Background
The Postal Regulatory Commission (Commission) is an independent agency that exercises regulatory oversight of the U.S. Postal Service. With five commissioners, supported by a staff of approximately 70 individuals, the Commission uses smartphones to facilitate greater working efficiencies and operations, making them a core element of the Commission’s IT program.
Smartphones help facilitate communications, share on-the-go information, and run various software applications based on individual need. Often, these devices provide access to much of the same data and systems that would be available from an office desktop. Because the devices are mobile, this access can present significant cybersecurity issues if the smartphones are not fully protected.
What We Did
Our objective was to assess the management of the inventory, security, and utilization of the Commission’s smartphones. We used a combination of data analytics, interviews, and control tests to determine if appropriate controls were in place and functioning as intended.
What We Found
Overall, we identified opportunities for improvement in the Commission’s management of inventory, security, and utilization of smartphones. Specifically, the Commission did not have (1) a standardized process for reviewing and maintaining its inventory; (2) key components to effectively manage the security of its smartphones; and (3) a written policy or procedure to review smartphone utilization billing. These issues occurred because the Commission did not follow a standardized process for inventory and utilization reviews, and it prioritized other IT projects over the security of its smartphones.
Recommendations
We made nine recommendations, including performing routine inventory and utilization reviews in compliance with industry best practices, developing a mobile device security policy, and providing end-user smartphone security training.