Expands the main menu

Breadcrumb

Audit Reports

  • Image
Mar
19
2018
Report Number:
IT-AR-18-002
Report Type:
Audit Reports
Category: Security

Western Area Physical Security and Environmental Controls

Objective

Our objective was to determine whether the U.S. Postal Service has implemented effective physical security and environmental and wireless access controls according to policy and industry best practices at the [redacted] Processing & Distribution Center (P&DC).

The Postal Service has the mail processing resources, information technology (IT) network, and transportation infrastructure necessary to deliver mail to every residential and business address in the country. These resources include facilities, equipment, and systems that allow processing, transfer, and storage of data vital for business operations. The Postal Service implements physical and environmental security controls to reduce the risk of system and equipment failure, damage from environmental hazards, and unauthorized access to its facilities and assets.

The [redacted] P&DC is 630,806 square feet and processes about 475 million mailpieces annually. The facility also includes a retail store, business mail entry unit (BMEU), and administrative offices. We selected this site based on Postal Service and OIG facility risk assessments.

What the OIG Found

We did not identify any wireless issues at the [redacted] Processing & Distribution Center; however, the Postal Service did not implement effective physical security and environmental controls. During our site visit in October 2017, we noted the following:

  • Excessive access to IT assets and controlled areas. For example, [redacted] of individuals had access to the [redacted] and to the [redacted]. [Redacted]
  • [Redacted]

These issues occurred because facility management was not aware of the requirement for semiannual badge access reviews and did not communicate proper access procedures or enforce requirements for emergency and exterior door use [redacted].

[Redacted]. This occurred because employees were not aware of the policy for challenging and escorting unauthorized individuals in controlled areas.

Finally, facility management did not implement environmental controls to protect IT assets against water and fire damage in the information system office and the IT server room. This occurred because the information system office was not intended to be a server room and budget constraints prevented recharging the fire suppression system.

When the Postal Service does not implement proper physical security, there is an increased risk of theft, vandalism, and unauthorized access to IT assets and controlled areas. In addition, without effective environmental controls to protect IT assets, water and fire damage would disrupt mail processing operations.

What the OIG Recommended

We recommended facility management communicate access policy requirements to all personnel and conduct a badge access review for all controlled areas. We also recommended facility management communicate and enforce policy requirements for using emergency and exterior doors.

In addition, we recommended facility management implement compensating controls for the doors without functioning card readers and the parking lot gates until installation of the new badge access system and repairing the gates, repair security cameras, and communicate policy for challenging and escorting unauthorized individuals in controlled areas. Finally, facility management should implement environmental controls to protect IT assets from water damage in the information system office and from fire damage in the IT server room.

Report Recommendations

# Recommendation Status Value Management Response OIG Response USPS Proposed Resolution
1

Direct the senior plant manager to communicate badge access review policy requirements to managers.

Closed $0 Agree
2

Direct the senior plant manager to require responsible managers to complete badge access reviews.

Closed $0 Agree
3

Direct the senior plant manager to implement compensating controls for doors without a functioning card reader

Closed $0 Agree
4

Direct the senior plant manager to communicate access procedures to the resource management
personnel to ensure employees without a Postal Service badge do not gain access to the facility
west entrance.

Closed $0 Agree
5

Direct the senior plant manager to enforce emergency exit and exterior door security policy requirements to employees.

Closed $0 Agree
6

Direct the senior plant manager to implement security controls for the facility parking lots and repair surveillance security cameras.

Closed $0 Agree
7

Direct the senior plant manager to communicate policy requirements for challenging and escorting unauthorized individuals in controlled areas.

Closed $0 Agree
8

Direct the senior plant manager to implement environmental controls for protecting information technology assets against water damage in the information system office.

Closed $0 Agree
9

Direct the senior plant manager to recharge the fire suppression system in the IT server room.

Closed $0 Agree