• No results found

Agreements and Trading Partner Agreements

Service level agreements (SLAs) may be developed for in-house managed and/or developed information resources. Trading partner agreements (TPAs) are often developed for externally managed and/or developed information resources. If SLAs or TPAs are developed, incorporate information security requirements. Information security requirements for securing cardholder data must be incorporated in contracts and memorandum of agreements with PCI service providers.

8-5.4.6

Register Information Resource in eAccess

Register the information resource in eAccess, which is the Postal Service application for managing the authorization process for personnel needing to access the information resource and the associated information. Registration is also required for the use of managed accounts (e.g., machine accounts).

8-5.4.7

Develop Business Continuity and Facility Plans

Business continuity plans must be developed for critical information resources. A facility recovery plan is developed for facilities designated by the vice president Information Technology Operations as major information technology sites. These plans are started during this phase and updated in Phase 5 – System Integration Testing.

Development and Operations Security 8-5.5.6

8-5.4.8

Identify Connectivity Requirements

Requirements for connectivity to the Postal Service infrastructure must be identified and a request must be submitted to the Network Connectivity Review Board (NCRB) (see https://ncrbrequest.usps.gov/NCRB).

8-5.5

Phase 5 — System Integration Testing

The security controls and processes implemented in Phase 4 are tested. The information security activities of Phase 5 are described in the following paragraphs.

8-5.5.1

Develop Security Test Plan

A security test plan must be developed for sensitive-enhanced, sensitive, and critical information resources. A security test plan is also required for major information resources and general support systems. The security test plan evaluates the technical and nontechnical security controls and other safeguards to establish the extent to which the information resource meets the security requirements for its mission and operational environment.

8-5.5.2

Conduct Security Test and Document Results

Security testing is conducted using the approved security test plan. If a modification to a control is required, the change should be reflected in the security plan and the security test plan before the test is executed.

The results of the testing must be documented and communicated in language that is understandable to business-process owners and the ISSO.

8-5.5.3

Conduct Security Code Review

To protect the infrastructure, a documented security code review maybe required. (See Handbook AS-805-A for the criteria for conducting a code review.)

The security code review is based on the Postal Service Security Code Review Standards or an acceptable equivalent. This security code review is not required if an independent security code review is conducted.

8-5.5.4

Conduct Operational Security Training

Using the training materials developed in the prior phase, users, system administrators, managers, and other personnel are trained on the correct use of the information resource and its security safeguards.

8-5.5.5

Conduct Vulnerability Scan

A vulnerability scan is recommended for all information resources. A quarterly vulnerability scan is required for PCI applications and an annual vulnerability scan is required for externally facing applications. The scanning procedure must ensure adequate scan coverage and the updating of a list of vulnerabilities.

8-5.5.6

Conduct Independent Risk Assessment

identify residual risk. (See Handbook AS-805-A for the criteria for conducting an independent risk assessment.)

8-5.5.7

Conduct Independent Security Code Review

Information resources may be subject to an independent code review of the source code and documentation to verify compliance with software design documentation and programming standards and the absence of malicious code. The independent code review may also evaluate correctness and specific security issues. (See Handbook AS-805-A for the criteria for conducting an independent security code review.)

8-5.5.8

Conduct Independent Penetration Testing and Vulnerability

Scans

Independent penetration testing evaluates the effectiveness of the

implemented information resource configuration. Vulnerability scans evaluate information resources for vulnerabilities and compliance with Postal Service information security policies and standards. (See Handbook AS-805-A for the criteria for conducting independent penetration testing and vulnerability scans.)

8-5.5.9

Conduct Independent Validation of Security Testing

The independent security test validation addresses the appropriateness and effectiveness of the security controls and corroborates the previously conducted security test results. The scope of the independent security test validation depends on the information resource, its environment, and the associated threats and vulnerabilities. The independent security test validation is usually carried out at the development or test site. (See

Handbook AS-805-A for the criteria for conducting an independent security test validation.)

8-5.5.10

Conduct Development of Contingency Plans

The contingency plans (and, if applicable, the facility recovery plan) from Phase 4 – Build must be updated as required.

8-5.6

Phase 6 — Customer Acceptance Testing

Phase 6 consists of activities described below that culminate in the

certification, risk mitigation plan, accreditation, acceptance of residual risk, and approval to deploy an information resource.

8-5.6.1

Project Manager and ISSO Develop C&A Documentation

Package

Sensitive-enhanced, sensitive, and critical information resources require a C&A documentation package. The project manager and the ISSO develop the C&A package. The package is a consolidation of the designation of sensitivity and criticality and associated protection requirements (BIA); threats, vulnerabilities, additional controls, and residual risks (risk

assessment); protection mechanisms (security plan and business continuity plans); and the security test and evaluation results.

Development and Operations Security 8-5.7.1

8-5.6.2

Project Manager, Executive Sponsor, and ISSO Prepare