PB 22164 - September 29, 2005 - USPS.com® - About
POSTAL BULLETIN 22164 (9-29-05)

Other organizations and managers responsible for system, application, and product development include: chief inspector; inspector general; chief privacy officer; contracting officers and general counsel; and business partners (see Appendix A, Consolidated Roles and Responsibilities, for details).

* * * * *

8-6 Application Information Security Assurance Phases

* * * * *

8-6.1 Phase 1 — Definition

* * * * *

[Add new 8-6.1.5 and 8-6.1.6 to read as follows:]

8-6.1.5 Document High-Level Architecture

A high-level architectural diagram (e.g., hardware, communications, security devices, and interconnected resources) is developed for all applications. The architectural diagram is submitted to the manager, SIS, for review and determination of the impact on the infrastructure and the need for additional security controls for the application (e.g., enclave).

8-6.1.6 Document Information Resources in the Enterprise Information Repository

All applications are documented in the Enterprise Information Repository (EIR).

8-6.2 Phase 2 — Design and Integration

* * * * *

[Delete 8-6.2.1, Document High-Level Architecture, and 8-6.2.2, Document Information Resources in the Enterprise Information Repository.]

* * * * *

[Delete 8-6.2.11, Conduct Vulnerability Scan.]

* * * * *

[Renumber current 8-6.2.3 through 8-6.2.16 as new 8-6.2.1 through 8-6.2.13. Add new 8-6.2.14 to read as follows:]

8-6.2.14 Register Application in eAccess

The application is registered in eAccess, which is the Postal Service application for managing the authorization process for personnel needing to access the application and the associated information. Registration is also required for the use of managed accounts (i.e., machine accounts, etc.).

8-6.3 Phase 3 — Testing

* * * * *
[Renumber current 8-6.3.4 through 8-6.3.9 as new 8-6.3.5 through 8-6.3.10. Add new 8-6.3.4 to read as follows:]

8-6.3.4 Conduct Vulnerability Scan

A vulnerability scan is recommended for all information resources and applications, and is required for some information resources and applications (see Handbook AS-805-A, Application Information Security Assurance [ISA] Process).

* * * * *

10 Hardware and Software Security

* * * * *

10-2 Roles and Responsibilities

* * * * *

10-2.8 Database Administrators

Database administrators (DBAs) are responsible for:

* * * * *

[Revise item d to read as follows:]

d. Tracking hardware and software vulnerabilities, and deploying database security patches.

* * * * *

10-4 Configuration and Change Management

* * * * *

[Renumber current 10-4.5 through 10-4.6 as new 10-4.6 through 10-4.7. Add new 10-4.5 to read as follows:]

10-4.5 Patch Management

An effective patch management process must be implemented to investigate, prioritize, test, track, and control the deployment and maintenance of software releases, and to resolve known security vulnerabilities. The patch management process must be addressed by all information resources installed in the Postal Computing Environment. Personnel involved in the patch management process must be trained to ensure a viable vulnerability mediation process.

Patch management involves acquiring, testing, and installing multiple patches (code changes) to software systems, including operating system software, supporting software and packages, firmware, and application software. Patch management tasks include: maintaining current knowledge of available patches; deciding what patches are appropriate for particular information resources; prioritizing the