The USPS Office Of Inspector General audit report: “Parcel Readiness – Product Tracking and Reporting System Controls” 12.16.14
PTR (formerly known as Product Tracking System-II) went into production in April 2013 and provides tracking and performance data for all domestic and international package and extra services products. It is the system of record for all delivery status information for letter mail and parcels with trackable services and barcodes.
Our objective was to evaluate controls associated with the security, configuration, and documentation for the PTR system.
Corporate Information Security provides security hardening standards specifically for the operating system and databases. These standards support the creation of a security infrastructure and protect Postal Service electronic business applications and sensitive customer data. In addition, these standards help to ensure that system controls are established to prevent vulnerabilities and that systems are patched in a timely manner. When standards or system controls are not implemented in accordance with security hardening standards, systems can be at risk for accidental or intentional unauthorized use, modification, or disclosure of sensitive data.
What The OIG Found
The Postal Service needs to improve its process for managing and securing the PTR system. Management did not safeguard eight servers that support the PTR system as required in the Postal Service security standards. Specifically, management did not apply critical patch updates to the operating system servers and databases. In addition, management did not properly configure the operating system, databases, and the web server to comply with security standards. Further, we determined the PTR web server contained unsupported software. Management also has not completed the disaster recovery plan for the PTR system. This occurred because management focused on other priorities such as system releases, system maintenance, and Sarbanes-Oxley Act compliance. In addition, due to a vendor software issue, management did not ensure that security configurations were reviewed on the web application server.
These security weaknesses create the potential for a malicious user to gain access to the PTR database, which could result in disclosure or modification of sensitive customer data, loss of PTR system availability, and financial liabilities. In addition, these weaknesses could allow unauthorized access to personally identifiable information, such as home addresses, phone numbers, and email addresses contained within PTR.
Not adhering to Postal Service security standards could result in data corruption or loss, unauthorized access by hackers, inappropriate changes to computer programs, physical damage to servers, or installation of malware. These security weaknesses create the potential for unauthorized access to PII contained within the PTR system. Therefore, we estimated data at risk of about $137 million for 161 million records containing sensitive information that are processed daily through the PTR system.
What The OIG Recommended
We recommended that management apply all relevant security patches to the PTR operating system servers and databases, and configure the operating system servers and databases to comply with security standards. Management should also update the PTR web server software as required, and complete the disaster recovery plan.
Read the full report
Way too complicated. All you need is 5 words.
STUPID IS AS STUPID DOES
I’m at a loss now to predict when, if ever, somebody in a position to do something about the horrendous ineptitude of postal management will finally be convinced that something must be done to clean management house. I fear though it will take a real calamity we probably can’t even fathom before heads roll that need rolling right now.
Perjury by Donahoe, constantly misrepresenting financial pictures, failing to do complete studies on the impact this moronic consolidation plan will have on millions of customers, not to mention lying to cities and communities about keeping plants open and then stabbing them in the back and closing them anyway, reducing standards, switching to a minimum wage mentality work force, and legendary abuse of its employees are not enough to matter apparently.
The security is lax to a fault, both in cyberspace and in offices nationwide. A determined psycho could use the Service as a terrorist tool and the damn idiots at L’Enfant have no skills in stopping them. Packages could be very cleverly disguised and easily overlooked especially if someone on the inside made sure a suspect package avoided being screened. I certainly hope something horrible like that never happens, but it would take a catastrophe like that to make anybody do something.
We can’t wait for that day. Congress, get off your dead asses and force the Service to upgrade all levels of security under the direct supervision of qualified outside parties, make laws forbidding management to close plants and hold management accountable. They have demonstrated they cannot be trusted at any level and it’s only because craft people still care that the Service still thrives. Remember that the next time you see your carrier or go to a service counter to make a purchase or mail something.
Why would this be a surprise to anyone, duh. This nut house is famous for putting the cart before the horse in everything they do. If the data was breached on employee info that would mean the whole system is at risk, duh again. Where’s your security specialist NOW? Oh, he jumped ship. So is the Captain in a month. The truth will get even better once the idiots leave. Keep SWINGING.