The U.S. Postal Service manages access to information resources using multiple types of accounts, including privileged accounts. Privileged accounts are those with higher levels of rights, such as account creation, update, and deletion, or full application functionality. The Postal Service uses both automated and manual processes to manage account access and authorization to information resources. Proper management and monitoring of privileged accounts are important to ensure information is secure and that systems and data are not modified without authorization.
Our objective was to determine if the Postal Service is effectively managing privileged accounts in accordance with Postal Service policies and best practices.
What the OIG Found
The Postal Service is not effectively managing all privileged accounts in accordance with its policies and best practices. Specifically, the Postal Service has not developed adequate guidance and controls to identify and manage privileged accounts. The [redacted] allows for the identification of privileged accounts; however, we found that the Postal Service only used this feature for [redacted] systems. As a result, management could not identify all privileged accounts throughout the Postal Service.
We reviewed accounts for three systems that did not use the privileged identifier field in eAccess to determine if controls over privileged accounts existed within each system. We found that [redacted] percent of the users for these three systems did not have proper authorization for privileged accounts and [redacted] percent of the users did not have the appropriate security clearance. Also, users did not always [redacted], as required by Postal Service policy.
Management also does not adequately monitor privileged account activity. The owners and administrators of the three systems we reviewed, as well as the Corporate Information Security Office, are not maintaining system and audit logs or tracking privileged users’ last logons to monitor user activity, as required by Postal Service policy. We also found the Postal Service does not have a comprehensive training program for all privileged users to ensure they understand their roles, responsibilities, and the risks associated with their elevated privileges.
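The controls the findings above describe (a privileged identifier set in the access system, an approved authorization request, a security clearance on file, and tracked last logons) can be checked mechanically once an account inventory exists. The following is an added example, not code from the OIG or from any Postal Service system, that reconciles a constructed inventory against those four controls and reports the same kinds of exceptions the audit found. The record layout, field names such as privileged_flag and authorization_on_file, the role-to-privilege mapping, and the 90-day idle threshold are all assumptions for illustration, not eAccess fields or Postal Service policy values.

```python
"""Reconcile a privileged-account inventory against four controls:
privileged flag set, authorization on file, clearance on file, recent logon.

Added example; records and field names are constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed inventory: one row per account on a system. 'role' is what the
# account can actually do; 'privileged_flag' is whether the access system marks
# it as privileged. The audit found the flag was set on only some systems, so
# the two can disagree.
ACCOUNTS = [
    {"user": "alice", "system": "SYS-A", "role": "admin", "privileged_flag": True,
     "authorization_on_file": True, "clearance": "sensitive", "last_logon": "2023-05-01"},
    {"user": "bob", "system": "SYS-B", "role": "admin", "privileged_flag": False,
     "authorization_on_file": False, "clearance": "sensitive", "last_logon": "2023-04-20"},
    {"user": "carol", "system": "SYS-B", "role": "dba", "privileged_flag": False,
     "authorization_on_file": True, "clearance": None, "last_logon": None},
    {"user": "dave", "system": "SYS-C", "role": "user", "privileged_flag": False,
     "authorization_on_file": True, "clearance": None, "last_logon": "2023-05-10"},
    {"user": "erin", "system": "SYS-C", "role": "admin", "privileged_flag": True,
     "authorization_on_file": True, "clearance": "sensitive", "last_logon": "2022-11-01"},
]

# Assumed mapping: which roles grant elevated rights. In practice this comes
# from each system owner's definition of privilege, not from the flag.
PRIVILEGED_ROLES = {"admin", "dba"}


def privileged_accounts(accounts):
    """Accounts that are privileged by what they can do, ignoring the flag."""
    return [a for a in accounts if a["role"] in PRIVILEGED_ROLES]


def unflagged_privileged(accounts):
    """Privileged accounts the access system does not identify as privileged."""
    return sorted(a["user"] for a in privileged_accounts(accounts)
                  if not a["privileged_flag"])


def missing_authorization(accounts):
    """Privileged accounts granted without an approved access request."""
    return sorted(a["user"] for a in privileged_accounts(accounts)
                  if not a["authorization_on_file"])


def missing_clearance(accounts):
    """Privileged accounts held by users with no security clearance on file."""
    return sorted(a["user"] for a in privileged_accounts(accounts)
                  if not a["clearance"])


def stale_or_never_logged_on(accounts, as_of, max_idle_days=90):
    """Privileged accounts with no logon within max_idle_days of as_of.

    Never-used accounts are reported too: they are the easiest to miss when
    last-logon data is not tracked at all.
    """
    cutoff = as_of - timedelta(days=max_idle_days)
    flagged = []
    for a in privileged_accounts(accounts):
        last = a["last_logon"]
        if last is None or datetime.strptime(last, "%Y-%m-%d") < cutoff:
            flagged.append(a["user"])
    return sorted(flagged)


def percent_of_privileged(subset, accounts):
    """Share of privileged accounts in subset, as the audit reports it."""
    total = len(privileged_accounts(accounts))
    return round(100.0 * len(subset) / total, 1) if total else 0.0


def reconcile(accounts, as_of):
    """Run all four checks and return the exceptions keyed by control."""
    return {
        "unflagged": unflagged_privileged(accounts),
        "no_authorization": missing_authorization(accounts),
        "no_clearance": missing_clearance(accounts),
        "stale_logon": stale_or_never_logged_on(accounts, as_of),
    }


if __name__ == "__main__":
    for control, users in reconcile(ACCOUNTS, datetime(2023, 5, 15)).items():
        print(f"{control}: {users} ({percent_of_privileged(users, ACCOUNTS)}%)")
```

The point of deriving privilege from role rather than from the flag is that the flag is itself one of the controls under test; an inventory built only from flagged accounts would reproduce the gap the audit found. The same structure works for a real export once the role set and the field names are replaced with the system's own.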
These issues occurred because:
- Management focused on other areas of cyber security and has not yet developed comprehensive guidance for defining, identifying, and managing privileged accounts.
- System owners did not require all privileged users to follow Postal Service policy when requesting privileged access and did not ensure that users have the appropriate security clearance prior to granting access.
- System owners were not aware of the [redacted] requirement.
- Management has not defined business practices for monitoring privileged accounts or implemented privileged access management tools in accordance with best practices.
- Postal Service policy does not require all privileged users to complete training.
Without proper management of privileged accounts, the Postal Service cannot ensure the confidentiality and integrity of its data, which could lead to data loss and reduced confidence in the Postal Service brand. Without proper monitoring of privileged accounts, the Postal Service cannot hold privileged users accountable for their actions, which is needed to deter and detect accidental harm or malicious activity. In addition, the lack of a comprehensive training program for all privileged users exposes the Postal Service to credential or password compromise.
What the OIG Recommended
We recommended management:
- Strengthen controls over privileged users by continuing to develop overarching guidance and controls for managing privileged accounts, including a consistent method for identifying all privileged accounts.
- Develop and continuously maintain a complete and accurate listing of privileged accounts for Postal Service systems.
- Require all users to follow Postal Service policy when requesting and granting privileged access, ensure privileged users have proper security clearances, and require privileged users to [redacted].
- Clearly define the responsibilities for monitoring privileged accounts, implement privileged access management tools, and track privileged users’ activity.
- Develop a comprehensive privileged user training program, and require all privileged users to complete the training before assuming their privileged role, followed by periodic refresher training.