Dec 16, 2014
Report Number: IT-AR-15-002
Report Type: Audit Reports

Parcel Readiness – Product Tracking and Reporting System Controls

Background

The Product Tracking and Reporting (PTR) system records delivery status information for all mail with trackable services and barcodes. One of the goals of the U.S. Postal Service’s Delivering Results, Innovation, Value and Efficiency Initiative 20, Achieve 100 Percent Product Visibility, is to provide the ability to track mailpieces and containers end-to-end through the postal network. Since PTR is vital to achieving this goal, it is important that security controls are in place to ensure the availability, integrity, and confidentiality of this application.

Our objective was to evaluate controls associated with the security, configuration, and documentation for the PTR system.

What The OIG Found

The Postal Service needs to improve its process for managing and securing the PTR system. Management did not safeguard eight servers that support the PTR system as required in the Postal Service security standards. Specifically, management did not apply critical patch updates to the operating system servers and databases. In addition, management did not properly configure the operating system, databases, and the web server to comply with security standards. Further, we determined the PTR web server contained unsupported software. Management also has not completed the disaster recovery plan for the PTR system. This occurred because management focused on other priorities such as system releases, system maintenance, and Sarbanes-Oxley Act compliance. In addition, due to a vendor software issue, management did not ensure that security configurations were reviewed on the web application server.

These security weaknesses create the potential for a malicious user to gain access to the PTR database, which could result in disclosure or modification of sensitive customer data, loss of PTR system availability, and financial liabilities. In addition, these weaknesses could allow unauthorized access to personally identifiable information, such as home addresses, phone numbers, and email addresses contained within PTR.

What The OIG Recommended

We recommended that management apply all relevant security patches to the PTR operating system servers and databases, and configure the operating system servers and databases to comply with security standards. Management should also update the PTR web server software as required, and complete the disaster recovery plan.

Report Recommendations

| # | Recommendation | Status | Value | Initial Management Response | USPS Proposed Resolution | OIG Response | Final Resolution |
|---|---|---|---|---|---|---|---|
| 1 | R - 1 -- Some or all of the recommendation is not publicly available due to concerns with information protected under the Freedom of Information Act. | Closed | $0 | Agree | | | |
| 2 | R - 2 -- Some or all of the recommendation is not publicly available due to concerns with information protected under the Freedom of Information Act. | Closed | $0 | Agree | | | |
| 3 | R - 3 -- Some or all of the recommendation is not publicly available due to concerns with information protected under the Freedom of Information Act. | Closed | $0 | Disagree | | | |
| 4 | R - 4 -- Some or all of the recommendation is not publicly available due to concerns with information protected under the Freedom of Information Act. | Closed | $0 | Agree | | | |
| 5 | R - 5 -- Some or all of the recommendation is not publicly available due to concerns with information protected under the Freedom of Information Act. | Closed | $0 | Agree | | | |
| 6 | R - 6 -- Complete the Product and Tracking Reporting system Tier 2 Disaster Recovery Plan. | Closed | $0 | Agree | | | |