Our objective was to determine whether the U.S. Postal Service established and implemented effective environmental and physical security controls according to Postal Service policy at the [redacted] Processing and Distribution Center (P&DC).
The Postal Service has the mail processing resources, information technology (IT) network, and transportation infrastructure to deliver mail to every residential and business address in the country. These resources include facilities, equipment, and systems used to process, transfer, and store data, which are critical to business operations.
The [redacted] P&DC has [redacted] interior square feet and processes about 3.2 billion pieces of mail annually. In addition, the facility includes delivery functions, retail store, administrative offices, and a business mail entry unit (BMEU). We selected the [redacted] P&DC based on geographic location, facility size, the number of co-located functions, and overall risk.
What the OIG Found
While we did not identify any environmental control issues, we did find some physical security weaknesses at the [redacted] P&DC. We found that management did not review and update access to the facility and secure areas. For example, management did not remove access for separated employees and did not challenge an unidentified individual at the BMEU facility. Finally, we found broken locks on entrance doors and open unattended doors.
These issues occurred because facility managers were not aware of the requirement to review access lists semiannually and employees did not follow procedures for removing the facility access of separated employees. In addition, facility employees believed the individual worked in the mail processing plant and needed to use the BMEU facility. Finally, management was not aware of the broken locks and did not enforce the policy to secure entrance doors.
When Postal Service management does not review and update facility access, restrict access to critical areas, and secure doors, there is an increased risk of unauthorized individuals gaining access to critical IT and mail processing systems that are vital to business operations.
During the audit, management took corrective action by removing unnecessary access and conducting security briefings to remind employees of their physical security responsibilities such as challenging unidentified individuals and securing doors when not in use.
What the OIG Recommended
We recommended facility management review and update the current badge access list to allow only authorized personnel access to the facility and secure areas. In addition, we recommended management conduct and document semiannual reviews, communicate badge access procedures to Human Resource employees, remove access for separated individuals, and repair broken entrance door locks.