PB 22164 - September 29, 2005 - USPS.com® - About
POSTAL BULLETIN 22164 (9-29-05)<br />
USPS CA Certificate Practice Statement (CPS)<br />
Boilerplate for Contracts and Agreements<br />
Guidelines for New Development of Web-based Applications<br />
Guide to Coding Secure Software<br />
Information Security Code Review Standards<br />
COTS Software Security Evaluation Process<br />
Pub. 805-A, Information Security Assurance (ISA) Process<br />
Pub. 805-E, What Every Employee Needs to Know About Information Security<br />
PS Form 1357, Request for Computer Access<br />
PS Form 1360, Information Security Incident Report<br />
MOP IT-03-11-2002, Computer Use<br />
* * * * *<br />
— Corporate Information Security, Information Technology, 9-29-05<br />
HANDBOOK AS-805-A REVISION<br />
Application Information Security Assurance (ISA) Process<br />
Effective September 29, 2005, we are revising Handbook AS-805-A, Application Information Security Assurance (ISA) Process, to address the registering of applications in eAccess and the acceptance of responsibility letter for documented vulnerabilities that will not be mitigated.<br />
We will incorporate these revisions into the next online version of Handbook AS-805-A accessible on the Postal Service PolicyNet Web site:<br />
Go to http://blue.usps.gov.<br />
Under “Essential Links” in the left-hand column, click on References.<br />
Under “References” in the right-hand column, under “Policies,” click on PolicyNet.<br />
Then click on HBKs.<br />
(The direct URL for the Postal Service PolicyNet Web site is http://blue.usps.gov/cpim.)<br />
Handbook AS-805-A, Application Information Security Assurance (ISA) Process<br />
* * * * *<br />
2 Roles and Responsibilities<br />
* * * * *<br />
2-6 Portfolio Managers<br />
Portfolio managers are responsible for the following:<br />
* * * * *<br />
[Reletter current e as new h. Add new items e, f, and g to read as follows:]<br />
e. Preparing and signing an acceptance of responsibility letter, if a documented vulnerability will not be mitigated.<br />
f. Ensuring that the application is registered in eAccess.<br />
g. Accepting all risks, liabilities, and responsibilities and assuming personal accountability for any damage to the Postal Service (including direct financial losses and any costs resulting from remedial actions in operating the application) for authorizing an application to enter the production environment prior to completing the application ISA process.<br />
* * * * *<br />
4 The ISA Process<br />
* * * * *<br />
4-1 Phase 1 — Definition<br />
* * * * *<br />
4-1.5 Next Steps<br />
* * * * *<br />
[Swap sections 4-1.5.2 and 4-1.5.3 as follows: 4-1.5.2, Applications Designated as Legacy and 4-1.5.3, All Other Applications.]<br />
* * * * *<br />
4-2 Phase 2 — Design and Integration<br />
* * * * *<br />
4-2.4 Activities<br />
* * * * *<br />
[Renumber current 4-2.4.9 through 4-2.4.10 as new 4-2.4.12 through 4-2.4.13. Add new 4-2.4.9 through 4-2.4.11 to read as follows:]<br />
4-2.4.9 Incorporate Security Requirements in Service Level Agreements and Trading Partner Agreements<br />
Service level agreements (SLAs) are developed for all applications. Trading partner agreements (TPAs) are developed for all externally managed and/or developed applications. Information security requirements are addressed in all SLAs and TPAs.