Cybersecurity is the body of processes, practices, and technology designed to protect networks, computers, programs, and data from attack, damage, or unauthorized access. In November 2014, the U.S. Postal Service announced a significant cyber intrusion had occurred that compromised large amounts of data. This report addresses cybersecurity functions of the Postal Service at the time the intrusion was identified. Our objective was to determine whether the Postal Service’s structure, operations, and resourcing of cybersecurity functions aligned with industry best practices to support the enterprise. We examined Corporate Information Security Office processes and other Postal Service cybersecurity functions.
What The OIG Found
Management has taken significant positive action since the cyber intrusion based on input from business and industry experts. Enhancing the cybersecurity of the organization will be a long and challenging effort. Specifically, the Postal Service has additional work to do to align its structure, operations, and resourcing of cybersecurity functions with industry best practices.
At the time the intrusion was identified, Postal Service leadership had not emphasized cybersecurity, as evidenced by its undertrained employees, lack of accountability for risk acceptance decisions, ineffective collaboration among cybersecurity teams, and continued operation of unsupported systems. Because leadership had not established an effective cybersecurity culture to support business operations and drive employee behaviors, employees were not prepared to recognize and appropriately respond to cybersecurity risks. Additionally, staffing and support for cybersecurity functions provided for basic operations and compliance with legal and industry requirements. However, it did not provide for effective operations, including skilled, 24-hour-a-day incident response and analysis, effective vulnerability management, or rolebased training. This is because sufficient personnel resources were not devoted to cybersecurity functions. Without adequate resources, the Postal Service did not have the cybersecurity capabilities to prevent, detect, or respond to advanced threats.
Finally, the Postal Service lacked a comprehensive risk-based cybersecurity strategy. Consequently, it was not prepared for the rapidly changing threat landscape nor could it effectively manage the corresponding risks. The Postal Service has already begun taking action to address the strengthening of cybersecurity functions. These include an extensive joint forensic investigation with subject matter experts and initiated implementation of enhanced monitoring capabilities and procurement of 24-hour security operations center services. Existing plans for improvements in access management, intrusion detection, and authentication processes have been accelerated. In addition, the postmaster general appointed a vice president-level chief information security officer.
What The OIG Recommended
We recommended management develop, execute, and communicate a strategy to embed a strong cybersecurity culture into daily operations and adequately staff and resource cybersecurity operations. We also recommended management implement a plan for the organization to exercise the appropriate governance and incident response.