Information Storage Security
Background
The U.S. Postal Service Information Technology, Computer Operations, Data Management Services group manages a storage environment. This environment supports 230 systems and applications containing various categories of data, such as personal employee information, which have different protection requirements that reflect their level of sensitivity. The Postal Service spends about $30 million annually on storage components.
The Data Management Services group includes two storage teams – Storage Deployment and Architecture – which manage storage-based hardware in the non-mainframe environment.
Postal Service storage environments were never subject to security reviews or audits. Our objective was to assess the security of information storage environments managed by this group.
WHAT THE OIG FOUND:
The Data Management Services group did not manage the storage environment in accordance with Postal Service security requirements because its managers did not provide adequate oversight of the storage teams. They did not, for example, conduct periodic employee access reviews. The absence of proper security practices and training increases the likelihood of an adverse impact on Postal Service operations, such as an outage of a customer-dependent system.
In addition, the Corporate Information Security Office did not provide guidance for storage environments as it has for operating systems, databases, and telecommunication security. Establishing minimum security expectations for storage environments can reduce the likelihood of critical system and application outages throughout Postal Service operations.
WHAT THE OIG RECOMMENDED:
We recommended management establish operating procedures and security requirements and improve oversight of storage environments. We recommended management also ensure personnel are trained to maintain storage skills. In addition, we recommended management develop a schedule to bring the storage environment into compliance with established requirements. Finally, we recommended the Corporate Information Security Office establish security requirements for storage environments.