No downtime for USPS managers

Editor's Note: This story was updated Dec. 7 at 11:30 a.m. The original story stated that USPS faced challenges in issuing mandatory electronic ID cards to 1 million employees and contractors. It also incorrectly stated that the agency budgeted $135 million for information security in fiscal 2005. This story was updated again Dec. 8 at 10:37 a.m. to reflect that the cards will initially go to 40,000 employees and contractors, not 40 million.

U.S. Postal Service managers won industry honors in 2005 for their information security and privacy practices. Now they face new security challenges in issuing mandatory electronic identity cards initially to about 40,000 employees and contractors and improving the postal agency’s business continuity and disaster recovery procedures.

Both are tall orders, said Peter Myo Khin, USPS’ manager of corporate information security.

Issuing secure identity credentials will become mandatory by Oct. 27, 2006, under Homeland Security Presidential Directive-12. Myo Khin said complying with HSPD-12 will be expensive for USPS, especially complying with its mandatory clearance process before issuing computer-readable identity cards.

The Postal Inspection Service, USPS’ investigative agency, is working with Office of Management and Budget officials to resolve differences about clearance standards. “We’re working with OMB to see what we can do,” Myo Khin said. “They’ve given us an extension.”

Meanwhile, USPS has set up an internal public-key infrastructure for issuing HSPD-12 credentials and is seeking to certify its interoperability with the federal PKI bridge. “We hope to be certified before the end of the year,” Myo Khin said.

USPS officials are still discussing HSPD-12 with the agency’s labor unions as they try to meet OMB’s deadlines. “We have our human resources and labor groups looking at the various policies to see what we can force our employees to go through,” Myo Khin said.

USPS has other security challenges. Business continuity and disaster recovery procedures are a high priority, said Jeannie Thomas, USPS’ manager of business continuance management. “We went through 76 exercises in the last six months to ensure that the plans were valid.”

USPS is also making significant technology investments in upgrading its two data centers. In a disaster, the agency could fully restore each data center almost immediately. That capability will be in place by April 2006, said Joseph Gabris, USPS’ manager of IT computing services. The alternative is restore each application individually, which is too complex and less reliable, he said.

USPS made strides in getting ahead of viruses and hackers when it installed Internet Security Systems’ attack prevention tools on all of its desktop PCs, servers and network devices, Myo Khin said. The ISS tools identify and block malicious code exploits of known vulnerabilities such as buffer overflows in software applications. “Since we took that prevention route, we’ve had no major virus issues,” he said.

Prabhat Agarwal, manager of Input’s information security analysis service, said information security is one of USPS’ top spending priorities. The agency budgeted $8 million for information security in fiscal 2005. “They take security very seriously,” he said.