- CMMI Institute

Improving Security and Resilience
Capability of Postal and Transportation
Products and Services
Gregory Crabb
U.S. Postal Inspection Service
Julia H. Allen, Pamela D. Curtis, Dr. Nader Mehravari
Software Engineering Institute
Carnegie Mellon University
Notices
Copyright 2015 Carnegie Mellon University
This material is based upon work funded and supported by USPS under Contract No. FA8721-05-C-0003 with
Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and
development center sponsored by the United States Department of Defense.
NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE
MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO
WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT
LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS
OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY
WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT
INFRINGEMENT.
This material has been approved for public release and unlimited distribution.
This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic
form without requesting formal permission. Permission is required for any other use. Requests for permission
should be directed to the Software Engineering Institute at permission@sei.cmu.edu.
Capability Maturity Model®, Carnegie Mellon®, CERT®, CMM® and CMMI® are registered marks of Carnegie Mellon
University.
SCAMPISM
DM-0002224
© 2015 Carnegie Mellon University
2
Outline
Nomenclature
Players
Challenges
Objectives of the Collaboration
Tools in the Toolbox
Three Success Stories – Real Life Case Studies
1.
2.
3.
Assessing Organizational Capability – Physical Security
Creating Organizational Capability – Export Compliance Screening
Assessing Organizational Capability – Express Mail
Lessons Learned
Pointers to More Details
© 2015 Carnegie Mellon University
3
Nomenclature
(Security & Resilience)
© 2015 Carnegie Mellon University
4
Security
Protection of assets
•
•
•
•
•
People
Information
Technology
Facilities
Supply chain
Sample Requirements
•
•
•
•
•
Confidentiality
Integrity
Custody
Sanctity
Safety
© 2015 Carnegie Mellon University
Activities to
Keep Assets
from Harm
Managing the
Condition of
Risk
Ensuring Assets
Can Enable
Business
Mission
5
Resilience
An entity under operational stress,
while achieving its business mission.
© 2015 Carnegie Mellon University
6
Players
© 2015 Carnegie Mellon University
7
CMU – SEI – CERT Division
Software Engineering Institute (SEI)
•
Federally funded research and development center
based at Carnegie Mellon University
•
Basic and applied research in partnership with
government and private organizations
•
Helps organizations improve development,
operation, and management of software-intensive
and networked systems
CERT Division – Anticipating and solving
our nation’s cybersecurity challenges
© 2015 Carnegie Mellon University
•
Largest technical program at SEI
•
Focused on internet security, digital investigation,
secure systems, insider threat, operational
resilience, vulnerability analysis, network situational
awareness, and coordinated response
8
Cyber Risk and Resilience Management Team
Engaged in
• Applied research
• Education & training
• Putting into practice
• Enabling our federal, state, and commercial partners
In areas dealing with
• Maturity models
• Operational resilience
• Resilience management
• Operation risk management
• Cybersecurity maturity models
• Integration of cybersecurity, business continuity, & disaster recovery
© 2015 Carnegie Mellon University
9
U.S. Postal Service (USPS)
Delivers more mail to more addresses in a larger geographical
area than any other post in the world.
40% of the world’s mail volume handled by USPS
Over 600,000 employees
Over 200,000 vehicles
Overt $67 billion annual revenue
© 2015 Carnegie Mellon University
10
U.S. Postal Inspection Service (USPIS)
The law enforcement arm of the U.S. Postal Service (USPS)
The oldest origins of any federal law enforcement agency in
the United States, dating back to 1772
USPIS responsibilities include:
• Ensure safety of mail system from dangerous and illegal use
• Ensure safety of USPS employees and customers
• Protection of mail infrastructure
• Managing risk to revenue
© 2015 Carnegie Mellon University
11
Challenges
© 2015 Carnegie Mellon University
12
Stress on Postal and Transportation Sectors
© 2015 Carnegie Mellon University
13
Operational Stress – White Powder Incidents
© 2015 Carnegie Mellon University
14
Operational Stress – Fraudulent Postage
•
•
•
•
•
© 2015 Carnegie Mellon University
Short pay
Reused
Photoshopped
Counterfeit
Photocopied
15
Operational Stress – Natural Disasters
© 2015 Carnegie Mellon University
16
Operational Stress – Dangerous Goods
© 2015 Carnegie Mellon University
17
Operational Stress – Illegal Goods
© 2015 Carnegie Mellon University
18
Operational Stress - Terrorism
© 2015 Carnegie Mellon University
19
Operational Stress – Transportation Disruption
© 2015 Carnegie Mellon University
20
Objectives of the Collaboration
© 2015 Carnegie Mellon University
21
Objectives of Collaboration
Improving the operational capability and processes
associated with USPIS’s responsibilities while operating in an
ever dynamic risk environment.
• Ensure safety of mail system from dangerous and illegal use
• Ensure safety of USPS employees and customers
• Protection of mail infrastructure
• Managing risk to revenue
Improving the Security and Resilience Capability of Selected
United States Postal Service (USPS) Products and Services
© 2015 Carnegie Mellon University
22
Tools in the Toolbox
© 2015 Carnegie Mellon University
23
Tools in the Toolbox
SCAMPI-Like
Methods
CERT-RMM
Body of
Knowledge
Subject Matter
Expertise
•
•
•
•
•
Cybersecurity
Risk Management
IT Operations
Business Continuity
Disaster Recovery
© 2015 Carnegie Mellon University
Process Improvement
24
Three Success Stories
1. Assessing Organizational Capability – Physical Security
2. Creating Organizational Capability – Export Compliance Screening
3. Assessing Organizational Capability – Express Mail
© 2015 Carnegie Mellon University
25
Lightweight
Assessment
Instrument
Assessing Organizational Capability
Physical
Security
© 2015 Carnegie Mellon University
26
Objective
Development of a simple and lightweight
assessment method and associated field
instrument to identify gaps in the physical
security of international mail processing centers
and similar shipping and transportation
processing facilities against UPU physical
security standards.
© 2015 Carnegie Mellon University
27
Approach
UPU
Security
Standards
S58 and S59
Normalization
& Annotation
Reformatted UPU
Standards that Look
Like Process Areas,
Goals, & Practices
Lightweight
QuestionnaireBased Gap
Identification and
Assessment
Methodology and
Field Instrument
Evaluation
Method
Derived from
SCAMPI
Methodology
© 2015 Carnegie Mellon University
28
Three Phases of Assessment
Preparation
Onsite
Wrap-up
• Scheduling
• Interviews
• Report production
• Pre-assessment
questionnaire
• Observations
• Report delivery
• Initial site visit
• Logistics
-
Inspections
• Other paperwork
-
Document reviews
• Follow-up items
• Characterizations
-
Interpreter
• Ratings
-
Access
• Preliminary findings
-
Camera
permission
-
Prepare paperbased instrument
• Method and standard
improvement
requests
© 2015 Carnegie Mellon University
29
Stages of Assessment
Fully Implemented
Subsection
Characterization
Largely Implemented
Partially Implemented
Not Implemented
Not Applicable
Section Rating
Satisfied
Not Applicable
Not Satisfied
Overall Compliance
Determination
© 2015 Carnegie Mellon University
30
Example Output
Summary
assessment
output will be in
“heat map” form
as shown here
Subsections are
scored using
defined rules
and a 5-point
scale: Fully,
Largely,
Partially, or Not
Implemented or
Not Applicable
© 2015 Carnegie Mellon University
Sections are
scored using
defined rules
and a 3-point
scale: Satisfied,
Not Satisfied or
Not Applicable
31
Summary Results
1
8
16
Compliant
Not Applicable
© 2015 Carnegie Mellon University
Non-Compliant
32
Benefits
Repeatable
The method can be used consistently by different
independent teams in the same situation to acquire the
same results.
Cost effective
and scalable
The method is economical and functional for all locations,
regardless of size or capability.
Accurate
The method is evidence-based and derived from
international standards so that results can be relied upon by
the international community (e.g., UPU, International Civil
Aviation Organization, International Air Transport
Association, Transportation Security Administration, and
World Customs Organization).
Meaningful
The method generates results that can easily be acted on by
owners and operators of the assessed processing facilities.
Transparent
The method is publicly available and can be used for selfassessment.
© 2015 Carnegie Mellon University
33
Creating
Assessing Organizational Capability
Export
Compliance
Screening
© 2015 Carnegie Mellon University
34
Challenge
On a weekly basis, the U.S. Postal Service (USPS) processes
over one million packages destined to overseas locations.
All international shipments being sent from the United States
are subject to federal export laws.
Export compliance screening procedures are expensive and
time consuming, and can negatively affect the efficiency of
international mail delivery services.
© 2015 Carnegie Mellon University
35
Objectives
Reduce the incidence of mail shipments violating export
control laws, regulations, and standards.
Evaluate current processes and systems and identify actions
required to improve overall efficiency, effectiveness, and
accuracy
• Reducing delays in processing outbound parcels.
• Reducing excess labor costs and improve the efficiency of
resources used.
© 2015 Carnegie Mellon University
36
Approach
Use CERT-RMM to:
 Identify required or desired organizational functions

One or more process areas
 Determine how to implement chosen functions

Based on specific goals and specific practices
© 2015 Carnegie Mellon University
37
RMM Process Areas
AM
Access Management
MA
Measurement and Analysis
ADM
Asset Definition and Management
MON
Monitoring
COMM
Communications
OPF
Organizational Process Focus
COMP
Compliance
OPD
Organizational Process Definition
CTRL
Controls Management
OTA
Organizational Training & Awareness
EF
Enterprise Focus
PM
People Management
EC
Environmental Control
RRD
Resiliency Requirements Development
EXD
External Dependencies
RRM
Resiliency Requirements Management
FM
Financial Resource Management
RTSE
Resilient Technical Solution Engr.
HRM
Human Resource Management
RISK
Risk Management
ID
Identity Management
SC
Service Continuity
IMC
Incident Management & Control
TM
Technology Management
KIM
Knowledge & Information Mgmt
VAR
Vulnerability Analysis & Resolution
© 2015 Carnegie Mellon University
38
Organizational Functions
Functional Area
Human Resources
CERT-RMM Process Area(s)
HRM
Human Resource Management
COMP Compliance
Compliance Screening
CTRL Controls Management
MON
Monitoring
Physical Controls and Mail Security EC
Environmental Control
Communications
COMM Communications
Information Management
MA
Measurement and Analysis
Training
OTA
Organizational Training and Awareness
Incident Management
IMC
Incident Management and Control
MA
Measurement and Analysis
Measurement and Monitoring
MON
Monitoring
© 2015 Carnegie Mellon University
39
Implementing Each Function
Example: Compliance Screening
COMP:SG1.SP1
Establish a Compliance Plan
COMP:SG1.SP2
Establish a Compliance Program
COMP:SG1.SP3
Establish Compliance Guidelines and Standards
COMP:SG2.SP1
Identify Compliance Obligations
COMP:SG2.SP3
Establish Ownership for Meeting Obligations
COMP:SG3.SP1
Collect and Validate Compliance Data
© 2015 Carnegie Mellon University
40
Field Implementation
Post
Office
International
Service Center
(ISC)
Processing &
Distribution
Center (P&DC)
Induct Outbound
International Mail
& Packages
Intermediate
Processing
Centers
Review &
Screening
Dispatch Outbound
International Mail &
Packages
Flow of Electronic Data About Packages
Physical Package Movement
© 2015 Carnegie Mellon University
41
Benefits
There has been a reduction in delays associated with
processing outbound parcels.
There is increased efficiency in how staff and technology
resources are used.
There is increased accuracy in how parcels that require export
screening are identified.
There is reduced risk of dispatching parcels that violate export
control laws and/or that may be of interest to fellow law
enforcement agencies.
© 2015 Carnegie Mellon University
42
Assessing Organizational Capability
Express Mail
Products and
Services
© 2015 Carnegie Mellon University
43
CERT-RMM Focus on Assets
People
Facilities
Technology
Information
Supply Chain / Raw Material
© 2015 Carnegie Mellon University
44
When Expanded for Postal Sector
People
Facilities
Technology
Information
Mailpieces
Supply Chain / Raw Material
© 2015 Carnegie Mellon University
45
CERT-RMM with Mail-Specific Extension
AM
Access Management
MA
Measurement and Analysis
ADM
Asset Definition and Management
MD
Mail Delivery*
COMM
Communications
MI
Mail Induction*
COMP
Compliance
MON
Monitoring
CTRL
Controls Management
MRA
Mail Revenue Assurance*
DMT
Domestic Mail Transportation*
OPF
Organizational Process Focus
EF
Enterprise Focus
OPD
Organizational Process Definition
EC
Environmental Control
OTA
Organizational Training & Awareness
EXD
External Dependencies
PM
People Management
FM
Financial Resource Management
RRD
Resiliency Requirements Development
HRM
Human Resource Management
RRM
Resiliency Requirements Management
ID
Identity Management
RTSE
Resilient Technical Solution Engr.
IMC
Incident Management & Control
RISK
Risk Management
IMT
International Mail Transportation*
SC
Service Continuity
KIM
Knowledge & Information Mgmt
TM
Technology Management
VAR
Vulnerability Analysis & Resolution
* Indicates mail-specific process areas
© 2015 Carnegie Mellon University
46
Approach
CERT-RMM
with
Mail-Specific
Extensions
Class C
Appraisal in
Discovery
Mode
Headquarters and
Enterprise-Wide
Recommendations
Lightweight
QuestionnaireBased
Assessment
Instrument
Development
Evaluation
Method
Derived from
SCAMPI
Methodology
Conducted
once.
© 2015 Carnegie Mellon University
Improved Express
Mail Products and
Services
Appraisal
Outcomes
Deployment
of
Assessment
Instrument
into the Field
Recommendations
per Local Facility
Conducted
many times.
47
Lessons Learned
© 2015 Carnegie Mellon University
48
Lessons Learned
The tools and techniques are flexible enough to be applicable
to a wide range of domains and applications
Foundational elements can be expanded/tailored to arrive at
domain-specific tools and techniques
Structured process improvement concepts have become a
component of many new projects
© 2015 Carnegie Mellon University
49
More Details
http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=77277
http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=77265
http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=433528
Point of Contact:
Dr. Nader Mehravari
Cyber Risk and Resilience Management Team
Software Engineering Institute
Carnegie Mellon University
nmehravari@sei.cmu.edu
607-379-9556
http://www.cert.org/resilience/
© 2015 Carnegie Mellon University
50
Thank you for your attention…
© 2015 Carnegie Mellon University
51