The U.S. Postal Service’s Office of Address Management provides value-added products and services that enable business customers to better manage the quality of their mailing lists while maximizing the Postal Service’s ability to deliver mail as addressed.
The Office of Address Management’s seven address management products generated revenue totaling $14.3 million in fiscal year 2015. We evaluated six of the seven products. (The seventh product was recently reviewed in a separate audit.) For these products, the Postal Service executed 421 licenses to customers.
Customers that license address management products containing sensitive or critical data are subject to site security reviews to evaluate the physical security of the data. These reviews evaluate physical security controls to protect Postal Service information such as facilities, personnel, hardware, and software. According to Postal Service policy, site security reviews must be conducted at least every 3 years but can be conducted at any time.
Our objectives were to determine whether the Postal Service monitors licensee compliance with address management licensing agreements and evaluate whether these agreements adequately protect the Postal Service’s interests.
What The OIG Found
The Postal Service did not adequately monitor licensee compliance with five of the six address management licensing products reviewed. Additionally, although licensing agreements protected the Postal Service’s intellectual property and ability to take legal action, it could improve the language of the agreement template to better protect its interests. The Postal Service did not conduct site security reviews at any of the licensees’ locations for the five products that required them.
Management considered the reviews unnecessary because Postal Service data were encrypted; however, encryption does not eliminate all security risks. Inadequate physical security controls could affect the confidentiality, integrity, and availability of Postal Service assets and increase the risk of unauthorized use of address management information.
Also, the licensing agreement templates for all six address management products needed updating to ensure the agreements were accurate and protected the Postal Service’s interests. The templates contained outdated or inconsistent provisions, such as references to old policies and governing law. The Postal Service did not periodically evaluate and update licensing agreement language and only updated the templates to reflect price changes.
Without updated and consistent provisions, there is an increased risk that licensees may misinterpret requirements, resulting in unnecessary expenditures of time and money if the Postal Service needs to enforce provisions within the agreements. The Postal Service was unable to provide us any documentation to support that it had ever enforced an agreement.
Finally, during our fieldwork, we identified issues with the maintenance of credit card payment data for address management products. We addressed these concerns in a separate management alert.
What The OIG Recommended
We recommended that management conduct required site security reviews of address management licensees and periodically evaluate licensing agreement templates to determine if provisions are up to date, include consistent language, and adequately protect Postal Service interests.