PB 22164 - September 29, 2005 - USPS.com® - About

More documents

Recommendations

Info

96 POSTAL BULLETIN 22164 (9-29-05) patches to be installed; testing patches in a nonproduction environment first in order to check for unwanted or unforeseen side effects; developing a backout plan, which includes backing up the systems about to be patched to be sure that it is possible to return to a known-good working configuration should something go wrong with the patch; ensuring that patches are installed properly; testing information resources after installation; and documenting all associated procedures, such as specific configurations required. Patch management is critical to ensure the integrity and reliability of information resources. Patch management should be capable of: a. Highly granular patch update and installation administration (i.e., treating patches and mainframes, servers, desktops, and laptops separately). b. Tracking machines, and updating and enforcing patches centrally. c. Verifying successful deployment on each machine. d. Deploying client settings, service packs, patches, hot fixes, and similar items network-wide in a timely manner in order to address immediate threats. e. Initiating from a central management console. f. Providing scheduling, desktop management, and standardization tools to reduce the costs associated with distribution and management. g. Providing ongoing deployment for both new and legacy systems in mixed hardware and OS environments. h. Automating the repetitive activity associated with rolling out patches. i. Analyzing the operating system and applications to identify possible security holes. j. Scanning the entire network (IP address by IP address) and providing information such as service pack level of the machine, missing security patches, key registry entries, weak passwords, users and groups, and more. k. Analyzing scan results using filters and reports to proactively secure information resources (e.g., installing service packs and hotfixes, etc.). * * * * * Appendix A Consolidated Roles and Responsibilities * * * * * 11 Portfolio Managers Portfolio managers are responsible for the following: * * * * * [Reletter current items e through i as new items f through j. Add new item e to read as follows:] e. If a documented vulnerability will not be mitigated, preparing and signing an acceptance of responsibility letter as part of the ISA process. * * * * * 35 Database Administrators Database administrators are responsible for the following: * * * * * [Revise item l to read as follows:] l. Tracking hardware and software vulnerabilities, and deploying database security patches. * * * * * 36 All Personnel * * * * * [Reletter current items e through s as new items g through u. Add new items e and f to read as follows:] e. Always using their physical and technology electromechanical access control identification badge or device to gain entrance to a controlled area. f. Ensuring no one tailgates into a controlled area on their badge. * * * * * Appendix B Information Security and Related Documents [Revise Appendix B to read as follows:] Administrative Support Manual (ASM) Subchapter 27, Security Subchapter 28, Emergency Preparedness Chapter 8, Information Resources Handbooks AS-805, Information Security AS-805-A, Application Information Security Assurance (ISA) Process AS-805-B, Infrastructure Information Security Assurance (ISA) Process AS-805-C, Information Security for General Users AS-805-D, Information Security Network Connectivity Process AS-805-G, Information Security for Mail Processing/Mail Handling Equipment AS-816, Open VMS Security AS-353, Guide to Privacy and the Freedom of Information Act Other Related Documents Enterprise Information Security Architecture USPS PKI Certificate Policy (CP)
POSTAL BULLETIN 22164 (9-29-05) USPS CA Certificate Practice Statement (CPS) Boilerplate for Contracts and Agreements Guidelines for New Development of Web-based Applications Guide to Coding Secure Software Information Security Code Review Standards COTS Software Security Evaluation Process Pub. 805-A, Information Security Assurance (ISA) Process Pub. 805-E, What Every Employee Needs to Know About Information Security HANDBOOK AS-805-A REVISION Application Information Security Assurance (ISA) Process Effective September 29, 2005, we are revising Handbook AS-805-A, Application Information Security Assurance (ISA) Process, to address the registering of applications in eAccess and the acceptance of responsibility letter for documented vulnerabilities that will not be mitigated. We will incorporate these revisions into the next online version of Handbook AS-805-A accessible on the Postal Service PolicyNet Web site: Go to http://blue.usps.gov. Under “Essential Links” in the left-hand column, click on References. Under “References” in the right-hand column, under “Policies,” click on PolicyNet. Then click on HBKs. (The direct URL for the Postal Service PolicyNet Web site is http://blue.usps.gov/cpim.) Handbook AS-805-A, Application Information Security Assurance (ISA) Process * * * * * 2 Roles and Responsibilities * * * * * 2-6 Portfolio Managers Portfolio managers are responsible for the following: * * * * * [Reletter current e as new h. Add new items e, f, and g to read as follows:] e. Preparing and signing an acceptance of responsibility letter, if a documented vulnerability will not be mitigated. f. Ensuring that the application is registered in eAccess. 97 PS Form 1357, Request for Computer Access PS Form 1360, Information Security Incident Report MOP IT-03-11-2002, Computer Use * * * * * — Corporate Information Security, Information Technology, 9-29-05 g. Accepting all risks, liabilities, and responsibilities and assuming personal accountability for any damage to the Postal Service (including direct financial losses and any costs resulting from remedial actions in operating the application) for authorizing an application to enter the production environment prior to completing the application ISA process. * * * * * 4 The ISA Process * * * * * 4-1 Phase 1 — Definition * * * * * 4-1.5 Next Steps * * * * * [Swap sections 4-1.5.2 and 4-1.5.3 as follows: 4-1.5.2, Applications Designated as Legacy and 4-1.5.3, All Other Applications.] * * * * * 4-2 Phase 2 — Design and Integration * * * * * 4-2.4 Activities * * * * * [Renumber current 4-2.4.9 through 4-2.4.10 as new 4-2.4.12 through 4-2.4.13. Add new 4-2.4.9 through 4-2.4.11 to read as follows:] 4-2.4.9 Incorporate Security Requirements in Service Level Agreements and Trading Partner Agreements Service level agreements (SLAs) are developed for all applications. Trading partner agreements (TPAs) are developed for all externally managed and/or developed applications. Information security requirements are addressed in all SLAs and TPAs.
Page 2 and 3:
2 POSTAL BULLETIN 22164 (9-29-05) C
Page 4 and 5:
4 POSTAL BULLETIN 22164 (9-29-05) P
Page 6 and 7:
6 POSTAL BULLETIN 22164 (9-29-05) C
Page 8 and 9:
8 POSTAL BULLETIN 22164 (9-29-05) N
Page 10 and 11:
10 POSTAL BULLETIN 22164 (9-29-05)
Page 12 and 13:
Page 14 and 15:
Page 16 and 17:
Page 18 and 19:
Page 20 and 21:
Page 22 and 23:
Page 24 and 25:
Page 26 and 27:
Page 28 and 29:
Page 30 and 31:
Page 32 and 33:
Page 34 and 35:
Page 36 and 37:
Page 38 and 39:
Page 40 and 41:
Page 42 and 43:
Page 44 and 45:
Page 46 and 47: 46 POSTAL BULLETIN 22164 (9-29-05)
Page 136: 475 L’ENFANT PLAZA SW WASHINGTON
show all

PB 22164 - September 29, 2005 - USPS.com® - About

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?