

Information Technology


HANDBOOK AS-805 REVISION

Information Security

Handbook AS-805, Information Security, is revised as follows to:

• Update ISSO-related roles and responsibilities in Chapter 3, Information Designation and Control.

• Clarify the sources of mandatory requirements and discretionary information security requirements.

• Address FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, and applicable industry standards.

• Address application software maintenance.

• Address regular compliance testing of security systems and processes.

• Update Appendix A, Consolidated Roles and Responsibilities.

• Update Appendix B, Information Security and Related Documents.

Handbook AS-805, Information Security

* * * * *

3 Information Designation and Control

* * * * *

3-2 Roles and Responsibilities

* * * * *

3-2.5 Information Systems Security Officers

[Revise 3-2.5 to read as follows:]

Information systems security officers (ISSOs) are responsible for the following:

a. Ensuring a business impact assessment (BIA) is completed for each application system and an infrastructure impact assessment (IIA) is completed for each infrastructure component.

b. Advising and consulting with executive sponsors and portfolio managers during the BIA and IIA processes so they know about (1) security requirements for information resources and (2) mandatory security requirements for information resources when the resources are designated sensitive or critical.

c. Specifying additional mandatory security requirements based on federal legislation (e.g., Children's Online Privacy Protection Act [COPPA]), federal regulation (e.g., requirements for cryptographic modules), federal directive (e.g., Homeland Security Presidential Directive [HSPD] 12, personal identity verification), industry requirement (e.g., payment card industry standards, requirements, and guidelines), the operating environment (e.g., hosted in the de-militarized zone [DMZ]), and the risks associated with the information resource.

d. Recommending discretionary security requirements based on generally accepted industry practices to executive sponsors and portfolio managers during the BIA and IIA processes.

* * * * *

3-4 Security Requirements

* * * * *

3-4.4 Mandatory Security Requirements

[Revise 3-4.4 to read as follows:]

Additional security will be needed to adequately protect sensitive, critical, and business-controlled information resources. Mandatory requirements are based on the following:

a. How sensitive or critical the information resource is (determined during the BIA).

b. Federal legislation (e.g., Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley Act, COPPA).

c. Federal regulations (e.g., requirements for cryptographic modules).

d. Federal directives (e.g., personal identity verification, critical infrastructure).

e. Industry requirements (e.g., payment card industry).

f. Operating environment (e.g., application is hosted in the DMZ, changes in technology, changes in the Postal Service mission).

g. Risks determined during the risk assessment process.

h. Vulnerabilities discovered at any time during the information resource lifecycle.

If any of these additional mandatory requirements conflict with the requirements included in Handbook AS-805, the most restrictive or protective requirement applies.

3-4.5 Discretionary Security Requirements

[Revise 3-4.5 to read as follows:]

ISSOs may recommend additional discretionary security requirements during the BIA and IIA processes to better protect sensitive, critical, and business-controlled information resources. Discretionary security requirements based on generally accepted industry practices are recommended. The executive sponsor assumes the risks associated with not implementing the recommended discretionary security requirements.

3-5 Handling Information and Media

* * * * *

[Renumber current 3-5.2 through 3-5.6.3 as new 3-5.3 through 3-5.7.3. Insert new 3-5.2 to read as follows:]

3-5.2 Controlling Access to Information

Sensitive and business-controlled sensitive information must be protected from unauthorized access and disclosure. Access must be restricted to authorized personnel with a need to know. Metadata must also be protected from unauthorized access and disclosure.

Critical and business-controlled critical information must be protected from unauthorized access and destruction.

* * * * *

3-5.4 Storage of Information

[Revise text of 3-5.4 to read as follows:]

Postal Service information must not be stored on non-Postal Service-owned devices. Postal Service information not available to the public must not be commingled with information that does not belong to the Postal Service.

* * * * *

3-5.5 Encryption of Information

* * * * *

3-5.5.2 Encryption of Information on Removable Devices or Media and in Offsite Storage

[Revise the first sentence of 3-5.5.2 to read as follows:]

Sensitive and business-controlled sensitive information stored or archived on removable devices or media, including disks, diskettes, CDs, and USB storage devices, must be encrypted.

* * * * *

3-5.6 Removal of Postal Service Information From Postal Service Premises

* * * * *

[Reletter current items b through f as new items c through g. Insert new item b to read as follows:]

b. Only authorized personnel are allowed to pick up, receive, transfer, or deliver Postal Service sensitive and business-controlled sensitive information.

* * * * *

[Renumber current 3-5.8 through 3-5.9.2 as new 3-6 through 3-7.2.]

* * * * *

5 Acceptable Use

* * * * *

5-6 Electronic Mail and Messaging

[Revise 5-6 to read as follows:]

Access to the Postal Service electronic mail (e-mail) system is provided to personnel whose duties require e-mail to conduct Postal Service business. Only Postal Service-provided e-mail services may be accessed from Postal Service information resources. Since e-mail may be monitored, anyone using Postal Service resources to transmit or receive e-mail should not expect privacy.

If you do not comply with the Postal Service e-mail policies defined in this section, your e-mail account may be suspended, and you will have to request that your manager apply to the CIO/VP IT for reinstatement of the lost privileges.

Only authorized personnel who need to know may receive restricted information.

* * * * *

6 Personnel Security

* * * * *

6-6 Information Security Awareness and Training

6-6.1 General Security Awareness

[Add a sentence at the end of 6-6.1 to read as follows:]

***The training should explain how anyone failing to comply with security policies and procedures will be disciplined.

* * * * *

6-6.3 Information Resource Operational Security Training

[Add a sentence at the end of 6-6.3 to read as follows:]

***The training should explain how to protect application information throughout the lifecycle.

* * * * *

8 System, Applications, and Product Development

* * * * *

8-3 General Development Concepts

[Add a paragraph to read as follows:]

The following requirements apply to all sensitive, critical, and business-controlled applications:

a. Developers must not have access to production application systems software.

b. Developers' access to production information must be authorized in writing by executive sponsors.

c. Access to production information, if approved, must be temporary.

d. Production data must not be copied.

e. Audit logging must be turned on.

f. Keystroke logging must be implemented.

* * * * *

[Revise the title of 8-3.6 and add two sentences at the end to read as follows:]

8-3.6 Development and Test Environment Restrictions

***These restrictions apply to modules and to applications. Separate approvals are required for each module.

* * * * *

[Revise the title and text of 8-3.6.1 to read as follows:]

8-3.6.1 Separation of Development/Test and Production Environments

Hardware and software must be developed and tested in a test environment - not in a production environment.

* * * * *

8-6 Application Information Security Assurance Phases

* * * * *

8-6.1 Phase 1 - Definition

* * * * *

8-6.1.4 Define Security Requirements

[Revise 8-6.1.4 to read as follows:]

Security requirements are defined for all applications so the applications can be secured commensurate with the risk. Security requirements include the baseline security requirements for all applications and additional mandatory security requirements based upon how sensitive or critical the applications are (as defined by the ISA process); federal legislation, regulation, and directives; industry requirements; operating environment; and risks associated with the information resource. (See Handbook AS-805, Information Security, Chapter 3, Information Designation and Control, 3-4.4, Mandatory Security Requirements, for examples.) As an example, payment card applications must comply with the payment card industry (PCI) requirements. In addition, the ISSO may recommend additional discretionary security requirements based on generally accepted industry practices that the executive sponsor may agree to implement.

* * * * *

8-6.5 Phase 5 - Production

* * * * *

[Renumber current 8-6.5.1 through 8-6.5.7.2 as new 8-6.5.2 through 8-6.5.8.2. Insert new 8-6.5.1 to read as follows:]

8-6.5.1 Application Maintenance

Applications must be maintained in a timely manner. The tools, techniques, and mechanisms used to maintain application systems must be properly controlled.

* * * * *

9 Information Security Services

* * * * *

9-7 Authentication

* * * * *

9-7.1 Passwords

* * * * *

9-7.1.1 Password Selection Requirements

* * * * *

[Change item b from "six characters" to "eight characters".]

* * * * *

[Add item d to read as follows:]

d. Passwords must not be repeated (reused) for at least 5 generations.

* * * * *

9-7.1.6 Password Expiration

[Change item c from "180 days" to "90 days".]

* * * * *

9-7.5 Smart Cards and Tokens

[Add a sentence to the end of 9-7.5 to read as follows:]

***Protect smart cards and tokens from theft and do not allow others to use them.

* * * * *

9-8 Confidentiality

* * * * *

9-8.4 Key Management

* * * * *

9-8.4.2 Recommended Practices

* * * * *

[Revise the lettered list in 9-8.4.2 to read as follows:]

a. Generate strong keys.

b. Use split knowledge keys and establish dual control of keys.

c. Implement secure key distribution and storage.

d. Periodically change keys. Key management should be fully automated and not require manual steps.

e. Replace known or suspected compromised keys.

f. Revoke old or invalid keys.

g. Destroy old keys.

h. Generate and store all keys in hardware.

i. Never remove keys from the hardware and never store them in the host's memory.

j. Gain access to the hardware only through a trusted path.

k. Make sure key custodians sign a form stating they understand and accept their key-custodian responsibilities.

* * * * *

9-12 Audit Logging

* * * * *

9-12.2 Audit Log Events

* * * * *

[Revise item c to read as follows:]

c. Actions of individuals with root or elevated privileges (e.g., system and database administrators).

* * * * *

[Reletter current item i as new item j. Add a new item i to read as follows:]

i. Access to audit logs.

* * * * *

[Renumber current 9-12.4 through 9-12.5 as new 9-12.5 through 9-12.6. Add a new 9-12.4 to read as follows:]

9-12.4 Audit Log Protection

Secure audit logs so they cannot be altered, by:

a. Limiting the viewing of logs to those with job-related need.

b. Protecting audit log files from unauthorized modifications.

c. Promptly backing up audit log files to a centralized server or media that is difficult to alter.

d. Using file integrity monitoring and change detection software on logs to ensure existing log data cannot be changed without generating alerts.

* * * * *

10 Hardware and Software Security

* * * * *

10-3 General Guidelines for Hardware and Software

* * * * *

[Revise title and first sentence of 10-3.4 to read as follows:]

10-3.4 Maintaining Inventory

All personnel are responsible for maintaining an accurate inventory of Postal Service information resources assigned to them including hardware, software, firmware, and documentation.***

* * * * *

10-5 Hardware Security

* * * * *

10-5.3 Servers

[Revise the third sentence of 10-5.3 to read as follows:]

***Implement only one primary function per server or blade (e.g., Web server, database server, and domain name server [DNS] should be implemented on separate servers).***

* * * * *

[Revise the title of 10-5.4 and add two sentences to the end to read as follows:]

10-5.4 Hardening Servers

***Disable unnecessary services and protocols. Remove unnecessary functions such as scripts, drivers, features, subsystems, and file systems.

* * * * *

10-6 Software and Applications Security

* * * * *

10-6.6 Database Management Systems

* * * * *

10-6.6.1 DBMS Activity Logs

[In the last sentence of 10-6.6.1 change "Continuance" to "Continuity."]

* * * * *

10-7 Protection Against Viruses and Malicious Code

[Revise the second sentence of 10-7 to read as follows:]

***Malicious code includes harmful and other unwanted code such as viruses (boot sector, file infector, multipartite, link, stealth, macro, e-mail, blended), worms, keystroke loggers, botnets, Trojans, trap doors, time bombs, activity trackers, remote control agents, snoopware, spyware, and adware.

* * * * *

11 Networks and Communications

* * * * *

11-7 Protecting the Network/Internet Perimeter

* * * * *

11-7.2 Implementing Firewalls

* * * * *

11-7.2.1 Firewall Configurations

[Revise 11-7.2.1 to read as follows:]

Postal Service firewalls must be configured to:

a. Deny all services not expressly permitted (i.e., deny all inbound and outbound traffic not specifically allowed).

b. Restrict inbound Internet traffic to Internet Protocol (IP) addresses within the DMZ (ingress filters).

c. Prevent internal addresses from going from the Internet into the DMZ.

d. Implement dynamic packet filtering (i.e., only allow "established" connections into the network).

e. Secure and synchronize router configuration files (i.e., running configuration files and start-up configuration files used to reboot machines must have the same secure configuration).

f. Audit and monitor all services, including those not permitted, to detect intrusions or misuse.

g. Notify the firewall administrator and system administrator in near real time of any item that may need immediate attention.

h. Run on a dedicated computer.

i. Stop passing packets if the logging function becomes disabled.

j. Disable or delete all nonessential firewall-related software, such as compilers, editors, and communications software.
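The rule list above, as an added reference model that is not part of the handbook or any Postal Service code: a small Python packet-filter simulation that applies items a through d, f, and i to constructed packets, so the intended behaviour (default deny, ingress filtering to the DMZ, anti-spoofing, stateful replies, fail-closed when logging stops) can be checked against concrete cases. The address plan, interface names, and permitted services are assumptions.

```python
"""Reference model of the firewall rules in 11-7.2.1 (items a, b, c, d, f, and i).

Added example, not Postal Service code: a stateful packet-filter model that returns
ACCEPT or DROP for constructed packets according to those rules. The address plan,
interface names, and permitted services below are assumptions for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

DMZ = ip_network("192.0.2.0/24")                       # assumed DMZ range
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Item a: only these inbound (DMZ host, proto, port) and outbound (proto, port)
# services are expressly permitted; everything else is denied.
PERMITTED_INBOUND = {("192.0.2.10", "tcp", 443), ("192.0.2.53", "udp", 53)}
PERMITTED_OUTBOUND = {("tcp", 443), ("udp", 53)}


@dataclass(frozen=True)
class Packet:
    iface: str        # "internet" (outside) or "inside" (Postal Service network)
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    syn: bool = True  # True for a new connection attempt, False for a reply packet


@dataclass
class Firewall:
    logging_enabled: bool = True
    log: list = field(default_factory=list)
    flows: set = field(default_factory=set)  # (src, sport, dst, dport, proto) accepted outbound

    def decide(self, pkt: Packet) -> str:
        # Item i: if the logging function is disabled, stop passing packets (fail closed).
        if not self.logging_enabled:
            return "DROP"
        verdict, reason = self._policy(pkt)
        self.log.append((verdict, reason, pkt))  # item f: audit permitted and denied traffic alike
        return verdict

    def _policy(self, pkt: Packet):
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        if pkt.iface == "internet":
            # Item c: an internal address must never arrive from the Internet side.
            if any(src in net for net in INTERNAL):
                return "DROP", "spoofed internal source address"
            # Item d: dynamic packet filtering; only replies to connections that
            # the inside opened are allowed back in.
            if not pkt.syn and (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.flows:
                return "ACCEPT", "reply to established connection"
            # Item b: new inbound connections only to DMZ hosts, and only to permitted services.
            if dst in DMZ and (pkt.dst, pkt.proto, pkt.dport) in PERMITTED_INBOUND:
                return "ACCEPT", "permitted DMZ service"
            return "DROP", "not expressly permitted"           # item a: default deny inbound
        if (pkt.proto, pkt.dport) in PERMITTED_OUTBOUND:
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return "ACCEPT", "permitted outbound service"
        return "DROP", "not expressly permitted"               # item a: default deny outbound
```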

* * * * *

11-12 Remote Access

[Add an introductory paragraph to 11-12 to read as follows:]

Use eAccess to ask your manager for permission to use a workstation or laptop remotely to access the Postal Service Intranet. Protect the remote workstation or laptop so unauthorized personnel cannot gain access to the Intranet. Do not use personal information resources to connect to the Postal Service Intranet.

* * * * *

11-12.6 Remote Management and Maintenance

[Add a new sentence to the beginning of 11-12.6 to read as follows:]

If you are not at your own workstation, your access must be encrypted.***

* * * * *

14 Compliance and Monitoring

* * * * *

14-3 Compliance

* * * * *

[Reletter current items a through d as new items b through e. Add new item a to read as follows:]

a. Regular testing of security systems and processes.

* * * * *

[Renumber current 14-4 through 14-7 as new 14-5 through 14-8. Add a new 14-4 to read as follows:]

14-4 Testing Security Systems and Processes

Systems, processes, and custom software must be tested regularly because hackers and others continually discover vulnerabilities, which are introduced by new software and inadvertently by employees, contractors, and business partners. Test as follows:

a. Continuously:

• Monitor all network traffic and alert personnel to suspected compromises using network intrusion detection systems, host-based intrusion detection systems, and intrusion prevention systems.

b. Weekly:

• Use file integrity monitoring software to alert personnel when files have been modified without authorization. Configure software so it can compare files.

c. Quarterly:

• Use a wireless analyzer to identify all wireless devices in use.

• Scan for vulnerabilities in internal and external networks (or when system components have been added, network topology has changed, firewall rules have been modified, or products have been updated).

d. Annually:

• Test security controls, limitations, network connections, and restrictions so you know you can identify and stop any attempts at unauthorized access.

• Test for network-layer penetration (or when infrastructure has been upgraded or modified, i.e., the operating system has been upgraded or a sub-network or Web server has been added).

• Test for application-layer penetration (or when an application has been modified).
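The file integrity monitoring called for in 9-12.4 d and in the weekly test in 14-4 b, as an added Python example that is not part of the handbook or any Postal Service tool. Audit logs legitimately grow, so a plain "hash changed" comparison would alert on every append; this check records each file's size and SHA-256 and later verifies that the recorded prefix is intact, reporting growth as "appended" and any rewrite, truncation, or deletion as a condition to alert on. The log paths and entries are constructed for the demonstration.

```python
"""File integrity monitoring for audit logs (9-12.4 d and 14-4 b).

Added example, not Postal Service code. Each baselined file is recorded as
(size, SHA-256). A later check re-hashes only the baselined prefix, so growth
is "appended" while changes to existing data are "altered". Paths are assumed.
"""
import hashlib
import json
import os
import tempfile


def _sha256_prefix(path: str, length: int) -> str:
    """SHA-256 of the first `length` bytes of a file (the baselined portion)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while length > 0:
            block = f.read(min(1 << 16, length))
            if not block:
                break
            h.update(block)
            length -= len(block)
    return h.hexdigest()


def build_baseline(paths, baseline_file: str) -> dict:
    """Record size and hash of each log; keep the baseline off the monitored
    host or on media that is difficult to alter (9-12.4 c)."""
    baseline = {p: {"size": os.path.getsize(p),
                    "sha256": _sha256_prefix(p, os.path.getsize(p))} for p in paths}
    with open(baseline_file, "w") as f:
        json.dump(baseline, f)
    return baseline


def check_integrity(baseline_file: str) -> dict:
    """Return {path: status}; status is unchanged, appended, altered, or missing."""
    with open(baseline_file) as f:
        baseline = json.load(f)
    results = {}
    for p, rec in baseline.items():
        if not os.path.exists(p):
            results[p] = "missing"
        elif os.path.getsize(p) < rec["size"] or _sha256_prefix(p, rec["size"]) != rec["sha256"]:
            results[p] = "altered"      # existing log data changed: alert (9-12.4 d)
        else:
            results[p] = "unchanged" if os.path.getsize(p) == rec["size"] else "appended"
    return results


def demo() -> dict:
    """Constructed scenario: three sample logs are baselined, then one is
    appended to, one rewritten in place (same size), and one deleted."""
    d = tempfile.mkdtemp()
    logs = {n: os.path.join(d, n) for n in ("auth.log", "db.log", "app.log")}
    for p in logs.values():
        with open(p, "w") as f:
            f.write("2006-11-23 10:00:01 root login from console\n")  # constructed entry
    bl = os.path.join(d, "baseline.json")
    build_baseline(logs.values(), bl)
    with open(logs["auth.log"], "a") as f:   # legitimate growth
        f.write("2006-11-23 10:05:00 dba ALTER TABLE on audit schema\n")
    with open(logs["db.log"], "w") as f:     # existing entry rewritten: alert
        f.write("2006-11-23 10:00:01 user login from console\n")
    os.remove(logs["app.log"])               # log deleted: alert
    res = check_integrity(bl)
    return {n: res[p] for n, p in logs.items()}
```

A size-only comparison would miss the db.log case, which is why the baselined prefix is re-hashed.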

* * * * *

Appendix A Consolidated Roles and Responsibilities

* * * * *

[Revise the title and text of 33 to read as follows:]

33. Information Systems Security Officers

Information systems security officers (ISSOs) are responsible for the following:

a. Chairing the ISA team.

b. Ensuring that a risk analysis and business impact assessment (BIA) are completed for each application system.

c. Ensuring that a risk analysis and infrastructure impact assessment (IIA) are completed for each infrastructure component.

d. Ensuring that the responsible program manager records the sensitivity and criticality designations in the Enterprise Information Repository (EIR).

e. Advising and consulting with executive sponsors and portfolio managers during the BIA and IIA processes so they know about (1) security requirements for information resources and (2) mandatory security requirements for information resources when the resources are designated sensitive or critical.

f. Specifying additional mandatory security requirements based on federal legislation (e.g., HIPAA), federal regulation (e.g., requirements for cryptographic modules), federal directive (e.g., personal identity verification), industry requirement (e.g., payment card industry), the operating environment (e.g., hosted in the DMZ), and the risks associated with the information resource.

g. Recommending discretionary security requirements to executive sponsors and portfolio managers during the BIA and IIA processes, based on generally accepted industry practices.

h. Providing guidance on how information resources are vulnerable to threats, what countermeasures are appropriate, and the ISA process.

i. Conducting site security reviews or helping the Inspection Service conduct them.

j. Reviewing the ISA documentation package.

k. Preparing the ISA evaluation report.

* * * * *

[Replace Appendix B with the following:]

Appendix B Related Information Security Documents

Administrative Support Manual (ASM)

Subchapter 27, Security

Subchapter 28, Emergency Preparedness

Chapter 8, Information Resources

Handbooks

AS-805-C, Information Security for General Users

AS-816, Open VMS Security

AS-353, Guide to Privacy and the Freedom of Information Act

Management Instructions

AS-841-2004-11, Integrated Solutions Methodology/System Development Life Cycle

AS-850-2002-10, Information Technology Change and Configuration Management

AS-860-2003-2, Data Stewardship: Data Sharing Roles and Responsibilities

AS-870-2005-2, Electronic Messaging (e-mail)

EL-660-2004-3, Limited Personal Use of Government Office Equipment Including Information Technology

Other Related Documents

Enterprise Information Security Architecture

USPS Public Key Infrastructure (PKI) X.509 Certificate Policy (CP)

USPS Root Certificate Authority (CA) Certificate Practice Statement (CPS)

USPS Intermediate Certificate Authority (CA) Certificate Practice Statement (CPS)

USPS Subordinate Certificate Authority (CA) Certificate Practice Statement (CPS)

Boilerplate for Contracts and Agreements

Guidelines for New Development of Web-based Applications

Guide to Coding Secure Software

Information Security Code Review Standards

COTS Software Security Evaluation Process

Pub 805-A, Information Security Assurance (ISA)

Pub 805-B, Information Security (bookmark)

Pub 805-E, What Every Employee Needs to Know About Information Security

PS Form 1357, Request for Computer Access

PS Form 1360, Information Security Incident Report

* * * * *

We will incorporate these revisions into the next online update of Handbook AS-805 available on the PolicyNet Web site:

• Go to http://blue.usps.gov.

• Under "Essential Links" in the left-hand column, click on References.

• Under "References" in the right-hand column, under "Policies," click on PolicyNet.

• Then click on HBKs.

(The direct URL for the Postal Service PolicyNet Web site is http://blue.usps.gov/cpim.)

— Corporate Information Security,
Information Technology, 11-23-06