Software management provides processes for managing inventories and license agreements and for monitoring software assets. Effective software management allows organizations to maintain an accurate software inventory to improve accountability, security, and compliance. Reliable software inventories are necessary to effectively test, evaluate, monitor, and manage information system controls.
The U.S. Postal Service Office of Inspector General’s Information Technology Security Risk Model identified the Greater Boston District as the highest risk for security events in fiscal year 2014. Having an inventory of authorized and unauthorized software ranks second on the list of the 20 most critical security controls in the industry. To respond effectively to emerging threats and detect unauthorized software, the Postal Service must manage and monitor its software inventories.
Our objective was to evaluate the effectiveness of the Postal Service’s software inventory management practices in the Greater Boston District.
What The OIG Found
Effective software management practices are not in place to adequately protect and safeguard information resources in the Greater Boston District. Specifically, there are no clearly defined policies and procedures for the software inventory management process, including roles and responsibilities, systems to maintain software inventories, and instructions for detecting and removing unauthorized software. In addition, there is no accurate inventory of software installed at facilities in the Greater Boston District. We identified 186 instances of unauthorized software products on 31 of the 161 computers we reviewed.
This occurred because headquarters management has not issued detailed guidance to districts on the software inventory management process. Current systems the Postal Service uses to manage its enterprise-wide software inventory are not effective and are fragmented across the organization. Without an accurate inventory of software assets, the Greater Boston District may be using unsecure versions of software, purchasing unnecessary licenses, or violating software license agreements.
What The OIG Recommended
We recommended the Postal Service update its software inventory management process, identify software to add to its approved listing, and require district information technology personnel to follow approved software processes prior to software installation. We also recommended management establish an automated process to reconcile software inventories and coordinate with district staff to remove unauthorized software.