Physical and Environmental Controls Site Security Review – Summary Report
Objective
Our objective was to identify and summarize the findings and recommendations in four issued area physical and environmental controls site security reports. The objective of those four audits was to determine whether the Postal Service established effective physical and environmental security controls at processing and distribution centers (P&DC). As part of this audit, we identified other P&DCs where data suggest similar risks and conditions may exist.
The Postal Service has 205 P&DCs nationwide, which range in interior size from about 46,500 square feet to about 1.3 million square feet and in age from one year to 83 years old. The Vulnerability Risk Assessment Tool (VRAT) is the application employees use to identify security risks and vulnerabilities at these facilities.
During fiscal years 2017 – 2019, the OIG conducted site security audits at P&DC facilities in four Postal Service areas: Pacific, Western, Capital Metro, and Northeast. These audits focused on physical and environmental controls that protect information technology (IT) and mail processing assets.
What the OIG Found
Overall the Postal Service has effective physical security and environmental protection over its IT assets for the four sites visited because it uses a defense-in-depth strategy employing multiple physical security controls. For example, a server room is protected by multiple layers of security to include: facility gates, guards, cameras, and a badge access reader. However, we identified specific controls that needed improvement, including [redacted]. These control weaknesses occurred because facility management did not review, update, and limit access to the four facilities; and management did not keep perimeter controls operational [redacted] such as propping doors. The Postal Service has implemented 23 of the 26 recommendations in the four security reports.
We identified similar control weaknesses at [redacted] of 205 P&DCs, as reported within VRAT reports and our analysis of access lists. We found that at the four facilities we visited, management [redacted] for the [redacted] P&DCs. In addition, we found indications at [redacted] P&DCs that designated [redacted] administrators [redacted] as required and as we found at the four facilities we visited. The Postal Service [redacted] to address VRAT deficiencies, and management did not [redacted].
When the Postal Service [redacted] the risk of unauthorized individuals gaining access to critical IT and mail processing systems that process, transfer, and store data vital for business operations increases.
What the OIG Recommended
We recommended the Postal Service:
- Develop and implement a [redacted] that requires management to follow-up on each physical security deficiency identified by the VRAT within a specified time frame.
- Revise the Administrative Support Manual 13 to describe the [redacted] in response to VRAT deficiencies, including management roles and responsibilities.
- Review [redacted] basis to remove unauthorized persons and limit access to secure areas to authorized employees only.
- Develop and review an exception report semiannually that would use data from [redacted] and the human resource system of record, which would flag employees who should not be authorized access to a designated facility.