PB 22164 - September 29, 2005 - USPS.com® - About

More documents

Recommendations

Info

94 POSTAL BULLETIN 22164 (9-29-05) Exhibit 8.2 System, Application, and Product Development Responsibilities [Revise Exhibit 8.2 as follows:] Activity Executive Sponsors Portfolio Managers Project Managers ISSOs ISSRs Certifier 1 Accreditor 2 Initiate ISA & conduct BIA. X/F C P P P Conduct risk assessment. X/F C P P P Identify security controls. X/F C P C P Develop security plan & develop/acquire security controls. X/F C P C P Develop SOPs, service level & trading partner agreements. X/F C P C P Develop security test plan. X/F C P C P Conduct security testing & document results. X/F C X C P Conduct independent reviews as required. X/F C P C P Develop ISA package. X/F C P P X Review ISA package & write evaluation report. X Certify application. F X Prepare risk mitigation plan and accept responsibility for documented vulnerabilities F X C Accredit application. F X Accept risk & approve for deployment. X X C C C C Develop and test ADRP & FR Plan X/F C P C P Follow security-related plans, periodically review, test and audit. X/F C P C P Reassess risks & upgrade controls, update security-related documents. X/F C P C P Re-initiate ISA. X/F C P X P X Retire application. X/F C P C P 1 Manager, ISA Process. 2 Manager, Corporate Information Security Office (CISO) X = Responsible for accomplishment F = Responsible for funding P = Participant C = Consulting support as required
POSTAL BULLETIN 22164 (9-29-05) Other organizations and managers responsible for system, application, and product development include: chief inspector; inspector general; chief privacy officer; contracting officers and general counsel; and business partners (see Appendix A, Consolidated Roles and Responsibilities, for details). * * * * * 8-6 Application Information Security Assurance Phases * * * * * 8-6.1 Phase 1 — Definition * * * * * [Add new 8-6.1.5 and 8-6.1.6 to read as follows:] 8-6.1.5 Document High-Level Architecture A high-level architectural diagram (e.g., hardware, communications, security devices, and interconnected resources) is developed for all applications. The architectural diagram is submitted to the manager, SIS, for review and determination of the impact on the infrastructure and the need for additional security controls for the application (e.g., enclave). 8-6.1.6 Document Information Resources in the Enterprise Information Repository All applications are documented in the Enterprise Information Repository (EIR). 8-6.2 Phase 2 — Design and Integration * * * * * [Delete 8-6.2.1, Document High-Level Architecture, and 8-6.2.2, Document Information Resources in the Enterprise Information Repository.] * * * * * [Delete 8-6.2.11, Conduct Vulnerability Scan.] * * * * * [Renumber current 8-6.2.3 through 8-6.2.16 as new 8-6.2.1 through 8-6.2.13. Add new 8-6.2.14 to read as follows:] 8-6.2.14 Register Application in eAccess The application is registered in eAccess which is the Postal Service application for managing the authorization process for personnel needing to access the application and the associated information. Registration is also required for the use of managed accounts (i.e., machine accounts, etc.). 8-6.3 Phase 3 — Testing * * * * * 95 [Renumber current 8-6.3.4 through 8-6.3.9 as new 8-6.3.5 through 8-6.3.10. Add new 8-6.3.4 to read as follows:] 8-6.3.4 Conduct Vulnerability Scan A vulnerability scan is recommended for all information resources and applications, and is required for some information resources and applications (see Handbook AS-805-A, Application Information Security Assurance [ISA] Process). * * * * * 10 Hardware and Software Security * * * * * 10-2 Roles and Responsibilities * * * * * 10-2.8 Database Administrators Database administrators (DBAs) are responsible for: * * * * * [Revise item d to read as follows:] d. Tracking hardware and software vulnerabilities, and deploying database security patches. * * * * * 10-4 Configuration and Change Management * * * * * [Renumber current 10-4.5 through 10-4.6 as new 10-4.6 through 10-4.7. Add new 10-4.5 to read as follows:] 10-4.5 Patch Management An effective patch management process must be implemented to investigate, prioritize, test, track, and control the deployment and maintenance of software releases, and to resolve known security vulnerabilities. The patch management process must be addressed by all information resources installed in the Postal Computing Environment. Personnel involved in the patch management process must be trained to ensure a viable vulnerability mediation process. Patch management involves acquiring, testing, and installing multiple patches (code changes) to software systems, including operating system software, supporting software and packages, firmware, and application software. Patch management tasks include: maintaining current knowledge of available patches; deciding what patches are appropriate for particular information resources; prioritizing the
Page 2 and 3:
2 POSTAL BULLETIN 22164 (9-29-05) C
Page 4 and 5:
4 POSTAL BULLETIN 22164 (9-29-05) P
Page 6 and 7:
6 POSTAL BULLETIN 22164 (9-29-05) C
Page 8 and 9:
8 POSTAL BULLETIN 22164 (9-29-05) N
Page 10 and 11:
10 POSTAL BULLETIN 22164 (9-29-05)
Page 12 and 13:
Page 14 and 15:
Page 16 and 17:
Page 18 and 19:
Page 20 and 21:
Page 22 and 23:
Page 24 and 25:
Page 26 and 27:
Page 28 and 29:
Page 30 and 31:
Page 32 and 33:
Page 34 and 35:
Page 36 and 37:
Page 38 and 39:
Page 40 and 41:
Page 42 and 43:
Page 44 and 45: 44 POSTAL BULLETIN 22164 (9-29-05)
Page 136: 475 L’ENFANT PLAZA SW WASHINGTON
show all

PB 22164 - September 29, 2005 - USPS.com® - About

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?