The U.S. Postal Service has over 270 mail processing centers across the nation with more than 6,600 pieces of mail processing equipment that capture mailpiece images. The mail processing equipment maintains these images for between 4 seconds and 120 days depending on the type of processing equipment. These images enable the tracking of mailpieces from receipt to delivery.
The Postal Service has different types of facilities that process mail, such as the Merrifield, VA, Processing and Distribution Center. When mail processing machines are unable to read addresses on mailpieces, their images are forwarded to the Remote Encoding Center (REC) in Salt Lake City, UT.
The Postal Service uses one set of security standards for its administrative network, Handbook AS-805, Information Security (AS-805), and another for account management and password controls governing the mail processing infrastructure network, Handbook AS-805-G, Information Security for Mail Processing/Mail Handling Equipment (AS-805-G).
Our objective was to determine the effectiveness of access controls over mail imaging systems.
What The OIG Found
We found no issues with the established practice of mail image retention; however, management could improve access controls over systems that store mail images to ensure unauthorized users cannot access the images or other parts of the Postal Service network.
Engineering Systems management said they used AS-805-G to determine account management and password configuration criteria; however, they should have used the stricter standards of AS-805 because the six mail imaging systems we tested are connected to both the mail processing infrastructure and administrative networks. We identified the following instances where AS-805 was not followed:
- Thirteen shared administrative accounts allowed multiple users to use the same username and password to access three mail imaging systems.
- Eight active user accounts had administrative privileges on three systems that did not require passwords.
- Access to eight shared accounts with administrative privileges that had not been used in more than a year should have been terminated.
- Thirty-seven administrative accounts did not require password changes at least every 30 days and 11 non-administrative accounts did not require password changes at least every 90 days.
- Five active guest accounts were enabled without passwords.
- Engineering Systems and Corporate Information Security Office management did not conduct security documentation updates, known as business impact assessments, for 11 mail imaging systems.
Finally, during our visit to the REC, we observed that a maintenance employee left a laminated note card with administrator and user login credentials in the REC server room that another employee could have used to access eight pieces of mail imaging equipment. The REC manager acted promptly to remove the visible password list and notified the staff of the importance of securing this type of information. As a result, we are not making a recommendation on this issue.
During the last 4 years, Engineering Systems and Corporate Information Security Office management have updated business impact assessments for sensitive mail imaging systems but have not finished updating the non-sensitive documentation. They have no date for completion.
Without proper security and access controls, the Postal Service is at risk of unauthorized access and theft of data, including mail images.
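The account findings listed above map to checks that can be run over an account inventory. The following is an added example, not Postal Service or OIG code; the record fields, account names and sample data are constructed, and only the 30-day, 90-day and one-year thresholds come from the findings.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

# Thresholds taken from the findings above (days); everything else is assumed.
ADMIN_MAX_AGE, USER_MAX_AGE, STALE_DAYS = 30, 90, 365

@dataclass
class Account:
    name: str
    admin: bool
    enabled: bool
    guest: bool
    password_required: bool
    max_pw_age: Optional[int]   # forced-change interval; None = never expires
    users: Tuple[str, ...]      # people who share the credentials
    last_used: date

def audit(acct: Account, today: date) -> list:
    """Return the finding labels that apply to one account."""
    if not acct.enabled:
        return []
    findings = []
    if len(acct.users) > 1:
        findings.append("shared-admin" if acct.admin else "shared")
    if not acct.password_required:
        findings.append("guest-no-password" if acct.guest else "no-password")
    limit = ADMIN_MAX_AGE if acct.admin else USER_MAX_AGE
    if acct.password_required and (acct.max_pw_age is None or acct.max_pw_age > limit):
        findings.append(f"password-change-over-{limit}d")
    if (today - acct.last_used).days > STALE_DAYS:
        findings.append("unused-over-1y")
    return findings

TODAY = date(2024, 1, 15)  # constructed audit date
INVENTORY = [              # constructed sample records
    Account("svc_admin", True, True, False, True, None, ("op1", "op2", "op3"), date(2022, 11, 1)),
    Account("maint", True, True, False, False, None, ("tech1",), date(2024, 1, 10)),
    Account("guest", False, True, True, False, None, (), date(2024, 1, 2)),
    Account("clerk7", False, True, False, True, 180, ("clerk7",), date(2024, 1, 12)),
    Account("eng2", True, True, False, True, 30, ("eng2",), date(2024, 1, 14)),
]

def run(inventory=INVENTORY, today=TODAY) -> dict:
    return {a.name: audit(a, today) for a in inventory}

if __name__ == "__main__":
    for name, found in run().items():
        print(name, "->", ", ".join(found) or "ok")
```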
What The OIG Recommended
We recommended management, in accordance with Handbook AS-805, update account management, revise password settings for mail imaging systems, and establish a plan to ensure the required business impact assessments comply with Postal Service standards.