Handle With Care

Jan 1, 2006 12:00 PM, By Richard W. Pavely

Mail center security is often relegated to the mail center management, which means the mail may not be as safe as it should be. Security professionals can be reluctant to challenge the operation of a major mail center. For their part, mail center managers often are skilled at answering questions with befuddling details and detours couched in fluent postal folklore.

Any attempt to conduct a risk assessment within a mail center will almost certainly lead to disputes and concerns over jurisdictional issues, with the mail center manager holding sway by quoting postal regulations, threatening to delay mission-critical mail distributions or impacting the float from accounts receivables or lock-box transactions. Though not as powerful as their information technology (IT) counterparts, mail center professionals are usually quite capable of resisting externally applied process improvements.

What should the security professional do about the mail center? How can the corporate mailstreams get the same level of protection as every other resource flowing through the enterprise? Is the mail center manager even aware of contemporary threats, or is he or she too busy dodging mail service failure episodes to look outside the mail center?

Protecting the mail center

The first step is to define the playing field. Mail centers fall into two categories — mail services and production mail.

Mail services consist of receiving, sorting and internal distribution of incoming and internally circulating mail, plus the collection, metering and submission of outbound administrative mail to the U.S. Postal Service or an outside mail processing service provider. Mail service organizations are commonplace. They exist wherever a large number of employees receive and generate office mail.

Production mail is defined as a mail manufacturing process that generates in excess of 50,000 pieces of outbound mail per day. Production mail operations are less frequent, but are far larger in size. They only exist where the enterprise has a requirement to communicate with large sets of mail recipients such as customers, account holders, members and prospects on a regular basis. The 50,000-piece threshold is determined by having one million names in a master file to which the company mails monthly, assuming a 20-day work month.

The secret to conducting a successful security audit for any mail center operation is to focus on the most likely risks as opposed to understanding the details of the operation. The mail center staff and management will be tempted to dwell on the details, since their performance is measured in terms of mail pieces, production rates, sorting accuracy, delivery times and other facts. A successful security audit and/or risk assessment of a large and active mail center can be accomplished by focusing on the following five areas:

• Mail Center Personnel

  The enterprise is at risk based on the hiring practices, training and supervision of mail center personnel. All candidates should be carefully screened, since these workers will have access to vital corporate mail streams and possibly negotiable documents such as checks, coupons and credit cards. Careless selection of entry-level positions will surely lead to trouble, often in ways that are difficult to discover. The mail center workers are also at risk due to the automated machinery, heavy lifting, tripping hazards, elevator accidents and hazardous substances in the mail.

• Internal Mail Recipients

  The principal risk for internal mail recipients is an exposure to hazardous substances in the mail. The anthrax attacks of 2001 followed by an ongoing concern over terrorism have prompted corporations to take special precautions regarding the possibility of hazardous substances in the mail. Most large corporations have invested in bulk scanning equipment capable of detecting metal and foreign objects, but not biohazards. Even fewer have invested in biohazard detection and/or remediation equipment.

  A small but growing market has emerged whereby a host organization can outsource the receipt and digital scanning of the contents of incoming mail, which is then communicated electronically to the intended recipient, often using an internal network. In this digital mailroom scenario, the internal recipient is never exposed to the physical mail.

  Fortunately, the Postal Service has invested heavily in high-capacity biohazard detection equipment, positioning it at all major mail processing facilities. As a result, the USPS will likely detect, react and communicate the presence of a biohazard long before it ever reaches a corporate mail center.

• The Mail Flow

  The mail center is responsible for the expeditious and accurate distribution of paper-based mail and parcels. As such, its employees have a vested interest in meeting predetermined delivery schedules. Slow mail, stale mail, misdirected mail, unwanted mail and returned mail represent pesky challenges for a busy mail center. Anything that impedes the completion of its rounds is considered a threat to its performance rating. As a result, safety and security are sometimes compromised for the sake of ending the day with an empty mail center. Security auditors should look for the following security risks:

  • Are mail carts left unattended during mail runs, while on break or at lunch?

  • Is it possible for office workers and visitors to see, steal, divert or borrow mail as it is being distributed?

  • Is unprocessed incoming mail being left in the hallways overnight?

  • If mail is transported from one building to another, is it secure, covered and unable to fall from the transporting vehicle?

  • Does the delivery van driver lock the vehicle as pickups and deliveries are made at the Post Office, the bank, the credit bureau or elsewhere?

  • Are centralized mail collection boxes or mail slots secure enough to prevent the removal of mail by unauthorized persons?

  • Is the mail center secure? Can other office workers enter the mail center at will, either to visit the staff or to retrieve their own mail? Is the mail center locked overnight?

  • Does the mail center have an automated “accountable mail” system for receiving, recording and tracking the movement and ultimate delivery of express items (e.g., Express Mail, FedEx, UPS, DHL, etc.)? If the mail center receives more then 75 “accountable” items per day and tracks them using manual methods, then they are at risk for losing business-critical items, taking too long to confirm arrivals and suffering from an error-prone process.

• Postage Consumption

  A postage meter or a postage storage device (PSD) is actually a vault containing a negotiable corporate resource, namely postage. The mail center manager should be intently concerned about the amount of postage being evidenced on each and every mailpiece. In his world, the difference between full-rate postage and a properly calculated USPS discounted rate is critical to the department's performance. In addition, the ability to accurately cross-charge the consumption of postage to the proper department is also a critical success factor.

  To a security auditor, the only thing that should matter is that postage is only consumed for legitimate corporate purposes. Meter fraud occurs when an unscrupulous employee uses the equipment for personal reasons. Postage meters have been known to go home at night or over the weekend where they fuel the postage requirements of personal activities.

• Hazardous Materials Procedures

  The mail center manager and the security officer should recognize that every incoming mail center is at risk for receiving hazardous letters and parcels. Major firms with popular name recognition and large populations of employees are considered likely targets. Small mail centers are still at risk due to the random nature of terrorist activity and the more likely antics of a malicious disgruntled employee.

Security auditors should ensure that the mail center staff and supervision are alert and fully trained on the proper procedures for dealing with suspicious mail. They should have the USPS “Suspicious Mail” Poster #84 dated March 2003 conspicuously posted, which includes valuable tips on spotting suspicious mail. Also refer to USPS “Mail Center Security Guide,” Publication 166 dated September 2002, available from their Web site, www.usps.com for additional precautions.

Mail center security is a serious business, so serious it requires the full attention and cooperation of both the mail center and security management. Effective communications can ensure improved results.

---

ABOUT THE AUTHOR

Richard W. Pavely, MSE, CQA is president of Corporate Management & Marketing Consultants Inc. of Randolph, N.J., a consultancy specializing in mail center auditing and process improvements. He can be reached at (973) 989-0229 or rpavely@cmmcinc.com.

Want to use this article? Click here for options!
© 2012 Penton Media Inc.

This month in Access Control

• Targeting The Customer
• Electronic Pedigrees
• One Hero Among Many
• Who? What? When? Where? Why?
• More from September's issue