Postmaster General Jack Potter presents retiring Citizens' Stamp Advisory Committee Chair Dr. Virginia Noelke with a letter from President Bush that thanks her for nearly 30 years of dedicated service.

After nearly thirty years serving on the Citizens' Stamp Advisory Committee (CSAC) - most recently as its Chair - and playing a major role in selecting more than 2,400 stamp subjects from more than 1 million suggestions, Dr. Virginia Noelke is stepping down. Noelke also serves as chairman and professor of History at Angel State University Department of History. She will continue to teach.

Announcing her retirement, PMG Jack Potter said Noelke's commitment to communicating the American experience through stamps has been an invaluable asset to the Postal ServiceTM and the nation.

Potter credited Noelke's knowledge of American history as helping guide the committee in developing several stamp series that celebrated contemporary American culture - the American Music, Legends of Hollywood, and American Treasures series. She also played a strong role in the Legends of the West and Civil War stamp selections.

"It has been tremendously rewarding to work with many talented and dedicated people - members, art directors and Postal Service staff alike," said Noelke. "The goal has been to produce a superior United States stamp program. I hope we have succeeded."

2 million packages! Carrier pickup volume passes milestone

If you left your heart in San Francisco, talk to Tony Bennett. But if it's a package to be picked up, talk to the Postal Service.

San Francisco Letter Carrier Xiang Zhou picked up the 2 millionth package to come through the carrier pickup online notification program.

WaterField Designs, a leading maker of custom computer bags, handed off the milestone package when Operations Manager Rommel De Peralta gave a Priority Mail® package to Zhou.

Company owner Gary Waterfield has operated his business for six years. He began using Click-N-Ship® with carrier pickup in January to ship the slim, protective laptop computer bags his company manufactures.

"We ship Priority Mail packages daily to customers throughout the United States and we use Global Express MailTM to ship to our international customers," said De Peralta as he expressed appreciation for generating the 2 millionth package.

"I got the telephone call telling us we were being recognized. Thank you," he said.

Sign of hope: Tour of Hope finale draws thousands

Nearly 8,000 people, hundreds of them cancer survivors, turned out in the nation's capital to welcome Lance Armstrong and this year's Tour of Hope team as they made their way into the city for the finale of their 3,500-mile cross- country journey.

Joining Lance and the team were several USPS Pro Cycling teammates, members from the 2003 Tour of Hope team and nearly 1,000 riders who signed up for the 28-mile recreational ride into the city.

Following close behind were three LLVs filled with nearly 150,000 Promise Cards collected during the nationwide trek. Promise Card holders pledge to learn more about cancer, support cancer research and participate in cancer screening.

At the close of the celebration, Lance commented on the honor and dignity with which the team accomplished their goal, "These 20 riders are examples of what is right with America."

World-class operation: Global Express Mail earns accolades at UPU Congress

USPS delivers more than 40% of the world's mail. With a delivery network that extensive, it's an honor to be recognized by postal representatives from other nations for the quality of services you provide.

Networks Operations Management V.P. Paul Vogel was on hand at the 23rd Universal Postal Union (UPU) Congress recently held in Bucharest, Romania, to accept an award on behalf of the Postal Service for on-time delivery service and customer care for Global Express Mail (GEM).

GEM provides fast service to over 190 countries. Prices start at just $15.50 and customers can receive volume discounts, online tracking and pickup on demand. The award reflects the combined efforts of the Postal Service's call centers and operations network.

Vogel accepted the Express Mail Service Cooperative's Silver Level Certificate from UPU Director General Thomas Leavey.

Honor for PEMS: Emergency management system gets Computerworld award

Emergency preparedness took on new meaning in the wake of the anthrax attacks. USPS met the challenge by creating the Postal Emergency Management System (PEMS), which has gained international recognition as a model information technology solution.

PEMS, which allows USPS to coordinate emergency preparedness and response, received a "Best Practice in Business Intelligence" award from Computerworld magazine.

The system is the result of a partnership between Information Technology and Emergency Preparedness. It integrates emergency management plans for terrorism, natural disasters, power outages, telecommunication failures and other threats.

Administrative Services

ASM REVISION

Administrative Support Manual (ASM) — Revised Chapters 3, 6, and 8

Effective October 28, 2004, ASM 13 Chapters 3, 6, 8, and Exhibits 892 and 895 are revised. These revisions consolidate and update policies related to the Postal ServiceTM information technology and information privacy requirements.

Note: Some forms that should have retention periods have been temporarily excluded from Exhibit 892 pending a future update. If you need assistance with a particular PS Form retention period, please contact the Records Office, by e-mail at privacy@usps.gov.

We will incorporate these revisions into the next printed version of the ASM, and also into the online version, available on the Postal Service PolicyNet Web site:

• Go to http://blue.usps.gov.

• Under "Essential Links" in the left-hand column, click on References.

• Under "References" in the right-hand column, click on PolicyNet.

• Click on Manuals.

(The direct URL for the Postal Service PolicyNet Web site is http://blue.usps.gov/cpim.)

Administrative Support Manual (ASM)

* * * * *

3 Communications

* * * * *

[Revise the title of 36 to read as follows:]

36 Web-Based Communications

[Revise 361 and 362 to read as follows:]

361 Intranet

The Postal Service Intranet home page (http://blue.usps.gov) provides a common access point to corporate-wide information intended for employee use. It provides access to internal policies and procedures, Postal Service events, current Postal Service news, human resource information, electronic recordkeeping via Track & Confirm, and electronic tools. It also provides direct access to various administrative Web pages that provide detailed information about Postal Service functional groups, including both Headquarters organizations and field units at the area and district levels. This Web site is indexed so that users can search for specific information. The functional areas participating are responsible for keeping their information accurate and up-to-date. (See MI AS-885-2002-15, Managing Web Sites on the Corporate Intranet.)

362 Internet

The Postal Service Internet Web presence (www.usps.com) provides the single, authorized Web domain for external customer access to electronic Postal Service products, services, and information. The usps.com site provides service for both the household and business customers under several categories structured to provide easy access to the desired service(s). Interactive pages include lookups for ZIP Codes, Post Offices, postage, and product/tracking information. Products sold online include stamps, stamp merchandise, and mailing labels with postage. Customers may create and post mail online, as well as change their addresses, hold mail, and schedule a pickup or redelivery. Other key pages include the latest rate and rate case information, job postings, print-on-demand forms, a wide range of Postal Service publications, and consumer information including frequently asked questions. The usps.com site provides news releases, features, and speeches. The site also provides a comprehensive search capability. The Internet Channel, under the chief marketing officer, provides the overall content and site navigation coordination, while Information Technology provides development, maintenance, and infrastructure support. (See Handbook AS-885, usps.com Development Process and Standards.)

* * * * *

6 Support Services

61 Technology

[Revise 611 and 612 to read as follows:]

611 Policy

The Postal Service uses technology as a tool to achieve its business objectives. Technology programs cover a wide range of areas and are intended to make it easier for customers to do business with us. These programs allow the Postal Service to:

a. Process, track, and distribute mail faster and more effectively.

b. Protect the environment.

c. Provide tools for our employees to improve job effectiveness.

A broad definition of technology includes computer systems hardware and software, Internet and intranet development and systems, mail processing, handling and transport equipment, mail tracking systems hardware and software, retail and self-service equipment, telecommunications, and the effective use of the information available in these systems.

612 Information Technology

612.1 Responsibility

Information Technology provides and supports products and services that use computers, telephones, and wireless devices. These services include the following:

a. Business solutions.

b. Business data management.

c. Information security service.

d. Electronic messaging.

e. Corporate software and hardware acquisition and support - Blackberry and wireless personal digital assistants (PDAs).

f. Back office processes (such as payroll processing).

g. Distributed computing environment.

h. Host computing services.

612.2 Purpose

The Postal Service information technology infrastructure provides the means to:

a. Share information electronically as follows:

(1) Between Postal Service personnel and customers regarding customer mailings and postal services.

(2) Among Postal Service managers for operational and cost management.

(3) Among employees so they can be more successful in their jobs.

b. Conduct Postal Service business transactions electronically.

c. Learn more about customers and their needs.

See Chapter 8, Information Resources, for policies and services related to the Postal Service information technology infrastructure.

* * * * *

[Add new 67 and 68 to read as follows:]

67 Postal Service Corporate Library

The Postal Service Corporate Library is responsible for providing commonly used business and legal reference materials and information services required to assist Postal Service managers with decision making. Corporate library services include the following:

a. Providing research and reference services to support Postal Service business needs through in-house and commercial databases, networks, and print materials.

b. Providing library loan services for Postal Service personnel and user access to commercial electronic subscription services for Postal Service personnel.

c. Providing orientation and training to Postal Service staff on effective search and retrieval of content from the Internet, Postal Service Intranet, and commercial electronic subscription services that the Corporate Library manages.

d. Providing support for content management, information monitoring, intelligence gathering, and the integration of commercial business information to meet customer information needs.

e. Serving as a cost control center in the acquisition, organization, and maintenance of print publications and the facilitation of access to electronically formatted commercial information required for Postal Service management and staff.

68 Postal History

Postal History serves as the institutional memory for the Postal Service. Members of the Postal History staff research, maintain, and analyze historical information on Postal Service policies, services, organizational structure, and artifacts. The historian prepares papers on Postal Service history and tradition; is responsible for the Postal Service's artifacts and fine arts collection, with the exception of New Deal murals and sculpture; maintains a collection of historic records; and develops and maintains histories of local Post Offices, including lists of postmasters. The office maintains Web sites for Postal Service staff and the public on historical postal topics and Postmaster Finder, which provides information on local Post Offices.

* * * * *

8 Information Resources

[Revise 8 to read as follows:]

81 Policy

Information resources, as they relate to this chapter, consist of Postal Service information (not including financial records) and the enabling information technologies. The Postal Service is committed to protecting its information resources; providing an information technology infrastructure that supports customer, corporate, and business needs; and staying abreast of developing legal and policy frameworks, new technologies, and best-in-class business models and practices.

811 Vice President, Chief Technology Officer

The vice president, Chief Technology Officer (VP/CTO), in consultation with key Engineering and other Postal Service functional organizations, provides the following:

a. Leadership in establishing a Postal Service information technology infrastructure that takes full advantage of new technology and better business processes.

b. Governance and management such that Postal Service information technology can respond to business needs today and into the future.

c. Investments that result in an integrated, supportable, secure, and efficient information technology infrastructure.

The VP/CTO is also the Postal Service chief information officer.

812 Installation Heads and Vice Presidents

Installation heads and vice presidents are responsible for information resources within their custody as follows:

a. Determining whether a system is appropriately protected for the value of the information it contains.

b. Ensuring that Postal Service policies, guidelines, and procedures for protecting information resources are followed in all system activities, including procurement, development, and operation.

813 Managers

Managers at all levels are responsible for protecting information and enforcing applicable policies and procedures.

814 Headquarters and Field Functional Organizations

Postal Service headquarters and field functional organizations are responsible for working with their portfolio managers, who will coordinate with the Information Technology (IT) service managers to do the following:

a. Identify business services and solutions compatible with the Postal Service technical architecture and IT policies.

b. Coordinate development, implementation, and support of business solutions with the appropriate IT service group.

c. Help enhance existing business services and solutions.

d. Ensure that business solutions conform to all federal and Postal Service information security rules and regulations.

e. Coordinate requirements to protect information in accordance with Privacy Act, Freedom of Information Act (FOIA), and Postal Service privacy policies.

815 Privacy Office

815.1 Chief Privacy Officer

The chief privacy officer is responsible for the following:

a. Developing and implementing policies, processes, and procedures related to privacy, records, and the FOIA.

b. Determining privacy compliance and information sensitivity during the application business impact assessment (BIA) process.

c. Directing the activities of the Privacy Office and the Records Office and reporting to the Consumer Advocate.

815.2 Manager, Records Office

The manager, Records Office, is responsible for compliance with policies and procedures related to the Privacy Act, FOIA, and records management.

82 Information

821 Policy

It is the intent of the Postal Service to appropriately protect its information against unauthorized disclosure, use, modification, or destruction of information; to ensure its availability; and to comply with business requirements for the creation or collection, processing, storage, maintenance, retirement, and disposal of information. The Postal Service is mandated by law to protect the privacy of its customers, employees, individuals, and suppliers, and has adopted policies to do so. The Postal Service is also required to make its records available to the public consistent with FOIA and good business practices. (See Handbook AS-353, Guide to Privacy and the Freedom of Information Act, for Postal Service policies and procedures about the privacy of information relating to customers, employees, or other individuals, and the release and protection of Postal Service records.)

822 Description

Information consists of data in any form related to Postal Service business activities, employees, or customers that has been created, acquired, or disseminated using Postal Service resources, brand, or funding.

823 Scope

This policy applies to information at all Postal Service facilities that is maintained on any equipment or system with information processing, storage, or retrieval capabilities, as well as the related resources that allow data (i.e., numbers, characters, images) to be input, processed, stored, and retrieved, and to Postal Service personnel, contractors, vendors, and business partners, as applicable.

824 Information Protection

Information is often confidential or proprietary, and its inappropriate use or disclosure could result in brand or financial damage, unfair advantage to competitors, or negative impact to our customers or employees. Such data may only be disclosed outside the Postal Service in accordance with privacy policies described in Handbook AS-353, chapter 3. The following are the high-level requirements for the types of information indicated:

a. Business Data. Non-public business data may relate to either the Postal Service or its customers. Such data, whether developed or maintained by the Postal Service, must be protected in accordance with good business practices, Postal Service policies, and customer or Postal Service data markings or practices. Customers may only receive non-public information about other customers pursuant to a FOIA request after any exempt material has been identified and redacted.

b. Employee Data. Employee data must be collected, managed, used, disclosed, and stored in accordance with Privacy Act requirements and Postal Service policies.

825 Data Stewardship

825.1 Description

Data stewardship is the management of data from collection through disposition to ensure it is accurate, available, usable, and consistent with Postal Service policies on privacy, security, disclosure, and retention. (See MI AS-860-2003-2, Data Stewardship: Data Sharing Roles and Responsibilities.)

825.2 Requirements

Each functional organization that collects or processes data that is shared with other systems or databases must identify a data steward responsible for developing standards to support data integrity and to comply with applicable privacy and security policies.

826 Ownership

Systems, media, and all data and information maintained on them are Postal Service property and are not the property of any single person or organization. Their use is dictated by the business requirements of the Postal Service, irrespective of organizational boundaries.

827 Information Protection Levels

All information maintained on information processing equipment requires some protection. Information that the Postal Service has designated as sensitive, business-controlled sensitivity, critical, or business-controlled criticality requires a greater degree of protection and controls.

83 Information Technology Infrastructure

831 Policy

It is the intent of the Postal Service to provide a technological infrastructure that delivers cost-effective electronic communications, data availability, and automated environments consistent with corporate, legal, and federal requirements and to offer affordable business solutions that keep pace with a rapidly changing and competitive marketplace.

832 Description

The Postal Service information technology infrastructure consists of all computer-based technologies and related processes associated with the creation, collection, processing, storage, transmission, analysis, and disposal of information. It includes the information systems, infrastructure, applications, products, services, telecommunications networks, computer-controlled mail processing equipment, and related resources sponsored by, operated on behalf of, or developed for the benefit of the Postal Service. Information technology-based resources are described in subchapters 84 through 88.

833 Scope

The policies apply to all components that comprise the Postal Service information technology infrastructure and to all Postal Service personnel, including contractors, vendors, and business partners, as applicable.

84 Business Solutions

Business solution services consist of application development, enhancement, and maintenance of Postal Service systems.

841 Business System Design and Development

841.1 Description

Business system design and development follows the Postal Service Integrated Solutions Methodology (ISM) system development life cycle. The ISM is the Postal Service standard for the planning, analysis, design, development, testing, implementation, operation, maintenance, and disposition of information systems required for IT-based business solutions. The ISM also mandates and supports the management of technology funding in accordance with the General Accounting Office's Information Technology Investment Management methodology.

841.2 Requirements

All IT-based application solutions built by or for the Postal Service must comply with the ISM requirements. If system development is outsourced, suppliers may use their own system development life cycle methodologies provided that the deliverables required by the ISM are provided to the Postal Service and are stored in the ISM.

842 Enterprise Information Repository

842.1 Description

The Enterprise Information Repository (EIR) at http://eir is the official central repository of information about Postal Service software applications and application modules. The EIR is used to monitor application status; review applications by their components; identify existing applications that may enhance, or be affected by, proposed applications; and avoid redundancies. When registering an application, the following components must be addressed: General (name, description, parent system); Business (stakeholders, development organization); Platform (mainframe, Web client, Web server); Security (sensitivity and criticality classifications); Disaster recovery contingencies; Section 508 status; and Contacts.

842.2 Requirements

All Postal Service applications and modules procured, developed, or used by the Postal Service must be registered in the EIR. This includes all applications, Web applications, and Web sites, regardless of the operating environment (mainframe or server/client, stand-alone PC, or Web), origin (commercial off-the-shelf (COTS) software, outsourced, or in-house development), or status (pilot, development, production, retired, replaced, future, or suspended). All information in the EIR must be kept current and accurate throughout the life cycle of the application.

842.3 Responsibilities

Functional organization vice presidents must ensure that their applications and modules are registered in the EIR once their funding has been approved. This responsibility is delegated to a portfolio manager, the designated IT point of contact, who may assign the program manager, business project leader, or project manager to maintain application information in the EIR.

842.4 Requests for Access

Anyone with access to the Postal Service Intranet may view (browse) the information contained on the EIR Web site.

843 Business System Maintenance and Enhancement

843.1 Description

Business system maintenance and enhancement focuses on maintaining, correcting, and enhancing the performance or functionality of existing production systems to sustain and extend their value and usefulness.

843.2 Requests for Service

Headquarters and field functional organizations should initiate requests through their respective portfolio managers. IT Customer Support and the Help Desk will determine the type of remedial maintenance needed and forward the request to the appropriate development organization for action.

85 Customer Support

Customer support service makes sure that authorized users can access the tools, applications, and information they need on the Postal Service IT infrastructure to do their jobs and that applications and technology are kept up-to-date.

851 Remote Support and Operations

851.1 Description

Remote support and operations is a centralized service through which IT provides, configures, installs, and supports hardware and software for the computer desktops of functional organizations. This service includes background tasks, such as account administration, maintenance of backups, disk space management, e-mail, database management, and hardware monitoring.

851.2 Responsibilities

Responsibilities related to remote support and operations are published in Handbooks AS-802 and AS-805.

852 IT Help Desk

852.1 Description

The IT Help Desk provides support 24 hours a day, 7 days a week to resolve or escalate application and technical problems. Users of Postal Service systems can call 1-800-USPS-HELP and say the name of the system or application they are calling about.

852.2 Responsibilities

To have their applications supported by the IT Help Desk, functional organizations are responsible for the following:

a. Completing the Help Desk New Business Process form provided by the IT Help Desk during application activation.

b. Providing training and documentation to application users.

c. Providing support documentation and training to IT Help Desk personnel.

d. Ensuring that a Service Level Agreement is signed by all stakeholders.

e. Complying with the requirements relating to placement of applications in the Postal Service centrally hosted environment.

86 Planning and Acquisition

861 IT Architecture and Standards

The Postal Service manages and maintains an information technology architecture and standards in a manner to ensure that the IT infrastructure can respond to Postal Service business requirements.

861.1 Enterprise Architecture

861.11 Description

The enterprise architecture is a conceptual framework for designing, developing, and operating business solutions to ensure that they are closely aligned to Postal Service business goals. It also provides the foundation for reviews of proposed systems architectures and the basis for proposing new IT services. (See Handbook AS-820.)

861.12 Responsibilities

861.121 General

All Postal Service functional organizations, employees, suppliers, and partners must comply with the Postal Service enterprise architecture requirements regarding the acquisition, design, deployment, operation, and replacement or retirement of information technology.

861.122 Enterprise Architecture Committee

The Enterprise Architecture Committee (EAC) ensures that an enterprise architecture is developed, maintained, and used to inform IT management decisions.

861.123 IT Managers

IT managers are responsible for the following:

a. Submitting the systems architecture for new or expanded business or infrastructure systems or services to the EAC for approval before development begins.

b. Maintaining current and target architectures for their respective systems and service offerings.

861.124 Portfolio Managers

Portfolio managers are responsible for the following:

a. Maintaining current and target architectures for business functions under their purview.

b. Ensuring that the enterprise map of business processes is maintained and updated.

c. Ensuring that the EIR is updated for every new or updated application.

d. Ensuring that a system's architecture is approved by the EAC before development activities begin. (See MI AS-810-2003-1.)

861.2 Standards

861.21 Description

IT provides guidance and standards for integrating applications into the IT infrastructure and provides the frameworks for developing and delivering systems to support functional organization requirements.

861.22 Software

Selection of software products for use in the Postal Service infrastructure must comply with the following:

a. Products must be listed in the Postal Service Infrastructure Tool Kit (ITK). (See http://itk.)

b. Requests to use nonstandard products must be submitted through the ITK update process for review and approval by the EAC before development work begins. (See MI AS-810-2003-1.)

c. Products must comply with Postal Service Section 508 policy. (See Handbook AS-508.)

d. COTS products must be implemented with little or no customization.

e. COTS products, freeware, and shareware must be evaluated for security functionality.

f. Functional organizations must fund certification or testing costs.

861.3 Compliance

All systems and services must align with the Postal Service Enterprise Architecture and use standards to leverage the benefits of faster deployment and cheaper development and operation. Compliance reviews are conducted under the auspices of the EAC.

862 Software and Hardware Acquisition

The acquisition of software and hardware is designed to provide the products and services that meet IT standards for the development, implementation, and maintenance of the Postal Service technological infrastructure. Acquisition activities also ensure that the Postal Service can negotiate the most beneficial agreements possible by consolidating requirements into advantageous solicitations.

862.1 Software Acquisition

862.11 Corporate Licenses

The Postal Service acquires software by establishing corporate licenses.

862.12 Responsibilities

862.121 Functional Organizations

Functional organizations working in conjunction with their assigned portfolio manager or district IT manager are responsible for the following:

a. Identifying the business, functional, and technical requirements.

b. Identifying the software products to be considered.

c. Once a supplier is selected, initiating the ITK change process, which establishes compatibility of the software with the postal computing environment. (See http://itk.)

d. Collecting Section 508 documentation from the supplier.

e. If the software complies with Section 508 requirements and is acceptable in the postal computing environment, preparing an eBuy requisition and funding the purchase.

862.122 Information Technology

IT is responsible for the following:

a. Initiating discussions with Supply Management, representing the customer requirements and business needs.

b. Working with Supply Management to develop a purchase strategy and to complete the purchase action. (This generally involves a review of the terms and conditions of the supplier's license agreement, a competition among potential suppliers, and a negotiation with the selected supplier.)

c. Funding software identified as Enterprise Desktop Software.

d. Obtaining software on a free trial basis if it supports the customer's need to evaluate a product before committing to a purchase. (See MI AS-860-2002-6.)

862.2 Hardware and Services Acquisition

862.21 General

Information technology hardware and professional services are acquired to support Postal Service business needs.

862.22 Responsibilities

862.221 Functional Organizations

Functional organizations, working in conjunction with their assigned portfolio manager or district IT manager, are responsible for the following:

a. Developing a Statement of Work (SOW) that includes the scope, timeframe, deliverables, performance metrics, and other requirements the functional organization has of the supplier, its products, or its services.

b. Providing the justification and market research data required to prepare a noncompetitive justification, if needed.

c. Developing and supporting a noncompetitive justification, if needed.

d. Funding the purchase and preparing an eBuy requisition.

862.222 Information Technology

IT is responsible for the following:

a. Reviewing the SOW.

b. Working with Supply Management to determine and to complete the acquisition strategy in the following ways:

(1) Solicitations. Works with the functional organization and Supply Management to develop the evaluation criteria; participates in the source selection and the technical evaluation and ensures that the business issues from an IT perspective are addressed.

(2) Noncompetitive justifications. Works with the functional organization to prepare sufficient documentation to justify obtaining services and/or products due to a compelling business interest, industry structure and practice, single source, or superior performance.

(3) Contract modifications. Provides requirements and technical input to Supply Management regarding business risks, terms, and conditions and suggests changes as needed.

c. Monitoring the supplier's performance and notifying Supply Management when there is a performance or delivery issue.

87 Information Technology Infrastructure

871 Application Hosting

Application hosting provides computing services for Postal Service business units. These services are provided on a broad range of operating platforms in various locations to ensure that business applications are optimally deployed, operated, and supported. (See Handbooks AS-508, AS-802, and AS-805 for policies governing the placement of applications in the Postal Service computing environment.) The components of application hosting are discussed in the following sections.

871.1 Application, Database, and Web Hosting

871.11 Platforms and Storage

The hosting environment for business applications consists of mainframe, midrange (Unix), and Wintel platforms and a variety of storage solutions. All server solutions that support Postal Service enterprise and Web applications and their databases must comply with IT standards before being placed into production.

871.12 System Support

System support for applications in the centrally hosted environment includes the following activities:

a. Developing interfaces to integrate vendor software.

b. Installing and maintaining system software (i.e., with timely patch management).

c. Hardening servers before production to ensure a secure computing environment.

d. Installing and maintaining programs that aid application development and implementation.

e. Working with hardware and software vendors and application developers to resolve problems.

f. Monitoring performance and planning for changes in capacity.

g. Managing configurations.

h. Performing system administration tasks such as file backups.

871.13 Service Support

871.131 Description

The Service Level Agreement (SLA) is an agreement between the sponsor of an information system/application and IT that specifies system objectives such as the hours of system availability; hours of help desk support; and system update, backup, and maintenance windows. The Technology Framework and Host Computing Services Application Hosting Activation Process documents include the technical specifications necessary for installing and operating the application and are completed prior to drafting the SLA. For more information, visit http://it.usps.gov/pls/itprodnp/page?psite_id=10&pnode_id=33; from the "IT Spotlight" drop-down menu, click on SLA.

871.132 Requirements

All information systems or applications hosted in the IT environment must have a valid SLA completed and approved prior to the application's being installed in production in the IT Host Computing Environment. SLAs are effective for 1 year, unless the customer changes service-level objectives, at which time the SLA must be revised. If the SLA is not renewed each year, IT will not commit to previously stated service levels after the agreement expires. The responsible IT Business System Portfolio (BSP) Program Manager completes the following steps in establishing and renewing an SLA:

a. Works with the sponsor to determine the sponsor's service objectives.

b. Documents the service objectives in the SLA.

c. Forwards the SLA to the service providers to obtain their signatures, amending the document as needed.

d. Provides the signed SLA to the sponsor for final approval and acceptance.

e. Forwards the final SLA signed by the service providers and the sponsor to the Manager, Host Computing Services, Eagan, MN.

f. Conducts an annual review and renewal process prior to the end of the fiscal year, repeating steps a-e.

871.14 Problem Management

Problem management consists of resolving information technology problems, both nationwide and locally. These services are based on a centralized approach for reporting, handling, and escalating problems to minimize the time and resources needed to resolve them, keeping any outages within predetermined acceptable service levels.

871.15 Responsibilities

871.151 Information Technology

IT is responsible for the following:

a. Hosting facilities, support staff and processing, and storage capacity to operate and maintain databases, business applications, and Web sites.

b. Providing system support.

c. Providing service support based on an active SLA.

(1) Performing an annual review of each SLA.

(2) Reminding the portfolio or functional manager about renewal requirements 2 months before the SLA expires.

d. Providing problem management.

871.152 Portfolio Managers

Portfolio managers are responsible for the following:

a. Registering applications in the EIR and eAccess.

b. Ensuring that the Application Information Security Assurance (ISA) process has been completed before an application is hosted.

c. Developing an SLA with the stakeholders; ensuring that all appropriate signatures are obtained before the application is activated; or working with them to determine whether an SLA should be renewed as is, renewed with changes, or not renewed.

d. Ensuring that an Application Disaster Recovery Plan (ADRP) is developed, maintained, and provided to Disaster Recovery Services.

e. Ensuring that a technical architectural diagram and detailed architectural description showing a technical architecture that is compatible with the hosting environment is available at the beginning of the application hosting activation process.

f. Ensuring that all jobs, scripts, and operations and support documentation are available to the hosting organization before production.

871.153 Application Sponsors

Application sponsors are responsible for the following:

a. Ensuring that applications are browser-accessible, browser-independent, and server-based, and that they use the Enterprise Directory Service for user authentication and authorization.

b. Funding application hosting, including facilities, hardware, software, and ongoing support required to meet the level of service negotiated in the SLA.

871.2 IT Disaster Recovery

871.21 Description

IT disaster recovery testing and recovery services ensure that an application can be recovered at an alternate location if a significant interruption of computing services occurs. Disaster recovery requirements are based on the outcome of the application Business Impact Assessment (BIA), the component of the process that determines the potential consequences of system unavailability or loss and the related development of an ADRP. (See 882.3.)

871.22 Requirement

Federal mandate and Postal Service policy require that disaster recovery capabilities and plans be in place and tested for all business applications and systems designated as critical or business-controlled criticality. (See Handbooks AS-805, AS-805-A, and AS-802.)

871.23 Responsibilities

871.231 Functional Organizations

To ensure that appropriate disaster recovery plans are implemented, functional organizations should do the following:

a. Review their applications with their assigned portfolio managers.

b. Ensure that application BIAs are complete and maintained for every system.

c. Identify the recovery time objective (RTO) and data currency needed to minimize the impact of business recovery.

d. Ensure that funding and requirements are reflected in the client funding agreements system and SLA.

871.232 IT Integrated Business Systems Solutions Center or Systems Development Organizations

For applications classified as business-controlled criticality or critical, Integrated Business Systems Solutions Centers or system development organizations are responsible for developing and maintaining ADRPs to document specifications for recovering them at alternate locations.

871.233 IT Disaster Recovery Services

IT Disaster Recovery Services is responsible for the following:

a. Providing technical and procedural information to assist in the completion of the application BIA and ADRP before disaster recovery testing.

b. Reviewing and approving the ADRP.

c. Providing the environment and guidance for executing application recovery testing conducted by the application owner to verify that the application can be recovered within the RTO determined during the BIA.

872 Data Management

The technical infrastructure for data management provides the Postal Service gateway to secure corporate information. Data management consists of acquiring data from disparate sources and positioning it for appropriate access by business applications and authorized users and is based on the development, use, and maintenance of an enterprise architecture. Data management activities must comply with applicable federal and Postal Service information security rules and regulations and with Privacy Act, FOIA, and Postal Service privacy and records policies.

872.1 Data Access

Functional organizations that require data from existing or planned information systems must do the following:

a. Inform the data steward (see 825).

b. Fund new development or modifications to achieve data sharing.

c. Comply with data integrity rules.

d. Comply with applicable Postal Service privacy and security requirements.

872.2 Data Acquisition

872.21 Description

Postal Service corporate data acquisition service (CDAS) activities enable the "collect once, use many" approach to ensuring that data is a shared corporate resource. CDAS collects data from operational systems and makes it sharable corporate-wide to target systems such as the Postal Service enterprise data warehouse and other data stores.

872.22 Responsibilities

Portfolio managers are responsible for the following:

a. Overall management of the project using CDAS.

b. Funding the development and production support for CDAS-related efforts.

c. Providing requirements for transformation of source data to target systems.

872.3 Data Warehouse

872.31 Description

The Postal Service data warehouse is the authoritative source for corporate data and reporting. It is a centralized resource that provides an integrated database and report and query infrastructure for the Postal Service as a whole, consolidating data from many systems and making it sharable to support accurate and consistent reporting throughout the Postal Service.

872.32 Responsibilities

872.321 Information Technology

IT is responsible for managing the data warehouse, operating the warehouse infrastructure, providing tools for ad hoc reports, and building predefined reports.

872.322 Functional Organizations

Functional organizations are responsible for working with their portfolio managers to identify reporting and storage requirements for the data warehouse.

872.4 Data Transfer

The Postal Service provides the capabilities to move data securely both internally and externally. Internally, it moves data between applications, databases, or file systems. Externally, it supports the transfer of electronic business documents between the Postal Service and its suppliers and customers. (See Handbook AS-805 for data transfer security requirements.)

872.5 Database Support

872.51 Description

Database support provides a stable production database environment across standard platforms to ensure that corporate information stored there has maximum availability.

872.52 Requests for Support

IT and functional organizations negotiate SLAs and budgetary support for each project. Requirements related to database support are published in corporate directives including, but not limited to the following: Handbooks AS-802, AS-805, AS-805-A and AS-812.

872.6 Corporate Data Presentation

872.61 Description

The Postal Service provides and supports a centralized set of data presentation tools to enable customized views of standard corporate reports and ad hoc report generation.

872.62 Responsibilities

872.621 Functional Organizations

Functional organizations are responsible for using the corporate data presentation tools for reporting the state of the corporation for presentation internally and externally.

872.622 Portfolio and Program Managers

Portfolio and program managers are responsible for the following:

a. Managing the overall project that is using corporate data presentation tools.

b. Funding development and production support for the corporate data presentation services related to their particular efforts.

c. Providing reporting requirements.

873 Telecommunications

Telecommunications capabilities provide the technological underpinnings for data and voice communication among employees, customers, partners, and suppliers in a content-neutral approach implemented in accordance with security and privacy policies and guidelines. The components of the Postal Service telecommunications environment and related responsibilities are listed below.

873.1 Wide Area Network

873.11 Description

The Wide Area Network (WAN) provides network connectivity for Postal Service locations and business partners. It consists of computer-to-computer or facility-to-facility data communications across the Postal Service through a private, secure network and secure gateways to the Internet. This service is provided through a contract known as the Managed Network Service (MNS). Types of service provided under this contract include the following:

a. New WAN service.

b. Data rate changes (upgrading or downgrading of existing service).

c. Modifications and relocation of existing service, including disconnecting.

d. Small area office to large area office conversions.

873.12 Funding

Functional organizations are responsible for funding the installation and recurring network service costs for the facility or application for which the service is provided.

873.13 Requests for Service

To request or change service, submit Form 3037, Request for Service, available at http://it under Resource Tool Box, Forms and Templates, Form 3037.

873.2 Local Area Network

873.21 Description

Local area networks (LANs) provide data communications connectivity within Postal Service facilities using wire-line and wireless technologies and designs.

873.22 Funding

Functional organizations are responsible for funding the fixed service installation costs at the facility they are responsible for.

873.23 Requests for Service

To request new or change existing service, submit Form 3037, Request for Service, available at http://it under Resource Tool Box, Forms and Templates, Form 3037.

873.3 Remote Access

873.31 Description

Remote access is the capability for authorized users (generally employees, selected contractors, vendors, and business partners) to access the Postal Service network. Types of service include the following:

a. Point-to-Point Protocol for communication between two computers, typically a personal computer connected via telephone line to a server.

b. Virtual Private Network (VPN) for use of a public telecommunication infrastructure that maintains privacy through tunneling, encryption, authentication, access control, and auditing.

c. Business partner connectivity for a secure connection, via either leased lines or VPN, for business entities requiring access to the Postal Service routed network.

873.32 Funding

Postal Service executive sponsors are responsible for funding secure connectivity for business partners related to their areas.

873.33 Requests for Service

To request service, submit the appropriate form to the Network Connectivity Review Board at ncrb@email.usps.gov. Forms are available at http://it. Click Support, then under "Corporate Information Security," click CISO Organization Information, then Network Connectivity Review Board, then Request Forms. Postal Service executive sponsors must initiate any business partner requests related to their areas of responsibility.

873.4 Telephony/Voice

873.41 Description

This service provides technical direction, specification development, and guidance for the acquisition of large and small telephone systems; upgrades and long distance and local service support; technical support in the design and implementation of infrastructure cabling for both inside and outside plant applications; public address (paging) systems; and guidance on equipment maintenance coverage.

873.42 Toll-Free Service

The Postal Service uses toll-free services to cover the continental United States, Alaska, Hawaii, Puerto Rico, all U.S. territories, and international toll-free services, when required, and has established standardized processes for acquiring them.

873.43 Funding

Functional organizations are responsible for funding the installation and recurring network service costs for the facility or application for which the service is provided.

873.44 Requests for Service

To request service, submit Form 3037, Request for Service, available at http://it under Resource Tool Box, Forms and Templates, Form 3037. Business support vendors and telecommunications companies can be reached directly by field users under contracts established for the Postal Service.

873.5 Wireless Devices and Services

873.51 Description

The Postal Service provides for the acquisition, deployment, and support of wireless devices and services to support its business activities. Such devices include pagers, personal digital assistants (PDAs), and cellular telephones. Wireless devices and services, as described here, do not include devices and services integrated with operational mail processing equipment. Supported services, providers, and funding responsibilities are shown in Exhibit 873.5.

873.52 Requests for Service

Personnel should select service from providers that are approved for their respective locations. If more than one provider is available, local IT personnel, with IT Telecommunications Services oversight, will guide managers on the choice of provider based on the expected patterns of use.

Exhibit 873.5
Funding Responsibility for Wireless Services

Service	Providers	Funding Responsibility
Cellular Telephone	AT&T Wireless Cingular Wireless Nextel Wireless Sprint Wireless Verizon Wireless	Local
Pager	Skytel	Local
PDA	Compaq Blackberry	Local

873.6 Radio Frequency

873.61 Description

The Postal Service provides radio frequencies spectrum support for wireless devices used to support its business activities, including acquisition and deletions, radio device inventory, and operational assurance.

873.62 Funding

The local facility requiring radio frequency service is responsible for funding.

873.7 Responsibilities

873.71 Information Technology

IT is responsible for the following:

a. Overall. Engineering, managing, and operating the Postal Service national telecommunications voice, video, data, satellite, and wireless communications networks in partnership with various contractors.

b. Wireless Devices and Services. Administration and fiscal oversight, including monitoring and auditing; working with Supply Management to select service providers nationwide and to establish service provider agreements.

c. Toll-Free Services. Approval and ordering of service; program administration; fiscal oversight, including rate monitoring and auditing; and overall invoice review.

d. Radio Frequency. Developing policies and procedures for managing the technology; providing guidance, contractual vehicles, and regulatory support to ensure that wireless programs within the districts are operating within regulations; and designing and developing solutions for the districts.

873.72 District Manager

The district manager, through the information systems (IS) manager at the district level, manages voice, video, facsimile, and data telecommunications systems within a geographic boundary, including processing and distribution installations.

873.73 Information Systems Manager, District Level

The IS manager at the district level is responsible for the following:

a. Overall.

(1) Managing operation and implementation of voice, video, facsimile, and data telecommunications systems within a geographic boundary.

(2) Requesting IT Telecommunications Services for installation, modification, or removal of:

(a) Private Branch Exchange (PBX) telephone systems.

(b) Electric key telephone systems of seven or more lines.

(c) Automatic call distribution and voice response systems, station message detail recorders, and public address systems.

(d) Walkie-talkie-type radio systems, beepers/ pagers, speaker phones, stand-alone single answering or recording devices, special hearing and seeing devices, and automatic dialing devices.

(e) Off-premises extensions or foreign exchange circuits.

(f) Coordinating one to six telephone lines and one or two telephone instruments with the local IS manager.

b. Local Area Networks. Documenting and managing LANs within a geographic boundary.

c. Radio Frequency. Working with IT Telecommunications Services for the engineering of wireless devices, systems, and programs and for managing commercial service accounts and cellular and paging service accounts.

873.74 Telecommunications Coordinator

The telecommunications coordinator is designated by the IS manager to coordinate voice, video, facsimile, and data telecommunications activities within an installation. The telecommunications coordinator has the following responsibilities:

a. Operating voice, video, facsimile, and data telecommunications systems in an installation (can be one or more buildings in a limited geographic area).

b. Coordinating implementation and integration of universal wiring systems.

c. Managing the cable plant and maintaining cable records.

d. Requesting changes to Federal Technology Service (FTS) through IT.

e. Submitting changes or requests for access to Postal Service networks to Telecommunication Services.

f. Complying with telecommunications systems security policies. (See Handbook AS-805.)

873.75 Postal Inspection Service

873.751 Requests

The Postal Inspection Service (Information Technology Division) processes telecommunications requests from Postal Inspection Service (Information Technology) organizations. Forward requests to:

MANAGER INFRASTRUCTURE SUPPORT
US POSTAL INSPECTION SERVICE
INFORMATION TECHNOLOGY DIVISION
2111 WILSON BLVD STE 500
ARLINGTON VA 22201-3036

873.752 Postal Inspector-In-Charge

Each Postal Inspection Service division postal inspector-in- charge approves installations of, or changes to, telephone equipment, such as the relocation or addition of telephone instruments for that division.

873.8 Facility Infrastructure Design and Engineering

Communication systems and services are designed and engineered based on Postal Service structured wiring requirements for Postal Service facilities nationwide and include voice and data communications, PBXs, and LANs. Implementation and installation of these designs are closely coordinated to comply with applicable requirements.

874 Distributed Systems Management

874.1 Description

Distributed systems management is the centralized, standardized approach to managing computers distributed throughout the postal computing environment that allows the Postal Service to enhance the performance of its applications, systems, and services. The approach includes system and network management disciplines that enhance technology integration, implementation, and support, yielding better business value and productivity improvement. The components of distributed systems management are listed in the following sections.

874.2 Enterprise Management

874.21 Description

Enterprise management activities ensure the maximum availability of Postal Service operating systems and databases. Those activities include: tuning, troubleshooting, backup and recovery, distribution of software changes, and coordination of disaster recovery procedures; remote system management and support for distributed systems and applications; nationwide support for distributed IT infrastructure; support services, including management of performance, files and directories, problem faults, software distributions, tape backups and restores, deployments, and Novell Directory Services; and disaster recoveries, reports, and changes.

874.22 Responsibilities

Responsibilities related to enterprise management are published in Handbooks AS-802 and AS-805.

874.3 Distributed Systems Engineering and Management

874.31 Configuration Management

All technology components in the postal computing environment are managed under the change and configuration management (C/CM) process. C/CM is a required part of every technology project, and the associated costs must be included in project funding. (See MI AS-850-2002-10.)

874.32 Technology Engineering

874.321 Description

Technology engineering consists of server and workstation design, engineering, and integration services for COTS software products on the Advanced Computing Environment platform.

874.322 Responsibilities

IT can provide the following:

a. Engineering, integration, and packaging, which includes server installation scripts, application launching scripts, and associated documentation.

b. Certification and beta testing.

c. Initial deployment, if the functional organization does not install the applications and supporting hardware and infrastructure or the support of the sites during initial rollout.

d. Ongoing Level 3 support and infrastructure updates and testing.

874.323 Requests for Service

To request service, submit Form 3037, Request for Service, available at http://it under Resource Tool Box, Forms and Templates, Form 3037.

875 Electronic Messaging

The Postal Service electronic messaging environment enables communication in a manner that ensures security and integrity of the environment, complies with monitoring and other applicable policies, and streamlines the development and support of electronic messaging applications throughout the organization. This environment provides the means for users to send text messages and data files electronically to other employees, suppliers, partners, and customer organizations through the gateway to the Internet to almost anyone in the world who has an e-mail address. The service is available around the clock.

875.1 E-mail Support

875.11 Description

E-mail support provides the backbone that supports the Postal Service electronic messaging service. This support entails distribution of the messaging client (the e-mail application that runs on the personal computer), user support, engineering of the messaging servers, and administration. (See MI-AS-840-2004-2.)

875.12 Requests for Service

Submit requests for a Postal Service e-mail account at http://eAccess. If necessary, contact your local IT manager to configure your computer for e-mail.

875.2 Personal Digital Assistant (Blackberry Services)

875.21 Description

Personal digital assistants (PDAs), including wireless Blackberry-style units, are handheld devices that combine a variety of computing and communication features. The Postal Service will allocate PDAs as described below to support selected business activities.

875.22 Funding and Providing

875.221 Officers and Postal Career Executive Service Executives

Headquarters IT will fund and provide Blackberry PDAs (or successor units) to Postal Service officers and Postal Career Executive Service (PCES) employees.

875.222 Executive Administrative Service Employees

PCES executives must approve and fund Blackberry PDAs (or successor units) for Executive Administrative Service (EAS) employees, and Headquarters IT will provide the equipment.

Note: No wireless PDA technology may be issued to Fair Labor Standards Act (FLSA) nonexempt EAS personnel or bargaining unit employees outside of normal working hours due to FLSA constraints.

875.23 Requests for Service

To request information about ordering and activating wireless PDA service, contact the Headquarters IT Help Desk at 202-268-5588 or 800-268-5588 from outside the Washington, DC, Metropolitan Area. The Headquarters IT Help Desk is also available via e-mail at ##IT Help Desk.

88 Information Security

881 Description

Information security activities enable the Postal Service's capability to ensure the integrity, availability, and confidentiality of its information resources. These IT activities develop the strategies and policies to support information security and comply with federal and legal requirements. Information security policies are published in Handbook AS-805 and related documents. The key policy service components are described in the following sections.

882 Supporting Services

882.1 Secure Infrastructure

This IT service provides activities that develop, implement, and operate technologies and methods to protect the Postal Service infrastructure and includes the following components:

a. Enterprise Information Security Architecture. Defines the Postal Service information security services, vehicles, tools, mechanisms, and procedures that reflect security policy, business objectives, and available technology.

b. Technology Assessment. Evaluates and recommends security products for inclusion in the ITK and evaluates infrastructure and COTS products for common vulnerabilities and exposures.

c. Computer Incident Response Team (CIRT). Responds to computer incidents and provides threat and vulnerability reconnaissance. To report a suspected computer security violation, please call 1-866-USPS-CIR(T) (1-866-877-7247) or send an e-mail message to USPSCIRT@email.usps.gov.

d. Network Vulnerability Testing. Performs network and modem vulnerability testing, onsite testing of critical sites, and remote testing of high-risk sites to identify exploitable vulnerabilities and then provides recommendations to mitigate those vulnerabilities.

e. Network Connectivity Review Board. Establishes the standards and process for connecting to the Postal Service network. (See Handbook AS-805-D.)

f. Intrusion Detection. Provides security for systems with critical business applications, including intrusion detection, host vulnerabilities analysis, security trend analysis, unauthorized-use-attempt forensics, and response to attacks.

g. Penetration Testing and Vulnerability Scans. Evaluates the effectiveness of an implemented network segment or information resource by scanning for vulnerabilities and compliance with hardening requirements and attempts to bypass implemented controls.

h. Server Hardening. Provides hardening requirements and standards to ensure that nonessential system services are shut down, responsible administrative practices are followed, and security updates are applied. IT will work with functional organizations to customize server hardening for systems in development, for systems in use that have vendor support, and for legacy systems that have limited support resources.

i. Secure Enclaves. Provides network areas where special protections and access controls, such as firewalls and routers, are used to secure information resources.

j. Wireless Access Security. Ensures that distributed wireless LANs comply with IT wireless standards. Provides onsite and remote testing of facilities to locate and identify wireless access points and wireless ad hoc networks, identifies wireless hardware configured without appropriate encryption and authentication mechanisms enabled, and provides recommendations for mitigating wireless vulnerabilities.

k. Personnel Security. Works with the Postal Inspection Service to identify sensitive positions and ensure that individuals assigned to those positions have the appropriate background investigation and level of personnel clearance before they obtain physical access to Postal Service information resources or access to sensitive, business-controlled sensitivity, critical, or business-controlled criticality information. Works with Human Resources to include information security responsibilities in job descriptions and in personnel performance appraisals.

l. Physical and Environmental Security. Provides a coordinated IT and Inspection Service approach to protect information resources in the areas of physical access controls to facilities and work areas, controlled areas inside facilities, and environmental security.

882.2 User Authentication and Access Control

This service provides user accountability by managing access to and use of Postal Service information resources based on user registration, authorization, identification, verification, and authentication. Management is enabled via eAccess at http://eaccess, the Postal Service centralized application for requesting and approving access to Postal Service information resources.

882.3 Application Information Security Assurance (ISA)

This service identifies the sensitivity and criticality of a Postal Service information resource and the corresponding security requirements, ensures that appropriate protection controls and processes are implemented, manages residual risk, and culminates with the certification, accreditation, and approval to deploy. It includes the following components:

a. Application Business Impact Assessment. The application BIA determines compliance with privacy requirements, the sensitivity, criticality, and recovery time objective of the information resource, and the appropriate security requirements to protect the information resource based on its sensitivity and criticality.

b. Application Risk Management. This component defines the methods for ensuring cost-effective protection of information resources through risk assessment, risk mitigation, and risk acceptance processes.

c. Application Disaster Recovery Plan (ADRP). The ADRP documents the specifications for recovering an application based on the RTO.

d. Security Plan. A security plan describes information security controls (safeguards) and processes in place or planned for meeting the information security requirements.

e. Security Testing and Evaluation. This component defines a test plan and process for testing the information security controls implemented for the information resource.

882.4 IT Business Continuance Management

Business continuance management (BCM) is comprised of business continuity planning and disaster recovery planning. BCM must be implemented for Postal Service information resources and facilities designated by the VP/CTO as major information technology sites to meet its business continuity and contingency planning commitments, to protect Postal Service personnel and assets, and to reduce the likelihood and impact of a disruption to essential business functions of the Postal Service and its customers. BCM requires the following:

a. A comprehensive business continuity plan for each major IT facility to provide for incident management, facility recovery, and workgroup recovery.

b. An ADRP for each information resource designated as critical or business-controlled criticality.

882.5 Strategies and Compliance

This IT service emphasizes the significance of information security requirements for maintaining public trust, continuing business operations, and protecting Postal Service investments and includes the following components:

a. Policies, Procedures, and Standards. Creating and evaluating information security policies, procedures, and standards to support an enterprise information security program that meets federal requirements and incorporates prudent industry practices.

b. Training and Awareness. Providing training and awareness products that leverage techniques to communicate policies, procedures, and standards and ensure all employees and contractors are aware of their information security responsibilities and the appropriate, secure use of information resources.

c. Monitoring. Monitoring information resources as required to ensure compliance with Postal Service policies, procedures, and standards.

d. Compliance. Providing consulting support for inspections and evaluations to the Postal Inspection Service and the Office of the Inspector General (OIG) and recommending remedial action to address significant deficiencies. This may involve conducting administrative investigations for the purpose of maintaining effective information security and confiscating information resources as requested by the Postal Inspection Service or OIG.

883 Law Enforcement and Audit

883.1 Postal Inspection Service

883.11 General

The Postal Inspection Service is a federal law enforcement agency within the Postal Service mandated to protect the Postal Service and its employees and customers from criminal attack and to protect the nation's mail system from criminal misuse. The Inspection Service's overall goals of safety, security, and integrity are based on its mission and relate to all aspects of its jurisdiction and responsibilities. Through its criminal, investigative, preventive, and security programs, the Inspection Service strives to ensure the safety of Postal Service customers and employees; increase the security of Postal Service products, services, and assets; and maintain the public trust in the integrity of the postal system. The responsibilities of the Inspection Service include the following:

a. The chief postal inspector is designated as the security officer for the Postal Service and is the Postal Service point of contact for receiving notices concerning an assignment of a threat condition under the Homeland Security Advisory System.

b. The chief postal inspector will have the specific responsibility for liaison with federal, state, and local law enforcement when implementing protective measures.

c. The Postal Inspection Service is responsible for conducting criminal investigations when Postal Service networks and computers are used to facilitate an attack or crime against Postal Service partners, employees, or customers. Complete descriptions of Postal Inspection Service responsibilities relating to security can be found in ASM 27.

883.12 Personnel Security

Clearance must be obtained for persons in sensitive positions. Management is responsible for ensuring that data processing-related positions meet the security guidelines established by the Postal Inspection Service and that all information systems-related positions requiring sensitive clearances are identified and clearances are kept current. (See ASM 272.)

883.13 Physical Security

Computer equipment, data, facilities, and information must be safeguarded at a level appropriate to their value to the Postal Service or because of statutory requirements. The minimum security requirements are found in Handbook RE-5, Building and Site Security Requirements, which is not all-inclusive, and Handbook AS-805, Information Security. The security control officer (SCO), is responsible for both physical and personnel security. The SCO is not to be confused with the Corporate Information Security Office information systems security officer (ISSO).

883.2 Office of Inspector General

The Office of Inspector General (OIG) audits Postal Service information systems and performs developmental audits of automated systems, audits of operational and financial systems, and environmental audits. The OIG is also responsible for conducting criminal investigations of attacks on postal networks and computers.

89 Records Retention

891 Record Definition and Ownership

For information on record definition and ownership, see Handbook AS-353, Guide to Privacy and the Freedom of Information Act.

892 Records Control Schedules

For the retention periods for forms used at Post Offices, see Exhibit 892, Retention Periods for Post Office Forms. Keep records for the periods indicated and then dispose of them as specified in ASM 895.3.

893 Other Records

For information about the retention of other records, contact the manager, Records Office.

894 Extension of Retention Periods

Records should not be maintained for longer than the periods specified in Exhibit 892 or by the manager, Records Office. (See 893.) Retention periods may be extended in response to a court order or if the records are needed for a special use.

895 Protection

895.1 Safeguards

Appropriate safeguards, such as access restrictions, records controls, lockable cabinets, or lockable rooms, must be provided to protect records that include information needed to protect the Postal Service's interests, its employees, contractors, or the general public, and to ensure the security and privacy of records that include information about customers, employees, or other individuals.

895.2 Transfer and Storage

895.21 Requirement

Records no longer required for active reference but not yet eligible for destruction must be transferred by the cutoff period (e.g., period of time such as a quarter or fiscal year) to local storage or a Federal Records Center (FRC).

895.22 Local Storage

Transfer to local Postal Service storage must be accompanied by Form 773, Records Transmittal and Receipt.

895.23 Federal Records Centers

The following procedures apply with respect to transferring records to the FRCs:

a. Conditions. Forward to FRCs only:

(1) Records series approved by the National Archives and Records Administration (NARA) and having a remaining life of more than 1 year.

(2) Volumes of records consisting of 1 cubic foot or more. (The installation must keep quantities of less than 1 cubic foot and destroy them in-house when the retention period expires.)

b. Procedures. For procedures for sending employee personnel and medical records to the National Personnel Records Center (NPRC), contact the Postal Service Records Office. When shipping records to an FRC other than the National Personnel Records Center at St. Louis, Missouri, use the following procedures:

(1) Assemble records to be shipped and pack (to capacity) in 1 cubic foot boxes, obtained for this purpose from the General Services Administration. Prepare a box list, identifying the folders in each box, in duplicate. Insert one copy of the box list in the first box of the accession, to be shipped with the records, and retain one copy locally.

(2) Complete two copies of SF 135, Records Transmittal and Receipt. This form may obtained from the NARA Web site at http://www.archives.gov/ records_center_program/forms/sf_135_intro. html. Send both copies to the receiving FRC at least 2 weeks before the intended shipping date.

(3) FRC shows approval by returning one annotated copy of SF 135 to the requesting installation.

(4) Place a copy of SF 135 in the first box of the shipment and ship. Hold a copy in your office until FRC returns the receipted copy.

c. Location. See Exhibit 895, Federal Records Centers, for FRC addresses and areas served.

d. Retrieval. The installation from which the records were sent handles their retrieval. Requests for retrievals are made on Optional Form (OF) 11, Reference Request - Federal Records Centers. FEDSTRIP ordering offices order this form directly from GSA; non-FEDSTRIP ordering offices order this form from their supporting supply section or from their GSA Customer Supply Center. Retrievals are made at the FRCs by the accession number and the box location number recorded on the SF 135 when the records were approved for transfer.

Note: Records transferred to local or FRC storage remain under Postal Service control.

895.3 Disposal

895.31 Definition

Disposal is the permanent removal of records or information from Postal Service custody by the following methods:

a. Transferring to the National Archives.

b. Donating to the Smithsonian Institution, local museums, or historical societies.

c. Selling as waste material (see ASM 895.32).

d. Discarding.

e. Physically destroying.

895.32 Sale

Paper records whose retention periods have expired may be sold as waste paper, if they do not include personal or other information that cannot be disclosed to the general public (see Handbook AS-353). Those records must be destroyed. The contract for sale must prohibit the resale of the records as records or documents. Film or plastic records may be sold under the same conditions and in the same manner.

895.33 Destruction

Records that cannot be sold may be destroyed by shredding, pulping, or burning.

896 Micrographics

896.1 Definitions

896.11 Micrographics

Micrographics is a technology that reduces any form of information to a microform medium.

896.12 Microform

Microform is a generic term for any form, either film or paper, that contains microimages; a unit of information, such as a page of text or drawing, too small to be read without magnification.

896.2 Policy

Micrographics may be used for the following purposes, if the applications are supported by enough documentation to prove cost-effectiveness and provide maximum compatibility with other micrographic applications, systems, and equipment:

a. Preservation of deteriorating records.

b. Production of archival or intermediate records.

c. Duplication of information for dissemination to other locations.

d. Increased efficiency in searching records.

e. Greater security for sensitive records.

f. Reduction of paper record holdings or use of space.

896.3 Requirements

896.31 Legal

Federal statutes provide for the legality and admissibility of microforms that accurately reproduce or form a durable medium for reproducing the original record (28 U.S.C. 1732). To meet the requirements of these statutes, microform records must be produced in the regular course of business and be able to be satisfactorily identified and certified.

a. Original documents sometimes must be retained to resolve questions of document authenticity.

b. If the authenticity of documents having legal significance could be subject to question, obtain the advice of the chief field counsel (or for Headquarters organizations, the managing counsel, civil practice) before disposing of the original.

896.32 Archival

Only original silver halide microfilm has sufficient archival quality to be substituted for documents requiring permanent retention or to produce microforms of permanent retention value.

896.33 Maintenance and Disposal

Microforms are subject to all regulations on retention, disclosure, privacy, and security of Postal Service records and information.

Exhibit 81
References

Handbooks

AS-353, Guide to Privacy and the Freedom of Information Act

AS-508, Section 508

AS-802, Postal Computing Operations Standards

AS-805, Information Security

AS-805-A, Application Information Security Assurance (ISA) Process

AS-805-C, Information Security for General Users

AS-805-D, Information Security Network Connectivity Process

AS-805-G, Information Security for Mail Process Equipment/Mail Handling Equipment (MPE/MHE)

AS-812, Relational Database Management System (RDMS) Naming Standards and Guidelines

AS-820, Postal Computing Environment

EL-301, Guidelines for Processing Personnel Actions

RE-5, Building and Site Security Requirements

Management Instructions

MI-AS-810-2003-1, Information Technology Governance

MI-AS-860-2002-6, Obtaining and Evaluating Information Technology Software and Hardware Products for a Trial Period

MI-AS-850-2002-10, Information Technology Change and Configuration Management

MI-AS-860-2003-2, Data Stewardship: Data Sharing Roles and Responsibilities

MI-AS-840-2004-2, Electronic Messaging (e-mail)

MI-AS-860-2003-11, Securing Wireless Local Area Networks

Web Locations

http://blue.usps.gov/caweb/privacy/welcome.htm for privacy information

http://it.usps.gov for IT organization and services information

http://eir.usps.gov for the Postal Service Enterprise Information Repository

http://itk.usps.gov for the Postal Service Infrastructure Toolkit

http://it.usps.gov; click Support, then Corporate Information Security, then Corporate Information Security Organization for the Network Connectivity Review Board

http://ism for the Integrated Solutions Methodology

http://blue.usps.gov/cpim for Postal Service policies and procedures

http://eaccess.usps.gov for requesting computer access

http://it.usps.gov under "Resource Tool Box," select Forms and Templates, then Form 3037 for requesting new or changing existing telecommunications services

http://esla.usps.gov for a listing of Service Level Agreements

Exhibit 892
Retention Periods for Post Office Forms

Form/ Label No.	Title	Retention Period	Cutoff*
Label 11-A	Express Mail Post Office to Post Office Service	* 6 months	1
Label11-A	Corporate Accounts (Finance Copy)	1 year	1
Label 11-B	Express Mail Next Day Service Post Office to Addressee	*6 months	1
Label11-B	Corporate Accounts (Finance Copy)	1 year	1
Label 11-E	Express Mail Post Office to Post Office	*6 months	1
Label 11-F	Express Mail Post Office to Addressee	*6 months	1
blank	blank	blank	blank
OF 15	Government Property Sales Announcement and Poster Combined	Dispose of in not less than 1 year and not more than 2 years.	1
OF 16	Sales Slip - Sale of Government Personal Property	Dispose of in not less than 1 year and not more than 2 years.	1
OF 346	U.S. Government Motor Vehicle Operator's Identification (Card)	4 years	2
blank	blank	blank	blank
PS 4	Employee's City or County Withholding Certificate	Maintain on permanent (right-hand) side of the employee's personnel file.	blank
PS 4	If superseded	4 years	2
PS 7	Service Record	3 years	2
PS 296	Custody Receipt	Return to individual or destroy when accountability is terminated.	blank
PS 542	Inquiry About a Registered Article or an Insured Parcel or an Ordinary Article	2 years	3
PS 571	Discrepancy of $100 or More in Financial Responsibility	2 years	3
PS 697	Extension of City Delivery Service	2 years	blank
PS 773	Records Transmittal and Receipt	2 years	2
PS 961-A	Post Office Property Record	blank	blank
PS961-A	Interim	Destroy when updated/superseded or a subsequent review is completed.	blank
PS961-A	Permanent	Retain until equipment is transferred/disposed, then forward to the information service.	blank
PS 969	Material Recycling and Disposal	Dispose of in not less than 1 year and not more than 2 years.	1
PS 991	Application for Promotion or Assignment	2 years	2
PS 1000	Domestic Claim or Registered Mail Inquiry	3 years	3
PS 1017-A	Time Disallowance Record	3 years	1
PS 1017-B	Unauthorized Overtime Record	3 years	1
PS 1091-A	Post Office Box Fee Register (Note: If automated, delete customer record upon termination of service).	2 years	2
PS 1091-B	Register for Caller Service Fees (Note: If automated, delete customer record upon termination of service).	2 years	2
PS 1093	Application for Post Office Box or Caller Service	2 years	2
PS 1094	Request for Post Office Box Key or Lock Service	2 years	2
PS 1188	Cancellation of Organization Dues from Payroll Wi