Jun 13, 2016
Report Number: IT-AR-16-007
Report Type: Audit Reports
Category: Technology

Software Change Management for Engineering Systems

Background

The U.S. Postal Service’s Engineering Systems group uses the Serena Business Manager Team Track application (Serena) to track software change requests (SCRs) for over 80 Engineering Systems applications. There were 391 user accounts in Serena. Changes occur when software problems are encountered or new functionality is added to a system. Serena tracks SCRs from submission through implementation of a software release. Serena can also manage the status of SCRs and report on current and historical SCRs. There were 1,328 Engineering Systems SCRs in the Serena application between January 1 and December 16, 2015.

Our objective was to evaluate the effectiveness of the software change management process for Engineering Systems.

What The OIG Found

We found that Engineering Systems was not effectively administering its software change management process. Engineering Systems management did not perform risk assessments on any of the 190 SCRs in our random sample. We also found that 67 of the 190 SCRs (35 percent) were not properly managed in Serena. Specifically, we identified seven SCRs that bypassed the required approval process. We also found 32 SCRs pending without a management decision and 28 SCRs that were approved but not implemented and were over 3 years old, with the oldest one being open 8 years. In addition, the system administrator was not disabling or removing user accounts as required. Specifically, we determined that 72 of the 391 total user accounts in the Serena system (18 percent) were not disabled after 90 days of inactivity, and 107 of the 391 accounts (27 percent) were not terminated after 365 days of inactivity.

Risk assessments were not performed on any of the 190 SCRs we reviewed because management focused on higher priorities, such as deploying mail processing equipment. Also, there is no guidance for when management can bypass the approval process. In addition, management did not discuss in their monthly meetings the SCRs that were pending or not implemented. Finally, user accounts were not properly disabled or terminated because the system administrator was not aware that the policies in Postal Service Handbook AS-805, Information Security, applied to Serena.

Without effective implementation of the software change management process, Engineering Systems applications could have unauthorized changes that result in system failure. In addition, without adequate account management, inappropriate user access could compromise data within Serena.
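The two control failures above (inactive accounts not disabled or terminated, and SCRs without a risk assessment, left pending, or approved but never implemented) can be checked mechanically against an export of the tracking system. The following is an added illustration, not code from the report or from Serena; the record layout and sample data are constructed, and the thresholds are the ones the report cites (90 and 365 days of inactivity, 3 years for approved-but-unimplemented SCRs).

```python
from collections import namedtuple
from datetime import date

# Thresholds as the report states them: AS-805 inactivity rules and 3-year aging of approved SCRs.
DISABLE_AFTER_DAYS = 90
TERMINATE_AFTER_DAYS = 365
STALE_SCR_DAYS = 3 * 365

# Constructed record layouts (assumed, not Serena's schema).
Account = namedtuple("Account", "user last_login status")  # status: active / disabled / terminated
SCR = namedtuple("SCR", "scr_id risk_assessed decision approved_on implemented")  # decision: None = pending

def audit_accounts(accounts, as_of):
    """Flag accounts left active past 90 idle days or not terminated past 365 idle days."""
    out = {"not_disabled": [], "not_terminated": []}
    for a in accounts:
        idle = (as_of - a.last_login).days
        if idle > DISABLE_AFTER_DAYS and a.status == "active":
            out["not_disabled"].append(a.user)
        if idle > TERMINATE_AFTER_DAYS and a.status != "terminated":
            out["not_terminated"].append(a.user)
    return out

def audit_scrs(scrs, as_of):
    """Flag SCRs with no risk assessment, pending without a decision, or approved but stale."""
    out = {"no_risk_assessment": [], "pending": [], "approved_stale": []}
    for s in scrs:
        if not s.risk_assessed:
            out["no_risk_assessment"].append(s.scr_id)
        if s.decision is None:
            out["pending"].append(s.scr_id)
        elif (s.decision == "approved" and not s.implemented
              and (as_of - s.approved_on).days > STALE_SCR_DAYS):
            out["approved_stale"].append(s.scr_id)
    return out

# Constructed sample records (not from the report), evaluated at the report's review cut-off.
AS_OF = date(2015, 12, 16)
ACCOUNTS = [
    Account("u1", date(2015, 12, 1), "active"),     # compliant
    Account("u2", date(2015, 8, 1), "active"),      # idle > 90 days, never disabled
    Account("u3", date(2014, 6, 1), "disabled"),    # idle > 365 days, disabled but not terminated
    Account("u4", date(2013, 1, 1), "terminated"),  # compliant
]
SCRS = [
    SCR("SCR-1", True, "approved", date(2015, 10, 1), True),   # compliant
    SCR("SCR-2", False, None, None, False),                    # no risk assessment, still pending
    SCR("SCR-3", True, "approved", date(2011, 3, 1), False),   # approved > 3 years ago, not implemented
]

def run_audit(as_of=AS_OF):
    return audit_accounts(ACCOUNTS, as_of), audit_scrs(SCRS, as_of)
```

Running the same checks on a full export would reproduce the report's counts per category; the account check deliberately reports a disabled-but-not-terminated account only under the 365-day rule, which is why the two percentages in the report can overlap.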

What The OIG Recommended

We recommended the vice president, Engineering Systems, ensure that staff perform risk assessments and document them in Serena, create guidance for SCRs that bypass approval, allocate time in monthly meetings to review SCRs that are pending or not implemented, and disable and terminate user accounts in accordance with Handbook AS-805.