Controls Over Retired Business Applications
Objective
Our objective was to assess the effectiveness of the Postal Service’s business application retirement process.
The Postal Service uses a vast network of systems to collect, process, transport, and deliver nearly half of the world’s mail. The majority of these systems are classified as business applications because they support essential business functions, such as mail processing and delivery. To improve business operations and reduce cyber risk, the Postal Service invests in new and innovative applications and retires those that are outdated and no longer supported.
We reviewed 13 of the 28 business applications retired during fiscal years (FY) 2018-2020 to determine if they followed requirements for application retirement. We also reviewed the new system retirement process implemented during our audit to evaluate whether it aligned with best practices. Additionally, to determine the effectiveness of the new process, we reviewed the two business applications currently in the retirement phase for FY 2021.
Finding
The Postal Service did not have effective controls in place to ensure applications were retired and secured according to internal policy.
We found the Postal Service did not retire applications and remove their components from the network as required by policy and as defined by their retirement process. Specifically, we identified 10 of 13 retired business applications (77 percent) for which system documentation was incomplete and hardware and user accounts were still active on the network.
Further, the Corporate Information Security Office conducts weekly security reviews to identify vulnerabilities on the network. During these weekly reviews, they identified security risks such as administrative accounts and servers associated with retired applications on the network. The Information Security Office then selected a sample of 125 of the total 4,336 retired applications within the application management database and found that all had active components on the network. In May 2020, the Information Security Office presented this data to the Information Technology (IT) Performance Achievement group for remediation. As of April 2021, the Information Security Office identified active components on the network for the remaining 4,211 applications. However, the IT Performance Achievement group has not developed a plan to review and remove the identified retired application components.
This occurred because the IT Performance Achievement group did not prioritize removal of retired application components from the network.
In January 2021, the Postal Service implemented a new system retirement process that aligned with best practices. However, we found the process did not include effective controls to ensure retirement tasks are completed by their due dates. Specifically, of the two applications in the retirement phase, one application exceeded its due date by 31 days with about 57 percent of the tasks being incomplete. This occurred because the new process did not include steps to follow-up with task owners to ensure they were completing tasks by the due dates.
Retired applications with active components remaining on the network increases the risk that a threat actor could exploit vulnerabilities and gain access to Postal Service systems and sensitive data.
During our audit, the IT Performance Achievement group implemented a formal process to ensure completion of retirement tasks by their due dates. The new process started in April 2021 and includes weekly meetings with all stakeholders, weekly reports with updates on tasks statuses and due dates, and coordination with task owners to prepare timelines to avoid missed deadlines.
Recommendation
We recommended management develop a formal plan with target dates to review and remove active components for all applications retired before January 2021.