Audit Report – IT-AR-14-006 – 06/11/2014
In June 2013, the U.S. Postal Service completed consolidation of all print operations into the National Print Center in the administrative building at the Topeka, KS, Material Distribution Center. As a result of this cost-cutting measure, the National Print Center now processes about 192,000 payroll checks and 107,000 vendor checks per month (totaling about $468 million), as well as earnings and Express Mail corporate account statements.
In addition to the print operations, the Material Distribution Center’s administrative building maintains a computer server room that supports systems that manage vehicles, warehousing, inventory, and equipment.
Our objective was to determine whether general security controls pertaining to physical access, contingency planning, security management, and segregation of duties at the center’s administrative building provide reasonable assurance that computer assets, processed payroll data, and vendor data are secure.
WHAT THE OIG FOUND:
Contingency planning and segregation of duties were adequate; however, security controls related to physical access and security management were not in place to protect computer assets and data at the center’s administrative building. Specifically, management did not conduct physical key reviews or maintain a key inventory as required. Management also did not use a reliable badge system for accessing the administrative building, monitor personnel access privileges, or put alarms on emergency doors that provide access to computer assets in the building’s warehouse area. Finally, management had no procedures in place for granting and monitoring employee access to the check printing system and did not provide security training for employees with access to the system.
Management considered the key inventory and alarms on the emergency doors to be low priorities. Also, officials were unaware of procedures related to user access reviews and security training. Not adhering to information security controls increases the risk of unauthorized individuals accessing sensitive information, including employees’ names, addresses, and identification numbers.
WHAT THE OIG RECOMMENDED:
We recommended management complete a physical key review, rekey certain areas, and better restrict access to the administrative building. Further, we recommended management periodically review employee access to the server room and check printing system. Finally, we recommended management provide information security training to all employees with access to computer assets and data.