Audit Report - IT-AR-14-004 - 03/27/2014
A system outage in 2010 revealed the Postal Service’s data storage environment was never subject to security reviews or audits. This environment supports 230 production IT systems and applications running on more than 1,100 servers. It stores various categories of data, such as information used to process the biweekly payroll and to manage customers’ changes of address. The data have different protection requirements that reflect their level of sensitivity. The Postal Service spends about $30 million annually on storage components, which are managed by the Information Technology, Computer Operations, Data Management Services group.
Our recent audit found there was inadequate oversight of storage teams. For example, there were no periodic employee access reviews. Also, we found the Corporate Information Security Office (CISO) did not provide adequate guidance for securing storage-based information resources such as systems, hardware, software, data, applications, and telecommunications networks. These conditions increase the likelihood that information storage systems will be compromised, causing a negative impact such as an outage of systems that are critical to customers.
To secure these vital storage environments, we recommended management establish operating procedures and security requirements, improve storage environment oversight, set a schedule for complying with these new standards, and ensure personnel maintain storage skills. We also recommended that the CISO establish security requirements for storage environments.