Background
Cybersecurity, a major enterprise risk consideration, is the practice of protecting systems, networks, and programs from cyberattacks. Cyberattacks targeting the critical infrastructure are increasing in frequency and sophistication, making a well-defined, proactive cybersecurity approach critical. To address these threats, the U.S. Postal Service’s Corporate Information Security Office (CISO) focuses on five cybersecurity strategic objectives: protect, monitor, respond, manage, and innovate.
What We Did
Our objective was to assess the effectiveness of the Postal Service’s state of cybersecurity, specifically evaluating its (1) risk profile and organizational alignment with the cybersecurity strategy, (2) cybersecurity risk management process and vulnerability management program for consistency and appropriateness, and (3) enterprise security architecture processes for alignment with best practices.
What We Found
The Postal Service has made positive strides in implementing improvements to its risk management program, cybersecurity strategy, and organizational structure. However, its state of cybersecurity lacks maturity, which limits its ability to fully understand its risk exposure and protect the agency from cyberattack.
Specifically, we found the Postal Service did not establish a cybersecurity [redacted] in accordance with agency guidance. We observed that the CISO could not perform [redacted] because they did not have the necessary tools. We also found that formal risk acceptance [redacted] of exceptions was not always conducted in accordance with policy. We further observed applications could operate in [redacted] application owners did not always provide access support for [redacted], and cybersecurity mitigation plans were not consistently managed. This occurred because, although CISO identifies and informs stakeholders of instances of noncompliance, there were no practices to compel compliance.
