Our objective was to determine whether the U.S. Postal Service has implemented effective physical security and environmental and wireless access controls according to policy and industry best practices at the [redacted] Processing & Distribution Center (P&DC).
The Postal Service has the mail processing resources, information technology (IT) network, and transportation infrastructure necessary to deliver mail to every residential and business address in the country. These resources include facilities, equipment, and systems that allow processing, transfer, and storage of data vital for business operations. The Postal Service implements physical and environmental security controls to reduce the risk of system and equipment failure, damage from environmental hazards, and unauthorized access to its facilities and assets.
The [redacted] P&DC is 630,806 square feet and processes about 475 million mailpieces annually. The facility also includes a retail store, business mail entry unit (BMEU), and administrative offices. We selected this site based on Postal Service and OIG facility risk assessments.
What the OIG Found
We did not identify any wireless issues at the [redacted] Processing & Distribution Center; however, the Postal Service did not implement effective physical security and environmental controls. During our site visit in October 2017, we noted the following:
- Excessive access to IT assets and controlled areas. For example, [redacted] of individuals had access to the [redacted] and to the [redacted]. [Redacted]
These issues occurred because facility management was not aware of the requirement for semiannual badge access reviews and did not communicate proper access procedures or enforce requirements for emergency and exterior door use [redacted].
[Redacted]. This occurred because employees were not aware of the policy for challenging and escorting unauthorized individuals in controlled areas.
Finally, facility management did not implement environmental controls to protect IT assets against water and fire damage in the information system office and the IT server room. This occurred because the information system office was not intended to be a server room and budget constraints prevented recharging the fire suppression system.
When the Postal Service does not implement proper physical security, there is an increased risk of theft, vandalism, and unauthorized access to IT assets and controlled areas. In addition, without effective environmental controls to protect IT assets, water and fire damage would disrupt mail processing operations.
What the OIG Recommended
We recommended facility management communicate access policy requirements to all personnel and conduct a badge access review for all controlled areas. We also recommended facility management communicate and enforce policy requirements for using emergency and exterior doors.
In addition, we recommended facility management implement compensating controls for the doors without functioning card readers and the parking lot gates until installation of the new badge access system and repairing the gates, repair security cameras, and communicate policy for challenging and escorting unauthorized individuals in controlled areas. Finally, facility management should implement environmental controls to protect IT assets from water damage in the information system office and from fire damage in the IT server room.