The U.S. Postal Service's reaction to a 2014 breach of its networks — in which more than 800,000 personnel records were stolen — largely followed its Mass Data Compromise Response Plan (MDCRP), though the plan itself was insufficient, according to a new report from the inspector general.
The plan — created in 2010 — includes six distinct areas for the Postal Service CISO to evaluate in the wake of a breach: command structure, risk assessment, notification, reporting, incident response and assessment.
Audit Report: Postal Service Mass Data Compromise Response Plan
The plan "defines the roles and responsibilities of response team members, specifies incident severity levels, outlines the process flow for incident management and provides methodologies for conducting response activities," the IG report states.
However, the plan does not include procedures for dealing with an external cyber threat. Instead, it was targeted toward preventing data leaks from internal threats, i.e., postal employees.
Because of this, the Postal Service CISO stopped after the fourth area of the response plan and didn't complete the incident response and assessment sections.
Postal Service managers disagreed with the IG's assessment in that respect, stating that the MDCRP does not specifically mention a focus on internal threats. Management did agree that the plan needs an update, per the IG's other recommendations.
The IG suggested adding five elements to the MDCRP:
- Critical Assets: Create a list of the Postal Service’s critical data, assets and services that require the most protection during a cyber intrusion.
- Comprehensive Workflow Processes: Develop comprehensive workflow processes, procedures and flowcharts for responding to cyber incidents.
- Incident Checklists: Create incident handling and remediation checklists to ensure that the steps in the MDCRP response are followed during a cyber incident.
- External Communication Protocols: Specify protocols for communicating incidents with external agencies such as the Department of Homeland Security and the FBI before an intrusion occurs, as timeliness is a factor.
- Postal Service Policy Requirements: Incorporate critical Postal Service policy requirements, such as recertification and accreditation for affected infrastructure and applications.
Along with those elements, the IG said an update to the MDCRP should include procedures for responding to external attacks, as well as a new section on security clearances for postal employees. The report added that the CISO should run annual tests on the plan to ensure it meets the agency's needs.
Postal Service managers told the IG the plan will be updated after the CISO receives and reviews the results of a systems test conducted in October 2015. They expect this will be done by the end of March 2016.