Date: August 15, 2022
Report Number: 21-205-R22
Report Type: Audit Report
Category: Technology

State of Cybersecurity

Background

Cybersecurity, a major enterprise risk consideration, is the practice of protecting systems, networks, and programs from cyberattacks. Cyberattacks targeting critical infrastructure are increasing in frequency and sophistication, making a well-defined, proactive cybersecurity approach critical. To address these threats, the U.S. Postal Service's Corporate Information Security Office (CISO) focuses on five cybersecurity strategic objectives: protect, monitor, respond, manage, and innovate.

What We Did

Our objective was to assess the effectiveness of the Postal Service's state of cybersecurity, specifically evaluating (1) its risk profile and organizational alignment with the cybersecurity strategy, (2) its cybersecurity risk management process and vulnerability management program for consistency and appropriateness, and (3) its enterprise security architecture processes for alignment with best practices.

What We Found

The Postal Service has made positive strides in implementing improvements to its risk management program, cybersecurity strategy, and organizational structure. However, its state of cybersecurity lacks maturity, which limits its ability to fully understand its risk exposure and protect the agency from cyberattack.

Specifically, we found the Postal Service did not establish a cybersecurity [redacted] in accordance with agency guidance. We observed that the CISO could not perform [redacted] because it did not have the necessary tools. We also found that formal risk acceptance [redacted] of exceptions was not always conducted in accordance with policy. We further observed that applications could operate in [redacted], application owners did not always provide access support for [redacted], and cybersecurity mitigation plans were not consistently managed. This occurred because, although CISO identifies and informs stakeholders of instances of noncompliance, there were no practices to compel compliance.

Report Recommendations

The original table has the columns #, Recommendation, Status, Value, Initial Management Response, USPS Proposed Resolution, OIG Response, and Final Resolution. The USPS Proposed Resolution, OIG Response, and Final Resolution columns are blank for all six recommendations, so each entry below lists only the populated fields.

1. Some or all of the recommendation is not publicly available due to concerns with information protected under the Freedom of Information Act.
   Status: Closed; Value: $0; Initial Management Response: Agree

2. Some or all of the recommendation is not publicly available due to concerns with information protected under the Freedom of Information Act.
   Status: Closed; Value: $0; Initial Management Response: Agree

3. Enhance the agency's current enterprise security architecture approach by implementing a centralized oversight function to identify gaps within the architecture, consolidating and formally documenting security architecture information, and documenting details on deployed security components.
   Status: Closed; Value: $0; Initial Management Response: Agree

4. Implement procedures to provide assurance that application owners take necessary actions to address cybersecurity risks.
   Status: Closed; Value: $0; Initial Management Response: Agree

5. Update policies and other guidance to reflect procedures implemented to enforce cybersecurity compliance, including consequences for noncompliance.
   Status: Closed; Value: $0; Initial Management Response: Agree

6. Some or all of the recommendation is not publicly available due to concerns with information protected under the Freedom of Information Act.
   Status: Closed; Value: $0; Initial Management Response: Agree