Background
The U.S. Postal Service issued approximately 27,000 smartphones to its employees to provide telecommunication and connectivity to its information systems and work-related applications. Although smartphones offer opportunities to improve business productivity, they also introduce the risk of cyber threats that could compromise sensitive Postal Service data. Given the level of access a smartphone offers to its internal network, it is imperative the Postal Service appropriately secures its smartphones to mitigate the risk to its data and systems.
What We Did
Our objective was to assess the security of the Postal Service’s smartphones. For this audit, we used a combination of data analytics, interviews, and control tests to determine if appropriate controls were in place and functioning as intended to protect the smartphones and Postal Service data.
What We Found
The Postal Service’s mobile device management platform (MDM) allows information technology staff to control, secure, and enforce policies on applications and operating systems installed on smartphones. The Postal Service did not fully utilize the MDM to adequately restrict the installation of or remove unapproved applications from its smartphones. Additionally, the Postal Service did not force operating system updates or quarantine smartphones without current operating systems. These issues occurred because the Postal Service did not monitor smartphones for unapproved applications or outdated operating systems, nor did it have a policy to do so. The underutilization of the MDM has led to about $4.7 million in questioned cost and funds put to better use.
Recommendations and Management’s Comments
We made three recommendations to address the security of applications and operating systems installed on the Postal Service’s smartphones. Postal Service management agreed with all recommendations. The U.S. Postal Service Office of Inspector General considers management’s comments responsive to all three recommendations, as corrective actions should resolve the issues identified in the report.