Expands the main menu

Breadcrumb

Audit Reports

  • Image
    22-194 Cover
Sep
29
2023
Report Number:
22-194-R23
Report Type:
Audit Reports
Category: Technology, Security

Corporate Information Security Office Workforce

Background

The U.S. Postal Service’s Corporate Information Security Office (CISO) plays a pivotal role in safeguarding data and assets of one of the largest and most critical networks in the nation. The Postal Service network links more than 31,000 facilities and connects more than 653,000 employees and hundreds of systems for the efficient processing and delivery of mail to everyone living in the U.S. and its territories. Staffing challenges such as an increasing demand for cybersecurity professionals with a limited applicant pool and recruiting and retaining a skilled CISO workforce are crucial for the Postal Service to overcome and protect its network and information resources against evolving cyber threats. Effective workforce planning is essential to addressing these challenges.

What We Did

Our objective was to determine whether the CISO is adequately staffed by assessing recruitment, retention, and performance measurements. For this audit, we reviewed the CISO workforce and strategic staffing activities for fiscal year (FY) 2021 through FY 2023 and interviewed headquarters personnel.

What We Found

Although the CISO workforce remained stable with low turnover in FY 2023, and while it maintains well-defined job roles and monitors some workforce related metrics, we could not determine whether the CISO is adequately staffed because the CISO leadership had not established necessary elements of an effective workforce planning process to ensure personnel are qualified to meet the organization’s mission and strategic goals. Specifically, we found that the CISO leadership did not document key components of a workforce plan to ensure ongoing initiatives aligned to strategic goals, despite highlighting recruitment and retention as a goal in its five-year strategic plan. The CISO leadership did not believe there was a need for formal documentation of a workforce plan and stated that workforce planning information is documented in current strategic planning and budgeting activities. Additionally, the CISO leadership stated that they have the ability to determine when to continue or end workforce initiatives.

Recommendations

We recommended management establish and document a workforce plan and develop a process to track employee and contractor training and certifications to monitor progress toward addressing the skills gaps identified in periodic skills assessments.

Report Recommendations

# Recommendation Status Value Management Response OIG Response USPS Proposed Resolution
1

in coordination with the Vice President, Organization Development, establish and document a workforce plan that describes key recruitment, retention, and performance measurement activities. At a minimum, the plan should address strategic priorities, include workforce goals and objectives, identify stakeholder roles and responsibilities, and define a process for periodic review and updates.

Open $0 Disagree
2

Develop a process to track employee and contractor training and certifications to monitor progress toward addressing the skills gaps identified in periodic skills assessments.

Open $0 Disagree