accountability in the life cycle management of any sensitive and business-controlled sensitive information removed from Postal Service premises.
This data and all copies must be inventoried annually
and formally tracked (e.g., logbook, tape management
system) from creation to destruction.
3-5.6 Release of Information
[Change reference from ASM 35 to Handbook AS-353.]
* * * * *
[Revise title of 3-5.7 to read as follows:]
3-5.7 Disposal and Destruction of Information and
Media
* * * * *
3-5.7.3 Disposal of Nonelectronic Information
[Change reference from ASM 35 to Handbook AS-353.]
* * * * *
[Revise title of new 3-5.8 to read as follows:]
3-5.8 Handling Contaminated Information
Resources
[Revise title of new 3-5.8.1 to read as follows:]
3-5.8.1 Sensitive and Business-Controlled Sensitive
Information
* * * * *
5 Acceptable Use
* * * * *
5-5 Hardware and Software
* * * * *
5-5.3 Using Approved Software
[Revise text in 5-5.3 to read as follows:]
To protect the integrity of Postal Service information resources, only approved software may be used in the Postal
Service computing environment (PCE). To obtain approval
to use software not on the ITK, a formal request must be
made to the EAC. The formal request process applies to:
purchased and licensed applications; shareware; freeware;
and downloads from bulletin boards, Internet, Intranet, FTP
sites, local area networks (LANs), and wide area networks
(WANs).
Unapproved software will be removed by IT personnel.
In addition to approval by the EAC, shareware and freeware must have a formal code review performed and must
be scanned for viruses and malicious code prior to use on
any Postal Service information resource. Software used in
Engineering initiatives associated with the MPE/MHE environment that use or interact with IT information resources
must be approved by the EAC and registered on the ITK.
* * * * *
5-5.5 Protecting Postal Service Networks
[Delete the word "personal" from the last sentence.]
* * * * *
[Revise the title of 5-8 to read as follows:]
5-8 Generally Prohibited Uses of Postal Service
Information Resources
* * * * *
[Renumber current 5-9 as new 5-10. Insert new 5-9 to read
as follows:]
5-9 Prohibited Uses of Personal Information
Resources
Prohibited activities when using personal information resources include, but are not limited to, the following:
a. Do not bring personal information resources (e.g.,
laptops, notebooks, personal digital assistants
[PDAs], handheld computers, or storage media
including universal serial bus [USB] port devices) into
Postal Service facilities.
b. Do not connect personal information resources to the
Postal Service Intranet (Blue).
c. Do not use imaging devices (e.g., cameras, cell
phones with cameras, or watches with cameras) at
Postal Service facilities except as authorized by the
user's vice president or his or her designee for business purposes.
[Revise title and text of new 5-10 to read as follows:]
5-10 Protection of Privacy
Sensitive and business-controlled sensitive information
resources must protect the privacy-related data of customers and all personnel in accordance with the Postal Service
privacy policy and the Privacy Act as applicable. Postal
Service policies related to privacy, the Freedom of Information Act (FOIA), and records management can be found in
Handbook AS-353. Postal Service privacy policy for customers is posted on www.usps.com.
* * * * *
[Revise title and text of new 5-10.3 to read as follows:]
5-10.3 Tracking Devices on Web Sites
Postal Service policy addressing tracking devices is contained in the Postal Service privacy policy on www.usps.com. Use of persistent tracking devices (e.g., cookies and
Web beacons) must be in accordance with this policy.
* * * * *
[Renumber 5-10.3.2 as new 5-10.4 and 5-10.3.3 as new
5-10.5.]
5-10.5 Transfer to Another Site
[Delete the last sentence of the paragraph.]
6 Personnel Security
* * * * *
6-2 Roles and Responsibilities
* * * * *
6-2.4 All Managers
* * * * *
[Reletter current items d through i as new items f through k.
Insert new items d and e to read as follows:]
d. Notifying appropriate system and database administrators when access to information resources by personnel under your supervision is no longer needed
due to changing job requirements.
e. Reviewing all access privileges to information
resources by personnel under your supervision semiannually and removing via eAccess those access
privileges that are no longer needed.
* * * * *
[Revise new items j and k to read as follows:]
j. Processing departing (i.e., transferring to another organization or separating from the Postal Service)
personnel appropriately and notifying the appropriate
system and database administrators when personnel
no longer require access to information resources.
k. Initiating written requests for monitoring an individual's noncompliance with the acceptable use policies.
For monitoring electronic messaging, follow the Management Instruction AS-870-2005-2: Electronic
Messaging (e-mail) for the request and approval procedures on monitoring.
* * * * *
6-7 Departing Personnel
* * * * *
[Insert new 6-7.3 to read as follows:]
6-7.3 Systems or Database Administrator
Departure
Routine separation or adverse termination of a systems
administrator or a database administrator requires taking
extra care and precautions. Upon departure, remove the
privileged access as quickly as possible to maintain the
security and integrity of the specific information resources
to which the administrator had access. After departure,
monitor the affected information resources for improper use
or access. Specifically, the manager, supervisor, or contracting officer of the departing systems or database administrator must:
a. Follow the requirements documented above in 6-7.1
for routine separation or 6-7.2 for adverse termination as applicable.
b. Reconfigure access lists to remove the departed administrator's accounts.
c. Disable or change the password or login requirements to all shared devices and applications.
d. Disable or change passwords to all shared service
and privileged accounts.
e. Disallow physical access to buildings, systems, and
information associated with the departed administrator's former access.
f. Monitor all privileged accounts for usage and access
to the systems, applications, and databases formerly
under the administrator's control to ensure all access
has been removed.
g. Review records for Postal Service information
approved for removal offsite and make appropriate
efforts to recover information and/or equipment as
applicable. Notify the manager, CISO, of any information identified as removed but not recovered.
* * * * *
7 Physical and Environmental Security
* * * * *
7-3 Facility Security
* * * * *
7-3.2 Physical Protection of Information Resources
* * * * *
[Revise the note to read as follows:]
Note: Sensitive and business-controlled sensitive information on information resources must be encrypted in transit.
Sensitive and business-controlled sensitive information
stored on removable devices or media must be encrypted
and stored in a controlled area or in a locked cabinet. Sensitive and business-controlled sensitive information that is
stored off Postal Service premises must also be encrypted
and stored in a controlled area or in a locked cabinet.
* * * * *
[Revise the title and text of 7-3.2.2 to read as follows:]
7-3.2.2 Postal Service Workstations and Portable
Devices
Postal Service workstations and portable information
resources must be protected at all times in use, storage,
and in transit against damage, unauthorized access, and
theft.
* * * * *
[Revise the title and text of 7-3.2.3 to read as follows:]
7-3.2.3 Non-Postal Service Portable Devices
In order to protect Postal Service information from disclosure or compromise, non-Postal Service portable devices
(e.g., laptops, notebooks, personal digital assistants
[PDAs], handheld computers, cameras, watches with cameras, or storage media including universal serial bus [USB]
port devices or thumb drives) should not be used on Postal
Service facilities without written approval from the user's
vice president or his or her designee. Under no circumstances will such devices connect to the Postal Service Intranet (Blue) or store Postal Service information.
Visitors to Postal Service facilities are required to present
non-Postal Service portable devices to the installation head
or his or her designee upon entry to the facility. The installation head or his or her designee will determine if such devices must be surrendered for the duration of the visit.
Under no circumstances will such devices connect to the
Postal Service Intranet (Blue) or store Postal Service
information.
* * * * *
8 System, Applications, and Product
Development
* * * * *
8-2 Roles and Responsibilities
* * * * *
8-2.6 Portfolio Managers
* * * * *
[Add item i to read as follows:]
i. Accepting personal accountability for adverse consequences if an application was placed in production
before the Application ISA process was completed.
* * * * *
8-5 Information Security Assurance Process
* * * * *
8-5.1 What the ISA Process Covers
[Add the following sentence to the end of the paragraph:]
***All wireless information resources, regardless of sensitivity or criticality, must complete the full ISA process.
* * * * *
8-6 Application Information Security Assurance
Phases
* * * * *
8-6.3 Phase 3 - Testing
* * * * *
8-6.3.6 Conduct Independent Security Code Review
* * * * *
8-6.3.6.2 Criteria for Conducting an Independent
Security Code Review
* * * * *
[Revise item c to read as follows:]
c. Applications (including COTS applications containing
custom programming), regardless of the designation
of sensitivity or criticality, that transmit information
between a Postal Service network and an external
network, or between a Postal Service demilitarized
zone (DMZ) and an external network.
* * * * *
8-6.5 Phase 5 - Production
* * * * *
8-6.5.5 Re-initiate ISA
[Revise item a(1) and item c to read as follows:]
(1) Change in the functions of the application or data
that alters the criticality or sensitivity designation
of the application.
* * * * *
c. A significant finding of an audit or other external
assessment.
* * * * *
[Revise the title of 8-6.5.7.1 to read as follows:]
8-6.5.7.1 Disposal of Data
[Change reference from ASM 35 to Handbook AS-353.]
* * * * *
9 Information Security Services
* * * * *
9-4 Authorization
* * * * *
9-4.2 Authorization Process
[Add a sentence to 9-4.2 to read as follows:]
eAccess is the Postal Service application for managing
authorization to information resources.
* * * * *
9-5 Accountability
* * * * *
9-5.2 Types of Accountability
* * * * *
9-5.2.3 Individual Accountability
* * * * *
[Revise item b to read as follows:]
b. Verify that users are authorized to use the system.
9-5.3 Types of Accounts
* * * * *
[Add new items e and f to read as follows:]
e. Guest.
f. Other.
* * * * *
9-7 Authentication
* * * * *
9-7.1 Passwords
* * * * *
9-7.1.1 Password Selection Requirements
* * * * *
[Revise items a and b to read as follows:]
a. For privileged users, personnel in technology areas,
mobile users, and personnel using Encryption File
System (EFS), passwords must consist of at least
eight characters and contain at least one character
from three of the four following types of characters:
English uppercase letters (A-Z), English lowercase
letters (a-z), Westernized Arabic numerals (0-9),
and nonalphanumeric characters (special characters
such as &, #, and $).
b. For all other users, passwords must consist of at least
six characters and contain at least one character from
three of the four following types of characters: English
uppercase letters (A-Z), English lowercase letters
(a-z), Westernized Arabic numerals (0-9), and nonalphanumeric characters (special characters such as &,
#, and $).
* * * * *
[Renumber current 9-7.1.6 through 9-7.1.9 as new 9-7.1.8
through 9-7.1.11. Renumber current 9-7.1.4 and 9-7.1.5 as
new 9-7.1.5 and 9-7.1.6. Insert new 9-7.1.4 to read as
follows:]
9-7.1.4 Password Suspension
After six unsuccessful attempts, suspend the password
and disable the account.
9-7.1.5 Re-set Passwords
[Revise new 9-7.1.5 to read as follows:]
Users with nonprivileged accounts who have forgotten their
passwords or whose accounts have been disabled due to
using an incorrect password after six attempts, may re-set
their password by invoking ePassword Reset. ePassword
Reset will re-set the password to a temporary password
and the user must then change the password at first logon.
ePassword Reset is not used for system administrators,
database administrators, or other privileged accounts.
When privileged users request the re-set of a password,
the user must be prepared to provide some predetermined
shared secret that only the user would know for validation
purposes (see 9-7.3, Shared Secret). Re-set passwords for
privileged users must be hand-delivered. The password is
re-set to a temporary password and the user must then
change the password at first logon.
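The composition rule in 9-7.1.1, the six-failure suspension in 9-7.1.4 (made administrator-configurable in 9-7.1.11) and the temporary-password re-set in 9-7.1.5 are concrete enough to check in code. The following is an added example written for this page, not Postal Service or eAccess/ePassword Reset code. It assumes that any character outside the three listed ASCII classes counts toward the "nonalphanumeric" class, and it models only the counter and flags; issuing and hand-delivering the temporary password is outside the example.

```go
package main

import "fmt"

// Added example for AS-805 9-7.1.1 (password composition), 9-7.1.4
// (suspension after six failures) and 9-7.1.5 (re-set to a temporary
// password that must be changed at first logon). Not Postal Service code.

// classes counts how many of the four character classes named in 9-7.1.1
// a password draws from: A-Z, a-z, 0-9, and everything else (special).
// Assumption: any rune outside the three ASCII classes is "special".
func classes(pw string) int {
	var upper, lower, digit, special bool
	for _, r := range pw {
		switch {
		case r >= 'A' && r <= 'Z':
			upper = true
		case r >= 'a' && r <= 'z':
			lower = true
		case r >= '0' && r <= '9':
			digit = true
		default:
			special = true
		}
	}
	n := 0
	for _, present := range []bool{upper, lower, digit, special} {
		if present {
			n++
		}
	}
	return n
}

// MeetsPolicy applies 9-7.1.1: privileged, technology-area, mobile and EFS
// users need at least eight characters, everyone else at least six, and in
// both cases at least three of the four classes must be present.
func MeetsPolicy(pw string, privileged bool) bool {
	minLen := 6
	if privileged {
		minLen = 8
	}
	if len([]rune(pw)) < minLen {
		return false
	}
	return classes(pw) >= 3
}

// Account keeps the failed-logon counter. Threshold is the
// administrator-configurable limit of 9-7.1.11(b); 9-7.1.4 sets it to six.
type Account struct {
	Threshold  int
	Failures   int
	Disabled   bool
	MustChange bool // set by a re-set; the user must change the password at first logon
}

func NewAccount(threshold int) *Account {
	return &Account{Threshold: threshold}
}

// Logon records one attempt. It returns true only when the credential
// verified (passwordOK) and the account is not disabled; once the account
// is disabled even the correct password is rejected until a re-set.
func (a *Account) Logon(passwordOK bool) bool {
	if a.Disabled {
		return false
	}
	if passwordOK {
		a.Failures = 0
		return true
	}
	a.Failures++
	if a.Failures >= a.Threshold {
		a.Disabled = true
	}
	return false
}

// ResetPassword models the effect of ePassword Reset (9-7.1.5): the account
// is re-enabled with a temporary password and MustChange forces a change at
// first logon. Generating and delivering that password is not modeled here.
func (a *Account) ResetPassword() {
	a.Failures = 0
	a.Disabled = false
	a.MustChange = true
}

func main() {
	for _, pw := range []string{"Tr0ub4dor&", "Tr0ub4", "troubadour"} {
		fmt.Printf("%-12q privileged=%v other=%v\n", pw, MeetsPolicy(pw, true), MeetsPolicy(pw, false))
	}
	acct := NewAccount(6)
	for i := 0; i < 6; i++ {
		acct.Logon(false) // six bad guesses: disabled on the sixth
	}
	fmt.Println("disabled after six failures:", acct.Disabled, "correct password now accepted:", acct.Logon(true))
}
```

A successful logon clears the counter, so the threshold counts consecutive failures; a locked account stays locked regardless of what is typed until the re-set path runs, which is what makes the lockout useful against online guessing.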
* * * * *
[Insert new 9-7.1.7 to read as follows:]
9-7.1.7 Requests for Use of Non-Expiring Password
Accounts
All requests for use of non-expiring password accounts
must be submitted in writing (e-mail is acceptable) by the
executive sponsor to the manager, CISO. These accounts
will be tracked for compliance purposes. The executive
sponsor will be held accountable for the usage of these
accounts. If approval is granted, the following compensating controls must be implemented:
a. Account must be in Active Directory. (The only
exception will be source-restricted mainframe
accounts.) No privileged access allowed.
b. Non-expiring accounts must be requested and documented through eAccess.
c. Source restrict the account to a specific host and do
not allow console or remote entry.
d. Encrypt the LDAP call to keep the password from
being transmitted across the network in clear text.
e. Use a maximum length complex password.
f. Strictly restrict access to the password to operations
staff with a need to know.
g. Change password when personnel with access to the
account leave or transfer.
* * * * *
9-7.1.11 Password Requirements
* * * * *
[Reletter current items b through d as new items c through
e. Insert new item b to read as follows:]
b. Suspend password and disable account after an
administrator-configurable number of unsuccessful
entries.
* * * * *
9-7.4 Digital Certificates and Signatures
9-7.4.1 Digital Certificates
[Revise the second sentence to read as follows:]
***The certificate's purpose is to relate a unique name to a
specific public key and is used for encryption and decryption of files and the nonrepudiation of messages.***
* * * * *
9-8 Confidentiality
* * * * *
9-8.2 Encryption
[Revise the last sentence to read as follows:]
***The minimum encryption standard for the Postal Service
is the Advanced Encryption Standard (AES) with a 128-bit
encryption key. Triple Data Encryption Standard (3DES) with a
128-bit encryption key may be used if AES is not available
for the information resource.
[Revise the title and last sentence of 9-8.2.1 to read as
follows:]
9-8.2.1 Required for Transmission and Storage on
Removable Devices and Media
***Encryption must be used for sensitive and business-
controlled sensitive information that is transmitted or stored
on removable devices or media. Encryption must be used
for payment card industry (PCI) information throughout the
lifecycle. Encryption must also be used for sensitive and
business-controlled sensitive information that is stored off
Postal Service premises.
[Revise the title and text of 9-8.2.2 to read as follows:]
9-8.2.2 Recommended for Storage on
Non-Removable Devices
Additionally, encryption is recommended for sensitive and
business-controlled sensitive information stored on non-
removable devices. See 3-5.4, Encryption of Information.
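What the 9-8.2 minimum and the 9-8.2.1 / 3-5.4.2 storage rule amount to in practice is an authenticated AES-128 wrapper around anything written to a removable device. The following is an added example written for this page, not Postal Service code; it uses Go's standard-library AES-GCM, assumes the key is provisioned and stored by some mechanism outside the example, and, as an assumption, binds the "RESTRICTED INFORMATION" marking of 3-5.1 to the ciphertext as additional authenticated data so that a copy whose marking is altered no longer decrypts.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Added example for AS-805 9-8.2 / 9-8.2.1: AES with a 128-bit key as the
// minimum standard, applied to sensitive information written to removable
// media. Not Postal Service code; key provisioning is assumed to happen elsewhere.

const keyLen = 16 // 128-bit AES key, the 9-8.2 minimum

// Label is bound to the ciphertext as additional authenticated data, so a
// file whose marking is stripped or changed fails to decrypt.
// (Assumption: the 3-5.1 marking string is used as the AAD.)
var Label = []byte("RESTRICTED INFORMATION")

// NewKey draws a fresh random 128-bit key.
func NewKey() ([]byte, error) {
	key := make([]byte, keyLen)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keyLen {
		return nil, fmt.Errorf("key is %d bytes; AES-128 needs %d", len(key), keyLen)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext for storage on removable media. The output is
// nonce || ciphertext || tag. A fresh random nonce is drawn on every call:
// reusing a GCM nonce under one key breaks both confidentiality and integrity.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, Label), nil
}

// Open reverses Seal and fails closed: a truncated file, a flipped byte,
// a wrong key or a changed label all yield an error and no plaintext.
func Open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed data too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, Label)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	record := []byte("employee-id=000000 ssn=***-**-0000") // constructed sample, not real data
	sealed, err := Seal(key, record)
	if err != nil {
		panic(err)
	}
	back, err := Open(key, sealed)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(back, record))
	sealed[len(sealed)-1] ^= 0x01 // corrupt one bit of the tag
	_, err = Open(key, sealed)
	fmt.Println("tampered copy rejected:", err != nil)
}
```

GCM gives integrity as well as confidentiality, which matters for media that leave the premises: a modified or partially overwritten file is rejected rather than silently decrypting to garbage. The 3DES fallback in 9-8.2 with a 128-bit key is two-key triple DES, whose effective strength is about 112 bits, so AES is the right default wherever the platform offers it.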
* * * * *
9-10 Availability
* * * * *
9-10.4 High Availability
* * * * *
[Reletter current items d through g as new items f through i.
Add new items d and e to read as follows:]
d. Offsite vaulting of application transactions.
e. Mirroring of applications at site not subject to the
same threats.
* * * * *
9-12 Audit Logging
[Revise introductory text to read as follows:]
Audit logs must be sufficient in detail to facilitate reconstruction of events if a compromise or malfunction is suspected or has occurred. Audit logs include system logs,
event logs, error logs, and Web logs. Information resources
must implement audit logging functions including, but not
limited to, the following:
* * * * *
9-12.5 Audit Log Retention
[Change reference from ASM 35 to Handbook AS-353.]
* * * * *
10 Hardware and Software Security
* * * * *
10-5 Hardware Security
* * * * *
10-5.4 Workstations
* * * * *
[Revise the title of 10-5.4.2 to read as follows:]
10-5.4.2 Password- or Token-Protected Screen Saver
* * * * *
10-6 Software and Applications Security
* * * * *
10-6.3 Version Control
* * * * *
[Add new 10-6.3.4 to read as follows:]
10-6.3.4 Unapproved Software
Unapproved software will be removed by the IT staff.
* * * * *
10-6.6 Database Management Systems
* * * * *
10-6.6.1 DBMS Activity Logs
[In the last sentence, change "Continuity and Contingency
Planning" to "Continuance Management."]
* * * * *
10-7 Protection Against Viruses and Malicious
Code
* * * * *
10-7.1 Virus Protection Software
10-7.1.1 Installation
[Revise the last sentence to read as follows:]
***Unauthorized personnel must not modify the configuration of virus protection software.
* * * * *
10-7.2 Other Protection Measures
* * * * *
[Add new 10-7.2.6 to read as follows:]
10-7.2.6 Spyware Protection Measures
All information resources within the Postal Service must be
protected against the introduction of spyware. A layered
defense must be implemented combining anti-spyware
software with anti-virus software, a personal firewall, host
anomaly detection/intrusion prevention software, spam and
content filtering for inbound e-mail, pop-up blocker protection, and user education. Unauthorized personnel must not
modify the configuration of spyware protection software.
* * * * *
11 Networks and Communications
* * * * *
11-3 Networks and Communications Security
11-3.1 Purpose
[Revise the introductory text to read as follows:]
Physical, administrative, and technical security controls
and processes that safeguard the confidentiality, availability, and integrity of the network will be implemented to:
* * * * *
11-5 Protecting the Network Infrastructure
* * * * *
[Renumber current 11-5.11 as new 11-5.11.1, current
11-5.12 as new 11-5.11.2, current 11-5.13 as new
11-5.11.3, current 11-5.10 as new 11-5.11, and add new
11-5.10 to read as follows:]
11-5.10 Isolation of Postal Service and Non-Postal
Service Networks
Postal Service networks must be isolated from non-Postal
Service networks (e.g., business partner and vendor networks). Postal Service and non-Postal Service network
devices must not be commingled. Non-publicly available
Postal Service information must be isolated from non-
Postal Service information (e.g., business partner and vendor information) in transit.
* * * * *
11-12 Remote Access
11-12.1 Authentication
* * * * *
[Revise the last sentence of the second paragraph to read
as follows:]
***In addition, personnel outside Postal Service firewalls
must use an encrypted session, such as VPN or secure
socket layer (SSL), if transmitting sensitive or business-
controlled sensitive information.
* * * * *
12 Business Continuance Management
* * * * *
12-2 Roles and Responsibilities
* * * * *
12-2.11 Executive Sponsors
[Reletter current item c as new item d. Add new item c to
read as follows:]
c. Developing an ADRP for critical and business-
controlled critical applications.
* * * * *
Exhibit 12.2 Business Continuance Management
Responsibilities
[Change the entry in the cell at the intersection of "Develop,
maintain, and test ADRPs" and "Managers of Development
Centers" from "C" to "X."]
* * * * *
[Revise the title and text of 12-6 to read as follows:]
12-6 Relationship of Criticality, Recovery Time
Objective, and Recovery Point Objective
The criticality of an application is determined during the
Application BIA, and the EIR is updated at the completion
of the BIA process. The RTO, which is the maximum allowable downtime for an application, is determined for
applications designated as critical or business-controlled
critical. It is the time within which the application must be
restored; it says nothing about how much data will be lost.
The RTO must be commensurate with the level of criticality.
If there is a significant mismatch between the RTO and the
criticality designation, the RTO and criticality designation
must be reviewed. As a general rule, the more critical the
application, the lower the RTO. A lower RTO often requires
a larger investment in BCM resources, which, in turn,
results in higher costs. The RTO is determined in consultation with the DR service provider as the DR strategy is
defined.
Also at this time, the data currency requirements/recovery
point objective (RPO) is determined. The RPO indicates
the maximum amount of allowable data loss. It is the point
in time (age) to which data must be recovered relative to
the time of the disaster. It is the size of the window of opportunity for data loss. The amount of data loss is determined
by backup methods and frequency of backup transport offsite. A better RPO requires more frequent backup and
transport of the backups offsite or mirroring of the application at an offsite location.
The DR service provider uses the EIR to identify which
applications require the development and testing of an
ADRP.
* * * * *
13 Incident Management
* * * * *
13-3 Information Security Incidents
* * * * *
13-3.2 Reportable Incidents
* * * * *
[Reletter current items m through w as new items n through
x. Add new item m to read as follows:]
m. Systems displaying strange messages or mislabeled
files or directories.
* * * * *
13-4 Incident Prevention
[Revise text to read as follows:]
The following actions by Postal Service personnel can help
prevent information security incidents:
a. Display proper badge when in any Postal Service
facility.
b. Be aware of your physical surroundings, including
weaknesses in physical security and the presence of
any unauthorized visitor.
c. Use only approved computer hardware and software
with the latest patches installed.
d. Use updated virus protection software and pattern
recognition files.
e. Do not download, install, or run a program unless you
know it to be authored by a person or company that
you trust.
f. Use a personal firewall.
g. Use a strong password of at least eight characters
composed of upper- and lower-case alphabetic,
numeric, and special characters.
h. Encrypt sensitive and business-controlled sensitive
information physically removed from a Postal Service
facility.
i. Encrypt sensitive and business-controlled sensitive
information in transit.
j. Back up data stored on the local workstation and physically secure the backup copies.
k. Be wary of unexpected attachments. Know the
source of the attachment before opening it. Remember that many viruses originate from a familiar e-mail
address.
l. Be wary of URLs in e-mail or instant messages. A
common social engineering technique known as
phishing uses misleading URLs to entice users to visit malicious Web sites. URLs can link to malicious
content that, in some cases, may be executed without your intervention.
m. Be wary of social engineering attempts to solicit
restricted information, such as account numbers and
passwords.
n. Users of technology such as instant messaging and
file-sharing services should be careful of following
links or running software sent by other users.
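Item l above describes the technique (misleading URLs in e-mail or instant messages) without showing what "misleading" looks like on the wire. The following Python is an added example, not part of Handbook AS-805 or of any Postal Service tool: it pulls URLs and HTML links out of a message body and flags the classic disguises, a user name before "@" that hides the real host, a raw or hex-encoded IP address as the host, a punycode (homograph) label, a trusted brand name embedded in an untrusted domain, and link text that names a different host than the href. The trusted-domain list and the sample message are constructed for the example.

```python
"""Flag misleading (phishing-style) URLs in an e-mail or IM body. Added example."""
from __future__ import annotations

import ipaddress
import re
from urllib.parse import urlsplit

# Domains the reader is entitled to trust; a hypothetical list for this example.
TRUSTED_DOMAINS = ("usps.com", "usps.gov")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.IGNORECASE)
ANCHOR_RE = re.compile(
    r'<a\s+[^>]*href="(?P<href>[^"]+)"[^>]*>(?P<text>[^<]+)</a>', re.IGNORECASE
)


def _host_of(url: str) -> str:
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def _is_ip_literal(host: str) -> bool:
    """True for dotted-quad/IPv6 hosts and for all-numeric (decimal or hex) forms."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return bool(re.fullmatch(r"(0x[0-9a-f]+|\d+)(\.(0x[0-9a-f]+|\d+))*", host))


def _under_trusted(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def url_reasons(url: str) -> list[str]:
    """Return the reasons a single URL looks misleading (empty list if none)."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return ["unparseable URL"]
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.username is not None:
        # http://www.example.com@10.0.0.1/ : the browser goes to 10.0.0.1
        reasons.append("userinfo before '@' hides the real host")
    if _is_ip_literal(host):
        reasons.append("host is a raw IP address")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label (possible homograph)")
    for d in TRUSTED_DOMAINS:
        brand = d.split(".")[0]
        if brand in host and not _under_trusted(host):
            reasons.append(f"trusted name '{brand}' embedded in untrusted host")
            break
    return reasons


def anchor_reasons(href: str, text: str) -> list[str]:
    """Flag an HTML link whose visible text names a host other than the href's."""
    reasons = url_reasons(href)
    shown = HOST_RE.search(text)
    if shown:
        shown_host = shown.group(1).lower()
        real_host = _host_of(href)
        if shown_host != real_host:
            reasons.append(f"link text shows {shown_host} but href goes to {real_host}")
    return reasons


def scan_message(body: str) -> dict[str, list[str]]:
    """Map every suspicious URL in a message body to its list of warning reasons."""
    findings: dict[str, list[str]] = {}
    for m in ANCHOR_RE.finditer(body):
        r = anchor_reasons(m.group("href"), m.group("text"))
        if r:
            findings[m.group("href")] = r
    for m in URL_RE.finditer(body):
        url = m.group(0).rstrip(".,;)")
        if url not in findings:
            r = url_reasons(url)
            if r:
                findings[url] = r
    return findings


# Constructed sample message for the example; not a real e-mail.
SAMPLE_BODY = """Your package is on hold. Confirm your address at
http://www.usps.com@198.51.100.7/redelivery within 24 hours.
Tracking: <a href="http://usps.com.track-status.example/t">https://tools.usps.com/go/TrackConfirm</a>
Help: https://www.usps.com/help (no action needed).
"""

if __name__ == "__main__":
    for url, reasons in scan_message(SAMPLE_BODY).items():
        print(url, "->", "; ".join(reasons))
```

The two phishing links in the sample are flagged (the "@" trick plus an IP host, and the brand-in-subdomain link whose text points at a different host); the genuine https://www.usps.com/help link is not. The checks are heuristics: a clean result is not proof the link is safe, which is why item l still tells users to be wary rather than to rely on a filter.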
* * * * *
14 Compliance and Monitoring
* * * * *
14-5 Monitoring
* * * * *
14-5.5 Warning Banner
* * * * *
Exhibit 14-5.4 Authorized Standard Postal Service
Warning Banner
[Remove boldface from the last sentence of the second
paragraph.]
* * * * *
14-5.6 What is Monitored
* * * * *
[Revise the title of 14-5.6.1 to read as follows:]
14-5.6.1 Requesting User Monitoring
* * * * *
[Revise the title of 14-5.6.2 to read as follows:]
14-5.6.2 Approving User Monitoring
* * * * *
14-5.7 Infrastructure Monitoring
[Revise the introductory text to read as follows:]
The manager, CISO, is responsible for ensuring security of
the Postal Service infrastructure through the following:
* * * * *
14-7 Confiscation and Removal of Information
Resources
[Revise text to read as follows:]
The CISO, OIG, Inspection Service, or their designee may
confiscate and remove any information resource suspected
to be the object of inappropriate use or violation of Postal
Service information security policies to preserve evidence
that might be used in forensic analysis of a security incident. The CISO, OIG, Inspection Service, or their designee,
as appropriate, will ensure that the chain of evidence (associated with the possession of the confiscated information
resource) is preserved and documented.
* * * * *
15 Wireless Networking
15-1 Policy
* * * * *
[Add a third paragraph to read as follows:]
All wireless technology, including wireless local area networks (WLANs), cellular technologies, radio frequency
identifier (RFID) tag applications, Bluetooth technologies,
and personal area networks (PANs), must be approved by
the NCRB before procurement and integration.
* * * * *
15-6 Wireless Solutions
15-6.1 General
* * * * *
[Revise the first sentence of the second paragraph to read
as follows:]
Devices that meet the current WLAN standard solution will
not require a firewall between wireless devices and wired
networks.***
* * * * *
15-9 Deployment Requirements
* * * * *
15-9.3 Technical Security Requirements
[Revise text to read as follows:]
Technical security controls should be implemented to mitigate risks such as eavesdropping, traffic analysis, masquerading, replay, message modification, and denial of
service. Wireless technical security requirements are as
follows:
a. Implement a "power-on" password based on Postal
Service standards for each mobile wireless handheld
device.
b. Implement appropriate password management (e.g.,
aging) for all handheld devices.
c. Implement mutual authentication between a wireless
device and an access point.
d. Implement authentication for users whether operating locally or remotely (i.e., authenticate to the device
or to the network).
e. Provide only specific services (e.g., HTTP, HTTPS,
SMTP).
f. Control access between the WLAN and wired LAN
with a firewall.
g. Implement timeout mechanisms that automatically
prompt the user for a password after a period of
device inactivity.
h. Implement nonrepudiation access check for financial
transactions.
i. Use the wireless access point for access only.
j. Configure the wireless access point properly.
k. Set wireless access points to channels 1, 6, and 11 so they
do not compete and interfere with each other. An access point on a nonstandard channel may indicate a rogue access point or a possible
"man-in-the-middle" attack.
l. Routinely test the inherent security features (e.g.,
authentication and encryption) that exist in wireless
algorithms to protect sensitive and business-
controlled sensitive information.
m. Encrypt data between a device and an access point,
or ancillary downstream device, using Postal
Service encryption standards; e.g., implement Wired
Equivalent Privacy (WEP) using a 104/128-bit key.
n. Use a VPN to secure communication between WLAN
and LAN resources.
o. Implement Media Access Control (MAC) address
filtering.
p. Use an HTTP/HTTPS proxy to access the Internet.
q. Turn off ad hoc networking and ensure your wireless
network interface card (NIC) remains in "infrastructure only" mode.
r. Utilize Temporal Key Integrity Protocol (TKIP) to provide data encryption, including a per-packet key mixing function, a message integrity check (MIC), an
extended initialization vector (IV) with sequencing
rules, and a re-keying mechanism.
s. Implement 802.1X and EAP to provide a framework
for strong user authentication.
t. Employ Postal Service standard end-to-end cryptographic protection to transmit sensitive and business-
controlled sensitive information over other network
segments, including wired segments or the Internet.
u. Even when approved cryptography is used, employ
additional countermeasures (e.g., strategically
locating access points, firewall filtering, blocking, and
installation of antivirus software) as required.
v. Employ automated key rotation.
w. Install personal firewall software on all mobile networked wireless devices.
x. Implement appropriate logging and intrusion detection where any wireless equipment is used.
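Several of the requirements above (channels 1/6/11 in item k, encryption in item m, MAC filtering in item o, TKIP/RSN in item r, 802.1X/EAP in item s, and detection in item x) can be checked from an ordinary site survey. The following Python is an added example, not part of Handbook AS-805 or of any Postal Service tool: it parses scan output in the format of the Linux `iw dev <if> scan` command (the sample below is constructed, not a real capture), derives the channel from the frequency, and reports each access point that is not in the approved inventory, sits on an overlapping 2.4 GHz channel, is open, is WEP-only (privacy bit set with no WPA/RSN element), or is not using 802.1X. The approved BSSID and SSID lists are hypothetical. One caveat a practitioner should carry: WEP, even with a 104-bit key, is cryptographically broken and its key is recoverable from captured traffic, so the example treats any WEP-only network as a finding.

```python
"""Audit a WLAN site survey against channel, encryption and 802.1X requirements. Added example."""
from __future__ import annotations

import re

# Hypothetical inventory of approved access points for this example.
APPROVED_BSSIDS = {"00:11:22:33:44:55"}
APPROVED_SSIDS = {"PostalNet"}
NON_OVERLAPPING_24GHZ = {1, 6, 11}

# Only an unindented "BSS <mac>" line starts a record; the indented "BSS Load:" element does not.
BSS_RE = re.compile(r"^BSS ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.IGNORECASE)


def channel_of(freq_mhz: int) -> int | None:
    """Map a center frequency to its IEEE 802.11 channel number."""
    if freq_mhz == 2484:
        return 14
    if 2412 <= freq_mhz <= 2472:
        return (freq_mhz - 2407) // 5
    if 5000 <= freq_mhz <= 5900:
        return (freq_mhz - 5000) // 5
    return None


def parse_scan(text: str) -> list[dict]:
    """Parse `iw dev <if> scan` style output into one dict per BSS."""
    nets: list[dict] = []
    cur: dict | None = None
    for raw in text.splitlines():
        m = BSS_RE.match(raw)
        if m:
            cur = {"bssid": m.group(1).lower(), "freq": 0, "ssid": "",
                   "privacy": False, "rsn": False, "wpa": False, "auth": ""}
            nets.append(cur)
            continue
        if cur is None:
            continue
        line = raw.strip()
        if line.startswith("freq:"):
            cur["freq"] = int(float(line.split(":", 1)[1]))
        elif line.startswith("SSID:"):
            cur["ssid"] = line[5:].strip()
        elif line.startswith("capability:"):
            cur["privacy"] = "Privacy" in line      # privacy bit: WEP or WPA/RSN in use
        elif line.startswith("RSN:"):
            cur["rsn"] = True                        # WPA2/WPA3 element present
        elif line.startswith("WPA:"):
            cur["wpa"] = True                        # WPA1 (TKIP) element present
        elif line.startswith("* Authentication suites:"):
            cur["auth"] = line.split(":", 1)[1].strip()
    return nets


def check_network(net: dict) -> list[str]:
    """Return the policy findings for one access point (empty if compliant)."""
    findings: list[str] = []
    approved = net["bssid"] in APPROVED_BSSIDS
    if not approved:
        findings.append("unknown BSSID (possible rogue AP)")
        if net["ssid"] in APPROVED_SSIDS:
            findings.append("approved SSID on unapproved BSSID (evil twin)")
    ch = channel_of(net["freq"])
    if ch is not None and net["freq"] < 3000 and ch not in NON_OVERLAPPING_24GHZ:
        findings.append(f"2.4 GHz channel {ch} not in {{1, 6, 11}}")
    if not net["privacy"]:
        findings.append("open network, no encryption")
    elif not (net["rsn"] or net["wpa"]):
        findings.append("WEP-only encryption (broken, key recoverable)")
    elif "802.1X" not in net["auth"]:
        findings.append(f"no 802.1X/EAP authentication (suite: {net['auth'] or 'unknown'})")
    return findings


def audit(scan_text: str) -> dict[str, list[str]]:
    """Map each BSSID in the survey to its findings."""
    return {n["bssid"]: check_network(n) for n in parse_scan(scan_text)}


# Constructed sample survey modelled on `iw dev wlan0 scan` output; not a real capture.
SAMPLE_SCAN = """\
BSS 00:11:22:33:44:55(on wlan0)
    freq: 2437
    signal: -41.00 dBm
    SSID: PostalNet
    capability: ESS Privacy ShortSlotTime (0x0411)
    RSN:     * Version: 1
         * Group cipher: CCMP
         * Pairwise ciphers: CCMP
         * Authentication suites: IEEE 802.1X
BSS 66:77:88:99:aa:bb(on wlan0)
    freq: 2427
    signal: -63.00 dBm
    SSID: PostalNet
    capability: ESS Privacy ShortSlotTime (0x0411)
    RSN:     * Version: 1
         * Group cipher: CCMP
         * Pairwise ciphers: CCMP
         * Authentication suites: PSK
BSS cc:dd:ee:ff:00:11(on wlan0)
    freq: 2462
    signal: -70.00 dBm
    SSID: dock-printer
    capability: ESS Privacy ShortSlotTime (0x0411)
BSS 22:33:44:55:66:77(on wlan0)
    freq: 5180
    signal: -55.00 dBm
    SSID: Guest
    capability: ESS ShortSlotTime (0x0401)
"""

if __name__ == "__main__":
    for bssid, findings in audit(SAMPLE_SCAN).items():
        print(bssid, "OK" if not findings else "; ".join(findings))
```

In the sample, the inventoried access point on channel 6 with RSN and 802.1X passes; the second "PostalNet" on an unknown BSSID and channel 4 with PSK is the evil-twin case item k warns about; the printer is WEP-only; the 5 GHz guest network is open. In practice the scan would be run from a monitoring host on a schedule and the nonempty results fed to the logging and intrusion detection required by item x.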
* * * * *
Appendix A Consolidated Roles and
Responsibilities
* * * * *
11 Portfolio Managers
* * * * *
[Add item k to read as follows:]
k. Accepting personal accountability for adverse consequences if an application was placed in production
before the Application ISA process was completed.
* * * * *
Appendix B Information Security and Related
Documents
[Under "Other Related Documents," change the title of Pub.
805-A to read as follows:]
Pub. 805-A, Application Information Security Assurance
(ISA) Process
* * * * *
We will incorporate these revisions into the next online
update of Handbook AS-805 available on the PolicyNet
Web site.
• Go to http://blue.usps.gov.
• Under "Essential Links" in the left-hand column, click
on References.
• Under "References" in the right-hand column, under
"Policies," click on PolicyNet.
• Then click on HBKs.
(The direct URL for the Postal Service PolicyNet Web
site is http://blue.usps.gov/cpim.)
— Corporate Information Security,
Information Technology, 9-28-06