Mar 27, 2014
Report Number: IT-AR-14-004
Report Type: Audit Reports
Category: Security

Information Storage Security

Background

The U.S. Postal Service Information Technology, Computer Operations, Data Management Services group manages a storage environment. This environment supports 230 systems and applications containing various categories of data, such as personal employee information, which have different protection requirements that reflect their level of sensitivity. The Postal Service spends about $30 million annually on storage components.

The Data Management Services group includes two storage teams – Storage Deployment and Architecture – which manage storage-based hardware in the non-mainframe environment. 

Postal Service storage environments were never subject to security reviews or audits. Our objective was to assess the security of information storage environments managed by this group.

WHAT THE OIG FOUND:

The Data Management Services group did not manage the storage environment in accordance with Postal Service security requirements because its managers did not provide adequate oversight of the storage teams. They did not, for example, conduct periodic employee access reviews. The absence of proper security practices and training increases the likelihood of an adverse impact on Postal Service operations, such as an outage of a customer-dependent system.

In addition, the Corporate Information Security Office did not provide guidance for storage environments as it has for operating systems, databases, and telecommunication security. Establishing minimum security expectations for storage environments can reduce the likelihood of critical system and application outages throughout Postal Service operations.

WHAT THE OIG RECOMMENDED:

We recommended management establish operating procedures and security requirements and improve oversight of storage environments. We recommended management also ensure personnel are trained to maintain storage skills. In addition, we recommended management develop a schedule to bring the storage environment into compliance with established requirements. Finally, we recommended the Corporate Information Security Office establish security requirements for storage environments.

Report Recommendations

| # | Recommendation | Status | Value | Initial Management Response | USPS Proposed Resolution | OIG Response | Final Resolution |
|---|---|---|---|---|---|---|---|
| 1 | R - 1 -- Ensure Data Management Services management provides security operating procedures, periodic reviews, and oversight for the storage teams as required by Handbook AS-805, Information Security. | Closed | $0 | Agree | | | |
| 2 | R - 2 -- Ensure the vendor for the storage contract provides periodic training to personnel to maintain storage group knowledge and skills with vendor products and management tools. | Closed | $0 | Agree | | | |
| 3 | R - 3 -- Evaluate the storage environment managed by Data Management Services against Handbook AS-805, Information Security, security requirements and develop a schedule to bring the environment into compliance. | Closed | $0 | Agree | | | |
| 4 | R - 4 -- Establish minimum security requirements for storage devices in Postal Service environments based on industry best practices. | Closed | $0 | Agree | | | |
| 5 | R - 5 -- Specifically address storage devices and storage environment security requirements within Handbook AS-805, Information Security, to reflect the significance of these infrastructure components. This should include guidance on consistent use of production and non-production designations among storage teams and application owners. | Closed | $0 | Agree | | | |