An effective asset management process actively manages all hardware devices on a network, so that only authorized devices have network access, and allows for quick response to security events. Asset management consists of maintaining inventory, tracking assets, and updating records.
The U.S. Postal Service Office of Inspector General’s (OIG) Information Technology (IT) Security Risk Model identified the Greater Boston District as the district with the highest risk for security events associated with information technology assets in Quarter 1, fiscal year 2014. Security events include adware, spyware, and computer viruses. If hardware affected by any of these events is not quickly physically located, postal operations may be disrupted. To respond effectively to security events, management must be able to physically locate assets. In 2014, the Greater Boston District managed about 12,000 information technology assets.
Our objective was to determine whether the Greater Boston District has an accurate inventory and processes to manage hardware assets connected to the Postal Service network.
What The OIG Found
Management does not have an accurate inventory of hardware assets connected to the Postal Service network. Specifically, management could not physically locate 49 of the 182 (27 percent) active systems sampled at the three facilities we visited. In addition, 33 network assets that we physically located (18 percent of our sample) had inaccurate and incomplete data in the Asset Inventory Management System. We also determined that the inventory list of sensitive property (such as laptops, computers, and switches) is not reconciled with physical assets.
These circumstances occurred primarily because the Postal Service does not have a process to effectively track all IT assets and enforce existing policy. We estimated about $3.9 million for incomplete data in the Asset Inventory Management System and assets potentially at risk. Management needs an accurate and complete inventory to physically locate and disconnect a compromised or unauthorized device attached to the Postal Service network.
What The OIG Recommended
We recommended the Postal Service implement validation controls in the Asset Inventory Management System application and procedures to verify that assets are authorized for connectivity before they are added to the system. We also recommended management implement a scheduled inventory verification process for sensitive property and complete plans to prevent unauthorized devices from gaining access to the network.