An insider threat program helps an organization prevent, detect, and respond to the threat of an employee, contractor, or business partner misusing their trusted access to computer systems and data. Threats to the U.S. Postal Service include the theft and disclosure of sensitive, proprietary, or national security information, and the sabotage of its computer systems or data.
Executive Order 13587 and the National Insider Threat Policy mandate that federal agencies with access to national security information have a formal insider threat program. The guidelines outlined within the National Insider Threat Policy provide a framework of security principles and best practices that the Postal Service is required to follow.
Industry best practices recommend that organizations create an insider threat program to protect their sensitive, critical, and proprietary information. At a minimum, the program should include components such as organization-wide participation, standard operating procedures, and insider threat training and awareness.
The Postal Service is not an originator of national security information. A limited number of employees have access to national security systems and are custodians of national security electronic and hard copy information for the purposes of continuity of [redacted].
With regard to sensitive information, the Postal Service stores and secures this type of information, [redacted].
The U.S. Postal Inspection Service (USPIS) is responsible for developing, coordinating, and implementing an insider threat program to protect national security information, while the Corporate Information Security Office (CISO) is responsible for cybersecurity, ensuring the organization’s technologies, processes and digital assets are protected from improper access.
Our objective was to determine if the Postal Service has established and implemented an effective insider threat program in accordance with Postal Service policies and best practices.
What the OIG Found
The Postal Service has not fully established and implemented an insider threat program in accordance with Postal Service policies and best practices. Specifically, the USPIS has not implemented all of the minimum standards required by the National Insider Threat Policy for national security information. Also, the CISO has not fully established a program for protecting the Postal Service’s [redacted].
This occurred because the USPIS did not dedicate full-time resources and the CISO focused their efforts on [redacted] prior to establishing and implementing an insider threat program.
Without an implemented insider threat program, [redacted] as well as negatively impact the Postal Service brand.
We also found several physical security and access deficiencies at some of the locations that hold national security information. The identified physical security deficiencies included non-functioning closed-circuit television cameras, a broken video intercom, and a [redacted]. With the exception of one location, management corrected the deficiencies we identified. We also identified personnel who had access to these locations without the proper security clearance.
These deficiencies occurred due to a lack of coordination and communication between Information Technology, USPIS, and facilities management regarding physical security.
Without proper physical security controls in place, the Postal Service cannot deter and detect unauthorized entry and movement within locations. This could result in the theft of information.
What the OIG Recommended
We recommended that USPIS continue to develop and implement an insider threat program for national security information in accordance with the minimum standards outlined in the National Insider Threat Policy. We also recommended that the CISO formally establish and implement an organization-wide insider threat program for sensitive, critical, and proprietary information. Finally, management should coordinate to repair the security deficiencies we identified at the remaining location.