Date: Aug 31, 2021
Report Number: 20-277-R21
Report Type: Audit Reports
Category: Security, Technology

U.S. Postal Service Protection Against External Cyberattacks

Objective

Our objective was to determine if the Postal Service has an effective security posture to protect its Information Technology (IT) infrastructure from external cyberattacks and prevent unauthorized access to restricted data.

In the past two years, 51 percent of organizations have experienced a cybersecurity incident that resulted in a significant disruption to their IT and business processes. With one of the largest IT networks in the world, the Postal Service faces ongoing cyberthreats and challenges that could negatively impact its customers, partners, and employees.

Ninety-one percent of cyberattacks weaponize email through phishing campaigns to gain unauthorized access to an organization's IT infrastructure. Phishing is when an attacker pretends to be a trusted individual or organization and tricks a victim into acting on a malicious email, typically by opening an attachment, following a link, or entering credentials. A security awareness program, including training and simulated phishing campaigns, is critical to supporting a strong security posture.
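The impersonation pattern described above (a sender pretending to be a trusted party) can be triaged from mail headers and text alone. The following is an added example written for this page, not USPS or OIG code and not from the report: it flags display-name impersonation, lookalike sender domains, Reply-To and Return-Path divergence, and urgency plus credential-request wording. The TRUSTED_DOMAINS list and the two sample messages are constructed assumptions for the example.

```python
"""Header-level phishing triage for inbound mail (added example, not USPS/OIG code)."""
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains the organization treats as its own or its partners'.
TRUSTED_DOMAINS = {"example.com", "payroll.example.com"}

URGENCY_WORDS = ("urgent", "immediately", "expire", "suspended", "locked")
LURE_WORDS = ("password", "verify", "login", "credential")


def _domain(header_value):
    """Lowercase domain of an RFC 5322 address, or '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _is_trusted(domain):
    return domain in TRUSTED_DOMAINS or any(
        domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def _normalize(domain):
    """Undo common homoglyph substitutions so examp1e.com and exarnple.com
    compare equal to example.com."""
    d = domain.lower()
    for src, dst in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
                     ("3", "e"), ("5", "s")):
        d = d.replace(src, dst)
    return d


def _is_lookalike(domain):
    """Untrusted domain that collapses to a trusted one, or that embeds a
    trusted domain as a decoy prefix (example.com.evil.net)."""
    if not domain or _is_trusted(domain):
        return False
    return any(_normalize(domain) == _normalize(t)
               or ("." + t + ".") in ("." + domain + ".")
               for t in TRUSTED_DOMAINS)


def _body_text(msg):
    """Concatenate decoded text/plain parts (single-part or multipart)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode("utf-8", "replace"))
    return " ".join(chunks)


def phishing_indicators(raw_message):
    """Return [(tag, detail), ...] for one raw RFC 5322 message.

    Each item is an indicator, not a verdict: Reply-To and Return-Path
    mismatches are normal for some bulk mailers, so callers should score
    or triage rather than block on a single hit.
    """
    msg = message_from_string(raw_message)
    display_name, _ = parseaddr(msg.get("From", ""))
    from_domain = _domain(msg.get("From"))
    reply_domain = _domain(msg.get("Reply-To"))
    return_domain = _domain(msg.get("Return-Path"))
    found = []

    # Display name names a trusted domain while the real address does not.
    claimed = [t for t in TRUSTED_DOMAINS if t in display_name.lower()]
    if claimed and not _is_trusted(from_domain):
        found.append(("display-name-impersonation",
                      f"name claims {claimed[0]}, address is @{from_domain}"))

    if _is_lookalike(from_domain):
        found.append(("lookalike-domain", from_domain))

    # Replies or bounces routed to a different domain than the visible sender.
    if reply_domain and reply_domain != from_domain:
        found.append(("reply-to-mismatch", reply_domain))
    if return_domain and return_domain != from_domain:
        found.append(("return-path-mismatch", return_domain))

    # Pressure plus a credential ask is the classic lure wording.
    text = (msg.get("Subject", "") + " " + _body_text(msg)).lower()
    if any(w in text for w in URGENCY_WORDS) and any(w in text for w in LURE_WORDS):
        found.append(("credential-lure", "urgency wording with a credential request"))
    return found


# Constructed sample messages for the example (not mail from the audit).
PHISH = """From: "IT Helpdesk example.com" <helpdesk@examp1e.com>
Reply-To: reset@mail-secure.net
Return-Path: <bounce@mail-secure.net>
Subject: URGENT: your password expires today
Content-Type: text/plain

Your account will be locked. Verify your password at http://examp1e.com/login
"""

LEGIT = """From: "Payroll" <payroll@payroll.example.com>
Subject: Pay statement for August
Content-Type: text/plain

Your August pay statement is available in the employee portal.
"""

if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(label, phishing_indicators(raw))
```

A simulated phishing campaign exercises exactly these signals: if the lure mail is delivered and clicked, the same header checks show which indicators the mail gateway and the users missed. Note that the homoglyph normalization is deliberately coarse; a production filter would also compare registered domains against SPF, DKIM and DMARC results rather than the From header alone.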

A way to test an organization’s defenses against potential cyberattacks is through a penetration test, which involves trusted individuals using known attack methods to identify exploitable network vulnerabilities. Vulnerabilities identified through simulated phishing campaigns and penetration tests should be tracked by a vulnerability management program until each vulnerability has been mitigated.

We contracted with a provider to conduct a simulated phishing campaign and an external penetration test targeting the Postal Service’s internet-facing systems from November 30, 2020, to February 9, 2021. We also reviewed the Postal Service’s information security awareness program.

Report Recommendations

1. Implement a consistent process to approve and update the access management system for all employees excluded from mandatory security awareness training and update information security policy to reflect the process.
   Status: Closed | Value: $0 | Initial Management Response: Agree

2. Some or all of the recommendation is not publicly available due to concerns with information protected under the Freedom of Information Act.
   Status: Closed | Value: $0 | Initial Management Response: Agree

3. Some or all of the recommendation is not publicly available due to concerns with information protected under the Freedom of Information Act.
   Status: Closed | Value: $0 | Initial Management Response: Agree

4. Some or all of the recommendation is not publicly available due to concerns with information protected under the Freedom of Information Act.
   Status: Closed | Value: $0 | Initial Management Response: Agree

No USPS Proposed Resolution, OIG Response, or Final Resolution is recorded for any of the four recommendations.