Audit Report – IT-AR-15-008 – 07/17/2015
Cybersecurity is the body of processes, practices, and technology designed to protect networks, computers, programs, and data from attack, damage, or unauthorized access. In November 2014, the U.S. Postal Service announced a significant cyber intrusion had occurred that compromised large amounts of data. This report addresses cybersecurity functions of the Postal Service at the time the intrusion was identified.
Postal Service leadership had not fostered a culture of effective cybersecurity across the enterprise. Staffing and resources for cybersecurity functions focused heavily on complying with specific legal and industry requirements, leaving limited resources for systems that are not subject to these requirements. In addition, management had not integrated cybersecurity risks into a comprehensive cybersecurity strategy. While it has worked with business and industry experts to initiate significant positive action since the cyber intrusion of November 2014, the Postal Service could attain more effective cybersecurity operations by continuing efforts to re-align its structure, operations, and resources to better address operational risks and protect business operations.
Source: Office of Inspector General | United States Postal Service
“While the Postal Service appreciates the intent and role of the USPS OIG in developing its recent audit on cyber security issues, the findings do not reflect the current state of the organization’s capabilities. The scope of this audit was based solely on the state of cybersecurity when a significant cyber intrusion was discovered in 2014. Since then, the Postal Service has substantially and extensively upgraded management processes, staffing, computing environment protections, training and awareness, and other controls based upon the learnings from the 2014 cyber intrusion.”