
Information Security Services

Confidentiality is the security property that ensures that information is not made available or disclosed to unauthorized individuals, entities, or processes. Information resources must have the capability to ensure that information is transmitted and stored in a way such that only authorized users are allowed access. Confidentiality is maintained through comprehensive and interrelated efforts that include, but are not limited to, the following:

c. Physical security.

d. Authentication of users.

e. Encryption.

9-7.1

Encryption

Encryption is the primary means for providing confidentiality services for information that is stored or sent over the network, intranet, and Internet. Information resources that store, process, or transmit sensitive-enhanced or sensitive information must have the capability to encrypt that information.

9-7.1.1

Minimum Encryption Standards

The minimum encryption standard for the Postal Service is the Advanced Encryption Standard (AES) with a 256-bit encryption key. New implementations must meet the minimum standard. Legacy systems must have plans for moving to the minimum encryption standard; the timeline for doing so is based on feasibility (technical capability, business plan for upgrade or retirement, etc.), identification of a published exploit against the implemented encryption algorithm, and the associated risk to the Postal Service.

9-7.1.2

Required for Transmission and Storage

Information resources storing, processing, or transmitting sensitive-enhanced or sensitive information must implement encryption based on Postal Service encryption and key recovery policies. Encryption must be used for sensitive-enhanced and sensitive information that is transmitted across networks or in transit between [1] an application or batch server and a database server and [2] workstations and a database server. Encryption must be used for sensitive-enhanced and sensitive information stored or archived on fixed and removable devices or media (e.g., disks, diskettes, CDs, and USB storage devices).

Encryption must also be used for sensitive-enhanced and sensitive information that is stored off Postal Service premises.

Encryption must be used for nonpublicly available electronic information in transit or stored off Postal Service premises.

Encryption must be used for payment card industry (PCI) information throughout the life cycle. Unencrypted primary account numbers (PANs) must not be sent via end user messaging technologies.

9-7.1.3

Recommended for Storage on Postal Service Servers and Mainframes

Where technically feasible, encrypt sensitive-enhanced and sensitive information stored on Postal Service nonremovable devices.

9-7.1.4

Required for Workstations and Laptops

9-7.2

Use of Encryption Products

Encryption products must comply with requirements including, but not limited to, the following:

a. Information resources using encryption must use only algorithms and standard encryption products that are approved by the Postal Service and meet federal information processing standards and industry best practices. Use of locally generated, self-signed digital certificates is prohibited.

b. All encryption products must support the functionality of, and integrate with, security content-filtering applications, or make encryption keys available to management. Any use of encryption without such technology must be approved in writing by the CISO.

9-7.3

Key Management

Key management is the generation, recording, transcription, distribution, installation, storage, changing, disposition, and control of cryptographic keys. Key management must be rigorous and disciplined because attacks against encryption keys are far more likely to occur and succeed than attacks against encryption algorithms.

9-7.3.1

Protecting Encryption Keys

Encryption keys must be treated as sensitive-enhanced information, and access to those keys must be restricted on a need-to-know basis. The following principles apply to the protection and access of encryption keys:

a. If keying material is generated and stored, the information resource must provide secure key storage that is resistant to compromise through a logical or physical attack.

b. If hardware-based key generation and storage is used, the key must be stored in such a way that it cannot be retrieved in clear text.

9-7.3.2

Recommended Key Management Practices

The best way to mitigate the risk of keys being attacked is to store them in hardware on a secure physical device. Postal Service information resources should adhere to key management procedures and practices that include, but are not limited to, the following:

a. Generate strong keys.

b. Key management should be fully automated and not require manual steps.

c. Generate and store all keys in hardware.

d. Never remove keys from the hardware and never store them in the host’s memory.


9-7.3.3

Key Management Requirements

Information resources must comply with key management requirements including, but not limited to, the following:

a. If the information resource supports key recovery, then access to the key must be restricted to authorized personnel.

b. The information resource must have the capability to enforce the immediate revocation of user accounts and the associated key(s).

c. Encryption keys must not appear in clear text outside a cryptographic device.

d. Split knowledge of keys must be implemented.

e. Dual control of keys must be established.

f. Secure key distribution and storage must be implemented.

g. Unauthorized substitution of keys must be prevented.

h. Keys must be changed periodically (at least annually) and whenever anyone with knowledge of a portion of a key changes position, transfers, or is terminated.

i. Known or suspected compromised keys must be replaced.

j. Old or invalid keys must be revoked.

k. Old keys must be archived and destroyed as applicable.

l. Key custodians must sign a form stating they understand and accept their key-custodian responsibilities.

m. Keys must not be sent in the same email as the encrypted file.
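Requirements c, d and e above (no clear-text key outside a cryptographic device, split knowledge, dual control) fit together in a key-loading ceremony. The following Python is an added example written for this page, not Postal Service code: a 256-bit key is generated as independent random components so that no single custodian holds the key (split knowledge), the key cannot be formed until every required custodian has entered a component (dual control), and the "cryptographic device" is modelled as a class that uses the key but never returns it. The custodian names, the KeyCeremony class, and the 3-byte hash-based check value are illustrative assumptions; real HSMs usually compute the check value by encrypting a zero block with the key instead.

```python
"""Split knowledge and dual control for a 256-bit symmetric key.

Added example, not Postal Service code.  Custodian names, the KeyCeremony
class and the hash-based check value are illustrative choices.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

KEY_LEN = 32  # 256-bit key, the handbook's minimum for AES


def generate_components(n_custodians: int, key_len: int = KEY_LEN) -> list[bytes]:
    """One uniformly random component per custodian (split knowledge).

    The working key is the XOR of all components.  Any proper subset of
    them is statistically independent of the key, so a custodian who holds
    one component (or even all but one) learns nothing about the key.
    """
    if n_custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    return [secrets.token_bytes(key_len) for _ in range(n_custodians)]


def xor_components(components: list[bytes]) -> bytes:
    """Reconstitute the key from the complete set of components."""
    if not components:
        raise ValueError("no components supplied")
    length = len(components[0])
    if any(len(c) != length for c in components):
        raise ValueError("all components must have the same length")
    key = bytearray(length)
    for comp in components:
        for i, b in enumerate(comp):
            key[i] ^= b
    return bytes(key)


def key_check_value(key: bytes) -> str:
    """Short fingerprint to confirm the right key was loaded without exposing
    it: first 3 bytes of SHA-256 over the key (assumed simplification)."""
    return hashlib.sha256(key).hexdigest()[:6]


class KeyCeremony:
    """Stands in for the cryptographic-device boundary of requirement c:
    the key exists in clear only inside this object and is never returned."""

    def __init__(self, required_custodians: int):
        self.required = required_custodians
        self._entered: dict[str, bytes] = {}
        self._key: bytes | None = None

    def enter_component(self, custodian: str, component: bytes) -> None:
        """Each custodian enters only their own component, once."""
        if custodian in self._entered:
            raise ValueError(f"{custodian} already entered a component")
        self._entered[custodian] = component

    def load(self) -> str:
        """Dual control: refuse to form the key until every required
        custodian has participated.  Returns the check value, not the key."""
        if len(self._entered) < self.required:
            raise PermissionError(
                f"dual control: {self.required} custodians required, "
                f"{len(self._entered)} present")
        self._key = xor_components(list(self._entered.values()))
        self._entered.clear()  # components are not retained after loading
        return key_check_value(self._key)

    def mac(self, message: bytes) -> str:
        """Use the key (HMAC-SHA256 here) without ever exporting it."""
        if self._key is None:
            raise RuntimeError("no key loaded")
        return hmac.new(self._key, message, hashlib.sha256).hexdigest()

    def zeroize(self) -> None:
        """Retire the key (requirements i and j): clear it so it cannot be used."""
        self._key = None


if __name__ == "__main__":
    parts = generate_components(3)
    ceremony = KeyCeremony(required_custodians=3)
    for name, part in zip(("custodian-1", "custodian-2", "custodian-3"), parts):
        ceremony.enter_component(name, part)
    print("key check value:", ceremony.load())
    print("HMAC over sample data:", ceremony.mac(b"sample record"))
```

The XOR construction is what makes split knowledge hold in the strict sense: because every component is uniform, any set of components short of the full set is itself uniformly random and carries no information about the key, unlike, say, splitting the key bytes into halves. Dual control is enforced procedurally by `load()`, and the only things that ever leave the object are the check value and results computed under the key.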

9-7.4

Cryptographic Hash Function

A cryptographic hash function is an algorithm that takes an arbitrary block of data and returns a fixed-size bit string, the hash value, such that any change to the data (accidental or intentional) will, with very high probability, change the hash value. The data to be hashed is often called the “message,” and the hash value is sometimes called the message digest. The ideal cryptographic hash function must have the following significant properties:

a. It is easy to compute the hash value for any given message.

b. It is infeasible to generate a message that has a given hash (preimage resistance).

c. It is infeasible to modify a message without changing the hash (second-preimage resistance).

d. It is infeasible to find two different messages with the same hash (collision resistance).

The Postal Service cryptographic hash standard is SHA-2 (SHA-256). In addition it is recommended that:

a. A salt value is always used with the hash. This is especially important if the sensitive data to be protected is short, like a password, Social Security number, or payment card number.

b. A weak salt value is never used when creating a hash. For example, do not use a value that is easy to guess or to discover from other sources. Use a random number generated by a cryptographically secure software library or a hardware security module (HSM).
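To show why recommendation a matters for short values, and what recommendation b means in practice, the following Python is an added example written for this page, not Postal Service code. It hashes a value under a 16-byte salt from the operating system's cryptographically secure generator, verifies it in constant time, and then runs the attack salting defeats: an unsalted SHA-256 of a 4-digit PIN is recovered instantly from a precomputed table of all 10,000 PINs, while the salted hash of the same PIN does not appear in the table. The PIN space, the SSN-shaped sample value, the 16-byte salt length, and the PBKDF2 iteration count are constructed assumptions; the `password_hash` function is the editor's recommendation for passwords specifically (an iterated SHA-256 construction) and is not stated in the handbook.

```python
"""Salted SHA-256 for short sensitive values, and the precomputation attack it blocks.

Added example, not Postal Service code.  The 4-digit PIN space, the 16-byte
salt length and the PBKDF2 iteration count are illustrative choices.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

SALT_LEN = 16  # 128-bit salt from the OS CSPRNG (recommendation b: never a guessable value)


def salted_sha256(value: bytes, salt: bytes | None = None) -> tuple[bytes, str]:
    """Hash `value` under a fresh random salt.  Returns (salt, hex digest);
    the salt is stored next to the digest, it is not a secret."""
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)
    return salt, hashlib.sha256(salt + value).hexdigest()


def verify_salted(value: bytes, salt: bytes, expected_hex: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_sha256(value, salt)[1], expected_hex)


def password_hash(password: str, salt: bytes | None = None,
                  iterations: int = 600_000) -> tuple[bytes, str]:
    """Editor's recommendation for passwords (not in the handbook): a single
    SHA-256 is too fast to slow down guessing, so iterate it.  PBKDF2-HMAC-SHA256
    keeps SHA-256 underneath while making every guess cost `iterations` hashes."""
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, derived.hex()


def precomputed_table(space) -> dict[str, bytes]:
    """What an attacker builds once against unsalted hashes of a small value
    space: digest -> plaintext, reusable against every record."""
    return {hashlib.sha256(v).hexdigest(): v for v in space}


def demo_short_value_attack(secret: bytes = b"4821"):
    """Unsalted hash of a 4-digit PIN is found in the attacker's table;
    the salted hash of the same PIN is not.  Returns (unsalted_hit, salted_hit)."""
    pin_space = [f"{i:04d}".encode() for i in range(10_000)]  # constructed space
    table = precomputed_table(pin_space)
    unsalted = hashlib.sha256(secret).hexdigest()
    _, salted = salted_sha256(secret)
    return table.get(unsalted), table.get(salted)


if __name__ == "__main__":
    print(demo_short_value_attack())  # (b'4821', None)
    salt, digest = salted_sha256(b"123-45-6789")  # constructed SSN-shaped value
    print(verify_salted(b"123-45-6789", salt, digest))
```

One caveat a practitioner should keep in mind: the salt defeats a shared, precomputed table, but an attacker who obtains a record's salt can still enumerate a tiny value space (10,000 PINs) per record at SHA-256 speed. For such inputs the hash also needs to be slow (the iterated `password_hash` above) or keyed with a secret that never leaves an HSM.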

9-7.5

Elimination of Residual Data

The information resource must have the capability to ensure that there is no residual data exposed to unauthorized users.
