Security of Postal Service Smartphones

Jul 26, 2024
Report Number: 24-009-R24
Report Type: Audit Reports
Category: Technology

Background

The U.S. Postal Service issued approximately 27,000 smartphones to its employees to provide telecommunication and connectivity to its information systems and work-related applications. Although smartphones offer opportunities to improve business productivity, they also introduce the risk of cyber threats that could compromise sensitive Postal Service data. Given the level of access a smartphone offers to its internal network, it is imperative the Postal Service appropriately secures its smartphones to mitigate the risk to its data and systems.

What We Did

Our objective was to assess the security of the Postal Service’s smartphones. For this audit, we used a combination of data analytics, interviews, and control tests to determine if appropriate controls were in place and functioning as intended to protect the smartphones and Postal Service data.

What We Found

The Postal Service’s mobile device management platform (MDM) allows information technology staff to control, secure, and enforce policies on applications and operating systems installed on smartphones. The Postal Service did not fully utilize the MDM to adequately restrict the installation of or remove unapproved applications from its smartphones. Additionally, the Postal Service did not force operating system updates or quarantine smartphones without current operating systems. These issues occurred because the Postal Service did not monitor smartphones for unapproved applications or outdated operating systems, nor did it have a policy to do so. The underutilization of the MDM has led to about $4.7 million in questioned cost and funds put to better use.

Recommendations and Management’s Comments

We made three recommendations to address the security of applications and operating systems installed on the Postal Service’s smartphones. Postal Service management agreed with all recommendations. The U.S. Postal Service Office of Inspector General considers management’s comments responsive to all three recommendations, as corrective actions should resolve the issues identified in the report.

Report Recommendations

| # | Recommendation | Status | Value | Initial Management Response | USPS Proposed Resolution | OIG Response | Final Resolution |
|---|---|---|---|---|---|---|---|
| 1 | Identify and remove unapproved applications and outdated operating systems on smartphones and/or quarantine noncompliant smartphones. | Closed | $0 | Agree | | | |
| 2 | Update the Postal Service's quarantine enforcement process and policy to include provisions for quarantining both iOS and Android smartphones with operating systems missing current security updates, on a recurring basis. | Closed | $0 | Agree | | | |
| 3 | Develop a documented plan to fully utilize the capabilities of its mobile device management platform to 1) prohibit employees from installing unapproved applications, 2) identify and remove unapproved applications, 3) force operating system updates to smartphones, and 4) quarantine all smartphones using outdated operating systems. | Closed | $4,742,792 | Agree | | | |