350R92007
       Computer Systems Integrity
   EPA Must Fully Address Longstanding
Information Resources Management Problems



    UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
    WASHINGTON, D.C. 20460
    SEP 28 1992
    THE INSPECTOR GENERAL
MEMORANDUM

SUBJECT:  Report of Audit—COMPUTER SYSTEMS INTEGRITY:
          EPA Must Fully Address Longstanding Information
          Resources Management Problems
          Audit Report No. E1NMF1-15-0032-2100641

TO:       William K. Reilly
          Administrator

     Attached is the final report entitled "COMPUTER SYSTEMS
INTEGRITY: EPA Must Fully Address Longstanding Information
Resources Management Problems."  This audit was part of Task 3 of
the President's Council on Integrity and Efficiency's  (PCIE's)
Computer Systems Integrity Project, which was performed at EPA
and 10 other Federal agencies.  That PCIE project is a series of
subprojects or tasks, designed to assess the integrity of Federal
computer systems and develop Governmentwide recommendations for
improving operations affecting computer systems integrity.  The
report contains important findings and recommendations regarding
these areas, which will be consolidated in a Governmentwide
report to the Office of Management and Budget (OMB) and other
Federal oversight agencies.

     This report demonstrates that despite 50 Office of Inspector
General (OIG), General Accounting Office, and General Services
Administration reports and testimonies over the past 12 years
criticizing IRM within EPA, the Agency still has not adequately
addressed many of the basic issues in those reports.  As a
result, continuing IRM weaknesses contribute to: (1) EPA's
inability to accomplish its cross-media mission; (2) significant
cost overruns and delays in developing and implementing
information systems; (3) development of duplicate information
systems; (4) failure to economically manage mainframe storage
devices; and (5) exposure of the Agency to unnecessary risk by
providing the means for unethical users to access the Agency's
most sensitive information systems, including the payroll system,
and conduct unauthorized activities with little fear of
detection.  In our opinion, the IRM program weaknesses identified
in this report meet OMB's and EPA's materiality criteria for
reporting to the President and Congress in conjunction with OMB
Circular A-123 and the Federal Managers' Financial Integrity Act
(FMFIA).

     This audit report contains findings that describe problems
the OIG has identified and corrective actions the OIG recommends.
This report represents the opinion of the OIG.  Final
determinations on matters in this report will be made by EPA
managers in accordance with established EPA audit resolution
procedures.  Accordingly, the findings described in this report
do not necessarily represent the final EPA position.

     Because this report recommends specific action which must by
law be taken by the Head of the Agency, we have addressed this
report directly to you.  You may designate an appropriate action
official to oversee the corrective actions being taken to resolve
the findings raised in this report.  This official, in accordance
with EPA Order 2750, is required to provide this office a written
response to the audit report within 90 days of the final report
date.  For corrective actions planned but not completed by the
response date, reference to specific milestone dates will assist
this office in deciding whether to close this report.  We have no
objections to the further release of this report to the public.

     We appreciate the positive response by the Assistant
Administrator for Administration and Resources Management to our
recommendations presented in the report and the many substantive
actions he and his staff have initiated to strengthen the
Agency's IRM infrastructure.  My staff and I look forward to
helping strengthen the Agency's IRM program.

     If your staff members have any questions or need additional
information regarding this report, please have them contact
Kenneth A. Konz, Assistant Inspector General for Audit at (202)
260-1106.
John C. Martin


EXECUTIVE SUMMARY
PURPOSE

Effective information resources management (IRM) is crucial
to EPA accomplishing its mission.  Vast amounts of data are
accumulated in Agency information systems, and used for such
things as management and scientific decision-making, and
reporting to Congress and the public.  In recent years, EPA
has spent hundreds of millions of dollars on information
systems and plans to spend like amounts in the future.  Due
to the dollars involved, and EPA's high dependency on
information systems to support its mission critical
functions, Congress has expressed great interest in EPA's
cross-media deficiencies in program information systems.
Congress has also proposed studies to improve accountability
and consistency by consolidating enforcement of environmental
laws and regulations in legislation to make EPA a cabinet
department.  Consequently, the Office of the Inspector
General (OIG), in conjunction with the President's Council on
Integrity and Efficiency (PCIE), performed an audit to
evaluate EPA's implementation of Federal computer system
integrity requirements.

This report is the third and final PCIE audit report on EPA's
implementation of computer system integrity requirements.
Two reports were previously issued under this PCIE project:
(1) a March 31, 1992, audit report entitled "CONTRACT
MANAGEMENT: EPA Needs To Strengthen The Acquisition Process
For ADP Support Services Contracts;" and (2)  a September 22,
1992, audit report entitled "SOFTWARE INTEGRITY: EPA Needs To
Strengthen General Controls Over System Software."
BACKGROUND

The need for a sound IRM infrastructure and efficient,
responsive information systems is critical to the Agency's
ability to provide objective, reliable, and understandable
information to help achieve its mission.  EPA is an
information-intensive Agency, and its information resources
are critical to the success of all the program activities.
EPA has over 500 information systems as well as computer
models which support its mission.
                           Report No.  E1NMF1-15-0032-2100641

During fiscal 1992, the Office of Management and Budget (OMB)
estimates that the Federal government will spend over $23.9
billion on information technology.  EPA ranks 17th among all
Federal agencies in information technology expenditures,
estimated at $287 million for fiscal 1992.  This is
approximately five times what EPA spent ($58 million) in 1982
for ADP resources.  EPA also ranks 18th among Federal
agencies in workyears supporting IRM activities, estimated at
848 for fiscal 1992.  This amount has more than doubled since
1982 (384 workyears).
RESULTS IN BRIEF

Despite 50 OIG, General Accounting Office (GAO), and General
Services Administration (GSA) reports and testimonies
criticizing EPA's IRM program over the last 12 years, the
Agency has not adequately addressed many of the basic issues
in those documents.  As a result, EPA is still hampered by
many of these problems.  These continuing problems contribute
to: (1) EPA's inability to accomplish its cross-media
mission; (2) significant cost overruns and delays in
developing and implementing information systems; (3) develop-
ment of duplicate information systems; (4) failure to
economically manage mainframe storage devices; and (5)
exposure of the Agency to unnecessary risk by providing the
means for unethical users to access the Agency's most
sensitive information systems—including the payroll system—
and conduct unauthorized activities with little fear of
detection.

EPA has not implemented certain fundamental management
practices in its IRM program.  There is a serious absence of
top management central direction and control, and the
decentralized nature of Agency operations has made it
extremely difficult to effectively manage IRM activities.
Specifically, we found that contrary to the requirements of
the Paperwork Reduction Act of 1980 (as amended), EPA has not
formally appointed a Designated Senior Official (DSO) for
IRM, and has fragmented IRM responsibilities between
different organizations with no clear lines of authority.
EPA has not developed certain key comprehensive, formal, and
authoritative IRM policies, standards, and procedures, and
does not have an integrated long-range planning/budgeting
process for IRM.  Further, EPA has not established a
comprehensive quality assurance program for major information
systems, and internal control reviews were not conducted on
15 of the Agency's 29 sensitive systems as required by
Federal law and regulations.  Finally, the Agency has not met
key minimum requirements of the Computer Security Act of 1987
and OMB Circular A-130 for establishing a comprehensive
Agencywide computer systems security program.

These weaknesses meet OMB's and EPA's materiality criteria
for reporting to the President and Congress in conjunction
with OMB Circular A-123 and the Federal Managers' Financial
Integrity Act (FMFIA).  Because IRM is so critical to the
success of all program activities, these weaknesses could
substantially impair the fulfillment of the Agency's mission,
significantly weaken safeguards against the waste and abuse
of EPA's funds, and reflect adversely on the management
integrity of the Agency, thereby diminishing EPA's
credibility and reputation.  As a result, we also reviewed
the FMFIA evaluation process for Office of Information
Resources Management (OIRM) and Office of Administration and
Resources Management-Research Triangle Park (OARM-RTP) to
determine why these weaknesses were not identified internally
(see Chapter 8).
PRINCIPAL FINDINGS

Top Management Involvement In IRM Is Needed

Considering the extent of IRM deficiencies identified in this
report and the 50 OIG, GAO, and GSA reports and testimonies
over the past 12 years criticizing IRM within EPA, continuing
top management attention and involvement in IRM is of prime
importance.  However, despite all of these problems and
requirements of the Paperwork Reduction Act: (1) EPA has
never formally designated a senior official for IRM (i.e.,
DSO); (2) EPA has fragmented the IRM responsibilities between
four organizations under two major Agency components, with no
clear lines of authority between them; and (3) actual IRM
authority has been informally delegated to too low an
organizational level to be fully effective.  In addition,
EPA's IRM Steering Committee does not provide sufficient
oversight and control over the IRM function.

The absence of top management central direction and control
has contributed to many serious deficiencies in how EPA
manages and uses its ADP resources.  Based on review of
available documentation and discussions with EPA officials,
we were unable to find why the DSO was not formally
designated by the Administrator or why EPA fragmented IRM
responsibilities and delegated IRM authority to the office
level.  However, it is our observation that the decentralized
nature of the Agency makes it difficult to centrally manage
the IRM function with the requisite authority.  Furthermore,
over the past 17 years the executive IRM Steering Committee
has evolved from a high-level decision-making body to a low
level advisory and assistance group.

Comprehensive IRM Policies,
Standards, And Procedures Are Needed

EPA has made some progress in establishing IRM policies,
standards, and procedures.  Since January 1977, EPA has
formally issued an Agencywide IRM policy manual, four
procedural directives, and four orders establishing
requirements for implementing the policies and standards of
OMB Circular A-130.  Collectively, these serve as a partial
basis for the management planning, control, and evaluation of
IRM activities within EPA.  In addition, at least 19 guidance
documents address IRM topics.  However, despite these
efforts, OIRM:  (1) has directives that are incomplete and
outdated; (2) has not developed certain key IRM standards;
and (3) has not made a distinction between formal or
mandatory policies, standards, and procedures, and informal
or optional guidance when issuing IRM documents.

Seventeen of the 50 OIG, GAO, and GSA reports and testimonies
since fiscal 1980 identified the magnitude of IRM problems
resulting from deficiencies in IRM policies, standards, and
procedures.  These problems adversely impacted the IRM
contract management process, information system development
and operations, and EPA's ability to accomplish its cross-
media mission.  Further, some IRM officials in Agency
components and individual program offices were developing
their own policies, standards, and procedures.

In addition to the lack of top management emphasis on the
establishment of formal IRM directives, the absence of a
comprehensive program was largely caused by the lack of
resources and other higher priorities.  Additionally, the
formal directive system was not always used, because OIRM
officials considered it too cumbersome and time consuming.
However, at the end of the audit OIRM officials stated that
they support the need for the formal review and clearance
process, and they plan to issue future guidance through it.

An Agencywide IRM Planning
Process Which Ties Into The
Budget Has Not Been Established

EPA has made some progress in establishing long-range IRM
planning.  In particular, EPA has developed an IRM strategic
framework and individual IRM-related plans to meet specific
needs.

However, the Agency has not established an integrated long-
range IRM planning and budgeting process to help acquire,
manage, and use its computer resources.  Specifically, OIRM
has neither prepared a 5-year Agencywide IRM plan which meets
Federal requirements nor enforced the requirements that
Agency components prepare and submit mission-based plans.

Sixteen of the 50 OIG, GAO, and GSA reports and testimonies
since fiscal 1980 addressed IRM problems which were
attributed to inadequate IRM planning at EPA.  The
significant problems include: (1) OIRM's inability to manage
Agency information resources; (2) Agency components' lack of
a sufficient mechanism to make information system funding
decisions, thus subjecting systems development projects to
funding shortages; (3) information systems being designed in
an independent and incremental fashion; and (4) development
of duplicate information systems.  Further, we found major
information system development efforts were not linked to the
budget request process which led to inaccurate and untimely
reporting to OMB.  Additionally, OIRM has spent additional
resources in meeting OMB requirements, which would otherwise
not have been necessary if a comprehensive IRM planning
process was in place.

In addition to the lack of top management attention and
commitment to IRM long-range planning, the absence of an
integrated long-range IRM planning/budgeting process can be
attributed to three other specific causes.  First, OIRM had
not dedicated sufficient staff to develop such a process.
Second, they had not prepared procedures and guidance on
mission-based IRM planning.  Finally, OIRM had not
established a mechanism to oversee and enforce the mission-
based planning policy.

A Comprehensive Quality Assurance Program
For Information Systems Is Needed

EPA has made some progress in establishing quality assurance
in its IRM activities.  In particular, EPA has implemented an
active IRM review program to improve the quality and
usefulness of its IRM activities.  However, the Agency has
not instituted a comprehensive quality assurance program for
information systems to ensure that its mission-critical
information systems operate effectively and accurately.
Specifically, EPA has not developed complete Agencywide
policy or procedures on information system quality assurance,
established a quality assurance entity for independently
reviewing and evaluating information systems, or provided
training in this area.

As a result, EPA has experienced serious data integrity and
software problems in its operational information systems.  To
correct these problems, EPA may have to retrofit the
software.  This can cost an estimated 100 times more for
information systems in operation than if changes were made
during system development.  Thirty-five of the 50 OIG, GAO,
and GSA reports and testimonies since fiscal 1980 identified
the magnitude of the quality assurance problems at EPA.
Significant problems included not following generally
accepted system development practices, deficiencies in
software management, and weaknesses in application software
test practices.  Furthermore, the absence of an Agencywide
program has resulted in 68 major EPA information systems not
being subjected to review by OIRM, and one Agency component
separately developing its own quality assurance program.

OIRM officials explained that they did not have the resources
to establish a full-time staff dedicated to information
system quality assurance.  Furthermore, the absence of a
program can be attributed, in part, to the lack of clear
Federal information system quality assurance guidance.

Internal Control Reviews Of Some Sensitive
Information Systems Security Controls
Have Not Been Performed

EPA has not conducted any reviews of 15 of the Agency's 29
sensitive systems (i.e., information systems and general
support systems) as required by OMB Circulars A-123, A-127,
and A-130.  Without conducting these reviews, EPA cannot
fully meet the provisions of the Paperwork Reduction and
Computer Security Acts regarding sensitive system
certifications, or provide reasonable assurance under FMFIA
that management controls for the Agency's systems are in
place, reviewed, and evaluated.  Moreover, if State, local,
and other Federal agencies do not have confidence that
sensitive systems are adequately protected, then their
willingness to supply requested data may be adversely
impacted.  This breakdown, in turn, may negatively impact
EPA's mission.  In addition, OIG and GAO have issued 16
reports since fiscal 1980 addressing serious internal control
problems in sensitive systems at EPA, including significant
system software control weaknesses at EPA's National Computer
Center (NCC).

The reasons why sensitive system reviews were not always
conducted were: (1) 17 of 29 sensitive systems were not
included in the Agency component event cycle documentation;
(2) detailed FMFIA instructions prepared annually did not
always cover sensitive systems; and (3) OIRM did not always
enforce/oversee the sensitive systems certification process.

EPA Has Not Established A Comprehensive
Computer Systems Security Program

EPA has made some progress in implementing the computer
systems security (i.e., computer and telecommunications
security) requirements of the Computer Security Act of 1987
and OMB Circular A-130.  For example, the Agency has
established and filled three security positions: a position
in OIRM responsible for developing and implementing an
Agencywide computer systems security program; another
position in OIRM to perform security functions within OIRM;
and a position in the National Data Processing Division
(NDPD) responsible for NCC hardware and systems software
security.  EPA has conducted various voluntary security
awareness training sessions for Agency officials over the
past two years.  Finally, EPA has maintained and periodically
tested a disaster recovery plan for EPA's three "highly
sensitive" systems at the Agency's backup computer site in
Cincinnati, Ohio.

However, despite eight OIG reports since 1988 criticizing
computer systems security within EPA, the Agency has not met
key minimum Federal requirements for the establishment of a
comprehensive Agencywide computer security program.
Specifically, the Agency has not: (1) completed required risk
analyses, security reviews, certifications, and updated
security plans for its sensitive information systems;
(2) completed an updated risk analysis for the NCC since
August 1986; and (3) established mandatory security awareness
training for officials involved in the management, use, or
operation of its sensitive computer systems.  As a result,
EPA has no assurance that its valuable and mission-critical
information resources are adequately protected from fraud,
abuse, and unauthorized manipulation.  These deficiencies
have occurred because EPA has not provided adequate mandatory
technical guidance for information technology installation
security, and has not provided information system owners
adequate mandatory technical guidance on selecting and
implementing security standards to be followed.  In addition,
the Agency has not fully assigned the computer systems
security responsibilities within the program offices to
effectively establish an Agencywide computer systems security
program.  Finally, OIRM has not established a mechanism to
oversee and enforce its information security program.
RECOMMENDATIONS

EPA needs to establish:  (1) top management controls and
attention over IRM;  (2) comprehensive, formal, and
authoritative IRM policies, standards, and procedures; (3) an
Agencywide IRM planning process which ties into the budget;
(4) a comprehensive quality assurance program for information
systems; (5) an internal control review program to provide
for periodic reviews of sensitive information system
controls; and (6) a comprehensive computer systems security
program.
AGENCY COMMENTS AND OIG EVALUATION

In a memorandum dated September 15, 1992, the Assistant
Administrator for Administration and Resources Management
responded to our draft report.  His response (see Appendix I)
consists of four parts: a transmittal memorandum summarizing
the Agency response and concerns; the detailed Agency
response to the draft audit report; Appendix A - Summary
Response Matrix; and Appendix B - Agency Response to OMB
Regarding Proposed Changes to OMB Circular A-130.  To provide
a balanced understanding of the issues, we have summarized
the Agency's position in appropriate locations throughout our
report.  We are addressing the transmittal letter memorandum
below and the recommendations at the end of each chapter.  We
have also commented on the detailed Agency response and its
key attachments in Appendix II.

In summary, the Agency fully agreed with all the findings and
recommendations and has taken a number of positive actions to
correct the deficiencies.  In six of the recommendations
where the proposed actions did not fully meet the intent of
our recommendations, we addressed our concerns in the
individual chapters.  In addition, the intent of our
recommendations in Chapters 2 and 4 was clarified in the
individual chapters, and at the formal exit conference.

In its response, the Office of Administration and Resources
Management (OARM) expressed concern that our report did not
fully reflect improvements in IRM.  We have noted all
relevant actions taken by OARM in areas addressed in our
report. However, some of the significant improvements listed
in the response are limited to actions within OIRM, which do
not address the problems on an Agencywide basis.
Additionally, most of the problems addressed in the report
are longstanding problems (12 years) which need to be
addressed across programs.  We agree that our recommendations
are difficult to implement because of the current
decentralized, separate, and distinct environmental programs.
However, IRM is set up on a centralized basis to support all
programs and the Paperwork Reduction Act requires that this
function be managed centrally.  Because of this structure, in
our view, OARM has a unique opportunity to be a leader in
promoting a cross-media focus on EPA systems and data.

The response indicated that many of the recommendations could
be directed to the DSO once the position is formalized, and
we agree.  However, until the position is formalized, the
Deputy Administrator should initiate actions requiring
Agencywide impacts and involvement (i.e., Chapters 2, 3, and
4).  We changed the action official to the Assistant
Administrator for Administration and Resources Management in
Chapters 5, 6, 7, and 8.  In our view, the Assistant
Administrator for Administration and Resources Management is
in a position to facilitate actions in these areas.
Nonetheless, all these areas would still be of concern to the
DSO once the position is formalized.

TABLE OF CONTENTS


                                                         Page

EXECUTIVE SUMMARY	   i

CHAPTER

  1  INTRODUCTION	   1

     PURPOSE	   1

     BACKGROUND	   1

     SCOPE AND METHODOLOGY.	   5

     PRIOR AUDIT COVERAGE.	   8

  2  TOP MANAGEMENT INVOLVEMENT IN IRM IS NEEDED		   9

     TOP MANAGEMENT CRITERIA FOR IRM ARE HELL
     ESTABLISHED	  10

     INADEQUATE IRM TOP MANAGEMENT CONTROLS
     AND ATTENTION	  11

     ADVERSE EFFECTS ON THE IRM PROGRAM WERE NUMEROUS	  16

     FACTORS CAUSING INADEQUATE IRM TOP MANAGEMENT
     INVOLVEMENT	  17

     CONCLUSIONS	  18

     RECOMMENDATIONS. .'		....  19
                                                   •»

     AGENCY COMMENTS AND OIG EVALUATION	  19

3    COMPREHENSIVE IRM POLICIES, STANDARDS, AND
     PROCEDURES ARE NEEDED	  21

     CONSIDERABLE FEDERAL AND AGENCY CRITERIA EXIST
     ON IRM POLICIES, STANDARDS, AND PROCEDURES.. .	  22

     IRM POLICIES, STANDARDS, AND PROCEDURES ARE NOT
     COMPREHENSIVE	  24
                           Report MO.  B1NMP1-15-0032-2100641

-------
                              Computer Bygt«a» integrity
ADVERSE EFFECTS ON THE IRM PROGRAM WERE NUMEROUS....  31

REASONS FOR NOT HAVING ADEQUATE POLICIES, STANDARDS
AND PROCEDURES	  33

CONCLUSIONS	  34

RECOMMENDATIONS	  35

AGENCY COMMENTS AND OIG EVALUATION	  35

AN AGENCYWIDE IRM PLANNING PROCESS WHICH
TIES INTO THE BUDGET HAS NOT BEEN
ESTABLISHED	  37

IRM PLANNING CRITERIA ARE WELL ESTABLISHED	  38

COMPREHENSIVE IRM PLANNING AND BUDGETING PROCESS
IS NEEDED	  39

IMPACT OF NOT HAVING A COMPREHENSIVE IRM PLANNING
AND BUDGETING PROCESS	  42

CAUSES OF INADEQUATE IRM PLANNING.	  45

CONCLUSIONS	  45

RECOMMENDATIONS	  46

AGENCY COMMENTS AND OIG EVALUATION	  46

THE QUALITY ASSURANCE PROGRAM FOR INFORMATION
SYSTEMS NEEDS IMPROVEMENT	  49

INFORMATION SYSTEM REQUIREMENTS FOR OVERSIGHT
AND ENFORCEMENT	...  50

A COMPREHENSIVE QUALITY ASSURANCE PROGRAM FOR
INFORMATION SYSTEMS IS NEEDED	  52

SERIOUS DATA INTEGRITY AND SOFTWARE PROBLEMS EXIST..  54

REASONS WHY A COMPREHENSIVE QUALITY ASSURANCE
PROGRAM DOES NOT EXIST. .	 .  56

CONCLUSIONS	  57
                      Report HO.  E1NMP1-15-0032-2100641

-------
                                 Computer Systems integrity
   RECOMMENDATION	   57

   AGENCY COMMENTS AND OIG EVALUATION	   58

   INTERNAL CONTROL REVIEWS OF SOME SENSITIVE
   INFORMATION SYSTEMS HAVE NOT BEEN PERFORMED	   59

   FEDERAL AND AGENCY REQUIREMENTS ON INTERNAL CONTROLS
   FOR INFORMATION SYSTEMS.	   59

   INTERNAL CONTROL REVIEWS NOT PERFORMED	   62

   INSUFFICIENT BASIS FOR PROVIDING REASONABLE
   ASSURANCE FOR SENSITIVE INFORMATION SYSTEMS
   SECURITY CONTROLS	   62

   REASONS FOR NOT PERFORMING SENSITIVE INFORMATION
   SYSTEM REVIEWS	   63

   CONCLUSIONS	   64

   RECOMMENDATIONS	   64

   AGENCY COMMENTS AND OIG EVALUATION	   65

'   EPA HAS NOT ESTABLISHED A COMPREHENSIVE COMPUTER
   SYSTEMS SECURITY PROGRAM	   67

   FEDERAL SECURITY REQUIREMENTS.	   68

   EPA HAS NOT IMPLEMENTED SECURITY REQUIREMENTS........   70

   EPA HAS LITTLE ASSURANCE SYSTEMS ARE ADEQUATELY
   PROTECTED.	   72

   EPA HAS NOT PROVIDED TECHNICAL GUIDANCE	   73

   CONCLUSIONS	   74

   RECOMMENDATIONS	   75

   AGENCY COMMENTS AND OIG EVALUATION	'.	   75

8  OARM'S FMFIA PROCESS DOES NOT  SUFFICIENTLY ADDRESS
   THE RISKS ASSOCIATED WITH CRITICAL IRM PROCESSES....   77

   CONCLUSION	   78
                         Report Ho.  BUOCF1-15-OOM-2100641

-------
                                   Computer 8yst«a« Integrity
     RECOMMENDATIONS	   79

     AGENCY COMMENTS AND 016 EVALUATION	   79

APPENDIXES

     APPENDIX  I:   AGENCY COMMENTS	   81

     APPENDIX II:   OIG EVALUATION OF AGENCY COMMENTS	  119

     APPENDIX III:  OFFICE OF POLICY, PLANNING, AND
                    EVALUATION ORGANIZATION CHART	  123

     APPENDIX IV:   OFFICE OF ADMINISTRATION AND
                    RESOURCES MANAGEMENT ORGANIZATION
                    CHART	  125

     APPENDIX V:    SUMMARY OF OIG, GAO, AND GSA
                    REPORTS AND TESTIMONIES ISSUED
                    SINCE FISCAL 1980 CITING IRM
                    PROBLEMS AT EPA	  127

     APPENDIX VI:   OIG, GAO, AND GSA REPORTS AND
                    TESTIMONIES ISSUED SINCE FISCAL 1980
                    CITING IRM PROBLEMS AT EPA.		  129

     APPENDIX VII:  OFFICES WITH RESPONSIBILITIES UNDER
                    THE PAPERWORK REDUCTION ACT OF 1980
                    (AS AMENDED)	  135

     APPENDIX VIII: FRAGMENTATION OF PAPERWORK REDUCTION
                    ACT (AS AMENDED) RESPONSIBILITIES....  137

     APPENDIX IX:   OIRM/NDPD IRM POLICIES, STANDARDS,
                    PROCEDURES, AND GUIDANCE	  139

     APPENDIX X:    OIRM'S LISTING OF IRM POLICY,
                    GUIDANCE AND STANDARDS INITIATIVES...  143

     APPENDIX XI:   IRM PLANNING EFFORTS UNDERTAKEN
                    BY EPA	  145

     APPENDIX XII:  SUMMARY OF IRM REVIEWS PERFORMED FROM
                    FISCAL 1989 TO 1991	  147

     APPENDIX XIII: GLOSSARY OF TERMS USED IN THE
                    FMFIA PROCESS	  149
                           Report HO.  B1NMF1-15-0032-2100641

-------
                              Computer 8y»t«M Integrity
     APPENDIX XIV:  STATISTICS FOR SENSITIVE INFORMATION
                    SYSTEMS	  151

     APPENDIX XV:   SECURITY PROGRAM STATUS FOR
                    SENSITIVE INFORMATION SYSTEMS AS OF
                    JUNE 30, 1992	  153

     APPENDIX XVI:  GLOSSARY OF ACRONYMS AND
                    ABBREVIATIONS	  155

     APPENDIX XVII: DISTRIBUTION	  157
                          CHAPTER 1

                         INTRODUCTION

PURPOSE

Effective IRM is crucial to EPA accomplishing its mission.
Vast amounts of data are accumulated in Agency information
systems, and used for such things as management and
scientific decision-making, and reporting to Congress and the
public.  In recent years, EPA has spent hundreds of millions
of dollars on information systems and plans to spend like
amounts in the future.  Due to the dollars involved and EPA's
dependency on information systems, Congress has expressed
great interest in EPA's cross-media deficiencies in program
information systems.  Congress has also proposed studies to
improve accountability and consistency by consolidating
enforcement of environmental laws and regulations in
legislation to make EPA a cabinet department.  The OIG, in
conjunction with the PCIE Computer Committee-sponsored
project, performed an audit to evaluate EPA's implementation
of Federal computer system integrity requirements.

This report is the third and final PCIE audit report on EPA's
implementation of computer system integrity requirements.
Two reports were previously issued under this PCIE project:
(1) a March 31, 1992, audit report entitled "CONTRACT
MANAGEMENT: EPA Needs To Strengthen The Acquisition Process
For ADP Support Services Contracts;" and (2) a September 22,
1992, audit report entitled "SOFTWARE INTEGRITY: EPA Needs To
Strengthen General Controls Over System Software."
BACKGROUND

EPA is a regulatory Agency statutorily responsible for
establishing and enforcing environmental standards.  In
recent years, the Agency has been charged with mounting an
integrated, coordinated attack on the environmental problems
of air and water pollution, solid waste management,
pesticides, radiation, noise, and toxic substances.  EPA's
mission of protecting health and the environment depends on a
wide range of individuals within and outside the Agency
having access to data in order to make informed decisions.
The need for a sound IRM infrastructure and efficient,
responsive information systems is critical to the Agency's
ability to provide objective, reliable, and understandable
information to help achieve its mission.  EPA is an
information-intensive Agency, and its information resources
are critical to the success of all the program activities.
EPA has over 500 information systems as well as computer
models which support its mission.

For instance, major information systems provide data:

     — on nationwide air pollution and water quality;

     — on management and oversight of the Superfund program;

     — to track and report on Agency financial management;

     — for computerized models designed to evaluate acid
     rain and emissions; and

     — on the effects of pesticides and toxic substances on
     humans and the environment.

The Federal government as a whole has been making significant
investments in IRM activities over the last decade.  During
fiscal 1992 alone, OMB estimates that the Federal government
will spend over $23.9 billion on information technology.  EPA
ranks 17th among Federal agencies in information technology
expenditures, estimated at $287 million for fiscal 1992.
This is approximately five times what EPA spent ($57 million)
in 1982 for ADP resources.  Figure 1 shows the actual IRM
obligations reported by EPA to OMB over the last 10 years and
projected obligations for fiscals 1992 and 1993.
       EPA's IRM Obligations Reported to OMB
                   Fiscal 1982 - 1993
       [bar chart by fiscal year, 1982 through 1993; image not reproduced in this text]
                          Figure 1
During fiscal 1992, OMB estimates that the Federal government
will use over 120,000 workyears for IRM-related activities.
EPA ranks 18th among Federal agencies in these workyears,
estimated at 848 for fiscal 1992.  This amount has more  than
doubled since 1982 (384 workyears).

Figure 2 shows the actual workyears reported by EPA  to OMB
over the last 10 years and projected workyears for fiscals
1992 and 1993.
       EPA's IRM Workyears Reported to OMB
                   Fiscal 1982 - 1993
       [bar chart by fiscal year, 1982 through 1993, workyears on the vertical axis; image not reproduced in this text]
                          Figure 2
IRM Organization
Implementing the Agency's Paperwork Reduction Act
responsibilities, which includes IRM, is primarily shared by
the Office of Policy, Planning, and Evaluation (OPPE)  and the
OARM.  The Assistant Administrator for Policy, Planning,  and
Evaluation acts as the senior official responsible for
directing and overseeing the Agency's activities under the
Paperwork Reduction Act.

OPPE's Office of Regulatory Management and Evaluation (ORME)
has the primary functional responsibility to evaluate
information collection request/activities and data uses.
(See Appendix III for OPPE's organization chart.)  Within
OARM, IRM responsibilities are shared by several offices.
OIRM has  primary functional responsibility for the
development of  IRM policy and overall management of the
Agency's IRM program.  OARM-RTP has functional responsibility
for  the acquisition, management,  and operation of ADP
resources including telecommunications services,  and has
assigned  these  functions to the NDPD.   OARM-Cincinnati
maintains the national  disaster recovery site for the Agency
mainframe computer systems and has assigned this function to
its IRM division.  (See Appendix IV for OARM's organization
chart.)   In addition, the Agency has created an IRM Steering
Committee chaired by the Director, OIRM and comprised of 22
senior officials (i.e., primarily Office and Division
Directors). The committee is chartered to advise the Deputy
Administrator on matters of IRM policy and on improvements in
the  responsiveness and  efficiency of EPA's IRM programs and
operations.

EPA  senior managers (i.e., Assistant Administrators,
Associate Administrators, Regional Administrators, Heads of
Headquarters Staff Offices, the General Counsel and the
Inspector General)  are  responsible for ensuring that IRM
activities carried out  by their organizations comply with
Federal and EPA IRM policies and regulations.  To assist in
meeting these responsibilities 22 Senior IRM Officials
 (SIRMO's) were  appointed and are responsible for directing
and  managing their offices' information planning and ensuring
that information system and technology acquisitions within
their organizations comply with Federal regulations and EPA
policy.
SCOPE AND METHODOLOGY

The primary focus of this review was on EPA's major IRM
management functions and responsibilities.  The audit field
work was performed from June 1991 to July 1992, primarily at
EPA Headquarters, Washington, DC; NDPD, RTP, NC; two EPA
regional offices in Philadelphia and Atlanta; three EPA
laboratories (Atmospheric Research and Exposure Assessment
Laboratory, RTP, NC; Chesapeake Bay Program, Annapolis, MD;
and Environmental Research Lab, Athens, GA); the Office of
Air Quality Planning and Standards, Durham, NC; and the
Information Resources Management Division (IRMD) in
Cincinnati, OH.

The overall objective of the audit was to evaluate the
effectiveness of the Agency's compliance with OMB Circulars


A-123, A-127, and A-130 requirements from an ADP perspective.
This audit specifically addressed the Agency's compliance
with requirements in the areas of IRM organizational
structure; policies, standards and procedures; IRM planning
and budgeting; quality assurance; internal controls; and
security.

To accomplish our objective, we reviewed the following.

     The Paperwork Reduction Act of 1980 and its legislative
     history; the Paperwork Reduction Reauthorization Act of
     1986; the Computer Security Act of 1987; FMFIA; detailed
     requirements of OMB Circulars A-11, A-123, A-127, A-130,
     and A-132; OMB Bulletins 88-16, 90-08, and 91-10; the
     Federal Information Resources Management Regulations
     (FIRMR); Federal Information Processing Standards (FIPS)
     Publications; and GAO's guide entitled "Evaluating
     Internal Controls in Computer-Based Systems."

     EPA Directive 1100 on EPA's mission and functions;
     Directive 1200 on delegation of responsibilities;
     Directive 2100 on IRM policies; past and current EPA
     organizational charts; IRM Steering Committee minutes
     and charters since 1985; proposed legislation and GAO
     testimony on EPA cabinet status and Chief Information
     Resources Officer (CIRO); and the June 1992 draft and
     final reports on Contracts Management at EPA—"Managing
     Our Mission" issued by EPA's Standing Committee on
     Contract Management.

     Formal EPA IRM policies, standards, and procedures
     issued under Directive 1315 since 1977; OIRM and NDPD
     IRM guidance documents; Directive 1315 on EPA's formal
     directive system; EPA Acquisition Regulations (EPAAR)
     sections on IRM; minutes of task group meetings on IRM
     policy and procedures; and Office of Solid Waste and
     Emergency Response's (OSWER) Directive 9028, and its
     quality assurance process for information systems and
     review results.

     IRM Strategic Plan 1991-1995 and other IRM plans from
     locations we visited; OMB's 1991 Information Resources
     Management Plan of the Federal Government, and the EPA
     special exhibits 43A, B, and C since 1984 submitted to
     OMB; EPA's contract regarding the IRM strategic plan
     update; and four contracts on the Office of Research and
     Development's (ORD) modernization effort.


     OIRM's synopses of IRM reviews conducted in fiscal years
     1989 to 1991 under the GSA Triennial Review Program; and
     a National Archives and Records Administration report
     issued in February 1992 on EPA records management.

     EPA Order 1000.24 and EPA Resources Management Directive
     2560 on internal controls; EPA Resources Management
     Directive 2580 on financial management systems; and
     EPA's "Internal Control Guidance for Managers and
     Coordinators."

     EPA FMFIA documentation including management control
     plans (MCP); assessable unit assurance letters; internal
     control reviews (ICRs) and alternate internal control
     reviews (AICRs) from fiscal years 1989 to 1991; FMFIA
     instructions provided from 1990 through 1992; event
     cycle documentation; and EPA's 1990 and 1991 annual
     assurance letters to the President and Congress.

     EPA's sensitive system security plans as of January
     1991; risk analyses, certifications, and updated
     security plans for EPA's sensitive systems as of June
     1992; security awareness training documents; EPA's
     disaster recovery plan; and OMB Executive briefing
     documents on EPA's Information Security Program prepared
     by OIRM.

We interviewed senior OIRM officials, OPPE officials in the
Regulatory Management Division, and NDPD officials.  Other
IRM officials we spoke to included Headquarters SIRMOs, IRM
Steering Committee members, and regional, lab and program
officials involved in IRM matters.  Position descriptions of
these officials were reviewed, as appropriate.  Further, we
discussed IRM delegation and policy matters with OARM's
Management and Organization Division (MOD).  We also
contacted internal control coordinators on FMFIA issues and
system managers on security matters.  We spoke to OMB and GSA
officials to obtain the status of revisions to OMB Circulars,
and to clarify the Agency's responsibilities under the
Paperwork Reduction Act and FIRMR.  Additionally, we
interviewed GSA officials and examined evidence supporting
GSA's 1991 report on IRM and procurement.  In addition, we
examined 50 prior OIG, GAO, and GSA reports and testimonies
issued since fiscal 1980 addressing Agency IRM problems.

We conducted this audit in accordance with Government
Auditing Standards  (1988 revision) issued by the Comptroller


General of the United States.  Our audit included tests of
management and related internal controls, policies,
standards, and procedures specifically related to the audit
objectives.  We did not report on the OIG's IRM activities
(e.g., IRM planning, FMFIA, and security) during this audit
because it would violate the auditing standard on
independence.  Because this review disclosed material
weaknesses related to EPA's IRM program, we also reviewed the
FMFIA evaluation process for OIRM and OARM-RTP to determine
why these weaknesses were not identified internally (see
Chapter 8).  No other issues came to our attention which we
believed were significant enough to warrant expanding the
scope of this audit.
PRIOR AUDIT COVERAGE

EPA has a longstanding history of numerous IRM problems
identified in 50 prior OIG, GAO, and GSA reports and
testimonies.  This audit identified problems in IRM
management functions and its effects on EPA's IRM program,
which are similar to problems discussed in prior reports.
Appendix V addresses problems cited in the prior
reports/testimonies which relate to this report's chapters,
and Appendix VI lists the corresponding report/testimony
titles and dates.  Although EPA implemented some aspects of
the recommendations made in these prior reports, these
actions have not corrected the fundamental weaknesses in its
IRM program.  The following chapters of this report discuss
the status of these weaknesses.
                          CHAPTER 2

         TOP MANAGEMENT INVOLVEMENT IN IRM IS NEEDED


Considering the extent of IRM deficiencies identified in this
report and the 50 OIG, GAO, and GSA reports and testimonies
over the past 12 years criticizing IRM within EPA (see
Appendix V), continuing top management attention to and
involvement in IRM is of prime importance.  However, despite
all of these reports and testimonies and Paperwork Reduction
Act requirements, EPA has not provided effective top
management direction and control to its IRM program.  For
example, EPA has never formally designated a senior official
for IRM (i.e., DSO).  EPA has fragmented the IRM
responsibilities between four organizations under two major
Agency components, and has not established clear lines of
authority between them.  Further, EPA has informally
delegated actual IRM authority to too low an organizational
level to be fully effective.  Finally, EPA's executive IRM
Steering Committee does not provide sufficient oversight and
control over the IRM function.

The absence of top management central direction and control
has contributed to many serious deficiencies regarding how
EPA manages and uses its ADP resources.  Although EPA has
taken some corrective action on these various reports, our
review showed that problems identified since fiscal 1980
still hamper EPA.  Many of these deficiencies are dealt with
in the two reports previously issued under this PCIE review,
a March 1992 report on IRM contract management, and a
September 1992 report on general controls at EPA's NCC.  The
remaining deficiencies are addressed in the subsequent
chapters of this report.

From our research of documents and discussions with EPA
officials we were unable to determine why the Administrator
never formally designated a DSO, or why EPA fragmented IRM
responsibilities and delegated IRM authority to the office
level.  However, it is our observation that the decentralized
nature of the Agency makes it difficult to centrally manage
the IRM function with the requisite authority.  Furthermore,
over the past seventeen years the IRM Steering Committee has
evolved from a high level decision-making body to a lower
level advisory and assistance group.  A senior IRM official
told us that, other than the Deputy Administrator, there
would be little interest on the part of top management to
participate in an executive level IRM Steering Committee.
TOP MANAGEMENT CRITERIA
FOR IRM ARE WELL ESTABLISHED

The Paperwork Reduction Act of 1980 (as amended) requires
Federal agencies to integrate and establish accountability
for their IRM activities.  The Act states that the head of
each agency shall designate a "senior official" who will
"report directly" to the "agency head" in carrying out the
responsibilities of the Act.  The Act's legislative history
indicated the intended structure was to place IRM functions
under the jurisdiction of the DSO, and give the DSO final
authority over the functions.  Also, the legislative history
indicated that sub-components may be created under the DSO as
necessary to meet the operating needs of the agency, as long
as the components report directly to,  and are under the
direction of, the DSO.  The basic reason for the DSO
organization is so IRM matters could be dealt with from an
agencywide mission standpoint versus an individual program
basis.  In implementing the Act, OMB intended that the DSO
have a substantial, personal, daily involvement in the
management of the agency's information resources.  Pursuant
to the Act, OMB Circular A-130 requires that an official be
designated to carry out the Act's responsibilities.  The
designation of the official is intended to assure clear
accountability for setting policy for agency IRM activities,
provide greater coordination among the agency's information
activities, and ensure greater visibility of such activities
within the agency.

GAO guidance, entitled "Evaluating Internal Controls in
Computer-Based Systems," recommends that a steering committee be
established so that top management could exercise sufficient
controls over the ADP support function.  The guidance
recommends that the steering committee assist in:
(1) establishing agencywide policies for data processing systems;
(2) approving short- and long-range plans to develop and
implement new systems; (3) evaluating the need for new
computer equipment; (4) ensuring that new equipment is
acquired in the most economical and expeditious manner; and
(5) ensuring that major recommendations made by both internal
and external audit groups are fully implemented.  Likewise,
GSA's Information Systems Planning Handbook recommends
establishing a steering committee in each Federal agency.  It


provides that the committee's role would be to serve as a
permanent advisory and policy setting body.  Two of its
functions are to ensure that the organization's missions,
goals, and objectives are properly reflected in IRM planning
and that approved IRM activities are accomplished as
scheduled.

In June 1991, Senate Report 102-82, accompanying a bill
(S.533) to create a cabinet level Department of the
Environment, addressed the need for central direction and
control of IRM activities in EPA.  Specifically, the proposed
legislation provides for the designation of a CIRO whose
responsibility shall include IRM functions under the
Paperwork Reduction Act.  Further, the GAO, based on reviews
of IRM systems, strongly endorsed the designation of an EPA
CIRO in its February 1990 testimony before Congress.  The
testimony further concluded that, even if EPA was elevated to
cabinet status, several organizational and management
problems would remain to be addressed.  These include the
need for better management information systems and internal
controls.
IRM NEEDS TOP MANAGEMENT
CONTROLS AND ATTENTION

Considering the extent of IRM deficiencies identified in this
report and the 50 OIG, GAO, and GSA reports and testimonies
over the past 12 years criticizing IRM within EPA, continuing
top management attention to and involvement in IRM is of
prime importance.  However, despite all of these reports and
testimonies and Paperwork Reduction Act requirements, EPA has
not provided effective top management direction and control
over its IRM program.  For example, EPA has never formally
designated a senior official for IRM.  EPA has fragmented the
IRM responsibilities between four organizations under two
major Agency components, and has not established clear lines
of authority between them.  Further, EPA has informally
delegated actual IRM authority to too low an organizational
level to be fully effective.  Finally, EPA's IRM Steering
Committee does not provide sufficient oversight and control
over the IRM function.

DSO Not Formally Designated

Contrary to Paperwork Reduction Act requirements we found no
formal designation of an Agency senior official for IRM


(i.e., DSO).  However, in practice, the Assistant
Administrator for Policy, Planning, and Evaluation is
recognized as the Agency DSO based on our discussions with
Agency officials and on our review of prior GAO and GSA
reports.  In addition, Directive 2100, IRM Policy Manual,
states that the Assistant Administrator for Policy, Planning,
and Evaluation is the Agency DSO.  Nevertheless, we found no
mention of the DSO in Directive 1100, Organization and
Functions Manual, and Directive 1200, Delegation Manual,
which are the Agency's formal authoritative organizational
directives.

Furthermore, the Paperwork Reduction Act intended to assign
accountability by establishing a single individual with a
clear mandate to carry out the responsibilities of the Act.
However, EPA's informally recognized DSO has limited
involvement and influence in overall IRM at EPA.  In fact,
OIRM, under the Assistant Administrator for Administration
and Resources Management, has the majority of the Act's
responsibilities.

We surveyed 12 departments/agencies as of July 1992,
including 10 participating in this PCIE project, to determine
their IRM organization hierarchy.  In all cases, we found
that an official at the Assistant Secretary or Assistant
Administrator level had been formally designated as the
senior official for IRM.

Fragmentation Of Responsibilities And Unclear
Lines Of Authority

Contrary to the intent of Paperwork Reduction Act, EPA has
fragmented the primary IRM responsibilities and authority
between four organizations (ORME, OIRM, OARM-RTP and OARM-
Cincinnati) under two Assistant Administrators (OPPE and
OARM).  (See Appendixes VII and VIII.)  For example, ORME
evaluates and reviews all Agency information collection
requests and activities, and evaluates Agency management and
uses of data for decision-making.  OIRM has the primary
functional responsibility for IRM policy development and
overall management of the Agency's IRM program.  OARM-RTP has
the functional responsibility for the acquisition,
management, and operation of ADP resources including
telecommunications resources.  Finally, OARM-Cincinnati has
the functional responsibility to maintain the Agency's
disaster recovery facility.
Although the four offices cooperate with one another on
primary IRM matters, lines of authority for IRM matters are
fragmented.  Specifically, ORME reports to the Assistant
Administrator for Policy, Planning and Evaluation.  This is
separate from OIRM, OARM-Cincinnati and OARM-RTP, each of
which reports to the Assistant Administrator for
Administration and Resources Management.  OARM has further
split major IRM responsibilities among other sub-
organizations which are not in the direct chain of command
with one another.  For example:

     Information Management and Services Division (IMSD),
     which reports directly to OIRM, has the major
     responsibilities for implementation of the Agencywide
     IRM program under Paperwork Reduction Act;

     NDPD, which reports directly to OARM-RTP, is responsible
     within the authority of OIRM for: (1) planning,
     oversight, management, operation, and acquisition of all
     ADP resources in the Agency; and (2) computing and
     telecommunications services; and

     IRMD-Cincinnati, which reports directly to OARM-
     Cincinnati, is responsible for maintaining the Agency's
     disaster recovery facility for highly sensitive
     information systems.
OPPE officials stated that this structure parallels the
practical realities of the Agency and management officials'
backgrounds.  These officials maintained that it works
reasonably well.  However, the 1988 GAO report (Report No.
RCED-88-101) on this issue indicated that although the Act
allows agencies considerable freedom in organizing their IRM
functions, the structure within which IRM functions are
managed must be defined and, where delegations are issued,
clear lines of authority and responsibilities for each
function must be established.  Another GAO report
(RCED-92-107) dated April 1992 criticized the Agency's current
organization for enforcement.  It states that both House and
Senate bills to create a Cabinet Department of the
Environment call for a commission to examine and make
recommendations on a number of EPA organizational and
management issues.  GAO suggested that even if EPA remains an
Agency, the Administrator may wish to examine broad
organizational issues to improve its ability to adopt a more
integrated approach.  GSA's 1991 report entitled "Information
Resources Procurement, Management Review, Environmental


Protection Agency" also indicated that the organizational
separation of IRM activities in EPA could create problems in
the future.

OIRM's Authority Does Not Match Its Responsibilities

Although OIRM has been assigned the primary functional
responsibility for overall management of the IRM program, it
does not have sufficient authority to direct IRM in the
offices of the various Assistant and Regional Administrators.
Its placement in the organization is at a lower level than
these other offices.  We discussed this issue with IRM
Steering Committee officials, OIRM officials, and SIRMOs, who
made the following comments regarding OIRM's authority.

     One Steering Committee member indicated that "OIRM does
     not have the authority to ensure the effective and
     efficient management and use of information resources."
     He also indicated that "OIRM was not providing adequate
     direction and control due to its ambiguous mission."

     Five of the eight Headquarters SIRMOs we talked to had
     concerns about the correlation of OIRM's responsibili-
     ties and authority.  For example, one SIRMO believed
     that OIRM's reporting level placed them in a position of
     having responsibility—but insufficient authority—to
     direct program offices' information system development
     efforts.  In addition, two SIRMOs indicated that OIRM
     acts more as coordinators and advisors than as managers
     of information resources.

     Several key OIRM managers expressed widely divergent
     views on OIRM's structure.  One senior level OIRM
     manager believed that OIRM has the authority and
     responsibility for IRM, but does not exercise its full
     authority.  Another OIRM manager acknowledged that ADP
     management is dispersed within the Agency and believed
     that OIRM does not have the required authority to ensure
     the effective and efficient use of information
     resources.  In addition, two other OIRM managers
     indicated that they consider their role to be one of
     advisors or consultants for the program offices; and one
     of these officials does not feel responsible for
     managing ADP activities across organizational lines.

We concluded that the Director, OIRM, who, in effect,
performs most of the functions of the DSO, cannot be


effective at the office level position because he does not
have direct access to the Administrator, and lacks influence
to direct program offices in Agencywide IRM activities.  For
example, in other agencies we surveyed, the DSO is at a high
enough level to be the direct representative of the Agency
head for IRM matters across all the Agency program areas and
has a direct chain of command in Paperwork Reduction Act
matters.

In addition, EPA's Standing Committee on Contract Management,
in its draft report on "Managing Our Mission" (dated June 17,
1992), reported many systemic Agency problems, two of which
parallel the IRM organizational concerns we have identified.
First, the report cites that "billions of dollars each year
flow through the Agency's business and financial organizations
and systems that support EPA's mission.  Yet, these
crucial business and resources management functions are
'buried' too deeply in the current structure and compete with
a large number of other functions.  This fosters a climate
where the Agency's business and financial functions cannot
command equal priority with technical program functions."
This parallels our concern about the organizational placement
of IRM responsibilities in OIRM.  Second, the Standing
Committee indicated that OPPE and OARM have fragmentation
problems related to audit followup.  The report further
stated that the existing mechanisms had not ensured that
effective corrective action was taken to remedy problems
identified in GAO or OIG audits.  Again, this is similar to
the OPPE/OARM fragmentation we identified related to the DSO
and overall IRM responsibilities.  The Standing Committee's
final report issued at the end of June 1992 indicated that
EPA has recently allocated additional resources to followup.

EPA's IRM Steering Committee Has Not Been An Effective
Decision-Making Body

 An IRM steering committee is an accepted method for top
 management to provide leadership and direction to ensure
 effective and efficient use of information resources.  EPA
 has an IRM Steering Committee which acts as an information
 exchange group rather than an effective decision-making body.
 Based on our review of the minutes of all 9 meetings during
 fiscal years 1985-1991, the Committee has only been actively
 involved in the decision-making related to 6 major IRM
 initiatives (e.g., IRM policy manual development, ADP
 modernization, and systems integration).  Although an
 additional 45 IRM activities were discussed at these meetings
 including such things as system operation and maintenance
 costs, cross-media data bases, planning IRM costs,
 mission-based planning, Integrated Financial Management
 System (IFMS) and Aerometric Information Retrieval System
 (AIRS), records management, and the Technical and Operational
 Support Services (TOSS) contract, the Committee did not take
 an active role to lead or direct these activities.

Furthermore, contrary to GAO's guidance, the IRM Steering
Committee has not been involved in: (1) approving many of the
new and existing major systems; (2) evaluating new ADP
equipment; (3) ensuring that the equipment is acquired in the
most economical way; and (4) ensuring that audit recommenda-
tions are implemented.  Additionally, no evidence exists in
the minutes that the Committee satisfied its 1985 charter
objectives to develop strategies and programs to ensure the
EPA and state managers possess the skills and knowledge
necessary in an IRM environment, and to ensure the
development and implementation of an adequate security
program.

The IRM Steering Committee members agree that they were not
addressing many major IRM initiatives.  For instance, one
official, who has been on the Committee since 1986, indicated
that the Committee does not carry out the IRM oversight role.
To this end, the official indicated that the Committee has
not reviewed any major acquisition or system development
projects, and did not formally review and approve the
implementation of the IRM strategic plan.  Another Committee
member indicated that the Committee does not routinely review
systems under development and/or acquisition projects within
the Agency (such as IFMS), or provide advice on policies and
significant IRM matters.

ADVERSE EFFECTS ON THE
IRM PROGRAM WERE NUMEROUS

The absence of top management central direction and control
has contributed to many serious deficiencies in how EPA
manages and uses its ADP resources.  Increased attention and
control is particularly important because of EPA's
significant growth and current investment in ADP resources.
Despite some actions that EPA has taken, our review showed
that problems identified since 1980 still hamper the Agency.
These deficiencies include:

—    a lack of adequate IRM policies, standards, and
     procedures (see Chapter 3);

—    an Agencywide IRM planning process which ties into the
     budget has not been established (see Chapter 4);

—    a comprehensive quality assurance program is needed (see
     Chapter 5);

—    internal control reviews were not performed to support
     all sensitive information system certifications (see
     Chapter 6); and

—    a comprehensive computer systems security program is
     needed (see Chapter 7).

Furthermore, our two most recent reports have cited:
(1) major deficiencies in the acquisition process for ADP
support services; and (2) system software weaknesses which
expose EPA mainframes to unnecessary risks through
unauthorized access.  Moreover, 48 other OIG, GAO, and GSA
reports and testimonies have been issued over the last decade
addressing IRM problems.  Appendix V presents a matrix
summarizing these longstanding IRM problems.

FACTORS CAUSING INADEQUATE IRM
TOP MANAGEMENT INVOLVEMENT

Based on our review of available documents and discussions
with EPA officials, we were unable to determine why the
Administrator never formally designated a DSO, or why EPA
fragmented IRM responsibilities and delegated IRM authority
to the office level.  However, it is our observation that the
decentralized nature of the Agency makes it difficult to
centrally manage the IRM function with the requisite
authority.  For example, a 1988 GAO report (Report No.
RCED-88-101) stated that because EPA has organized itself
along media lines, it was difficult for OIRM to persuade
program managers to invest in cross-media projects to achieve
better environmental results for the Agency.  This, in turn,
made it difficult for the IRM officials to exercise long-range
direction for the deployment and use of ADP systems to
integrate data.

Furthermore, over the past seventeen years the IRM Steering
Committee has evolved from a high level decision-making body
to a lower level advisory and assistance group.  When
originally established in 1975, the IRM Steering Committee
was composed of Assistant Administrators.  However, by 1976
the Steering Committee was dissolved because the Assistant
Administrators were not able to devote enough time to it, and
consequently, had delegated duties to lower level officials
and technical personnel who did not have enough authority to
establish and implement Agencywide IRM goals and objectives.

In 1985, the IRM Steering Committee was formally re-
established by charter and headed up by the Director, OIRM.
However, the 1985 charter stated that "the IRM Steering
Committee is responsible for advising the OIRM concerning IRM
policies, resources, and priorities, and for assisting OIRM
in communicating and implementing these policies and
priorities within EPA.  In this capacity, the Committee shall
assist OIRM in conducting periodic reviews of the Agency's
information resources and the policies and programs for
managing these resources, and in designing improvements where
needed."  Thus, the Committee was established to provide
advice and assistance to OIRM rather than Agencywide IRM
control and oversight.

The 1985 charter was revised in 1990 to allow the Committee
to become more of a coordination and information exchange
group and to provide advisory services to the Deputy
Administrator.  Thus, the Committee is still a lower level
group with little responsibility and authority.  A senior IRM
official told us that, other than the Deputy Administrator,
there would be little interest on the part of top management
to participate in an executive level IRM Steering Committee.

CONCLUSIONS

We believe that top management control and oversight over IRM
activities is imperative.  This top management involvement
should start with: assigning a DSO at the Assistant
Administrator level; establishing a clear chain of command
under the DSO for IRM activities; and establishing a high
level IRM Steering Committee.
We recommend that the Administrator:

1.   Formally designate a senior official  (DSO) in accordance
     with the Paperwork Reduction Act at the Assistant
     Administrator level.

2.   Delegate the authority and responsibilities for all the
     IRM functions to the DSO in accordance with the
     Paperwork Reduction Act, and clearly define any
     re-delegations.

We also recommend that the Deputy Administrator:

3.   Establish a clear chain of command under the DSO for all
     IRM activities, especially between OIRM and NDPD.

4.   Establish a high level IRM Steering Committee which acts
     as a decision-making body for significant IRM
     activities, headed by the Deputy Administrator or the
     DSO with principal members being senior executives with
     the IRM knowledge and authority to commit their
     Assistant Administrator's offices to action.

AGENCY COMMENTS AND OIG EVALUATION

OARM and OPPE have agreed with all of our recommendations,
and have taken actions to implement most of them.  Based on
the Agency comments we modified Recommendations 3 and 4 in
order to be more specific.

The Agency's planned actions for Recommendation 3 are unclear
as to what organizations are going to be examined.  As a
minimum, all the organizations discussed in this Chapter
should be included in the review.  In addition, OIRM and NDPD
perform the majority of EPA's IRM functions (i.e., Agencywide
policies, standards, procedures, and guidance; IRM planning;
ADP contracting; and computer security).  The current
fragmented structure does not lend itself to a centralized,
consistent approach to accomplishing Agencywide IRM support.
This has resulted in duplication of efforts, failure to
address key IRM areas, and confusion from the program offices
as to who is to provide IRM leadership and direction.  In
addition, the oversight role of OIRM over the NDPD—a
division which is service-oriented and focuses more on
operational efficiency than on internal controls—in the area
of computer and telecommunications security and other
internal control activities is extremely weak due to the
decentralization of authority of these two components.  In
our view, a direct chain of command between OIRM and NDPD is
needed in order to establish strong centralized IRM
leadership and provide more of a balance between operations
and computer/telecommunications security and other internal
control activities.

The planned actions for Recommendation 4 are not fully
responsive.  The intent of the recommendation was to ensure
top management involvement on the Steering Committee (i.e.,
that the Steering Committee be headed by the Deputy
Administrator or DSO).  However, the response did not
specifically address who would head the Steering Committee.
Additionally, we believe that the membership of this
committee should consist of senior executives with the IRM
knowledge and authority to commit their Assistant
Administrator's offices to action.  We envision that this
Steering Committee will assist the DSO in the performance of
his/her IRM responsibilities under the Paperwork Reduction
Act of 1980.  Also, it will provide consensus and support for
the DSO in: (1) establishing Agencywide IRM policies,
standards, and procedures; (2) implementing an Agencywide
information system quality assurance program, computer and
telecommunications security, and other internal control
activities; and (3) approving IRM plans, major system
development projects, and significant IRM acquisitions and
contracts.

            COMPREHENSIVE IRM POLICIES, STANDARDS,
                  AND PROCEDURES ARE NEEDED

EPA has made some progress in establishing IRM policies,
standards, and procedures.  Since January 1977 EPA has
formally issued an Agencywide IRM policy manual, four
procedural directives, and four orders establishing
requirements for implementing the policies and standards of
OMB Circular A-130.  Collectively, these serve as a minimal
basis for the management planning, control, and evaluation of
IRM activities within EPA.  In addition, there are at least
19 guidance documents which address IRM topics issued by
either OIRM or NDPD (see Appendix IX).

However, despite 17 of the 50 OIG, GAO, and GSA reports and
testimonies over a 12-year period criticizing IRM policies,
standards, and procedures (see Appendix V), OIRM has not
instituted a comprehensive program which meets all minimum
Federal requirements.  Specifically, OIRM: (1) has directives
that are incomplete and outdated; (2) has not developed
certain key IRM standards; and (3) has not made a distinction
between formal or mandatory documents (i.e., policies,
standards, and procedures) and informal or optional guidance
when issuing IRM documents.

As a result, extensive IRM problems exist throughout EPA.
The OIG, GAO, and GSA have issued 17 reports and testimonies
since fiscal 1980 showing the magnitude of IRM problems
resulting from deficiencies in IRM policies, standards, and
procedures.  For instance, the lack of policies, standards,
or procedures has, in part, adversely impacted: (1) the IRM
contract management process; (2) information system
development efforts;  (3) information systems themselves, some
of which contain highly sensitive information; and (4) EPA's
ability to accomplish its cross-media mission.  Further, some
IRM officials in Agency components and individual program
offices were developing their own policies, standards, and
procedures.  We concluded that if EPA instituted a
comprehensive program, then many of these problems could be
minimized or avoided in the future, resulting in significant
long-term savings to the Agency.

In addition to the lack of top management emphasis on the
establishment of formal IRM directives, the absence of a
comprehensive program was largely caused by the lack of
resources and other higher priorities.  Additionally, the
formal directive system was not always used, because it was
considered too cumbersome and time consuming by OIRM
officials.  However, in discussions at the end of our audit,
OIRM officials stated that they support the need for the
formal review and clearance process, and they plan to issue
future policies, standards, and procedures through it.

CONSIDERABLE FEDERAL AND AGENCY
CRITERIA EXIST ON IRM POLICIES,
STANDARDS, AND PROCEDURES

The Paperwork Reduction Act of 1980  (as amended) establishes
a broad mandate for Federal agencies to perform their
information activities in an efficient, effective, and
economical manner.  It requires agencies to implement
applicable governmentwide and agency information policies,
principles, standards, and guidelines with respect to
information collection, paperwork reduction, statistical
activities, records management activities, privacy and
security of records, sharing and dissemination of
information, acquisition and use of information technology,
and other IRM functions.

OMB Circular A-130 establishes policy for the management of
Federal information resources and requires Federal agencies
to establish policies and procedures for IRM, computer
security, and quality assurance.  Specifically, the circular
requires that each agency: (1) develop internal information
policies and procedures and oversee, evaluate, and otherwise
periodically review their IRM activities; (2) ensure that the
information policies, principles, standards, guidelines,
rules, and regulations prescribed by OMB are implemented
appropriately; and (3) develop policies and procedures that
provide for timely acquisition of required information
technology.  OMB is currently in the process of strengthening
aspects of Circular A-130 in the areas of information
management, information systems, and information technology.
A draft circular was issued in April 1992 requiring new
policies in areas such as records management and electronic
collection and dissemination of information.  Another update
is scheduled for the Fall of 1992, and will focus on areas
including IRM planning, budgeting, and computer security.
The development of policies, standards, and procedures to
implement the Paperwork Reduction Act and relevant
legislation is assigned to OIRM by EPA's Directive 1100,
entitled "Organization and Functions Manual."  This
responsibility includes establishing Agencywide IRM policies,
standards, procedures, and guidelines for the collection,
reporting, storage, manipulation, and use of EPA data,
information products, and information technology and records.
OIRM has assigned these responsibilities to IMSD.  OIRM has
three other divisions which assist in developing IRM policy
for scientific, program, and administrative information
systems.  Also, NDPD provides policy and procedures for voice
and data telecommunications systems.

OIRM's July 1987 Directive 2100, entitled "IRM Policy
Manual," provides the policy framework for IRM within the
Agency.  The intent of the manual was to provide EPA with a
structure for the implementation of relevant legislation as
well as policies and regulations issued by OMB and GSA—the
two primary oversight agencies for Federal IRM programs.  The
manual is limited to core IRM policy statements and
establishes the authorities and responsibilities under which
the IRM program functions at EPA.  Detailed procedures and
operating guidance are to be issued separately to supplement
each of the policies.  The manual is an EPA authoritative
document (i.e., in compliance with Directive 1315 discussed
below) and applies to all EPA organizations, as well as the
facilities, state agencies, contractors, and grantees of EPA
which are involved in IRM-related activities.

EPA Directive 1315, entitled "Directives Manual" (issued
August 1987), provides a systematic process for identifying,
writing, reviewing, approving, and disseminating internal
Agency policy and operating procedures.  OARM's MOD is
responsible for controlling the Agency directives management
system and developing and promoting, on an Agencywide basis,
improved principles, policies, standards, and procedures.

EPA Directive 1315 establishes the formal Agencywide
directives process and requires proposed directives to go
through a review and clearance process (known as the green
border process).  If the proposed directives are mandated by
authorities outside EPA (such as public laws or OMB
Circulars), the originating office must informally alert
other program offices and must go through the Agency Central
Directives Officer (CDO) before the directives can be issued.
If the details of the proposed directives are not mandated by
authorities outside EPA, the originators should conduct
formal clearance that involves all substantially impacted
offices before green border approval.  Agencywide directives
(other than those which cannot be delegated) may be approved
by the Administrator, Deputy Administrator, Assistant
Administrator for Administration and Resources Management,
and Director, Office of Administration.

IRM POLICIES, STANDARDS, AND
PROCEDURES ARE NOT

During our audit, OIRM officials assisted OARM's Office of
Administration (OA) in issuing changes to the EPAAR and began
two initiatives to examine IRM policies and procedures.  In
August 1991, OARM's OA issued a final EPAAR ruling which
incorporated EPA IRM directives, orders, and guidance
documents into all IRM contracts.  The EPAAR list was
subsequently revised in December 1991, to include five
additional IRM guidance documents for incorporation into
contract clauses.

In September 1991, IMSD hired a contractor to provide
analytic support for updating EPA's System Design and
Development Guidance.  Work sessions began in February 1992
with Agency components to develop an approach to updating the
guidance.  Preliminary discussion on updating the guidance
indicated that it would go through the Directive 1315 process
and contain some degree of minimum requirements.  The formal
guidance is expected to be in draft by September 1993.

The second effort began in March 1992, when OIRM initiated a
task force to help EPA programs and their contractors to
develop an awareness of the EPAAR IRM clause and to develop
an appropriate compliance strategy.  The goal of the task
force is to develop a process by which EPA's IRM policies and
standards will be incorporated into all Agency systems being
developed or enhanced.  Three groups were set up to review
the current EPA IRM policies and procedures process and
develop recommendations for a new and improved process.  IMSD
plans to issue a report on the task force findings to the
Director, OIRM by September 1992.

While these efforts are a step in the right direction, we
believe a comprehensive program needs to be developed and
enforced.  We encourage the task group to take a broad look
at the IRM policy and procedure process from an Agencywide
perspective and address the concerns discussed in this
Chapter.

In an April 1992 meeting, the Director and Deputy Director,
OIRM, discussed with us the IRM implications of the Agency's
increasing emphasis on integration and cross-media approaches
to environmental problems.  They stated that this challenge
meant that certain mandatory policies and standards are
necessary at EPA, along with some sort of enforcement
mechanism.  For example, they stated that OIRM was currently
redoing the systems development life cycle methodology.  They
added that EPA is growing (which they believed was the number
2 major factor affecting IRM) and moving away from a
"proprietary environment" in which individual Agency
components view themselves as sole owners and users of data,
to an open environment.  Finally, they stated that the
Administrator has indicated that information is EPA's
"currency," and the key to EPA's mission, but information
must be flexible and standardized.  In our view, these
perspectives further increase the need for sound Agencywide
policies and standards.

EPA's Formal IRM Policies Do Not Cover All OMB Circular
A-130 Topics

The IRM Policy Manual  (Directive 2100) contains 13 chapters
on IRM-related topics covered in OMB Circular A-130.  These
chapters include policy on information management and
information systems and technology management.  However, the
Agency has not yet issued individual formal policies on some
significant OMB Circular A-130 IRM topics.  For instance, EPA
has not fully addressed in formal policies the following
issues:

— sharing of information processing capacity;
— avoiding duplication;
— cost recovery; and
— application security sensitivity evaluations.

IRM officials stated that there may not be discrete separate
policies dealing with all topics, but they believed that all
but cost recovery were addressed within the context of the
IRM Policy Manual.  At the time of our work, sharing of
information processing capacity and application security
sensitivity evaluations were only addressed in informal
guidance.  Chapter 9 of the IRM Policy Manual does address
duplicate collection of information from the public.
However, the Chapter does not address duplication of Agency
application systems or maintenance of multiple databases.
The Agency has also prepared draft policies on Public Access
and Rule Making Dockets and discussed drafting a broader
telecommunications policy to replace the existing voice
communications policy.  In addition, the Agency has issued
formal regulations on electronic exchange of information with
external organizations.  However, no plans existed at the
time of our audit to update the IRM Policy Manual or to
formalize policies in guidance to include the OMB Circular
A-130 topics identified above.

An IMSD official also provided us a document, entitled "IRM
Policy, Guidance,  and Standards Initiatives" (see Appendix
X), which contained a listing of IRM topics that needed to be
addressed in the Agency.  The IMSD official told us the
listing was outdated and meant for internal use by OIRM.
While we did not consider this as OIRM's basis for ongoing
policy and procedure development efforts, OIRM may be able to
incorporate some of the missing Circular A-130 topics during
the development of the documents listed in Appendix X.  In
our view, an implementation plan is needed to prioritize and
formalize the activities, and to address the issues presented
in this Chapter.

IRM Policy Manual Was Not Fully Supplemented With Formal
Procedures And Guidance

The IRM Policy Manual establishes a policy framework and is
set up to provide core Agencywide policies for the IRM
program at EPA.  The manual's introduction section states
that detailed procedures and operating guidelines in support
of the policies are issued separately.  All 13 chapters
require supplemental procedures and guidance describing the
specific manner and responsibilities for performance of that
policy.  However,  OIRM has:

—    not issued formal procedures or guidance for 3 of the 13
     chapters—"Mission-Based Planning," "ADP Resources
     Management," and "Voice Communications"; and

—    issued only informal procedures and guidance to
     supplement 3 of the 13 chapters—"Software Management,"
     "Information Security," and "Locational Data."

As previously mentioned, at the time of our review OIRM was
formalizing and updating its System Design and Development
Guidance.  However, no other plans existed to issue formal
procedures on topics identified in the previous paragraph.

IRM Directives Have Not Been Updated

We found that all four of the directives  (i.e., Directives
2115, 2130, 2160, and 2190) which supplement the IRM Policy
Manual are either incomplete, outdated, or both.  First,
Directive 2115, entitled "Guide for ADP Reviews" (dated
October 1984), does not provide guidance for conducting
reviews of EPA's contemporary information systems.  Agency
modernization efforts have resulted in adopting current
technologies such as distributed processing, telecommunications
and local area networks.  The guide does not address
these technologies in terms of how to evaluate the
effectiveness and efficiency of information systems, nor does
it provide techniques for assessing security measures
associated with these technologies.  Further, the guide cites
defunct OMB circulars and Federal regulations.

Directive 2130, entitled "Library Systems Manual" (dated
January 1977), precedes issuance of the IRM Policy Manual
(Directive 2100) by 10 years.  The "Library Systems Manual"
is currently 15 years old, and has never been revised or
updated to reflect the current services, operations, or
configuration of EPA's extensive library and information
network.

Directive 2160, entitled "Records Management Manual" (dated
July 1984), is outdated and incomplete.  A 1992 National
Archives and Records Administration review concluded that the
records management policies are deficient in areas of
electronic media, audiovisual records, and paper records.
The report also indicated that EPA should clarify the
management of special records, fully define record keeping
definitions, and refine instructions on personal papers.

Finally, Directive 2190, entitled "Privacy Act Manual" (dated
January 1986), does not include recent legislative
requirements such as the Computer Matching and Privacy
Protection Act of 1988.  In addition, it cites defunct
requirements such as OMB Circular A-108, which was superseded
by OMB Circular A-130.

Directives 2160 and 2190 are scheduled for revision in fiscal
1992.  Further, an update to Directive 2115 is being
considered, but will not be performed in fiscal 1992.  We
could find no plans, however, to update Directive 2130.

Certain Key IRM Standards Are Not In Place At EPA

The existing IRM directives and orders contain policies on
some standards, and two chapters in the IRM Policy Manual
reference adherence to FIPS publications.  Further, EPA has
issued four orders establishing some formal data standards
(see Appendix IX): EPA Orders 2180.1, 2180.2, 2180.3 and
7500.1.  However, EPA has not referenced or prepared formal
minimum standards in other key IRM areas.  We found that
standards were not in place or referenced for hardware,
software, ADP operations, or telecommunications.  Further,
our March 1992 report on ADP support services contracts
concluded that detailed minimum mandatory standards did not
exist for: information systems hardware and software
maintenance; concept feasibility studies; requirements
definitions; information system design; application software;
application software programming, implementation and testing;
or information system training and documentation.

OIRM officials agreed that they were missing standards in
certain areas.  However, they indicated that in addition to
the formal orders, OIRM had issued the following informal
standards: (1) Central Database Environment Management
Standards; (2) Microcomputer Delegation 1-10A; (3) Draft EPA
IRM Hardware and Software Standards; and (4) Draft Agency
Catalog of Data Policies and Standards.  We do not consider
these formal, comprehensive Agencywide standards that are
related to specific OIRM policies for the following reasons.

—    The Central Data Base Environment Standards are a
     combination of standards and procedures for the use of
     NDPD mainframe computers.  They can be considered
     "de facto" standards for the Agency's mainframe
     computers, since NDPD operates the Agency's mainframes.
     However, they are not applicable to all data base
     environments used by information systems Agencywide,
     because they are silent about Agency data bases used in
     personal computers, local area networks, minicomputers
     or supercomputers.

—    The Microcomputer Delegation 1-10A is a delegation of
     procurement authority, not an IRM standard.  To be
     considered a standard, these documents should be a
     rule/objective against which conformance with an EPA
     policy can be measured.

—    The draft EPA IRM Hardware and Software Standards do not
     cover all hardware and software platforms.  Scientific
     workstations, minicomputers, and telecommunications
     standards should also be addressed.

—    The draft Agency Catalog of Data Policies and Standards
     only consolidates the existing formal data standards in
     EPA's four formal orders on data standards, the formal
     policy on electronic reporting and selected Federal data
     standards.  However, it does not address many other
     needed IRM standards such as data bases, hardware, and
     software.

None of these IRM guidance documents are formal or
authoritative, since they have not been incorporated in
Directive 1315, and the latter two are in draft and thus
subject to change.  The Director, OIRM, advised us that he
could enforce the central data base standard by refusing to
allow Agency components to procure data bases which do not
comply.  However, we believe that it is always preferable to
have a clearly stated, official standard to enforce, rather
than placing management in the position of deciding, on a
case by case basis, which unofficial standards will be
enforced and upon whom.  When standards are not clearly
spelled out for users, enforcement could inadvertently become
erratic and capricious.  Additionally, we noted that OIRM's
list of IRM guidance in the EPAAR does not cite any of these
four informal standards as guidance documents, and EPA's ADP
contractors may not be aware of them.  OIRM officials told us
that contractors could contact the Agency to learn of any
additional requirements.  However, if this does not occur the
contractors may not always build quality systems or may have
to redo systems development work.

IRM Guidance Does Not Make A Distinction Between Policies,
Standards, Procedures, And Guidance

OIRM needs to make a distinction between formal or mandatory
documents (policies, standards, and procedures) and guidance
documents.  During the audit, we evaluated ten IRM guidance
documents issued by either OIRM or NDPD.  We found the
following attributes:
     all ten guidance documents had Agencywide implications
     and impacts;

     four of the ten contained new policies or standards not
     included in the Directive 2100 series on IRM;

     seven required Agency components to follow the guidance
     on a mandatory basis, and the other three implied that
     they should be adhered to; and

     five cross-referenced the EPAAR section on mandatory
     requirements for ADP contractors, but five did not.

Directive 1315 requires the use of the green border process
for Agencywide policies, standards, and procedures; and for
IRM directives that are required by public law and other
Federal authorities (i.e., mandatory directives).  On the
other hand, Directive 1315 does not define "guidance" and
does not provide a management process for review and approval
of guidance.  We concluded that since these IRM guidance
documents have Agencywide impact and contain additional
policies and mandatory requirements, they therefore should go
through the green border process.  Additionally, OIRM had not
established a central repository for these guidance documents
shown in Appendix X, nor could they provide us with an
overall listing of the IRM guidance.  This raises further
questions about whether all the guidance has been
appropriately disseminated to proper individuals and
organizations throughout the Agency.

We discussed the issue of IRM guidance with OARM's MOD.  An
MOD official told us that OIRM and NDPD are two of the three
groups in the Agency using improper procedures for issuing
policy statements (referring to the IRM guidance) that affect
other Agency components because they do not always use the
formal Directive 1315 process.  The MOD official stated an
OIRM official had told her that they avoided the green border
process because it was too lengthy, and the requirements to
respond to criticism (on potential directives) are too
bothersome.  The MOD official stated that OIRM should use the
Directive 1315 process because it allows prospective
directives to be reviewed and commented upon by those groups
within the Agency that will be most affected by the
implementation of the directive, and these groups will be
more informed regarding the intent of the directive and more
willing to abide by it.
We concluded that OIRM and NDPD need to re-evaluate their
guidance documents and process.  At the time of our review,
MOD was conducting a detailed review of OARM to determine the
number and types of documents being distributed to EPA.  At
the completion of the review, MOD should identify OIRM/NDPD
IRM policies, standards, and procedures contained in the
existing IRM guidance which need to go through Directive
1315.
IMPACTS ON THE IRM
PROGRAM WERE NUMEROUS

The lack of adequate policies and procedures has resulted in
extensive IRM problems throughout EPA.  OIG, GAO, and GSA
have issued 17 of the 50 reports and testimonies since fiscal
1980 addressing significant IRM policy, standards, and
procedure problems at EPA.  The more significant policy and
procedure issues addressed in recent reports include the
following.

     Lack of minimum standards for effective IRM contract
     management: a March 1992 OIG report (Report No. E1NMF1-
     15-0032-2100300) indicated that EPA had not established
     minimum standards or meaningful criteria for acceptance
     of ADP contractor support services and sufficiently
     defined work specifications for contracts with a
     potential value of $487 million.

     Lack of system development standards for critical
     information systems: a March 1991 OIG report (Report No.
     E1AMFO-11-0029-1100153) on the IFMS indicated that
     software development and maintenance costs have
     escalated from $7.7 million to almost $20 million due,
     in part, to the lack of system development standards.
     Subsequently, in September 1991, the Agency reported to
     OMB that the life cycle costs were $26.9 million.

     Policies and standards were not developed for
     information systems: a March 1991 OIG report (Report No.
     E1NMBO-15-0021-1100152) concluded that NDPD lacked
     standards for job control language, data set naming
     conventions, configuration management, and quality
     assurance.  It also concluded that ADABAS and CICS
     manuals for database development and design needed to be
     updated and were not comprehensive.  The report
     concluded that development of these standards could
     produce a savings of $1.4 million annually.

     Lack of policies and procedures to prevent unauthorized
     access to highly sensitive information: a September 1992
     OIG audit report (Report No. E1NMF1-15-0055-2100591) on
     general system software controls concluded that the lack
     of policies, standards, and procedures was the primary
     cause of weaknesses in mainframe access controls and
     disk management practices at NCC.  In another case, a
     March 1991 OIG audit report (Report No. E1NMBO-15-0027-
     1100151) on mainframe security software concluded that
     controls over user access to the mainframe needed to be
     strengthened.  The report concluded that this was
     caused, in part, by the lack of established procedures
     for monitoring files on the system.

     EPA's inability to accomplish its cross-media mission:
     an April 1992 GAO report (Report No. IMTEC-92-14)
     recommended that the Agency complete its cross-media
     strategy by developing policies and guidance, and by
     instituting management procedures to plan, coordinate,
     and budget for cross-media information resources
     activities.  It also recommended that OARM address data
     quality problems in the Facility Index System redesign
     project by setting standards for accuracy, completeness,
     and timeliness.  In fact, in our April 1992 meeting, the
     Director and Deputy Director, OIRM, stated that the
     Agency's change from a single medium program approach to
     an integrated cross-media approach was the number one
     major factor now impacting EPA's IRM direction.  These
     officials stated that because this change has been
     informal (i.e., not based on statutes and regulations),
     it is difficult for Agency components to adjust.

In addition to these audit reports, our discussions of the
current status of IRM policies and procedures with IRM
officials in various Agency components evidenced confusion.
One SIRMO indicated that he believed OIRM had not developed
and published any IRM directives and consequently had not
established any criteria for information system
implementation and enforcement.  As a result, this SIRMO has
taken action to develop local policies and procedures for
IRM.  This SIRMO further indicated that he would like to stop
producing IRM policies and procedures and start performing
more audits of information systems.  In contrast, another
SIRMO provided examples of what he believed to be disregard
for IRM policies.  The SIRMO indicated that he recognized
that policies did exist, but he stated information systems in
one Agency component were being developed under what he
believed to be a non-standard software (FOCUS).
Additionally, he cited a lack of data standards for another
Agency component's information systems.  A third IRM
official, from the Chesapeake Bay Program Office (Region 3),
indicated that his office develops its own documentation
standards due to the absence of Agencywide standards.  This
official agreed that the Agency needs to improve its IRM
policies and procedures.

We also spoke to several OIRM officials outside IMSD
regarding policies and procedures.  One official told us that
OIRM had not developed any specific policies and procedures
with respect to the budget development process for IRM.
Another OIRM official told us that "OIRM had not established
a formal set of directives on IRM activities.  And as a
result other offices, such as NDPD, are issuing guidance or
directives on IRM."  Moreover, a review of the recent April
1992 policy and procedure task force meeting minutes
confirmed that problems similar to those above exist
regarding IRM policies, standards, and procedures throughout
EPA.
REASONS FOR NOT HAVING ADEQUATE
POLICIES, STANDARDS, AND PROCEDURES

As discussed in Chapter 2, we believe that the lack of top
management attention and emphasis to IRM contributed to the
deficiencies in IRM policies, standards, and procedures.  In
addition, an IMSD official indicated that the lack of
resources and other higher priorities contributed to them not
having sufficient IRM policies and procedures.  So we
examined IMSD staffing supporting the policy and procedure
effort.  The Chief of the Information Management Branch,
IMSD, told us that he spends about 20 percent of his time on
policies and procedures.  Further, we were told that one
staff person involved in the effort spends about 66 percent
of her time on policies and procedures.  In addition, IMSD
has one contractor working on updating the information system
design and development guidance.  In our view, given the
magnitude of the workload, the issue of additional resources
needs to be addressed.
We believe inadequate resources have also contributed to not
having sufficient IRM standards.  However, when we asked IMSD
officials they admitted that they did not have standards in
certain IRM areas, but gave no reasons why this condition
existed.

OIRM selectively used EPA's formal directive system rather
than processing all IRM guidance through it.  The formal
directive system was not always used because OIRM officials
considered it too cumbersome and time consuming.  We
discussed this issue of informal guidance with officials from
IMSD.  One key official indicated that only policies (not
guidance and procedures) have to be cleared through the
Agency process, and that the process is cumbersome and time
consuming.  Further, the official indicated that EPA offices
are expected to abide by existing IRM guidance.  Another IMSD
official indicated that guidance is not discretionary, but
did not see the need for routing it through the green border
process.  This official further indicated that while a few
regions and program officials appreciate the prescriptive
approach to IRM, most others do not, and consequently OIRM
did not use the green border process.  However, in subsequent
discussions, IMSD officials indicated support for the green
border process, and pointed out that they plan to issue the
revised System Design and Development Guidance through it.
CONCLUSIONS

Well defined IRM policies, procedures and standards are the
foundation of an effective system for acquiring, managing,
and using IRM resources.  Policies, standards, and procedures
communicate guidance to all levels of the organization and
provide the basis for management control of its resources.
They serve as the means for integrating separate Agency
components to make them consistent with and supportive of the
Agency's overall mission objectives.

While EPA has some policies, standards, and procedures, many
of these lack authority, are incomplete, are outdated, and do
not reflect the current and complex IRM environment or the
critical importance of computers to EPA's mission.  In the
decentralized environment within EPA, the IRM community
requires an effective policy structure, complete with
adequate enforcement measures, to direct Agency IRM efforts
in the pursuit of Agency goals.
In summary, there are longstanding, widespread IRM problems
as a result of inadequate and non-existent policies,
standards, and procedures.  All these problems seriously
jeopardize control over the management of IRM which can, in
turn, diminish its effectiveness and credibility in program
areas and ultimately the mission of EPA.
We recommend that the Deputy Administrator:

1.   Formalize and prioritize a plan for developing and
     revising policies, standards, and procedures which
     addresses the issues presented in this finding, which
     also include the following actions:

     a.   Review existing IRM guidance documents and
          incorporate them as necessary into IRM policies,
          standards, and procedures under Directive 1315.

     b.   Immediately issue temporary directives for informal
          guidance and standards as set forth in Directive
          1315 on critical IRM guidance documents until green
          border detailed review of the guidance documents
          can be performed.

     c.   Develop additional comprehensive, formal,
          authoritative, IRM policies, standards, and
          procedures which would cover all minimum Federal
          and EPA IRM requirements based on the above plan.

2.   Establish and maintain a central repository for IRM
     policies, standards, procedures, and guidance.
AGENCY COMMENTS AND OIG EVALUATION

OARM's planned actions satisfy the intent of our
recommendations.
                            CHAPTER
          AN AGENCYWIDE IRM PLANNING PROCESS
       TIED INTO THE BUDGET HAS NOT BEEN ESTABLISHED
EPA has made some progress in establishing long-range IRM
planning.  In particular, EPA has developed an IRM strategic
framework and individual IRM-related plans to meet specific
needs.  However, despite 16 OIG, GAO, and GSA reports and
testimonies over a 12-year period criticizing EPA's IRM
planning, the Agency has not established an integrated long-
range IRM planning and budgeting process to help acquire,
manage, and use its computer resources.  Specifically, OIRM
has not prepared an integrated comprehensive 5-year
Agencywide IRM plan which meets all Federal requirements.  In
addition, OIRM has required Agency components to prepare
mission-based plans, but they have not ensured these
components comply.

As a result, the Agency has been severely criticized for its
management of information resources and activities over the
past 12 years.  For example, the OIG, GAO, and GSA have
issued 16 of the 50 reports and testimonies since fiscal 1980
addressing IRM problems which can be attributed to inadequate
IRM planning at EPA.  The significant problems include:
(1) OIRM's inability to manage Agency information resources;
(2) Agency components' lack of a sufficient mechanism to make
information system funding decisions, thus subjecting systems
development projects to funding shortages; (3) information
systems being designed in an independent and incremental
fashion; and (4) development of duplicate information
systems.  Additionally, we found major information system
development efforts were not linked to the budget request
process which led to inaccurate and untimely reporting to
OMB.  If a comprehensive IRM planning process was in place,
OIRM would not have had to spend additional resources in
meeting OMB requirements and many of these problems could
have been avoided or minimized.

In addition to the lack of top management attention and
commitment to IRM long-range planning, the absence of an
integrated long-range IRM planning/budgeting process can be
attributed to three other causes.  First, OIRM had not
dedicated sufficient staff to develop such a process.
Secondly, they had not prepared procedures and guidance on
IRM planning.  Finally, OIRM had not established a mechanism
to oversee and enforce the mission-based planning policy.
IRM PLANNING CRITERIA ARE
WELL ESTABLISHED

The importance of IRM planning is well established in Federal
requirements.  The Paperwork Reduction Act of 1980 (as
amended) requires agencies to develop and annually revise a
5-year plan for meeting their information technology needs.
Pursuant to this Act, the December 1985 OMB Circular A-130,
entitled "Management of Federal Information Resources,"
requires each agency to establish a multi-year strategic
planning process for acquiring and operating information
technology that meets program and mission needs, reflects
budget constraints, and forms the basis for their budget
requests.  Additionally, OMB Circular A-11 requires that
agency budget proposals should result from a comprehensive
system that integrates analysis, planning, evaluation, and
budgeting.  It further requires quarterly submissions of
special exhibits 43A (Report on Obligations for Information
Technology Systems), 43B (Major Information Technology
Acquisition Plans), and 43C (Benefit-Cost Analysis for Major
Information Technology Initiatives) which support the
agencies' ADP and telecommunications budget requests.  As
part of this submission, agencies are required to submit a
separate report on obligations for specific information
technology systems with life cycle costs exceeding $25
million.

The FIRMR also emphasizes the need for information system
planning.  Part 201.7 requires agencies to: establish
strategic planning processes for the creation, processing,
storage, and disposition of information; ensure that program
officials and IRM officials participate in the development
and annual revision of the 5-year plan; and ensure that
information needs are determined before conducting a
requirements analysis for Federal Information Processing
(FIP) resources.  Part 201.18 also requires that agencies
develop a 5-year plan for meeting their information
technology needs.  The plan shall: (1) reflect current and
future program and mission needs; (2) consider the potential
for deploying projected technological advances of FIP
resources to enhance future performance of programs and
operations; (3) consider FIP resources needed to meet
national security and emergency preparedness; (4) reflect
budget constraints; (5) form the basis for the agency budget
request; (6) serve as a foundation for requirements analysis;
and (7) be updated as needed, but at least annually.

EPA directives support a strong IRM planning mechanism, which
is tied into OIRM's mission and functions.  EPA Directive
1100, entitled "Organization and Functions Manual," assigns
responsibility to OIRM to develop annual and long-range plans
and budgets for IRM functions and activities.  IMSD, under
OIRM, has the responsibility to establish Agencywide IRM
plans in compliance with the Paperwork Reduction Act and
other Federal oversight requirements.  OIRM's Management
Planning and Evaluation Staff (MPES): formulates and executes
the IRM budget; manages the funds control and reporting
services for OIRM; and administers several ADP support
services contracts.  MPES also collects and summarizes the
information required under OMB Circular A-11 for the annual
submissions of 43A, B, and C exhibits to OMB.

Chapter 2 of the IRM Policy Manual requires the Agency to
effectively plan for the acquisition and management of
information and information technology through the annual
preparation of mission-based IRM plans.  In this regard,
OIRM's major responsibilities include: developing and issuing
procedures and guidance for the preparation of mission-based
plans; determining which major national programs are
responsible for preparing the plans; and responding to OMB
and other external requests on EPA's plans and budgets for
the acquisition and use of information technology.  Also,
Chapter 2 of the IRM Policy Manual makes SIRMOs for major
national programs responsible for ensuring the development of
mission-based IRM plans, ensuring that these plans are
integrated into budgets for information investments which are
reflected in formal planning and budgeting submissions, and
establishing an IRM program consistent with the
organizational mission, organizational information plans, and
Agency policy.  It also states that NDPD is responsible for
translating the mission-based plans into specific ADP
resources requirements.
COMPREHENSIVE IRM PLANNING
AND BUDGETING PROCESS IS NEEDED

The need for comprehensive IRM planning has been a long-
standing concern at EPA.  Despite 16 of the 50 OIG, GAO, and
GSA reports and testimonies over a 12-year period criticizing
EPA's IRM planning, the Agency has not established an
integrated long-range IRM planning and budgeting process to
help acquire, manage, and use its computer resources.  Of the
16 reports/testimonies, 4 (see Appendix V numbers 10, 38, 44,
49) concluded, in part, that EPA needed a mission-based¹ IRM
planning process.  In response to these reports, EPA has
generally agreed to the findings and implemented some aspects
of IRM planning to satisfy the recommendations.  However,
OIRM has not prepared an integrated, comprehensive 5-year
Agencywide IRM plan which meets all Federal requirements.  In
addition, OIRM has required Agency components to prepare
mission-based plans, but they have not ensured these
components comply.

Although OIRM does not have an integrated IRM planning and
budgeting process, some aspects of IRM planning have been
completed in the Agency (see Appendix XI).  In November 1990,
five years after GSA recommended that EPA conduct mission-
based planning, OARM issued its "IRM Strategic Plan 1991-
1995."  However, as identified in GSA's August 1991 report,
this document only reflects EPA's IRM vision, philosophy, and
goals at the highest level of management.  Also, it was not
developed on a bottom-up basis and had only limited input in
the form of comments from Agency IRM officials.  This
document falls short of the OMB and FIRMR requirements in
that it does not: reflect budget constraints; form the basis
for the Agency budget request; and serve as a foundation for
requirements analysis.  In our view, it is of little value to
integration of IRM planning and budgeting because it does
not: address individual information systems or associated
planned costs; integrate the Agency budget into the plan;
address specific program user needs; and address detailed
Agencywide IRM initiatives.

Key Agency and IRM officials also did not believe that this
document was adequate.  In the comments responding to the
draft, one SIRMO indicated that the "plan appears to be
simply a written record of a one time effort to document the
views of a small collection of Agency management.  Hopefully,
we can use these initial efforts to begin a realistic and
useful strategic planning process."  Another IRM official
indicated that it is merely a "vision statement."  Further,
an IRM Steering Committee member commented that it was
basically a "first step" to IRM planning and that it
represented EPA's first IRM plan.  He also stated that the
program offices should have developed IRM strategic plans
based upon a common set of standards and definitions;
however, he noted that EPA is a very decentralized Agency and
thus, standardization is not a consideration.

     ¹ Mission-based planning refers to the planning for an
agency's investments and management of information resources and
technology that are required to achieve the agency's mission and
priorities.  The plans are to: (1) cover major national programs
for a 3 to 5-year period and be updated annually; (2) be tied
into the budget process; (3) support investment decisions during
budget preparation; and (4) translate into specific ADP
requirements.

As of September 1991, OIRM was in the process of updating the
IRM Strategic Plan (1993-1997) through a contract.  The
effort will result in a similar product to the November 1990
document, and contain the same level of detail.  Comments are
being solicited from Agency components as before.  Therefore,
this effort again will fall short of the Federal and EPA
mission-based planning requirements.

EPA has also prepared various plans which have analyzed IRM
needs at different program and office levels (see Appendix
XI).  Upon review of these plans, we found that there was no
standard format or methodology used in developing them.
Further, these efforts have been limited in scope, and have
addressed only segments of the overall IRM planning needed.
All of these plans are closely related but have not been
dealt with collectively.  As a result, these plans have not
been consolidated to support Agencywide conclusions.  A
comprehensive plan which treats all aspects of IRM would help
ensure that EPA-wide needs are being effectively and
efficiently examined.  In our view, OIRM has an opportunity
to improve its IRM planning by integrating these efforts into
a comprehensive planning process.

In our April 1992 meeting, the Director and Deputy Director,
OIRM, stated that overall planning was an area with which
they were dealing.  They stated that they will be addressing
planning after they have dealt with other major areas of
emphasis: policy, implementation, and oversight.
IMPACT OF NOT HAVING A COMPREHENSIVE
PLANNING AND BUDGETING PROCESS
If OIRM had established an Agencywide planning process, many
problems reported by the OIG, GAO, and GSA previously could
have been avoided or minimized.  The more significant IRM
problems which can be attributed to inadequate planning
include the following.

     OIRM's inability to manage Agency information resources:
     an April 1992 GAO report (Report No. IMTEC-92-14)
     concluded that EPA's IRM planning, coordinating, and
     budgeting have not adequately supported IRM activities,
     such as managing cross-media data and information
     systems development.  In another case, an August 1988
     GAO report (Report No. RCED-88-101) concluded that if
     EPA/State data management project phases were conducted
     within the framework of a long-range IRM plan and
     supported with funding independent of that of the
     program offices, the project might be strengthened and
     its results more effectively used.  The report indicated
     that EPA planning and budgeting processes generally do
     not accommodate new information systems development or
     improvement initiatives, thereby inhibiting EPA's
     ability to exploit new technologies.

     Agency components lack a sufficient mechanism to make
     information system funding decisions, thus subjecting
     system development projects to funding shortages: a
     February 1990 GAO report (Report No. PEMD-90-3)
     concluded the Office of Solid Waste's central
     coordinating office did not have sufficient funding
     authority to develop new Resource Conservation and
     Recovery Act (RCRA) data collection efforts.  As a
     consequence, the office had to rely on contributions
     from the budgets of other offices to carry on
     development work.  Another August 1988 GAO report
     (Report No. RCED-88-101) on an EPA/State data sharing
     project concluded that the IRM plan did not document
     current or projected information on the necessary
     resources to complete the project.  Thus, when the
     project was expanded, no resources were available, and
     it was necessary to use OIRM and regional funds
     previously committed to other activities.  This was
     linked directly to the fact that the IRM budget is not
     clearly tied to program plans.
     Information systems are being designed in an incremental
     and independent fashion: in an October 1991 testimony
     (Testimony No. T-IMTEC-92-3), GAO concluded that EPA's
     Office of Pesticide Programs (OPP) had developed and
     implemented nine data base management information
     systems (estimated cost of $14.5 million over three
     years) to track or manage information about chemicals
     reregistration.  At the same time these individual
     information systems were being designed, OPP acquired
     technology which allowed its computers to be networked
     together.  However, because each information system had
     been designed and developed separately without a cross-
     functional emphasis, OPP could not use its computer
     networking effectively.  Further, an April 1992 GAO
     report (Report No. IMTEC-92-14) also concluded that
     EPA's information systems were largely independent,
     having been designed to serve the needs of individual
     environmental programs.  As a result, to pull together
     information to assess cross-media compliance of
     regulated facilities, EPA must use a cumbersome, labor-
     intensive process.  For instance, after the Exxon Valdez
     oil spill in Alaska, it took EPA about three months to
     assemble and analyze a cross-media profile of the Exxon
     Corporation to determine whether a corporate-wide
     pattern of environmental noncompliance existed.  Since
     the Valdez incident, EPA has initiated Information
     Management/Data Administration efforts to share
     information across media (e.g., Gateway, Facilities
     Index System (FINDS), and Integrated Data for
     Enforcement and Analysis (IDEA)).  However, EPA still
     needs to establish an Agencywide architecture for cross-
     media systems development.

Development of duplicate information systems: a March
1992 OIG report (Report No. E1SFG1-15-5001-2400027)
concluded that because of certain Comprehensive
Environmental Response, Compensation and Liability
Information System (CERCLIS) design deficiencies,
additional information systems have been developed which
duplicate intended functions of CERCLIS.  Further, a
March 1991 OIG report (Report No. E1AMFO-11-0029-
1100153) on IFMS concluded that some offices had
developed alternative information systems or established
manual records so they can manage their programs'
finances and check the accuracy of the financial
records.

Because of the lack of a comprehensive long-range plan, OIRM
is forced to spend additional resources to meet OMB
requirements.  For instance, OMB requires Federal agencies to
submit specific information on major IRM initiatives—based
on their IRM plans—for publication in its annual Information
Resources Management Plan of the Federal Government.  This
submission includes items such as major initiatives,
accomplishments, and IRM improvements.  However, since EPA
has no detailed IRM plan, IMSD and MPES, with the assistance
of other Agency components, had to compile this information
in a separate effort.  Furthermore, no assurance exists that
this information includes all of the major IRM initiatives.
For example, during our review we found that the ORD was
undertaking a significant modernization effort which was not
reported as a major initiative to OMB's IRM plan.  We
reviewed several contract awards for this modernization
effort which totaled over $152 million.  Moreover, we noted
that ORD does not have an IRM plan, nor is this modernization
effort tied into OIRM's strategic plan.

In addition, we found that not linking major information
system development efforts to the budget request process led
to inaccurate and untimely reporting to OMB.  The IRM Policy
Manual defines life cycle costs as the sum total of all costs
incurred or predicted to be incurred in the formulation,
design, development, production, operation, maintenance and
support of an information system throughout its useful life.
Although OMB Circular A-11 requires reporting systems with
life cycle costs exceeding $25 million, Agency officials told
us that OMB had verbally interpreted this reporting
requirement for older systems to apply only to costs from the
last major modification of the system, and not from the
initial development.

OMB officials also told us that OMB Circular A-ll is
deliberately vague about what systems should be reported.
Normally, the system life cycle costs should be accumulated
from the initial development and variations should be handled
on a case by case basis.  We believe that OMB's reporting
requirements on life cycle costs should be clarified in OMB
Circular A-11.  The circular needs to address the definition
of a "major" modification that would distinguish it from
normal systems maintenance, and when an agency should use
this as a basis for reporting, rather than the entire system
life cycle costs.  For instance, EPA's IFMS—with planned
life cycle costs of at least $26.9 million—was initiated in
1987; however, these life cycle costs were not reported to
OMB until September 1991.  Additionally, EPA's Storage and
Retrieval of Water Quality Information (STORET) system has
exceeded $25 million in life cycle costs.  However, the
STORET system has not yet been reported to OMB by the Agency.
We are referring this matter to the PCIE for recommendations
to OMB.
CAUSES OF INADEQUATE IRM PLANNING

In addition to the lack of top management attention and
commitment to IRM long-range planning, the absence of an
integrated long-range IRM planning process can be attributed
to three other causes.

First, OIRM had not dedicated sufficient staff to develop a
comprehensive IRM planning program.  During our audit, OIRM
did not have a full-time person dedicated to the development
and issuance of procedures and guidance, nor for overseeing
the preparing and updating of Agency mission-based IRM plans.
OIRM hired one additional staff member in March 1992, who was
dedicated 100 percent to IRM planning.  In addition, the
Chief of the Information Management Branch also spends about
10 percent of his time on planning.

Second, despite the IRM Policy Manual which establishes
mission-based planning and requires development of proce-
dures, OIRM has not prepared procedures and guidance on
integrating the planning and budgeting processes, nor do they
have plans to do so.

Finally, OIRM had not established a mechanism to oversee and
enforce its mission-based planning policy.  Consequently, IRM
plans are either not prepared by Agency components, or are
undertaken only to meet specific IRM objectives of the
individual Agency component.
CONCLUSIONS

Development of a comprehensive, integrated long-range plan is
a recognized way to achieve efficient and effective use of
resources, assure that these resources support the Agency
mission and objectives, and commit top management to action.
A comprehensive plan is also necessary for decision-making
and priority setting, and can be a valuable tool for
measuring and controlling activities.  Furthermore, a
comprehensive plan can identify opportunities for eliminating
waste and duplication.

If an integrated IRM planning approach existed, many of the
reported problems would have been minimized or avoided.  We
believe that improvements are much needed in the IRM planning
structure and process, both at an Agencywide and Agency
component level.  The actions taken to date by OIRM in
response to relevant GAO and GSA criticisms on IRM planning
are inadequate.  Thus, we are making the following long-term
recommendations.  Our recommendations are not intended to
provide a quick fix for the problems we found.  Instead, they
are directed towards the establishment of a more permanent
and effective Agencywide planning framework and process.
RECOMMENDATIONS

We recommend that the Deputy Administrator establish a
formal, Agencywide, integrated planning process for the
direction, coordination, and control of IRM activities and
resources that will provide management involvement and
accountability at all levels, which at a minimum should
include the:

     a.   Development and implementation of an action plan to
          accomplish Agencywide mission-based IRM planning.

     b.   Establishment of an evaluation and review process
          for program offices' IRM mission-based plans to
          ensure the plans support a consolidated Agencywide
          mission-based IRM plan.

     c.   Integration of the responsibilities for IRM
          planning and budgeting.

     d.   Modification of the methodology for IRM planning to
          include clear policies and procedures for linkage
          of the planning and budgeting process.
OARM has agreed with all of our recommendations.  However,
the planned actions for Recommendation 1b are not fully
responsive.  Although they plan to establish an evaluation
and review process for mission-based plans, there is no
indication that the program offices' plans will be used to
support a consolidated mission-based Agencywide IRM plan.  We
intended that a consolidated Agencywide IRM plan should be
prepared, used as a basis for reporting to OMB, and serve as
a critical management tool for the DSO to plan and control
EPA's IRM activities.  Also, in order to provide a linkage
between the planning and budgeting processes, the planned
actions for Recommendation 1d should include, at a minimum,
requiring that mission-based plans provide detailed
descriptions and costs of all major IRM initiatives—for
example, major system development and modernization
activities and significant ADP acquisitions and contracts.

                          CHAPTER 5
              ___ QUALITY ASSURANCE PROGRAM FOR
                INFORMATION SYSTEMS NEEDS
EPA has made some progress in establishing quality assurance
over IRM activities.  In particular, EPA has implemented an
active IRM review program to improve the quality and
usefulness of its IRM activities.  However, despite 35 OIG,
GAO, and GSA reports and testimonies over a 12-year period
criticizing quality assurance and the integrity of EPA's
information systems, the Agency has not instituted a
comprehensive quality assurance program to ensure that its
mission-critical information systems operate effectively and
accurately.  Specifically, EPA has not established an
oversight and enforcement function for independently
reviewing and evaluating information systems or provided
training in this area.

The absence of a comprehensive information system quality
assurance program has led to serious data integrity and
software problems in EPA's operational information systems.
As a result of these problems, EPA may be forced to retrofit
the software.  This can cost an estimated 100 times more for
information systems in operation than if changes were
incorporated during system development.  The OIG, GAO, and
GSA have issued 35 reports and testimonies since fiscal 1980
showing the magnitude of the quality assurance problems at
EPA.  Significant problems include generally accepted system
development practices not being followed, and deficiencies in
software management and application software test practices.
Furthermore, the absence of an Agencywide program has
resulted in 68 major EPA information systems not being
subjected to review by OIRM, and one Agency component
separately developing its own quality assurance program.  We
concluded that if a comprehensive program is established,
then many of these problems could be minimized or avoided,
resulting in significant long-term savings to the Agency.

The absence of a comprehensive program was largely due to
OIRM not having the resources to establish a full-time staff
dedicated to information system oversight and enforcement,
and EPA information system quality assurance guidelines being
unclear, incomplete, and outdated.  Furthermore, the absence
of a program can be attributed, in part, to the lack of clear
Federal information system quality assurance guidance.

INFORMATION SYSTEM REQUIREMENTS
FOR OVERSIGHT AND ENFORCEMENT

Federal guidance recommends the establishment of quality
assurance for information systems within each agency.  The
Paperwork Reduction Act of 1980 (as amended) states that
"each agency shall...periodically review its information
resources management activities" and "...periodically
evaluate and, as needed, improve the accuracy, completeness,
and reliability of data and records contained within Federal
information systems."  OMB Circular A-130 entitled
"Management of Federal Information Resources," dated December
1985, requires that Federal automated systems operate
effectively and accurately.  Thus, it requires the
establishment of a process by which appropriate safeguards
are built into information systems, including design reviews,
system tests, certifications, and periodic review.  It also
requires re-certification of each application (i.e.,
information system) processing sensitive information.
Further, GSA is required to establish procedures for
implementation of FIPS publications, and the Department of
Commerce (DOC) is required to issue FIPS publications and
guidelines to ensure the efficient and effective acquisition,
management, security, and use of information systems.
However, GSA has not issued any procedures on quality
assurance and, while DOC has issued certain FIPS publications
prescribing procedures for testing, validating, and
documenting information systems (FIPS Publications Nos. 38,
101, 105, and 132), it has not issued FIPS publications for
other aspects of quality assurance (e.g., monitoring of
development and testing activities, change controls, data
integrity assurance, and reviews and audits).

Additionally, OMB Circular A-132 entitled "Federal
Productivity and Quality Improvement in Service Delivery,"
dated April 1988, requires agencies to implement quality and
productivity management practices, and make continuous,
incremental improvements in quality, timeliness, and
efficiency of services.  Under its provisions, each agency is
required to implement an active, agencywide productivity and
quality improvement process for its primary program
functions.  As an integral part of this overall improvement
process, EPA should establish an information systems quality
assurance review program to ensure that a mechanism is in
place to aid in developing systems that are effective and
accurate.  Given the absence of more specific Federal
guidance, each agency should have its own quality assurance
guidance.

Quality assurance of information systems is tied into OIRM's
mission and functions.  EPA Directive 1100 entitled
"Organization and Functions Manual" requires that OIRM
provide for an IRM program consistent with the provisions of
the Paperwork Reduction Act.  It requires that OIRM oversee
the performance of IRM activities and reviews, and evaluate
information systems and services operated by other EPA
components.  IMSD responsibilities include conducting
periodic evaluations of the Agency's IRM program and
components in response to external reporting and internal
management evaluation requirements.  Efforts of this division
are directed at improving the quality, accuracy, timeliness,
and usefulness of information systems supporting EPA's
information needs.  IMSD had assigned one official in the
Information Management Branch on a part-time basis to oversee
EPA's IRM triennial reviews.

Chapter 1 of the IRM Policy Manual, entitled "IRM Management
Controls/Reviews and Approval," requires OIRM and Agency
components to conduct evaluations and reviews to assess the
adequacy of its information systems and resources.  These
reviews include special studies, ADP reviews, contract
performance reviews, risk analyses, and GSA's IRM triennial
reviews.  OIRM has the functional responsibility for the
quality assurance of information systems as well as the
overall management of the Agency's IRM program.  In addition,
IRM Directive 2115, entitled "Guide for ADP Reviews,"
contains guidance for conducting periodic reviews of
information systems, and is to be used by OIRM and program
managers to carry out reviews on a regular basis.  This guide
responds to the Paperwork Reduction Act which states that
each agency shall periodically review its information
management activities.  Further, the IRM Policy Manual states
that the IRM Steering Committee's responsibilities include
assisting OIRM in conducting periodic reviews of the Agency's
information resources, and developing policies and programs
for managing these resources.

Establishment of a planned, systematic quality assurance
program is of prime importance to the Agency to ensure that
information system products and acquisition/development
processes comply with established standards, practices, and
procedures.  One of the main focuses of quality in
information systems is software quality because of its
critical role in the success of the information system.
Software quality assurance focuses on controlling software
development and testing procedures and thus is tied into the
systems development life cycle.  In effect, quality assurance
includes all the processes, standards, testing, and other
means used to ensure quality software and information
systems, so that the system in general, and the software in
particular, will reliably perform the functions that
management intends.  In addition, the quality assurance
program provides an opportunity for management to
independently review the effectiveness of the IRM program on
a systems application level.
A COMPREHENSIVE QUALITY ASSURANCE
PROGRAM FOR INFORMATION SYSTEMS IS NEEDED

The need for a comprehensive information system quality
assurance program has been a longstanding concern.  Despite
35 OIG, GAO, and GSA reports and testimonies over a 12-year
period criticizing quality assurance and the integrity of
EPA's information systems, the Agency has not instituted a
comprehensive quality assurance program for information
systems to ensure that its mission-critical information
systems operate effectively and accurately.  Of these 35
reports/testimonies, 3 (see Appendix V numbers 10, 44, 49)
concluded, in part, that EPA needs such a program.  In
response to these reports, EPA agreed to the findings and
implemented some of the recommendations.  However, OIRM has
not established an oversight and enforcement function for
independently reviewing and evaluating information systems,
or provided training in this area.

Although no comprehensive program exists at EPA, we
identified some aspects of a program in the Agency.  For
example, we found that in the last 3 years, 33 IRM reviews
were conducted (see Appendix XII).  The reviews covered nine
major information systems, and focused on records management,
IRM policy, pre/post system implementation, data sharing,
security, telecommunications, architecture studies, and the
integrated administrative system concept.  Generally, these
reviews were conducted by contractors or Agency components
with oversight from OIRM.

The OSWER completed two reviews which addressed the
Technology Transfer Bulletin Board (CLU-IN) information
system and the Office of Underground Storage Tank's funds
management system (INFIMIS).  SIRMOs from the Office of Air
and Radiation (OAR), Office of Enforcement (OE), Office of
Prevention, Pesticides and Toxic Substances (OPPTS), and
Administrator's Office indicated that quality assurance
reviews of information systems were being performed on an ad
hoc basis at their Agency component level and that OIRM had
not performed any reviews on their developmental systems.  In
addition, ORD had established a mandatory quality assurance
program for all environmental-related data measurement
activities performed by or for EPA.

IMSD officials told us that the above areas constituted their
oversight portion of the quality assurance program  for EPA's
information systems.  They also said that other aspects to
the quality assurance program were in place to improve the
operations.  For example, they believed that the system
operations were improved by issuance of guidance such as
"Good Laboratory Practices" and "Plan for Implementing a
Systems Engineering Environment Appropriate to the  Systems'
Development Center".

While we agree that these are aspects of a program, they do
not constitute a complete, comprehensive program for the
following reasons.  First, the IRM reviews did not  address
key elements.  Specifically, they did not cover all major
information systems, nor did the reviews concentrate on
systems under development.  The reviews did not provide
sufficient information to determine whether the IRM functions
were being properly performed or whether the problems
identified were being resolved.  Further, the IRM review
program required by GSA has unique goals and objectives, and
was not intended to be a substitute for the information
system quality assurance program.  Second, the SIRMOs'
quality assurance reviews were not coordinated or managed by
OIRM, nor were they based on a systematic, comprehensive
plan.  The SIRMOs in the previous paragraph agreed  that EPA
needs a comprehensive information systems quality assurance
program.  Third, ORD's quality assurance program focused on
environmental-related measurement data, and was not designed
to evaluate information systems or information management
functions.  Finally, the above guidance for improving
operations was never published officially as Agencywide
policies and procedures under Directive 1315.

In our April 1992 meeting, the Director and Deputy Director,
OIRM, advised us that in the past their oversight function
was based on GSA's review program.  They now plan to build
their own oversight program to address such things as the
overall IRM program, including records management, and
major/sensitive-critical information systems.
SERIOUS DATA INTEGRITY
AND SOFTWARE PROBLEMS EXIST

The absence of a comprehensive quality assurance program has
resulted in serious data integrity and software problems in
EPA operational information systems.  Correction of these
integrity and software problems often requires retrofitting
of software.  Industry studies show that it can cost an
estimated 100 times [2] more to make changes to systems in
operation, than if the changes were made during system
development.  The 35 OIG, GAO, and GSA reports and
testimonies issued since 1980 show the magnitude of these
problems at EPA.  The more significant issues addressed in
these reports include the following.

     Crucial, generally accepted system development practices
     not followed: a March 1990 OIG report (Report No.
     E1SFF9-15-0023-0100187) on CERCLIS concluded that
     inadequate controls existed over system documentation,
     software changes, and testing.  The report pointed out
     that the lack of program quality assurance procedures
     led to unreliable reports which, in turn, caused users
     to abandon use of this management information system.
     Based on a March 1992 OIG followup review (Report No.
     E1SFG1-15-5001-2400027) of this audit, only two of the
     five recommendations had been fully implemented and the
     other three were partially implemented.

     Deficiencies in software management: a February 1989 OIG
     report (Report No. E1NWF8-15-0021-91000192) on the
     Permit Compliance System (PCS) concluded that the Office
     of Water did not always manage the overall testing
     process to ensure its effectiveness in producing
     accurate and reliable software.  Untested and unapproved
     software was routinely used, which resulted in inaccurate
     and unreliable data.

     Deficiencies in information system software testing
     procedures: a March 1991 OIG report (Report No. E1AMFO-
     11-0029-1100153) on the IFMS concluded that EPA did not
     follow generally accepted test practices.  The report
     pointed out deficiencies including: (1) not selecting
     program test cases adequately; (2) not testing all
     modules of the information system; and (3) incomplete
     system documentation.

[2] A May 1988 GAO report entitled "Information Systems:
Agencies Overlook Security Controls During Development" (GAO
IMTEC-88-11) concluded that the cost to change software increases
substantially over the life of a system.  The report concluded
that on the average it would require approximately $100 to make a
change in the software after the system was operational, compared
to $1 to make an equivalent change while the system was in
development.

Furthermore, the lack of a comprehensive quality assurance
program for enforcement and oversight of information systems
has resulted in 68 major information systems [3] not being
reviewed by OIRM.  Examples of these information systems
include: Gateway System, Superfund Document Management
System, Integrated Data for Enforcement and Analysis, and
Contract Payment System.

Additionally, because of the lack of an Agencywide program,
OSWER developed a separate quality assurance program.  The
program took four years to develop and implement.  It centers
around OSWER Directive 9028 entitled "OSWER System Life Cycle
Management Guidance" which established the framework for the
development of their information systems.  OSWER has
developed supplemental guidance supporting Directive 9028,
covering issues such as data modeling, cost-benefit analyses,
and security.  They have also secured contractor support for
independent verification and validation of their information
systems.  The quality assurance review process at OSWER has
multiple levels.  The first level includes reviews of
proposed information systems; the second includes reviews of
system development documentation prior to the information
system being approved; and the third includes in-depth
reviews of intended or operational information systems,
reviewing all phases and products.  As of March 1992, OSWER
has conducted two in-depth information system development
reviews, and provided contractor support and oversight for
four independent information system acceptance projects.

[3] A September 1991 OIG report, entitled "Special Review of
EPA's Major Information Systems" (Report No. E1RMG1-15-0041-
1400061) identified 77 systems at EPA which the OIG considered to
be major.  Nine of the systems were covered under OIRM's IRM
review program and the remaining 68 were not addressed.  The
report defined a major system as: (1) a system processing
sensitive data; (2) the risk of loss or harm from disclosure,
modification, or destruction is substantial; or (3) improper
operation of the system would seriously affect the Agency's
ability to perform its mission.

REASONS WHY A COMPREHENSIVE QUALITY
ASSURANCE PROGRAM DOES NOT EXIST

The Director, IMSD stated that OIRM did not have the
resources to establish a staff dedicated to information
system quality assurance oversight and enforcement.  Quality
assurance is 1 of 12 major duties assigned to the Chief,
Information Management Branch, IMSD.  This official has
delegated responsibility for IRM triennial reviews to an
Information Management Specialist who spends about one-third
of the time in this area.  In performing this function, the
specialist coordinates and summarizes the IRM triennial
reviews performed each year.  While we recognize that other
officials throughout the Agency are involved in quality
assurance, OIRM's resources appear to be insufficient.

Furthermore, EPA's quality assurance policy is unclear,
incomplete, and outdated.  Although Chapter 1 of the IRM
Policy Manual lists the types of IRM reviews and assigns OIRM
and/or program managers review responsibilities, it does not:
(1) assign one individual the responsibility for an oversight
and enforcement program; (2) detail when the reviews should
be performed; (3) outline criteria as to what information
systems should be reviewed; and (4) specifically assign
responsibility for the review of major information systems
and subsequent follow-up on recommendations made.  In
addition, IRM Directive 2115 on conducting ADP reviews is
incomplete and outdated.  The Directive, published in 1984,
does not provide information on conducting reviews of current
ADP technologies, and contains references to obsolete Federal
policies and EPA criteria.  Other than OIRM, we found no one
during our review who used this Directive to conduct IRM
reviews.

Additionally, in our opinion, the absence of a comprehensive
information system quality assurance program can be
attributed, in part, to the lack of clear Federal quality
assurance guidance.  While OMB Circular A-130 requires that
information systems operate effectively and accurately, it
does not specify procedures for complying with the
requirements.  Similarly, OMB Circular A-132 requires the
implementation of quality and productivity management
practices, but does not specify procedures for compliance.
We plan to address these Governmentwide deficiencies through
the PCIE.  Nonetheless, the Agency should develop a
comprehensive information system quality assurance policy and
program.
CONCLUSIONS

If quality assurance information system reviews were
periodically performed for EPA's major information systems,
and a more comprehensive program was established, many of
these software and data integrity problems the Agency
currently faces could have been minimized or avoided. . We
also believe it could have resulted in significant long-term
savings to the Agency.

EPA should establish an oversight and enforcement program for
comprehensive quality assurance of information systems.  The
program's primary purpose should be to ensure that EPA's
systems are developing and operating in compliance with
Agency and Federal requirements.  The increasing reliance on
mission-critical information systems, the complexity of
system development, and associated high cost of information
systems, underscore the need for such a program.  An
effective program helps ensure that cost-effective methods
are established by which information systems are planned and
measured, and throughout the development process, information
systems incorporate the necessary attributes and thus meet
both user and control requirements.  Also, the program should
clearly address other aspects of the IRM functions,
operational information systems, and compliance issues.
We recommend that the Assistant Administrator for Adminis-
tration and Resources Management develop a comprehensive
Agencyvide oversight and enforcement program which focuses on
software quality and the system development life cycle and
which at a minimum should include the:
                              57

                           Report No.  E1NMF1-15-0032-2100641

-------
                                   Computer Systems Integrity
     a.   Development and implementation of an action plan to
          accomplish Agencywide quality assurance for major
          information systems.

     b.   Establishment of an oversight and enforcement
          function to be responsible for the overall
          information systems quality assurance program to
          include independently reviewing and evaluating
          major information systems.

     c.   Updating and establishment of clear policies,
          standards, procedures, and guidelines on
          information systems quality- assurance and
          incorporation of them into formal EPA directives.

     d.   Provision of training on information system quality
          assurance.
AGENCY COMMENTS AND OIG EVALUATION

OARM has agreed with all our recommendations.  However,
planned actions for Recommendation 1c are not fully
responsive to our recommendation.  EPA Directive 2115
entitled "Guide to ADP Reviews"  (addressed in Chapter 3)
needs to be updated and formally reissued.  Further, the
EPA's System Design and Development Guidance and other
related guidance should be revised and formalized.  In
addition, FIPS publications should be incorporated or
referenced in the updates to the above documents.
    INTERNAL CONTROL REVIEWS OF SOME SENSITIVE INFORMATION
              SYSTEMS HAVE NOT BEEN PERFORMED
EPA has not conducted any internal control reviews of 15 (52
percent) of the Agency's 29 sensitive systems (i.e.,
information systems and general support systems) as required
by OMB Circulars A-123, A-127, and A-130.  Without conducting
system reviews, EPA can not fully meet the provisions of the
Paperwork Reduction and Computer Security Acts regarding
sensitive system certifications, and provide reasonable
assurance under FMFIA that management controls for the
Agency's sensitive systems are in place, reviewed, and
evaluated.  Moreover, if State, local, and other Federal
agencies do not have confidence that EPA's sensitive systems
are adequately protected, then their willingness to supply
requested data may be adversely impacted.  This breakdown, in
turn, may negatively impact EPA's mission.  In addition, OIG
and GAO have issued 16 reports since fiscal 1980 addressing
serious internal control problems in sensitive systems at
EPA.  Among the concerns these reports addressed were
significant system software control weaknesses at EPA's NCC,
and major weaknesses not being identified under EPA's FMFIA
process.  The reasons why sensitive system reviews were not
always conducted were: (1) 17 (59 percent) of 29 sensitive
systems were not included in the Agency component event cycle
documentation; (2) detailed FMFIA instructions prepared in
1991 and 1992 did not cover sensitive systems; and (3) OIRM
did not enforce/oversee the sensitive systems certification
process.
FEDERAL AND AGENCY REQUIREMENTS ON
INTERNAL CONTROLS FOR INFORMATION SYSTEMS

FMFIA requires executive agencies to evaluate their systems
of internal accounting and administrative controls and submit
an annual letter to the President and Congress on the status
of the agency's system of internal controls.  OMB Circular
A-123, entitled "Internal Control Systems," dated August 1986
provides regulations on FMFIA implementation.  The circular
requires that each agency: (1) update its risk assessments at
least once every 5 years; (2) examine the internal control
process regularly; and (3) conduct ICRs or AICRs of internal
control systems.  The internal control requirements under OMB


Circular A-123 apply to all of an agency's programs and
administrative functions, of which sensitive systems are an
integral part.  In addition, OMB Circular A-123 requires that
activities under OMB Circulars A-130 and A-127 be considered
when scheduling and performing vulnerability assessments and
internal control reviews.  See Appendix XIII for a glossary
of definitions of the FMFIA process.

The Paperwork Reduction Act of 1980 (as amended) established
a broad mandate for agencies to perform their information
management activities in an efficient, effective, and
economical manner.  Pursuant to the Act, the December 1985
OMB Circular A-130, entitled "Management of Federal
Information Resources," requires:

     —   the establishment of systems of management control
          that assure that appropriate administrative,
          physical, and technical safeguards are incorporated
          into all new information systems, and into
          significant modifications to existing information
          systems.  Upon completion of system tests, an
          agency official shall certify that the system meets
          all applicable Federal policies, regulations, and
          standards, and that the results of the tests
          demonstrate that the installed security safeguards
          are adequate; and

     —   the conduct of periodic audits or reviews of
          sensitive applications and recertification of the
          adequacy of security safeguards.  Audits or reviews
          and recertification of information systems shall be
          performed at least every three years.  They should
          be considered as part of agency vulnerability
          assessments and internal control reviews conducted
          in accordance with OMB Circular A-123.  Security
          and other control weaknesses shall be included in
          the annual internal control assurance letter
          required by OMB Circular A-123.

The Computer Security Act of 1987 requires agencies to
identify each computer system that contains sensitive
information and to prepare and implement a plan for the
security and privacy of these systems.  OMB Bulletin 90-08
which implemented the Act requires that agencies shall
manage, develop, and implement adequate security controls,
which includes performing system certifications.  Under
system certification, if the sensitive system has been in


 operation for a period of time it should have been audited or
 reviewed and recertified within the last three years.

OMB Circular A-127, entitled "Financial Management Systems,"
implements FMFIA in developing, operating, evaluating, and
reporting on financial management systems.  The circular
requires that a limited review of each financial system must
be performed at least once a year.  In order to provide full
assurance, these systems must also have a detailed evaluation
at least once every three years.  All agencies are required
to report to the President and Congress on whether the
agency's accounting system conforms to appropriate accounting
principles and standards.

 EPA directives support internal controls and the sensitive
 system certification process.   Chapter 8 of the IRM Policy
 Manual established policy to protect sensitive information
 and sensitive applications from improper use,  alteration,  or
 disclosure.   Among its ten policies, it requires that all  new
 sensitive systems undergo a control review  leading to formal
 certification,  and existing sensitive  systems be reviewed
 every three years.   OIRM responsibilities include developing
 security policy,  overseeing the security program,  providing
 guidance on selecting safeguards and participating,  as
 necessary,  in management and internal  control reviews.   Each
 Primary Organization Head (POH)  is required to provide  annual
 assurance to OARM that organizational  information resources
 are adequately protected which includes performing sensitive
 systems certifications.   The directives indicate that this
 will be done as part of the internal control review process
 required under OMB Circular A-123.

 Additionally,  EPA's  Resources Management Directive 2560,
 "Internal Control,"  requires each POH  to evaluate all
 internal control systems on an ongoing basis.   The directive
 specifically lists ADP as part of the  general control
 environment which should be evaluated  when  considering
 internal control systems.   Resources Management Directive
 2580,  "Financial Management Systems,"  further instructs OARM
 to  evaluate,  improve,  and report on EPA's financial
 management systems.
INTERNAL CONTROL REVIEWS NOT PERFORMED

EPA has conducted reviews on 14 (48 percent) of EPA's 29
sensitive systems over the last 3 years, and 10 (34 percent)
of these 29 systems are scheduled for review from 1992
through 1996.  Of the 10 reviews planned, 7 are for systems
reviewed during the prior 3 years.  However, EPA has not
reviewed 15 (52 percent) of the 29 sensitive systems over a
3-year period.  Furthermore, 19 (66 percent) are not
scheduled for review from fiscal 1992 through 1996.  Appendix
XIV provides a detailed listing of OIRM-designated sensitive
systems by Agency component, indicating which systems have
been, and are planned to be, reviewed per the management
control plans, and whether these systems were listed in the
event cycle documentation.

In addition, as of May 1992, OIRM was updating and expanding
its inventory of sensitive systems.  In our view, it is
likely that the sensitive systems listing will increase
significantly.  This makes it even more important to ensure
security controls are operating in these sensitive systems by
the performance and planning of the supporting reviews.
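The review cadences stated in the requirements above (review or audit and recertification at least every three years under OMB Circular A-130 and Chapter 8 of the IRM Policy Manual, an installation risk analysis at least every five years, and an annual limited review of each financial system under OMB Circular A-127), together with the coverage arithmetic used in this section, can be checked mechanically against a sensitive systems inventory.  The following Python script is an added illustration and is not part of this report or of any EPA system; the system and installation names, the dates, and the event cycle and management control plan fields are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Review cadences stated in the requirements (in years).
RECERT_YEARS = 3                  # A-130 / IRM Policy Manual ch. 8: review and recertify
INSTALL_RISK_ANALYSIS_YEARS = 5   # A-130: installation risk analysis
FINANCIAL_LIMITED_REVIEW_YEARS = 1  # A-127: limited review of each financial system


def is_due(last: Optional[date], interval_years: int, asof: date) -> bool:
    """True if nothing is on record, or the last event is older than the interval.
    A missing record is treated the same as an expired one."""
    if last is None:
        return True
    try:
        deadline = last.replace(year=last.year + interval_years)
    except ValueError:  # 29 February rolling into a non-leap year
        deadline = last.replace(year=last.year + interval_years, day=28)
    return asof > deadline


@dataclass
class SensitiveSystem:
    name: str
    financial: bool = False
    in_event_cycle: bool = False              # listed in event cycle documentation
    last_review: Optional[date] = None        # last ICR/AICR or security review
    last_certification: Optional[date] = None
    last_limited_review: Optional[date] = None  # financial systems only
    planned_review_years: Tuple[int, ...] = ()  # fiscal years in the control plan


@dataclass
class Installation:
    name: str
    last_risk_analysis: Optional[date] = None


def overdue_items(systems: List[SensitiveSystem], installations: List[Installation],
                  asof: date) -> List[Tuple[str, str]]:
    """Return (name, reason) pairs for every requirement unmet as of `asof`."""
    findings = []
    for s in systems:
        if not s.in_event_cycle:
            findings.append((s.name, "not in event cycle documentation; no ICR/AICR will be scheduled"))
        if is_due(s.last_review, RECERT_YEARS, asof):
            findings.append((s.name, "review/audit older than 3 years"))
        if is_due(s.last_certification, RECERT_YEARS, asof):
            findings.append((s.name, "certification/recertification older than 3 years"))
        if s.financial and is_due(s.last_limited_review, FINANCIAL_LIMITED_REVIEW_YEARS, asof):
            findings.append((s.name, "annual limited review (A-127) overdue"))
    for i in installations:
        if is_due(i.last_risk_analysis, INSTALL_RISK_ANALYSIS_YEARS, asof):
            findings.append((i.name, "installation risk analysis older than 5 years"))
    return findings


def coverage(systems: List[SensitiveSystem], asof: date, plan_years) -> Dict[str, int]:
    """The report's coverage arithmetic: how many systems were reviewed within the
    window, how many are scheduled, and how many scheduled reviews go to systems
    that are already current rather than to the gaps."""
    total = len(systems)
    current = [s for s in systems if not is_due(s.last_review, RECERT_YEARS, asof)]
    scheduled = [s for s in systems if any(y in plan_years for y in s.planned_review_years)]
    scheduled_current = [s for s in scheduled if s in current]

    def pct(n: int) -> int:
        return round(100 * n / total) if total else 0

    return {
        "total": total,
        "reviewed": len(current), "reviewed_pct": pct(len(current)),
        "not_reviewed": total - len(current), "not_reviewed_pct": pct(total - len(current)),
        "scheduled": len(scheduled), "not_scheduled": total - len(scheduled),
        "scheduled_already_current": len(scheduled_current),
    }


# Constructed sample inventory (hypothetical systems; not EPA's actual listing).
ASOF = date(1992, 7, 1)
PLAN_YEARS = range(1992, 1997)  # fiscal 1992 through 1996
SYSTEMS = [
    SensitiveSystem("payroll", financial=True, in_event_cycle=True,
                    last_review=date(1991, 3, 1), last_certification=date(1991, 3, 1),
                    last_limited_review=date(1992, 1, 15), planned_review_years=(1994,)),
    SensitiveSystem("permit-tracking", in_event_cycle=True, last_review=date(1988, 6, 1)),
    SensitiveSystem("lab-data"),  # never reviewed, never certified, not in event cycle
    SensitiveSystem("grants-ledger", financial=True, in_event_cycle=True,
                    last_review=date(1990, 9, 30), last_certification=date(1990, 9, 30),
                    last_limited_review=date(1991, 2, 1), planned_review_years=(1993,)),
]
INSTALLATIONS = [Installation("data-center", last_risk_analysis=date(1986, 8, 1))]

if __name__ == "__main__":
    for name, reason in overdue_items(SYSTEMS, INSTALLATIONS, ASOF):
        print(f"{name:16} {reason}")
    print(coverage(SYSTEMS, ASOF, PLAN_YEARS))
```

Run as-is the script prints the overdue items and the coverage figures for the sample inventory; in practice the inventory would be loaded from the OIRM sensitive systems listing and the event cycle documentation.  Two design points follow the findings in this section: a system absent from the event cycle documentation is flagged on its own, since that is what keeps it from ever being scheduled, and the "scheduled_already_current" figure exposes the pattern noted above, where most planned reviews go to systems reviewed during the prior 3 years rather than to the unreviewed ones.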
INSUFFICIENT BASIS FOR PROVIDING REASONABLE
ASSURANCE FOR SENSITIVE INFORMATION
SYSTEMS SECURITY CONTROLS

Without conducting these reviews, EPA can not meet the
provisions of the Paperwork Reduction and Computer Security
Acts regarding sensitive system certifications, and provide
reasonable assurance under FMFIA that management controls for
the Agency's sensitive systems are in place and evaluated.
Moreover, if state, local, and other Federal agencies do not
have confidence that sensitive systems are adequately
protected, then their willingness to supply requested
information in a cooperative and timely fashion may be
adversely impacted.  Consequently, a breakdown in EPA's
information collection capability may negatively affect EPA's
mission.

In addition, OIG and GAO have issued 16 reports over the past
12 years addressing internal control deficiencies in EPA's
sensitive systems.  Some of the more significant ADP internal
control issues addressed in these reports included the
following.
     Significant system software control weaknesses at NCC: a
     March 1991 OIG report (Report No. E1NMBO-15-0027-
     1100151) concluded that an adequate division of
     responsibilities had not been provided in the assignment
     of duties involving security software administration,
     auditing, and maintenance which affects all sensitive
     systems on NCC's mainframe.

     Major weaknesses not identified under the FMFIA process:
     one OIG report (E1SFG1-15-5001-2400027) and two GAO
     reports (RCED-90-139 and RCED-86-34) identified material
     internal control weaknesses affecting sensitive systems
     which should have been, but were not, found under EPA's
     FMFIA process.

     Significant internal control deficiencies: a September
     1990 GAO report (Report No. RCED-90-232) indicated that
     three information systems (including the sensitive
     system PATES) contained inaccurate and/or incomplete
     data or were missing data on disinfectants.  The report
     concluded that these problems existed because EPA lacked
     adequate procedures to ensure data accuracy.
REASONS FOR NOT PERFORMING SENSITIVE
                   SYSTEMS REVIEWS
We found several reasons why sensitive systems reviews were
not always conducted or planned.  First, 17 (59 percent) of
29 sensitive systems were not included in the Agency's
assessable unit event cycle documentation.  The event cycle
documentation is updated on an annual basis and serves as the
primary source used to determine which ICRs and AICRs will be
conducted each year.

Second, detailed guidance on the FMFIA process did not always
address sensitive systems.  Each year, OARM's Resources
Management Division prepares guidance addressed to each POH
reminding them of the FMFIA process and informing them of any
changes or new information.  The fiscal 1990 guidance
provided some information about the need to review sensitive
systems.  However, the fiscal 1991 and 1992 instructions did
not specifically emphasize the importance of EPA's sensitive
systems reviews, or require that these systems be included in
management control plans and event cycle documentation.
Third, OIRM does not provide oversight or enforcement of the
sensitive system certification process, and thus internal
control reviews were not given sufficient priority and
emphasis.  Based on discussions with OIRM officials, as of
October 1991 only 2 of the 29 sensitive systems (AIRS and
PCS) had been certified.  However, as of April 1992, OIRM
officials told us that they are: (1) updating the sensitive
system listing; (2) drafting risk analysis and certification
guidance; and (3) planning to oversee/enforce the
certification process.  Thus, the internal control reviews
and the planning of such reviews will be vital in
establishing a basis for the sensitive system certification
process (see Chapter 7).
CONCLUSIONS

The probable expansion of the sensitive system universe and
the importance of protecting sensitive systems underscore the
need for the performance and planning of supporting reviews.
If the sensitive systems reviews were performed, then EPA
would have a basis for meeting requirements of the Paperwork
Reduction and Computer Security Acts and providing reasonable
assurance to the President and Congress that the Agency's
sensitive systems comply with internal control standards.
Further, the lack of confidence in the adequacy of sensitive
systems protection may negatively impact EPA's mission.
RECOMMENDATIONS
We recommend that the Assistant Administrator for
Administration and Resources Management:

1.   Provide detailed guidance in the Agency's FMFIA
     instructions requiring sensitive systems to be
     incorporated into FMFIA risk assessments, event cycle
     documentation, and management control plans to ensure
     that these systems are reviewed.

2.   Use the FMFIA reviews, as appropriate, to certify or
     recertify sensitive systems in accordance with OMB
     Circular A-130.
AGENCY COMMENTS AND OIG EVALUATION
OARM's planned actions satisfy the intent of our
recommendations.
                          CHAPTER 7
           EPA HAS NOT ESTABLISHED A COMPREHENSIVE
              COMPUTER SYSTEMS SECURITY PROGRAM
EPA has made some progress in implementing the computer
systems security (i.e., computer and telecommunications
security) requirements of the Computer Security Act of 1987
and OMB Circular A-130.  For example, the Agency has
established and filled one position in OIRM responsible for
developing and implementing an Agencywide computer systems
security program; another position in OIRM to perform
security functions within OIRM; and a position in NDPD
responsible for NCC hardware, systems software security, and
other security activities.  EPA has also conducted various
voluntary security awareness training sessions for Agency
officials over the past two years, issued security awareness
brochures throughout EPA Headquarters, and maintained and
periodically tested a disaster recovery plan for EPA's three
"highly sensitive" systems at the Agency's backup computer
site in Cincinnati, Ohio.

However, despite eight OIG reports since 1988 criticizing
computer systems security within EPA, the Agency has not met
key minimum Federal requirements for the establishment of a
comprehensive Agencywide computer security program.
Specifically, the Agency has not: (1) completed required risk
analyses, security reviews, certifications, and updated
security plans for all of its sensitive information systems;
(2) prepared an overall, updated, complete risk analysis for
the NCC since August 1986; and (3) established mandatory
security awareness training for its officials involved in the
management, use, or operation of its sensitive computer
systems.  As a result, EPA has no assurance that its valuable
and mission-critical information resources are adequately
protected from fraud, abuse, and unauthorized manipulation.
These deficiencies have occurred because EPA has not provided
adequate mandatory technical guidance for information
technology installation security, and has not provided
information system owners adequate mandatory technical
guidance on selecting and implementing safeguards or security
standards to be followed.  In addition, the Agency has not
fully assigned the computer systems security responsibilities
within the program offices to effectively establish an
Agencywide computer systems security program.  Finally, OIRM
has not established a mechanism to oversee and enforce its
information security program.


 FEDERAL SECURITY REQUIREMENTS

The Computer Security Act of 1987, Public Law 100-235, dated
January 8, 1988, requires all Federal agencies to identify
their computer systems, whether operational or under
development, that contain sensitive information; establish
training programs to increase security awareness and
knowledge of security practices; and establish a security
plan for each computer system with sensitive information.

OMB Bulletin 88-16 dated July 6, 1988, provided initial
guidance for preparing security plans for systems and
installations.  This Bulletin was superseded by OMB Bulletin
90-08, dated July 9, 1990, which provides detailed guidance
on implementing the Computer Security Act of 1987.  This
Bulletin is effective until it is incorporated into OMB
Circular A-130 or superseded.  It requires that a new
security plan be done for each system with sensitive
information incorporating advice and comments from the National
Institute of Standards and Technology (NIST) and the National
Security Agency (NSA).  It also requires security plans to
incorporate appropriate internal control corrective actions
identified under OMB Circular A-123.  OMB Bulletin 91-10
dated March 28, 1991, requires that agencies prepare and
implement security plans for systems containing sensitive
information, and report IRM and security plans and activities
in their 5-year IRM plans.

OMB Circular No. A-130 requires that agencies implement and
maintain a computer systems security program, including the
preparation of policies, standards, and procedures.  Agency
programs shall, at a minimum, include four primary elements:
(1) information systems security; (2) information technology
installation security; (3) personnel security; and
(4) security awareness and training.

OMB Circular A-130 also states that agencies shall:

     —   establish systems of management control that assure
          that appropriate administrative, physical, and
          technical safeguards are incorporated into all new
          information systems, and into significant
          modifications to existing information systems.

          Upon completion of system tests, an agency official
          shall certify that the system meets all applicable
          Federal policies, regulations, and standards, and
          that the results of the tests demonstrate that the
          installed security safeguards are adequate;

     —   conduct periodic audits or reviews of sensitive
          applications and recertify the adequacy of security
          safeguards.  Audits or reviews and recertification
          of information systems shall be performed at least
          every three years.  Security and other control
          weaknesses shall be included in the annual internal
          control assurance letter required by OMB Circular
          A-123;

     —   establish and maintain a program for the conduct of
          periodic risk analyses at each installation to
          ensure that appropriate, cost effective safeguards
          are incorporated into existing and new
          installations.  A risk analysis shall be performed
          at least every five years and whenever a
          significant change occurs;

     —   establish a security awareness and training program
          to assure that agency and contractor personnel
          involved in the management, operation, programming,
          maintenance, or use of information technology are
          aware of their security responsibilities and know
          how to fulfill them; and

     —   establish and implement personnel security policies
          consistent with policies issued by the Office of
          Personnel Management.

Further, OMB Circular A-130 requires agencies to use Federal
Information Processing and Telecommunications Standards
except when the cost of using the standards exceeds the
benefits or the standard will impede the agency in
accomplishing its mission.  For instance, FIPS Publication
102 entitled "Guidelines For Computer Security Certification
And Accreditation" should be adopted by the agency.  FIPS
Publication 102 defines the risk analysis as a method of
identifying security risks, determining their magnitude, and
identifying areas where safeguards or controls are needed.
The publication requires a risk analysis as well as
certification for each sensitive information system.
The FIRMR Part 201-7.102 (Amendment 1, December 1984)
requires that each agency establish a computer systems
security program that clearly delineates the responsibility
for security agencywide.  Agencies are also required under
FIRMR Part 201-7.204 to organize and maintain a computer
systems security program to ensure the protection, confi-
dentiality, and integrity of the Federal government's
investment in computer systems, including associated data,
computer media, and software.

EPA's Information Security Manual requires that each new
sensitive information system must undergo initial
certification and then recertification every three years.
This certification must take place prior to the system being
put into use or production.  Recertification of the
operational systems should be based on reviews or audits that
test and evaluate the adequacy of implemented safeguards and
that identify any new vulnerabilities.  Additionally, the
Manual requires that qualitative risk analyses be completed
for sensitive applications.

EPA Directive 1100, "Organization and Functions Manual,"
Change 9 Edition, August 16, 1991, shows four offices under
OARM that are responsible for security in mostly general
terms.  The Office of Administration is responsible for
property security; OIRM's IMSD is responsible for managing
the computer systems security provisions of the Computer
Security Act of 1987, as amended; and OARM-RTP and OARM-
Cincinnati are responsible for various general services
(including safety and security).
EPA HAS NOT IMPLEMENTED
SECURITY REQUIREMENTS

OIRM has not met all of the minimum requirements of the
Computer Security Act of 1987 and OMB Circular A-130, which
require that the program include information systems
security, information technology installation security, and
security awareness and training.  In our April 1992 meeting,
the Director and Deputy Director, OIRM, acknowledged that
they were concerned about security.

Information Systems Security

NIST and NSA completed a review of the Agency's security
plans for sensitive information systems for OMB in 1990.


Although the Agency has made some progress in correcting
deficiencies noted by NIST/NSA, EPA has not made adequate
progress.  Our review of the Agency's implementation of OMB's
requirements for sensitive information systems indicated that
as of July 1992, the following requirements were not
completed for the 29 sensitive systems: (1) 20 (69 percent)
risk analyses; (2) internal control reviews (as discussed in
Chapter 6) which would cover security controls for 15 (52
percent) systems; (3) 22 (76 percent) system certifications;
and (4) 13 (45 percent) updated security plans. (See Appendix
XV.)

Under OMB Bulletin 88-16, NIST and NSA jointly reviewed the
original security plans for sensitive systems submitted by
EPA.  NIST/NSA's primary criticism about these plans was the
general lack of formal risk analyses and that the informal risk
analyses done were not adequately described.  OMB Bulletin
90-08 required EPA to update the plans to correct
deficiencies identified by NIST/NSA.  Subsequently, EPA
responded in June 1991 to OMB Bulletin 91-10, "Information
Resources Management (IRM) Plans Bulletin," that OIRM was
working closely with SIRMOs and system managers to ensure
existing security plans were updated and that procedures were
in place to identify additional sensitive systems.  They also
said that application program managers had conducted reviews
and audits of their systems.

In an OMB Executive briefing on EPA's Information Security
Program in July 1991, Agency officials cited significant
progress in establishing a comprehensive Agencywide
information security program.  They also cited that
certifications and recertifications (which are based on risk
analyses and security reviews) of all existing sensitive
systems were a high priority in the upcoming months.   Yet as
of July 1992 (as cited above), a significant number of
sensitive information systems still have no risk analyses,
security reviews, or certifications.

Information Technology Installation Security

NCC has not updated its installation risk analysis.  A
facility vulnerability assessment was completed in May 1989,
but this is only part of an installation risk analysis.  NCC
has exceeded the time requirements in OMB Circular A-130,
which requires the Agency to conduct risk analyses for each
installation at least every five years to ensure that
appropriate, cost effective safeguards are incorporated into


existing and new installations.  The last completed
installation risk analysis of the NCC facilities was done  in
August 1986.

NCC is the primary computer facility for the Agency's
mainframe computers which are used for many sensitive and
critical Agency information systems.  The last completed
installation risk analysis, from 6 years ago, is not
representative of the current facility operations (e.g., the
Agency has replaced its mainframes).  We also believe that an
installation risk analysis is needed based on the
September 22, 1992, OIG audit report (Report No. E1NMF1-15-
0055-2100591), which identified significant mainframe system
software control weaknesses affecting sensitive information
systems such as EPA's payroll and financial systems.  NCC
officials told us that they were in the process of updating
the facility risk analysis and expected to complete it in
1992.

Security Awareness and Training

Contrary to the Computer Security Act of 1987, EPA has not
established mandatory periodic training in security awareness
for all persons involved in the management, use, or operation
of Federal computer systems.  For instance, in December 1991,
OIRM conducted security awareness training sessions on
Computer Security Day for Agency executives, SIRMOs, system
managers, Personal Computer (PC) site coordinators, and
mainframe and PC end users.  We were advised by OIRM
officials that these training sessions were "optional" and
only about 40 employees attended the sessions.  We were
advised by OIRM officials that their other security awareness
and training activities were also provided on an optional
basis and only one Headquarters program office required
mandatory periodic security awareness training of its
employees.
EPA HAS LITTLE ASSURANCE SYSTEMS
ARE ADEQUATELY PROTECTED

Without an Agencywide computer systems security program which
meets all the minimum requirements of the Computer Security
Act of 1987 and OMB Circular A-130, EPA has little assurance
that its valuable and mission-critical information resources
are adequately protected from fraud, abuse, and unauthorized
manipulation.  Since 1988, the OIG has issued eight reports


addressing security problems such as inadequate controls over
passwords, failure to perform system risk analyses, and
illegal entry of computer systems by "hackers" (see
Appendixes V and VI).  Our prior report on mainframe security
software (Report No. E1NMBO-15-0027-1100151, dated March
1991) and our September 1992 report on mainframe access
control weaknesses showed that the Agency is exposed to
unnecessary risks by providing opportunities for
knowledgeable perpetrators to access, modify, and/or destroy
EPA's computer data, programs, and other resources with
little fear of detection.  The Agency's increased
vulnerability to computer fraud could adversely affect its
mission and the integrity of its programs and sensitive
information systems.
EPA HAS NOT PROVIDED
EPA has not provided adequate mandatory technical guidance
for information technology installation security, and has not
provided information, system owners .adequate mandatory
technical guidance on selecting and implementing safeguards
or security standards to be followed.  Although . OIRM issued
the Information Security Manual in December 1989 to provide
Agencywide security procedures , the manual has never been
formalized through EPA Directive 1315.  In addition, the
Agency has not fully assigned the computer systems security
responsibilities within the program offices to effectively
establish an Agencywide computer systems security program.

The August 1986 NCC Vulnerability Evaluation and Risk
Analysis by the accounting firm Deloitte, Haskins & Sells
cited the need for OIRM to develop an EPA-specific computer
systems security manual for EPA users.  The manual was needed
to provide users with specific guidance on how to protect
information in the EPA environment, if the information needs
protection.  Subsequently, OIRM issued the Information
Security Manual, which helps information owners in evaluating
the sensitivity of their information systems or collections
of information.  However, this guidance is very general, is
presented as suggested procedures, and is not supported by
basic security standards that assure the information systems
owners that controls implemented comply with Agency policies.
As a result, OIRM's computer systems security program has not
adequately protected sensitive information systems such as
the payroll system and IFMS.


We found that security responsibilities were not formally
defined in each organizational unit as required by FIRMR Part
201-7.102.  EPA has not assured that an appropriate level of
security is maintained at all information technology
installations operated by or on behalf of the Federal
government.  Of the eight computer installations visited
between June 1991 and October 1991, only one had a computer
systems security officer formally designated.  Further, the
computer systems security responsibilities are not explicitly
defined in EPA Directive 1100 or EPA Directive 2100.

As discussed in Chapter is, OIRM did not perform internal
control reviews—which would encompass security—of sensitive
systems.  OIRM states in the Information Security Manual that
it does not want to bog organizations down in a
time-consuming paper exercise, but requires each major
organizational unit to submit an annual security report
comprised of worksheets and documents prepared during
day-to-day implementation of the security program.  In OIRM's
opinion, the report would help them in monitoring Agency
compliance with the information security program.
Nevertheless, when we interviewed the Chief, Information
Management Branch (i.e., the OIRM manager responsible for
computer systems security), he was not aware of this
requirement, had never seen an Organizational Security
Report, and does not request the information from
organizations.  Therefore, we concluded that OIRM has not
established a mechanism to oversee and enforce its
information security program.
CONCLUSIONS

Contrary to OMB Circular A-130 and the thrust of the Computer
Security Act of 1987, EPA has not established an active
Agencywide computer systems security program.  For example,
organizational responsibilities, policies, and procedures
were not formalized, and key computer systems security
controls, such as risk analyses and certification of
sensitive information systems, were not implemented.
Consequently, EPA has little assurance that information
resources critical to its mission were adequately protected
and that appropriate, cost-effective safeguards were
incorporated into NCC installation security.
We recommend that the Assistant Administrator for
Administration and Resources Management:

1.   Develop specific, formal Agencywide computer systems
     security standards and procedures for the protection of
     EPA's valuable and sensitive information resources.
     Where detailed mandatory Federal procedures (e.g., FIPS
     publications) are available, Agency policies, standards,
     and procedures should at least reference these Federal
     procedures.

2.   Formally designate qualified officials as security
     officers in all information technology installations to
     carry out the responsibilities of EPA's computer systems
     security program.

3.   Require the completion of risk analyses, security
     reviews, certifications, and updated security plans for
     all sensitive information systems.

4.   Require the completion of the NCC updated facility risk
     analysis.

5.   Establish mandatory periodic training in security
     awareness for all persons involved in the management,
     use, or operation of EPA's sensitive computer systems.

6.   Develop an information security monitoring program
     capable of ensuring that all Agency organizational units
     are in compliance with the information security program.
AGENCY COMMENTS AND OIG EVALUATION

OARM agreed with all our recommendations.  However, the
planned actions for Recommendation 2 on the designation of
security officers are not fully responsive.  We believe that
the placement of NDPD's security officer within the ADP
Operations Management Branch does not ensure adequate
independence, as discussed in our September 1992 OIG Report
No. E1NMF1-15-0055-2100591.  The planned actions for
Recommendation 4 to complete a risk analysis of the NCC
operations should be based on FIPS Publication 65, which
requires a quantitative risk analysis rather than the
optional qualitative risk analysis as set forth in the EPA
Security Manual.  We feel that FIPS Publication 65 is more
appropriate to use because: (1) OMB Circular A-130 requires
agencies to use FIPS publications; (2) NCC operations are
critical to EPA in performing its mission; (3) the size, scope,
and investment (i.e., operating budget of over $60 million)
in NCC operations are significant; and (4) a quantitative
risk analysis provides for a determination of the most
cost-effective security safeguards.
                          CHAPTER 8


 OARM'S FMFIA PROCESS DOES NOT SUFFICIENTLY ADDRESS THE
                       WITH CRITICAL IRM PROCESSES
The FMFIA, Public Law 97-255, requires each executive agency
to periodically evaluate its system of internal accounting
and administrative controls and submit an annual statement of
assurance to the President and the Congress on the status of
the agency's system of internal controls.  These evaluations
are made pursuant to OMB Circular A-123.  The annual reports
are to state whether the systems meet the objectives of
internal control and conform to standards developed by GAO
(Standards for Internal Controls in the Federal Government,
published in 1983).  EPA Resources Management Directive 2560
applies the FMFIA review requirements to financial,
administrative, and program activities at all levels of the
Agency and designates the Assistant Administrator for
Administration and Resources Management as the Agency
official responsible for assuring compliance with the FMFIA,
GAO standards, and OMB guidance.  EPA's "Internal Control
Guidance for Managers and Coordinators" provides FMFIA
implementation procedures to Agency officials.

An agency component (i.e., assessable unit) is defined in OMB
Circular A-123 as a major program, administrative activity,
organization, or functional subdivision.  EPA guidance
requires 5-year MCPs which summarize the Agency's risk
assessments, planned actions, and internal control
evaluations to provide reasonable assurance that controls are
in place and working.  Assessable units are to include event
cycles (i.e., a group of related steps needed to complete an
activity in an assessable unit).  MCPs should be updated
annually and used by management to monitor risk assessment
activities, ensuring that scheduled actions actually occur.
Necessary ICRs and AICRs should be listed in MCPs, and should
identify internal controls (i.e., control objectives and
techniques) that need to be strengthened or streamlined.
Based on the results of these reviews, management should
implement required corrective actions on a timely basis.

The IRM process deficiencies identified in this report are
material weaknesses which meet EPA's materiality criteria for
reporting to the President and Congress in conjunction with
OMB Circular A-123 and the FMFIA.  However, these weaknesses
were never identified by OARM's FMFIA process.


We reviewed the OIRM (AU 1210) and the OARM-RTP (AU 1212)
1991 5-year MCPs, and found they identified 5 sub-units for
which AICRs and ICRs were planned.  Twenty AICRs and no ICRs
relating to those sub-units were scheduled for fiscal 1991.
Ninety-five AICRs are planned from fiscal 1992 through 1996.
No ICRs are planned for this period.

Based on this review we found no on-going or planned
ICRs/AICRs specifically addressing the IRM process weaknesses
discussed in this report.  Furthermore, these areas may not
be covered in any ICRs planned in the future, because event
cycles and control objectives and techniques expressly
related to these weaknesses were not included.  Although
information security was discussed in OIRM's event cycle
documentation, it does not adequately address the critical
issues of oversight and enforcement of security policies or
specific items (i.e., security plans, risk assessments,
certifications) to be prepared.  Instead, the event cycle
dealt primarily with administrative issues, such as issuance
of the information security manual and responding to the
annual data call from OMB/NIST.  We also examined OARM's 1991
Annual Report on Management Controls and found that no
material weaknesses related to the IRM process were
identified.
CONCLUSION

As a result, EPA's IRM process does not receive the requisite
extent of coverage deserved under the FMFIA process.  We
concluded that the material weaknesses presented in this
report have not been addressed in the FMFIA process.
However, considering the scope of the IRM problems identified
in this report, we believe the OIRM and OARM-RTP
vulnerability assessment ratings should be changed from
medium to high risk because of the criticality of IRM to the
success of all program activities.  Considering the
importance of IRM within EPA, OARM needs to more adequately
address accountability and control over IRM processes,
especially those functions described in this report, within
the FMFIA process.
We recommend that the Assistant Administrator for
Administration and Resources Management:

1.   Establish event cycles specific to IRM processes and
     include the appropriate control objectives and
     techniques.

2.   Update the risk assessment for the assessable units 1210
     and 1212 to more adequately account for the risks
     associated with EPA's information resources.

3.   Schedule formal AICRs specifically addressing policies
     and procedures, planning and budgeting, quality
     assurance, individual sensitive information systems, and
     security of sensitive systems and facilities in the next
     MCP.
AGENCY COMMENTS AND OIG EVALUATION

OARM's planned actions satisfy the intent of our
recommendations.
                                              APPENDIX I
           UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
                      WASHINGTON, D.C. 20460


                           SEP 15 1992
                                                 OFFICE OF ADMINISTRATION
                                                 AND RESOURCES MANAGEMENT
SUBJECT:  Agency Response to Draft Audit Report No.
          E1NMF1-15-0032; COMPUTER SYSTEMS INTEGRITY:
          EPA Must Fully Address

FROM:     Christian R. Holmes
          Assistant Administrator

TO:       Kenneth A. Konz
          Assistant Inspector General for Audit
     Thank you for the opportunity to respond to the above-
referenced draft audit.  The attached response reflects input
from both OARM and OPPE, with OPPE's input directed mostly
toward the organizational issues raised in Chapter 2 of the
draft audit.  In general, we agree with all recommendations,
and the Agency is already working to implement many of them.

     I am appreciative of the importance of the audit and
strongly support your emphasis on the need for a sound IRM
infrastructure to attain the Agency's mission.  I also
understand and endorse your call for more involvement in IRM
by top Agency management.  The Agency must manage its
information resources as well as it manages its fiscal,
physical, and human resources.  The recommendations of the
draft audit can help move the Agency toward that goal.

     Your draft report does not fully reflect the significant
improvements OARM has already made in many areas of IRM.
These improvements include:  substantial focus on information
systems quality assurance within OIRM's Administrative
Systems Division and EPA's Systems Development Center,
designation of qualified security officers for OARM's major
computer installations, leadership of the IRM Compliance
Strategy Task Group, enforcement of the requirement for
certified security plans for sensitive information systems,
and prior commitments to establish an independent IRM
oversight function within OIRM and conduct security reviews
for all Agency administrative applications managed by OIRM.
OARM has made substantial progress in all of these areas.
[See Appendix II, Note 1]
     There are some areas in which the draft audit could be
strengthened.  For example, certain recommendations in
Chapters 2 and 4 would be more helpful if they could be made
more specific.  I request that the heading for Chapter 4 be
changed to focus on the Agency's need for improved IRM
planning, rather than improved information systems planning.
In addition, many of the recommendations could be directed to
the Designated Senior Official for IRM, once that position is
formalized.  Lastly, there are a few findings that appear to
contain minor factual errors.

     The attached detailed response parallels the structure
of the draft audit, moving from our response to the Executive
Summary to our responses to Chapters 1 through 6.  Appendix A
provides a convenient summary of our responses to your
specific recommendations.

     Should you have any questions on this response, please
contact Alvin Pesachowitz, Director of the Office of
Information Resources Management, at 260-4465.

Attachment

cc:  Richard Morganstern, OPPE
     Gordon Milbourn, OIG
          AGENCY RESPONSE TO DRAFT AUDIT REPORT NO. E1NMF1-15-0032

            "EPA Must Fully Address Longstanding IRM Problems"

Summary of Our Response

     OARM appreciates the opportunity to respond in writing
to the draft audit report on computer systems integrity.  The
year-long process of discussion leading up to the draft audit
report has already resulted in progress in a number of areas,
ranging from information security to IRM planning.  OARM
appreciates the use of the word "fully" in the audit title
since it acknowledges, at least slightly, our ongoing efforts
to address IRM problems and concerns for the benefit of the
Agency mission.

     These ongoing efforts include:  substantial focus on
information systems quality assurance within OIRM's
Administrative Systems Division and EPA's Systems Development
Center, designation of qualified security officers for OARM's
major computer installations, leadership of the IRM
Compliance Strategy Task Group, enforcement of the
requirement for certified security plans for sensitive
information systems, and commitments to establish an
independent IRM oversight function within OIRM and conduct
security reviews for all Agency administrative applications
managed by OIRM.  OARM has made substantial progress in all
of these areas.

     In general, OARM agrees with the recommendations of the
draft audit.  We believe that the recommendations, when
intelligently implemented, can strengthen the Agency's IRM
program.  The importance of the audit is clear, and OARM
strongly supports the report's emphasis on the need for a
sound IRM infrastructure to attain the Agency's mission.
OARM also understands and fully endorses the call for more
involvement in IRM by top Agency management.

     Some of our comments on the draft audit report are quite
specific, while others are more general.  The general
comments may serve as the basis for productive discussions
prior to creation of the final audit report.  It is hoped
that even the very specific comments will also be useful in
creating the final audit report.

[See Appendix II, Note 2]
     There are two general and two specific comments worth
highlighting here, even though they are presented in greater
detail in the sections that follow.  First, the report would
portray a more complete picture of the Agency's information
security program if it referenced the responsibilities of the
Office of Inspector General for personnel security for
Federal and contractor employees, as formalized in EPA
Directive 2100 [see Appendix II, Note 3].  Second, because of
the dynamic nature of computing and telecommunications
technology, we urge caution at the implication that all NDPD
operational policies should undergo green border review.
These operational policies must be maintained on a very
timely basis.

[See Appendix II, Note 4]
     The first specific comment is that, contrary to the
report's statement, OARM does have plans to update EPA's IRM
Policy Manual, per the recommendations of the IRM Compliance
Strategy Task Group.  The final comment is that OARM
disagrees with the observation that EPA's IRM Strategic Plan
"is of little value to IRM decision-making".  The document
represents a major achievement in reaching consensus on
issues such as data integration, and the document's strategic
vision lays the foundation for further progress in key areas
of Agencywide mission support by the IRM community.

     There were two principles used to guide development of
this entire response.  The first was to always respond so as
to best enable effective management of EPA information to
meet EPA's mission.  The second was to work consistently
towards strengthening and centralizing IRM controls in accord
with TQM principles.  TQM principles provide an effective
reminder to avoid imposition on the Agency of unnecessary,
non-value-added work for the cause of better IRM.

[See Appendix II, Note 5]
     This second principle is important because, during
implementation of the audit recommendations, it will be
essential to help Agency managers and their employees
understand how an improved IRM program can support better
environmental management.  IRM at EPA will never be as simple
as implementing recommendations extracted from an IRM
textbook.

     The following pages respond to the Executive Summary and
Chapters 1 through 8 in turn.  Appendix A, which comes
afterward, summarizes the actions we propose to take in
response to the draft audit recommendations.  We have not
developed specific due dates for all actions, but we would be
pleased to discuss scheduling issues and we plan to provide
firm dates in our response to the final audit.

     Appendix B, referenced in our response to Chapter 5 of
the draft audit, provides a copy of the Agency's comments to
OMB regarding the proposed revision of OMB Circular A-130.
9/15/92

Response to the Executive Summary

     The Executive Summary, comprised of entirely new text,
has not benefitted from being the focus of prior discussions
between OIRM/NDPD and OIG.  Since that is the case, comments
may seem a little heavy on this chapter given that any issues
relating to the Executive Summary should theoretically be
addressed in the responses to the other chapters.  In some
cases, the comments below will be repeated or expanded upon
in the chapter comments that follow.

[See Appendix II, Note 6]
     In general, the Executive Summary accurately reflects
the contents of the individual chapters, but there are a few
sentences where the chapter texts and executive summary
diverge.  Specifically, the topic of Chapter 8 seems to be
missing entirely from the closing paragraph of the Executive
Summary.  We suggest adding a sentence to the end of page vii
saying that, "In addition, EPA needs to expand coverage of
IRM issues under FMFIA".

     The same paragraph of the Executive Summary also
conflicts with the contents of Chapter 5 when clause (4)
calls for "a comprehensive quality assurance program for
sensitive information systems."  Since the topic of Chapter 5
is not restricted to sensitive systems, the clause could
better read as "a comprehensive quality assurance program for
Agency information systems."

     It may be the case that the word "sensitive" was simply
misplaced in the closing paragraph on page vii because it
would be appropriate to include it in the next clause, which
describes "an internal control review program to provide for
periodic reviews of information system controls."  Clause (5)
would be more accurate if it read, "an internal control
review program to provide for periodic reviews of controls
for sensitive information systems."

     There is also one area in the Executive Summary which
does not diverge from the contents of the chapters, but which
would potentially benefit from change.  It begins with the
statement on page ii that EPA ".. does not have an integrated
long-range planning/budgeting process."  For the benefit of
readers who may not understand the report's clear focus on
IRM, it may be beneficial to add the phrase "for IRM" to the
end of the sentence.  Otherwise, a reader who took the phrase
out of context might question EPA's entire planning and
budgeting process, which does not seem to be the intent of
the report.

     The potential for confusion about the report's focus on IRM
planning continues with the heading on page iv that states "An
Agencywide Information System Planning Process Which Ties Into
The Budget Has Not Been Established."  This confusion between
system planning and broader IRM planning continues on page vii
when the final paragraph calls for "an Agencywide information
system planning process which ties into the budget."  In both
cases, better wording would refer to IRM planning, since that
seems to be the actual focus of Chapter 4.  The title of Chapter
4 could also be improved to avoid potential confusion between
system planning and overall IRM planning.

[See Appendix II, Note 7]
[See Appendix II, Note 8]
     Finally, there is one factual error in the Executive
Summary.  Page iii states "Furthermore, over the past 17 years
the executive IRM Steering Committee has evolved from a high-
level decision-making body to a low level advisory and assistance
group".  The IRM Steering Committee has been in existence for
only 7 years.


Response to Chapter 1

     Chapter 1 provides an excellent introduction to the audit
and to the framework for IRM at EPA.  It is noteworthy that page
4 mentions the IRM Steering Committee as being "comprised of 22
senior officials."  This conflicts somewhat with the Chapter 2
finding that the IRM Steering Committee is a lower level group.

     Chapter 1, and parts of the rest of the document, will
benefit from the final editing they will likely receive.  The
bottom of page 3 reverses parts of OPPE's name when it references
the Office of "Planning, Policy and Evaluation", and the Table of
Contents page numbers are slightly incorrect (e.g., Chapter 7
recommendations begin on page 66 not 65).  The Table of Contents
also lists chapter titles which differ from the actual chapter
titles in the body of the report.

     On a more substantive note, Chapter 1 references 54 prior
OIG, GAO, and GSA reports and testimonies as evidence of EPA's
longstanding history of IRM problems.  A review of the report
titles in Appendix IV reveals 14 of the 54 that appear to be of
indirect relevance to major IRM problems based on their title

-------
                                               Computer Byatsas Integrity
                                                                   APPENDIX X
See Appendix  II,
Note 9
See Appendix II,
Note 10         '
See Appendix II,
Note 7
Response to Chapter 2

     Chapter 2 provides a solid argument for the need for top
management involvement in IRM.  Some comments on specific
findings follow:

p. 9 - "..over the past seventeen years the IRM Steering
Committee has evolved..."  The IRM Steering Committee was
established seven years ago, in 1985.

p. 10 - The heading should read "TOP MANAGEMENT CRITERIA FOR
IRM ARE WELL ESTABLISHED"

p. 10 - There seems to be the potential for conflict between
the recommendation to have a steering committee set IRM
policy and the recommendation in Chapter 3 to create all IRM
policies through the formal directives process.  Do you still
recommend having the EPA IRM Steering Committee "serve as a
permanent advisory and policy setting body" rather than using
the authority of the directives process?

p. 14 - You state that the Director, OIRM, performs most of
the functions of the DSO, yet cannot be effective at the
Office level position.  It is unclear that real change will
result from implementing the recommendation to appoint a DSO
for IRM at the AA level and then clearly redelegate
responsibilities and authorities.

p. 17 - "Furthermore, over the past seventeen years the IRM
Steering Committee has evolved...".  The IRM Steering
Committee has been in existence for only seven years.

p. 17 - "Thus, the Committee is still a lower level group
with little responsibility and authority".  This statement
conflicts with the observation on page 4 of Chapter 1 that
the Committee is comprised of 22 senior officials.  Although
the Committee is not comprised of Assistant Administrators,
we do not consider Deputy Assistant Administrators, Office
Directors and Assistant Regional Administrators to be "lower-
level".  These members represent significant policy makers in
the Agency, and they manage major information systems.

Recommendation 1:    We recommend that the Administrator
formally designate a senior official (DSO) in
accordance with the Paperwork Reduction Act at the
Assistant Administrator level.

     OARM and OPPE agree with the recommendation that the
Administrator formally designate, at the AA level, one senior
official for IRM in accordance with the Paperwork Reduction
Act.  Details of the designation are already being discussed
by OPPE and OARM senior management.
9/15/92                                                Page 5
                                        87
                                     Report No. E1NMF1-15-0032-2100641

Recommendation 2:    We recommend that the Administrator
delegate the authority and responsibilities for all
the IRM functions to the DSO in accordance with the
PRA, and clearly define any re-delegations.

     The specific delegation, mentioned above, will
delegate authority and responsibility for all IRM
functions to the DSO,  and will  clearly define any re-
delegations to other Agency  organizations.

Recommendation 3:    We recommend that the Deputy
Administrator establish a clear chain of command under
the DSO for all IRM activities.

     To ensure readiness for formal delegation of certain or
all IRM functions to the AA for OARM, OARM will examine the
existing formal chains of command for all IRM activities
currently performed by OARM and ensure that they are clearly
defined.

Recommendation 4:    We recommend  that  the Deputy
Administrator establish  a  high  level  IRM Steering
Committee  which  acts  as  a  decision-making  body  for
significant IRM  activities,  headed  by the Deputy
Administrator or the  DSO.

     OIRM will review the charter and current membership of
the IRM Steering Committee and make a recommendation to the
Deputy Administrator for any changes required in its
leadership or membership to ensure the high-level nature of
the group.  In addition, OARM will place on the Steering
Committee's agenda more decisions relating to significant IRM
activities.

Response to Chapter 3

SUMMARY:  This chapter begins with the statement that EPA has
made some progress in establishing IRM policies, standards
and procedures and concludes that not enough has been done in
this area.  Although some specific findings and conditions
are disputable, as noted below, OARM generally agrees that
most of the recommendations will improve the consistency and
completeness of IRM policies, standards and procedures.  OIRM
and NDPD have already produced an extensive set of
operational policies and procedures and are continuing their
ongoing review and update of these documents in consultation
with the Agency's IRM community.  OIRM and NDPD will work
together with the Management and Organization Division to
implement the recommendations presented in this chapter to
meet the IRM needs of the Agency.

See Appendix II, Note 11

GENERAL CONCERN:  The decision by the OIG to not accept as
authoritative OIRM and NDPD policies and procedures because
they were not submitted to the green border review process is
of concern.  A formal green border review for every NDPD
Policy would severely hamper timely provision of guidance to
the customer community.  The NDPD in particular would be
unable to develop and disseminate procedural policy on new
and or developing systems in a timely fashion.  It is
important to get critical IRM policy and procedural
information to clients and the contractor community in a
timely manner.  It is also important to ensure that the
information issued has been reviewed by the affected parties
prior to issuance.  OIRM and NDPD strive to obtain an
appropriate balance between these two objectives.  An
understanding or appreciation that IRM operational policies,
procedures and guidance documents are not developed in a
vacuum and are submitted to an extensive review seems to be
missing from the OIG's report.

SPECIFIC FACTUAL ERRORS AND EDITORIAL COMMENTS:

p. 19 - Your list of formal IRM policy directives and orders
in Appendix VII is missing the directive requiring use of the
metric system (Order 1000.21a) and the Agency's Policy on
Electronic Reporting.  This is troubling since one of the
purported benefits of the directives system is that it
creates an easy-to-use index for the formal IRM policies.

p. 19 - The draft audit report references 16 audits conducted
over a 12 year period which criticized EPA's IRM policies,
standards and procedures.  Since OMB Circular A-130 was
enacted in 1985, and the EPA IRM Policy Manual was issued in
1987, the 12 year period cited in the report seems a wider
time span than is reasonable given that the subject of
examination is the Agency's IRM Program.

p. 19 - We suggest moving the last sentence in the 2nd
paragraph to the end of the 3rd paragraph.  As it is
currently positioned, the first sentence of the 3rd paragraph
is not logical (i.e., it sounds as though the corrective
actions taken to remedy problems have resulted in extensive
problems throughout the Agency).

We would also suggest that the report clarify that the
directives system is not required for guidance documents.  We
have always used it for policy and data standards.  Although
the green border process was not used for the guidance
documents and NDPD Operational Policy Manual, this does not
mean that these documents were issued absent any agency-wide
review.
See Appendix II, Note 12
See Appendix II, Note 13

p. 21 - "OIRM issued a final EPAAR ruling..."  The issuing
office was the Office of Administration.

p. 22 - "IMSD hired a contractor to update the SD&D
Guidance."  This is not correct.  We hired a contractor to
provide analytic support in planning the update project.  The
formal guidance will not be ready in Sept. 1992.  Rather, the
plan to coordinate the update will be available then.  We
expect formal revised lifecycle documents to be completed in
draft by September of 1993, not 1992.  Since the documents
will address minimal mandatory lifecycle standards, they will
likely not be titled "guidance", to help clarify the
distinction between guidance and mandatory requirements.

p. 23 - We take issue with the statement, "no plans exist to
update the IRM Policy Manual or to formalize policies in
guidance to include the OMB Circular A-130 topics identified
above".  In fact, one of the recommendations of the IRM
Compliance Strategy Task Force is to re-visit the Manual and
update it accordingly, filling in gaps or revising
outdated material.  In our view an implementation plan is
needed.  We are committed to developing such a plan and it is
shown as a milestone in IMSD's FY93 tactical plan.

p. 24 - State/EPA guidance on developing grant applications
is not informal, nor are the others identified.  This seems
to be semantic interpretation of the auditors.  Nowhere in
the text of the referenced documents are they presented in
this vein; rather the language is always very straightforward
in stating these are, in fact, the procedures to be followed.

We do now have a specific plan in place to update the
Information Security Manual, and it should be revised within
FY93.

p. 24-25 - Reference to "Library Systems Manual": We will
formally rescind this outdated manual.  Chapter 12 of the EPA
IRM Policy Manual provides the current policy framework for
EPA's Library Network and replaced the Library Systems Manual
at the time it was made final.

p. 26 - The draft EPA IRM Hardware & Software Standards
document explicitly covers microcomputers.

See Appendix II, Note 14

p. 27 - "OIRM needs to make a distinction between formal
policies, standards, procedures, and guidance documents".  It
would be helpful to OIRM if OIG could provide thoughts on
defining such a distinction.  The intent of the draft audit
seems to be to treat all of these categories similarly, to
issue them all as formal directives, and to not distinguish
among them based on their timeliness, frequency of required
update, level of authority, etc.
RESPONSE TO RECOMMENDATIONS:
Recommendation 1:   We recommend that the Deputy
Administrator formalize and prioritize a plan for
developing and revising policies, standards, and
procedures which addresses the issues presented in
this finding.

a)  Review existing IRM guidance documents and
incorporate them as necessary into IRM policies,
standards, and procedures under Directive 1315.

b)  Immediately issue temporary directives for informal
guidance and standards as set forth in Directive 1315
on critical IRM guidance documents until green border
detailed review of the guidance documents can be
performed.

c)  Develop  additional  comprehensive,  formal,
authoritative  policies,  standards,  and  procedures  for
information systems  as prescribed by  Federal  and ISA
IRM  requirements based on  the above  plan.

     In response  to  sub-recommendations  a) - c), OIRM  will
coordinate with NDPD, MOD, and the SIRMO  community to
formalize a plan  for developing and revising policies,
standards and procedures which addresses  the  issues presented
in the audit report.  The plan will  identify  lead
organizations who will provide subject matter experts on the
respective topics and will present the topics to be addressed
in priority order to ensure there is a mutually  clear
understanding between OIRM/NDPD and its clients.  The plan
may be adjusted as necessary to accommodate new oversight
agency or EPA-specific requirements. This plan will reflect
contributions by  the Management and  Organization Division  to
develop a strategy to issue temporary directives for relevant
documents that have  not yet gone through  the green border
process.

Recommendation 2:   We recommend that the Deputy
Administrator establish and maintain a central
repository for IRM policies, standards, procedures,
and guidance.

     Since most, if not all, of the IRM documents will be
issued as either permanent or temporary directives, the
Management and Organization Division, in coordination with
the Agency's Distribution Center, will serve as a central
repository for all of these documents, as it does for other
Agency directives.

See Appendix II, Note 4
See Appendix II, Note 15

Response  to  Chapter  4

OVERALL RESPONSE:   The Agency will continue to move forward
in its IRM planning process.   As noted below,  we agree  with
the general recommendation and the thrust of the various
components of the recommendation.  Recently,  the Agency was
able to hire a new staff member devoted to IRM planning.
Further, OIRM has convened one planning session with a  budget
focus and is hosting an additional session to discuss IRM
planning with NDPD and program office SIRMOs.   The focus of
this session, in part, will be mission-based needs of the
various Program and Regional offices.  Finally,  OIRM is
consolidating its planning processes between IMSD and MPES to
provide a more focused and integrated IRM planning effort.

DETAILED COMMENTS:  The chapter seems to be mis-titled since
the real focus of the chapter is on IRM planning, not
information system planning.

p. 36 - "In our view, it," (referring to the
current IRM Strategic Plan),  "is of little value to IRM
decision-making..."  While we agree the plan needs additional
breadth and depth, as noted in the report,  we do not agree  it
is of little value.  We would point out that it represents  a
major achievement to have achieved consensus on an issue  such
as data integration.  The strategic vision lays the
foundation for further advancement in key areas of Agencywide
mission support by the IRM community.

p. 39 - "EPA has initiated various actions to share
information across-media... However,  EPA still needs to
improve its management structure and establish an  Agencywide
architecture for cross-media systems development."    The
report should also note the Information Management/Data
Administration effort under way as a major effort  to address
these issues.  In addition, the MOSES contract and SDC  are
efforts to improve systems development,  including  cross-media
aspects.

     OIRM has consistently undertaken efforts to lead
integration in EPA through information integration.   However,
OIRM alone cannot overcome the predominantly media-oriented
organizational structure of the Agency.   Current
organizational structures and responsibilities do  not
encourage multi-media system development by program offices.

p. 39 & 40 - The text discusses OMB A-11 reporting and
possible problems.  We strongly support the OIG's decision to
refer to OMB the reporting issues discussed, so that OMB can
improve their guidance.  As noted in the discussion, this is
an area where various interpretations abound.  EPA reporting
of ORD and STORET initiatives has been consistent with the
interpretation provided previously by OMB.
p. 41 - "Our recommendations are not intended to provide a
quick fix for the problems we found."  We appreciate your
recognition of the long-term nature of the recommendations.

Recommendation 1:   We recommend that the Deputy
Administrator establish a formal, Agencywide,
integrated planning process for the direction,
coordination, and control of IRM activities and
resources that will provide management involvement and
accountability at all levels, which at a minimum
should include the:

a)  Development and implementation of an action plan to
accomplish Agencywide mission-based bottom-up IRM
planning.

     We agree to develop a plan to broaden the scope and
depth of the IRM planning process.  An action plan to
accomplish this will be completed by April 1993.  As noted
in the draft audit, this is the first step to establishing a
more permanent and effective planning process; it is not a
one year, quick fix.

     We agree that the process upon implementation should be
Agencywide and mission-based with bottom-up input.  However,
it is also critical that top-down guidance be a part of the
process.  GSA's August 1990 publication "A Model IRM Program"
cites top-down guidance, as well as bottom-up input, as
essential qualities of a strategic IRM planning process.  The
process we develop shall combine both approaches, and not be
solely bottom-up in its orientation.

b)  Establishment of an evaluation and review process
for program offices' IRM mission-based plans to ensure
the plans support a consolidated Agencywide mission-
based IRM plan.

     An evaluation and review process will be part of the
overall IRM planning process established.  The process will
review program offices' IRM plans to ensure that they 1)
address the key issues in the top-down Agencywide guidance,
and 2) are mission-based, i.e., consistent with the policies,
procedures, and methodologies established for mission-based
IRM planning.

     OIRM has reviewed  program office IRM plans when they  are
made available.  For example, OSWER has completed an IRM
plan, which was reviewed  by OIRM's IRM strategic planning
staff.   However,  this review has been informal and will
benefit from a more formalized process.
c)  Integration of the responsibilities for IRM planning
and budgeting.

     OIRM, NDPD, and the Office of the Comptroller (OC) will work
together with OPPE to better integrate the responsibilities for
IRM planning and budgeting.  This will reflect OPPE's roles in
Agencywide strategic planning and information collection
budgeting, as well as OC's role in budget formulation/execution,
and OIRM/NDPD roles in strategic and tactical IRM planning.

d)  Modification of the methodology for IRM planning to
include clear policies and procedures for linkage of the
planning and budgeting processes.

     We agree with this approach to improving the integration of
planning and budgeting activities.   Linkage between the budget
and IRM planning is an important goal.  OIRM and OC will work to
establish the necessary policies and procedures for linkage of
the IRM planning and budgeting process, perhaps in concert with
the Budget Reform Task Force.

     The process of improving linkage between IRM planning and
the budget has already begun.  Recently, OIRM held a two-day
planning session involving the management staff of OIRM.  A
significant portion of the planning session was devoted to a
discussion of budget issues, the cost of key initiatives, and the
financial support provided to the key strategic IRM goals.


Response  to  Chapter  5

SUMMARY:  Chapter 5 calls for a comprehensive quality assurance
(QA) program which focuses on software quality and the system
development life cycle.  EPA agrees with the intent of the
recommendations and in fact has committed to organizing an IRM
Oversight Program, whose focus will be on issues addressed in
this chapter.  OIRM is continuing its longstanding emphasis on QA
by institutionalizing quality software in all software
development conducted under the supervision of the Program
Systems Division and the Administrative Systems Division as well
as by continuing to promote good automated laboratory practices
in the ORD community.  OIRM is also making quality assurance one
of the key topics to be addressed in the revision of the Agency's
systems lifecycle approach.

     This chapter of the draft audit report acknowledges the lack
of guidance from oversight agencies on the topic of quality
assurance.  We appreciate this concern and have included comments
provided by the OIG on this topic in the formal Agency response
to OMB regarding the revised draft of OMB Circular A-130.  A copy
of this correspondence is provided as Appendix B.

SPECIFIC EVIDENCE OF SYSTEMATIC IMPLEMENTATION OF QUALITY
ASSURANCE PROCEDURES

     OIRM's ASD has introduced several processes and
procedures which have significantly increased the reliability
of IFMS and MARS.  A Change Management process has been
established which monitors all requests for system change,
both functional and operational, through the system life
cycle.  While each stage of the life cycle carries its own
level of importance, the most critical areas within the
process are those which focus on testing.  An independent
test team has also been formed to provide additional quality
assurance through their review of software, test plans and
results.  Due to the number of enhancements for IFMS and
MARS, a release strategy has been developed whereby several
changes are packaged and targeted for a specific
implementation date.

     Three stages of testing reside within the Change
Management process adopted for IFMS and MARS prior to the
implementation of new software.

Stage 1 - Developer Unit Test

     All system changes are tested by the developer to  ensure
that the changes satisfy the specifications which have  been
developed by ASD.  Unit testing is limited to a  test of the
specific enhancement only.  A unit test plan is  created by
the developer and approved by ASD and the client office as a
valid and accurate test plan.  It is used for the Developer
Unit Test and all results are documented.  The results  of the
test are passed to ASD and the client office and must be
approved before moving to the next stage.

Stage 2 - EPA Unit Test

     All system changes are tested by the client office with
participation by ASD upon approval of the Developer Unit Test
results.  As with the Developer Unit Test, the testing by EPA
is limited to the specific enhancement only.  While the
developer may test the functionality adequately, the EPA Unit
Test provides the opportunity to test with specific test
cases which reflect actual system usage.  It serves as
confirmation that the change which has been made satisfies
the functional requirements and meets ASD and NDPD policy and
guidance.  Completion of the EPA Unit Test and subsequent
approval indicates that the enhancement performs as required
and is ready for the Integrated System Test.

Stage 3 - Integrated System Test

     The Integrated System Test is a test of the entire
system with changes which have been successfully unit tested.
Testing is now extended beyond each of the specific
enhancements and ensures that all IFMS or MARS processing is
not adversely impacted by the introduction of modified
software.  The package of changes, as defined by the release
strategy, is integrated into the current version of the
system and placed in a special testing environment.
Participants in the test are all of the IFMS responsible
divisions.  The Integrated System Test is fully defined and
scripted in a test plan.  The plan describes the processing
to be conducted during the test, the test cases and expected
results.  Each function of IFMS and MARS is tested and only
successful completion of a process permits continuation of
the test.  Changes to IFMS and MARS are implemented only upon
the successful completion of an Integrated System Test and
approval by all IFMS responsible divisions that the enhanced
version of the software can be implemented.

     The independent test team has participated during the
Integrated System Test.  They have developed test plans,
executed test cases, reviewed software  and documented test
results.

     The quality assurance activities for IFMS and MARS have been
significantly enhanced.  Over the past year, there have been four
releases to IFMS and MARS to implement all of the changes to
these applications.  The process, through the Integrated System
Test, has been applied each time.  The only exception to this
approach is an emergency fix.  Use of these procedures has enabled
EPA to implement more efficient and problem-free software.

Recommendation 1:    We recommend that the Deputy
Administrator develop a comprehensive Agencywide
oversight and enforcement program which focuses on
software quality and the system development life cycle
and which at a minimum should include the:

a)  Development  and  implementation of  an  action  plan to
accomplish  Agencywide  quality  assurance  for  information
systems.

     OIRM will develop an action plan for information systems
quality assurance.  The plan will reflect both our future efforts
and our established initiatives.  For example, EPA has already
established the System Development Center as a mechanism to
ensure that best practices are followed during development of EPA
information systems.  EPA has already developed a plan to revise
its System Design and Development Guidance, which codifies the
process by which systems are developed and ensures that the
software is of high quality and meets Agency mission needs.  In
the future, EPA will further emphasize quality assurance by
conducting independent reviews of all IRM delivery orders being
processed under major IRM contracts.  This will further ensure
that quality assurance is built into IRM work performed by
contractors.
b)  Establishment of an oversight and enforcement function
to be responsible for the overall information systems
quality assurance program to include independently
reviewing and evaluating information systems.

     The Director, OIRM has committed to organize an IRM
Oversight team in MPES.  OIRM will follow up to formalize the
transfer of this evaluation function from IMSD to MPES in the EPA
Directives system.  This group would perform the same function as
the recommended "quality assurance entity" referenced in the
draft audit report.  In addition, the group will likely conduct
IRM reviews on topics other than individual systems.  These
review topics may include the structure and function of program
office IRM organizations, or key cross-system topics such as
records management, data standards, and information security.

c)  Establishment of clear policies, standards,
procedures, and guidelines on information system
quality assurance and incorporation of them into
formal EPA directives.

     EPA has already established formal EPA policy directives
and implementing guidelines addressing information systems
quality assurance.  These include the Agency's software
management policy and EPA's System Design and Development
Guidance.  The lifecycle document will be revised to improve
coverage of key topics, including quality assurance.

d)  Provision  of   training  on  information  system quality
assurance.

     OIRM has already provided training to  key members of the
Agency IRM community  on  the  approach it will take to ensure
the quality  of systems developed at the Systems  Development
Center.  In  the  future,  OIRM will provide training in
selected aspects of the  revised Systems Design and
Development  Guidance  to  ensure that the document's messages
about software quality are understood.


Response  to  Chapter 6

     Chapter 6 provides  clear findings and  recommendations
promoting the use of  the PMFIA processes to schedule and
perform periodic reviews of  the Agency's sensitive
information  systems.

Recommendation 1:    We recommend that the Deputy
Administrator provide detailed guidance in the
Agency's FMFIA instructions requiring sensitive
systems to be incorporated into FMFIA risk
assessments, event cycle documentation, and management
control plans to ensure that these systems are
reviewed.


     The Agency is including sensitive systems and sensitive
systems reviews as part of its 1992 assurance letter
guidance.  Additionally, the Agency will acknowledge
sensitive systems as part of its 1993 FMFIA detailed
guidance.  In advance of receipt of this guidance, OIRM's
event cycle documentation has already been updated to include
known sensitive systems for which OIRM is responsible.

Recommendation 2:    We recommend that the Deputy
Administrator use the FMFIA reviews, as appropriate,
to certify or recertify sensitive systems in
accordance with OMB Circular A-130.

     Use of the FMFIA process to ensure periodic security
reviews for the Agency's sensitive systems is certainly
appropriate.  As of 1 September 1992, 16 of 22 known
sensitive application systems in use by the EPA have been
certified.

     Assessable Unit f!210 (OIRM) has already scheduled a
review of sensitive systems in its Management Control Plan
for 1993.  As a result of both guidance documents (see
above), other AU's will be required to schedule future
reviews to certify or recertify their sensitive systems.

Response to Chapter 7

See Appendix II, Note 2

     Chapter 7 paints an incomplete picture of the Agency's
computer systems security program.  Specifically, the chapter
omits any mention of OIG's significant responsibilities for
personnel security and for procedures relating to information
security for contractors.  While this is laudable for the
sake of objectivity, there is a certain irony to the
omission.  OIG's responsibilities for ADP contractor security
are an important component in remedying the situations for
which OARM has recently been audited by OIG.

     For example, pages 60 and 61 describe the requirements
for agencies' information security programs.  These
requirements sort into the following topics:  appropriate
management controls, application systems security,
information technology installation security, security
awareness/training, and personnel security.  Each of these
topics that is not addressed in prior chapters is described
in detail on pages 62 and 63, except personnel security.

                          An acknowledgement of the OIG's responsibilities for
                     security would be appropriate near the bottom of page 61.
                     After describing the four OARM offices  that play a role in
                     ensuring information security, it  would be correct to
                     describe the  OIG's responsibilities  as  formalized in EPA
                     Directive 2100, Chapter 8.


9/15/92                                              Page 16

-------

See Appendix II, Note 16

See Appendix II, Note 17
p. 61 - "The publication [FIPS Pub. 102] requires a risk
analysis as well as certification for each sensitive
information system."  Given that there are existing formal
Federal guidances such as this that establish specific
requirements, perhaps the first recommendation of this
chapter should be revised to require the Agency to develop
standards and procedures only where there are no Federal
documents already established.  Spending Agency resources to
duplicate FIPS would not be wise.

p. 63 - The section on security awareness and training would
be more comprehensive if it mentioned the previous desk-to-
desk distribution at Headquarters of the  awareness brochure
on information security basics, entitled  "Information
Security — What You Need to Know".

p. 63 - "NCC has not updated its installation risk analysis."
As stated in earlier responses, the NCC did conduct a Risk
Analysis in 1989.  The OIG seems to be refusing to accept the
1989 analysis because it was conducted by NCC Security Staff
rather than an "independent" organization.  We feel that the
analysis was conducted in an open environment and that the
results are valid.  The NDPD will, however, conduct an
"independent" analysis before the end of CY92.

p. 63 - The terms Vulnerability Assessment and Risk Analysis
(Assessment) are used in different contexts in the Draft
document.  We have specifically identified both to be
conducted on the NCC system this year.  Although the (Draft)
OIRM guidance for Risk studies does not specifically refer to
a "Vulnerability" study it is considered incorporated into
the Risk Analysis.  We have spelled out the requirement for
conducting both Vulnerability and Risk studies, per the
appropriate OMB Circular, in CY92.  The vendor conducting
this study will identify both as being accomplished in the
final report.

p. 64 - The draft audit report implies that "hackers" have
penetrated the NCC system.   Quite the contrary.   The security
procedures in place on the  NCC mainframe  system have
detected, traced, and reported two ATTEMPTED hackers - one
which had penetrated the State of New Jersey computer system.
An incident on a Washington DC-based Prime minicomputer in
1989 and a Las Vegas, Nevada VAX system in 1987 are the only
recorded incidents of unauthorized access to EPA systems.

p. 65 - "...the OIRM manager responsible  for computer systems
security...had never seen an Organizational Security Report,
and does not request the information from organizations."
The Director, OIRM, recently sent a memorandum to all AAs,
RAs, the Inspector General, and the General Counsel reminding
them of their responsibility for submitting an organizational
security report to OIRM at the end of each calendar year.
OIRM intends to use the organizational security reports as an
aid in monitoring Agency compliance with the information
security program.

Recommendation 1:  We recommend that the Deputy
Administrator develop specific, formal Agencywide
computer system security standards and procedures for
the protection of EPA's valuable and sensitive
information resources.

     The Information Security  Manual is being revised in
FY93 and will be made more formal via the directives
process.  The Risk Analysis Guidance will also be finalized
and made formal.   Further  improvements will also be made to
the RACF procedural manual.  In addition, we will request OIG
to make needed improvements in personnel security by
developing a contractor-oriented personnel security manual or
modifying their current manual to cover contractor personnel
security issues.   Finally, OIRM has drafted a policy
directive to clarify the requirements for background
investigations for IRM  contractors who may access sensitive
Agency information.   This policy should be issued in final
form within FY93.

Recommendation 2:  We recommend that the Deputy
Administrator formally designate qualified officials
as security officers in all information technology
installations to carry out the responsibilities of
EPA's computer system security program.

     A qualified IT installation security officer has already
been designated for all OARM installations — Bob Lewis.  His
work is supplemented by on-site security managers: Mike
Stein at WIC, Shannon McFarland at Cincinnati, and a position
yet to be designated at Bay City.

     Bob Lewis reports to the Chief of the ADP Operations
Management Branch to assist in coordinating the other NDPD
operational groups on all security-related matters.   The
creation of a dedicated ADP Security Officer position  has
separated the duties of government employees performing
system operations from  those responsible for system security
activities.  Defined in the official Position
Description for the NDPD ADP Security Officer is the
responsibility for oversight and physical security for the
National Computer Center, Washington Information Center and
National Environmental  Supercomputer Center (Bay City).   The
Computer Center in Cinn. will  also be added to this  list.

     Other IT installation security officers will be formally
designated after presentation  of security awareness  training
to SIRMOs, who will play a key role in identifying these
individuals.

-------

Recommendation 3:   We  recommend that  the  Deputy
Administrator require the completion  of risk  analyses,
security  reviews,   certifications,  and updated  security
plans  for  all  sensitive  information  systems.

     Certified, updated security plans for all  sensitive
systems are already being  required  by OIRM as a condition of
approval of any new TOSS delivery orders.  The  supporting
security reviews and risk  analyses  will be required in the
near future,  in concert with the CY92 organizational security
reports.

     In addition,  the Administrative Systems Division (ASD)
of OIRM has currently in place an initiative to review the
overall security of all systems  for which  it is responsible.
The major steps include assessing system security measures
and identifying additional requirements for security
standards/assistance.

     The following areas will be performed/reviewed:

     --   Risk Assessment and Management
     --   Management Controls
     --   Development and Implementation Controls
     --   Operational Controls
     --   Security Awareness and Training
     --   Technical Controls

     A questionnaire has been developed for the Functional
Applications Manager and Application Systems Manager to review
and complete.  The questionnaire and subsequent interviews
will provide sufficient data to  complete formal risk analyses
for the administrative  systems that require it.   Detailed
security reviews will then  begin for all national
administrative systems.

Recommendation 4:  We recommend that the Deputy
Administrator require the completion of the NCC
updated facility risk analysis.

     NDPD conducted a Vulnerability Assessment in May 1989
and provided a copy of  this assessment to the OIG.   This
document analyzes  the vulnerabilities and provides  a
qualitative assessment  of  risk for  EPA management review.
This approach is acceptable under the EPA Information
Security Manual, is mentioned specifically in OMB Circular
A-123, and was selected by NDPD instead of the quantitative
risk analysis that was  previously conducted in August 1986.

     NDPD has funded a  complete  vulnerability assessment and
risk analysis of the NCC that will  be completed prior to
December 31,  1992.  This analysis will follow guidelines
established by OIRM.



-------

Recommendation  5:   We  recommend  that  the Deputy
Administrator  establish  mandatory  periodic  training  in
security  awareness  for  all persons involved  in the
management, use, or operation of EPA's sensitive
computer systems.

     Planning for mandatory security awareness training
is underway as part  of  a MOSES delivery order.  The
ARAs will  be briefed on their information security
responsibilities via televideo conference on September  14,
1992.  Other groups  will follow according to the plan to be
developed.

     We agree that security training should be mandatory for
Government staff as  well as Contractor staff involved with
sensitive  systems.   NDPD has security training opportunities
(RACF Security Administrator Training,  Technical Conference
Sessions,  PC Security pamphlets, etc.)  that can be made
available.  Additionally,  NCC Contractor Staff have their own
security and ethics  training classes.

     As part of  the  Agency initiative to decentralize RACF
responsibility and authority, ASD already mandated that all
its Systems Managers receive RACF training provided by  NDPD.
To date, two systems, IFMS and EPAYS, are participating in
the pilot to decentralize RACF implementation.

Recommendation 6:  We recommend that the Deputy
Administrator develop, and support with budget and
staff, an information security monitoring program
capable of ensuring that all Agency organizational units
are in compliance with the information security
program.

     As stated in the OARM response to the recent  systems
software audit,  OIRM and NDPD will work together to define
resource requirements for  such a monitoring program.  The
approach will certainly make use of the organizational
security reports,  as described in the recent memo  from  the
Director,  OIRM.   In  addition, OIRM is establishing an IRM
oversight  program, which will include information  security
among its  oversight  topics.


Response to Chapter 8

     OARM has taken  strong steps to improve its FMFIA
program, and, though FMFIA compliance was not listed as  a
material weakness  in OARM's 1991 Annual Report,  it has  been
given the  attention  of  one  in FY92.  OIRM has already updated
its FMFIA documents  to  provide:
1.  Event cycles specific to  IRM processes, including
appropriate (and updated) control objectives and techniques,

2.  Updated risk assessments for Assessable Units #1210 and
#1212 which account for the risks associated with EPA's
information resources, and

3.  A Management Control Plan, with formal reviews which
specifically address the security of sensitive systems and
facilities, and oversight and enforcement of information
security.

Recommendation 1:  We recommend that the Deputy
Administrator establish event cycles specific to IRM
processes and include the appropriate control
objectives and techniques.

     OIRM has established its own event cycles specific  to
IRM processes, including appropriate updated control
techniques and objectives.  OIRM, with input from NDPD, will
provide IRM event  cycle  guidance to the Agency during FY93.

Recommendation 2:  We recommend that the Deputy
Administrator update the risk assessment for the
assessable units 1210 and 1212 to more adequately
account for the risks associated with EPA's
information resources.

     OARM has established updated risk assessments for
AUs 1210 and 1212  which  account for the risks
associated with EPA's information resources.

     A Vulnerability Assessment (per OMB Circular A-123) and
Risk Analysis (per OMB Circular A-130) of the NCC will be
accomplished prior to December 31, 1992.  Currently a vendor
has been identified and a Delivery Order is being prepared.
It is expected that  the  vendor will have the Delivery Order
in hand in early September 1992.  Work will begin immediately
after the Delivery Order is accepted by the vendor.

Recommendation 3:  We recommend that the Deputy
Administrator schedule formal AICRs specifically
addressing policies and procedures, planning and
budgeting, quality assurance, individual sensitive
information systems, and security of sensitive systems
and facilities in the next MCP.

     OIRM has updated its Management Control Plan to  include
AICRs which specifically address the security of  sensitive
systems and facilities,  and oversight and enforcement of
information security.  OIRM's and NDPD's FY93 Management
Control Plans will reflect the formal reviews needed in the
other specific areas mentioned in the recommendation.

-------
Appendix A

Summary Response Matrix

OIG Draft Audit Report of 8/6/92

PCIE Computer Systems Integrity Project

-------
Response to OIG Draft PCIE Audit Report of 8/6/92

Recommendations

Chapter 2

Recommendation 1: We recommend that the Administrator formally designate a senior official (DSO) in accordance with the Paperwork Reduction Act at the Assistant Administrator level.

     Lead and Supporting Organizations: OARM, OPPE
     Agree/Disagree: Agree
     Summary of Response: OARM and OPPE agree with the recommendation that the Administrator formally designate, at the AA level, one senior official for IRM in accordance with the Paperwork Reduction Act. Details of the delegation are already being discussed by OPPE and OARM senior management.

Recommendation 2: We recommend that the Administrator delegate the authority and responsibilities for all the IRM functions to the DSO in accordance with the PRA, and clearly define any re-delegations.

     Lead and Supporting Organizations: OARM, OPPE
     Agree/Disagree: Agree
     Summary of Response: The specific delegation, mentioned above, will delegate authority and responsibility for all IRM functions to the DSO, and clearly define any re-delegations.

Recommendation 3: We recommend that the Deputy Administrator establish a clear chain of command under the DSO for all IRM activities.

     Lead and Supporting Organizations: OARM, OPPE
     Agree/Disagree: Agree
     Summary of Response: To ensure readiness for formal delegation of certain or all IRM functions to the AA for OARM, OARM will examine the existing formal chains of command for all IRM activities currently performed by OARM and ensure that they are

Recommendation 4: We recommend that the Deputy Administrator establish a high level IRM Steering Committee which acts as a decision-making body for significant IRM activities, headed by the Deputy Administrator or the DSO.

     Lead and Supporting Organizations: OARM, OPPE
     Agree/Disagree: Agree
     Summary of Response: OIRM will review the charter and current membership of the IRM Steering Committee and make a recommendation to the Deputy Administrator for any changes required in its leadership or membership to ensure the high-level nature of the group. In addition, OARM will place on the Steering Committee's agenda more decisions relating to significant IRM activities.

NOTE: The organizational assignments shown in the Lead and Supporting Organizations column of the matrix are based on current organizational assignments of IRM responsibilities and authorities as indicated by various Agency directives, guidance, and current practices of these offices.

Matrix Version 9/10/92

-------
Recommendations

Chapter 3

Recommendation 1: We recommend that the Deputy Administrator formalize and prioritize a plan for developing and revising policies, standards and procedures which addresses the issues presented in this finding.

a) Review existing IRM guidance documents and incorporate them as necessary into IRM policies, standards, and procedures under Directive 1315.

b) Immediately issue temporary directives for informal guidance and standards as set forth in Directive 1315 on critical IRM guidance documents until green border detailed review of the guidance documents can be performed.

c) Develop additional comprehensive, formal, authoritative policies, standards, and procedures for information systems as prescribed by Federal and EPA IRM requirements based on the above plan.

     Lead and Supporting Organizations: OIRM, NDPD, MOD
     Agree/Disagree: Agree (a, b, and c)
     Summary of Response: OIRM will coordinate with NDPD and the SIRMO community to review existing guidance documents and formalize a plan for developing and revising policies, standards and procedures which addresses the issues presented in the audit report. The plan will identify lead organizations who will provide subject matter experts on the respective topics and will prioritize the activities to ensure a mutually clear understanding between OIRM/NDPD and its clients. The plan may be adjusted as necessary to accommodate new oversight agency or EPA-specific requirements. This plan will reflect contributions by the Management and Organization Division to develop a strategy to issue temporary directives, as necessary, for relevant documents that have not yet gone through the green border process.

Recommendation 2: We recommend that the Deputy Administrator establish and maintain a central repository for IRM policies, standards, procedures, and guidance.

     Lead and Supporting Organizations: MOD, FMSD, OIRM
     Agree/Disagree: Agree
     Summary of Response: Since most, if not all, of the IRM documents will be issued as either permanent or temporary directives, the Management and Organization Division, in coordination with the Agency's Distribution Center, will serve as a central repository and clearinghouse for all of these documents, as it does for other Agency directives.

-------
Recommendations

Chapter 4

Recommendation 1: We recommend that the Deputy Administrator establish a formal, Agencywide, integrated planning process for the direction, coordination, and control of IRM activities and resources that will provide management involvement and accountability at all levels, which at a minimum should include the:

a) Development and implementation of an action plan to accomplish Agencywide mission-based bottom-up IRM planning.

b) Establishment of an evaluation and review process for program offices' IRM mission-based plans to ensure the plans support a consolidated Agencywide mission-based IRM plan.

c) Integration of the responsibilities for IRM planning and budgeting.

d) Modification of the methodology for IRM planning to include clear policies and procedures for linkage of the planning and budgeting processes.

     Lead and Supporting Organizations: OIRM, OC, OPPE (overall); OIRM, OPPE (a); OIRM, OPPE (b); OC, OPPE, NDPD, OIRM (c); OC, OPPE (d)
     Agree/Disagree: Agree (overall and a through d)
     Summary of Response:

     We agree to develop a plan to broaden the scope and depth of the IRM planning process. An action plan to accomplish this will be completed by April, 1993. As noted in the draft audit, this is the first step to establishing a more permanent and effective planning process; it is not a one year, quick fix.

     a) We agree that the process for implementation should be Agencywide and mission-based with bottom-up input. However, it is also critical that top-down guidance be a part of the process. GSA's August 1990 publication "A Model IRM Program" cites top-down guidance, as well as bottom-up input, as essential qualities of a strategic IRM planning process. The process we develop shall combine both approaches, and not be solely bottom-up in its orientation.

     b) An evaluation and review process will be part of the overall IRM planning process. The process will review program offices' IRM plans to ensure that they 1) address the key issues in the top-down Agencywide guidance, and 2) are mission-based, i.e. consistent with the policies, procedures, and methodologies established for mission-based IRM planning.

     c) OIRM, NDPD, and the Office of the Comptroller (OC) will work together with OPPE to better integrate the responsibilities for IRM planning and budgeting. This will reflect OPPE's roles in Agencywide strategic planning and information collection budgeting, as well as OC's role in budget formulation/execution, and OIRM/NDPD roles in strategic and tactical IRM planning.

     d) We agree with the approach to improving the integration of planning and budgeting activities. Linkage between the budget and IRM planning is an important goal. OIRM and OC will work to establish the necessary policies and procedures for linkage of the IRM planning and budgeting process.

-------
Recommendations

Chapter 5

Recommendation 1: We recommend that the Deputy Administrator develop a comprehensive Agencywide oversight and enforcement program which focuses on software quality and the system development life cycle and which at a minimum should include the:

a) Development and implementation of an action plan to accomplish Agencywide quality assurance for information systems.

b) Establishment of an oversight and enforcement function to be responsible for the overall information systems quality assurance program to include independently reviewing and evaluating information systems.

c) Establishment of clear policies, standards, procedures, and guidelines on information system quality assurance and incorporation of them into formal EPA directives.

d) Provision of training on information system quality assurance.

     Lead and Supporting Organizations: OIRM, NDPD (a); OIRM (b); OIRM, MOD (c); OIRM (d)
     Agree/Disagree: Agree (a through d)
     Summary of Response:

     a) OIRM will develop an action plan for information systems quality assurance. The plan will reflect both our future efforts and our established initiatives. For example, EPA has already established the System Development Center as a mechanism to ensure the best practices are followed during development of EPA information systems. EPA has already developed a plan to revise its System Design and Development Guidance, which codifies the process by which systems are developed and ensures that the software is of high quality and meets Agency mission needs. In the future, EPA will further emphasize quality assurance by conducting independent reviews of all IRM delivery orders being processed under major IRM contracts. This will further ensure that quality assurance is built into IRM work performed by contractors.

     b) The Director, OIRM has committed to organize an IRM Oversight team in MPES. OIRM will follow up to formalize the transfer of this evaluation function from IMSD to MPES in the EPA Directives system. This group would perform the same function as the recommended "quality assurance entity" referenced in the draft audit report.

     c) EPA has already established formal EPA policy directives and implementing guidelines addressing information systems quality assurance. These include the Agency's software management policy and EPA's System Design and Development Guidance. The lifecycle document will be revised to improve coverage of key topics, including quality assurance.

     d) OIRM has already provided training to key members of the Agency IRM community on the approach it will take to ensure the quality of systems developed at the Systems Development Center. In the future, OIRM will provide training in selected aspects of the revised Systems Design and Development Guidance to ensure that the document's messages about software quality are understood.

-------
Recommendations

Chapter 6

Recommendation 1: We recommend that the Deputy Administrator provide detailed guidance in the Agency's FMFIA instructions requiring sensitive systems to be incorporated into FMFIA risk assessments, event cycle documentation, and management control plans to ensure that these systems are reviewed.

     Lead and Supporting Organizations: OC, OIRM
     Agree/Disagree: Agree
     Summary of Response: The Agency is including sensitive systems and sensitive systems reviews as part of its 1992 assurance letter guidance. Additionally, the Agency will acknowledge sensitive systems as part of its 1993 FMFIA detailed guidance. In advance of receipt of this guidance, OIRM's event cycle documentation has already been updated to include known sensitive systems for which OIRM is responsible.

Recommendation 2: We recommend that the Deputy Administrator use the FMFIA reviews, as appropriate, to certify or recertify sensitive systems in accordance with OMB Circular A-130.

     Lead and Supporting Organizations: OIRM, OC
     Agree/Disagree: Agree
     Summary of Response: Use of the FMFIA process to ensure periodic security reviews for the Agency's sensitive systems is certainly appropriate. As of 1 September 1992, 16 of 22 known sensitive application systems in use by the EPA have been certified. As an example of quick response to the intent of the recommendation, Assessable Unit #1210 (OIRM) has already scheduled a review of its sensitive systems in its Management Control Plan for 1993. As a result of both guidance documents (see above), other AU's will be required to schedule future reviews to certify or recertify their sensitive systems.

-------
              Response to OIG Draft PCIE Audit Report of 8/6/92

Recommendations: Chapter 7

We recommend that the Deputy Administrator ...

Recommendation 1: ... develop specific, formal Agencywide computer
system security standards and procedures for the protection of EPA's
valuable and sensitive information resources.
   Lead and Supporting Organizations: OIRM, NDPD, MOD, FMSD
   Agree/Disagree: Agree
   Summary of Response: The Information Security Manual is being
   revised in FY93 and will be made more formal via the directives
   process. The Risk Analysis Guidance will also be finalized and
   made formal.

Recommendation 2: ... formally designate qualified officials as
security officers in all information technology installations to
carry out the responsibilities of EPA's computer system security
program.
   Lead and Supporting Organizations: OIRM, Regions, ORD, NDPD
   Agree/Disagree: Agree
   Summary of Response: A qualified IT installation security officer
   has already been designated for all OARM installations -- Bob Uwii.
   His work is supplemented by on-site security managers: Mike Stein
   at WIC, Shannon McFarland at Cincinnati, and a position yet to be
   designated at Bay City. Other IT installation security officers
   will be formally designated after presentation of security
   awareness training to SIRMOs, who will play a key role in
   identifying these individuals.

Recommendation 3: ... require the completion of risk analyses,
security reviews, certifications, and updated security plans for all
sensitive information systems.
   Lead and Supporting Organizations: OIRM
   Agree/Disagree: Agree
   Summary of Response: Certified, updated security plans for all
   sensitive systems are already being required by IMSD as a
   condition of approval of any new TOSS delivery orders. The
   supporting security reviews and risk analyses will be required in
   the near future, in concert with the CY92 organizational security
   reports.

Recommendation 4: ... require the completion of the NCC updated
facility risk analysis.
   Lead and Supporting Organizations: NDPD
   Agree/Disagree: Agree
   Summary of Response: The facility risk analysis for NCC is in
   progress and is expected to be complete by the end of CY92.

Recommendation 5: ... establish mandatory periodic training in
security awareness for all persons involved in the management, use,
or operation of EPA's sensitive computer systems.
   Lead and Supporting Organizations: OIRM, NDPD, FMSD
   Agree/Disagree: Agree
   Summary of Response: Planning for mandatory security awareness
   training is underway as part of a MOSES delivery order. The ARAs
   were briefed on their security responsibilities on September 2,
   1992. Other groups will follow according to the plan to be
   developed.

Recommendation 6: ... develop, and support with budget and staff, an
information security monitoring program capable of ensuring that all
Agency organizational units are in compliance with the information
security program.
   Lead and Supporting Organizations: OIRM, NDPD, FMSD
   Agree/Disagree: Agree
   Summary of Response: As stated in the OARM response to the recent
   systems software audit, OIRM and NDPD will work together to define
   resource requirements for such a monitoring program. In addition,
   OIRM is establishing an IRM oversight program, which will include
   information security among its oversight topics.


-------
                          Response to OIG Draft PCIE Audit Report of 8/6/92

Recommendations: Chapter 8

We recommend that the Deputy Administrator:

Recommendation 1: ... establish event cycles specific to IRM
processes and include the appropriate control objectives and
techniques.
   Lead and Supporting Organizations: OIRM, NDPD, OC
   Agree/Disagree: Agree
   Summary of Response: OIRM has established its own event cycles
   specific to IRM processes, including appropriate updated control
   techniques and objectives. OIRM, with input from NDPD, will
   provide IRM event cycle guidance to the Agency during FY93.

Recommendation 2: ... update the risk assessment for the assessable
units 1210 and 1212 to more adequately account for the risks
associated with EPA's information resources.
   Lead and Supporting Organizations: OIRM, NDPD, OC
   Agree/Disagree: Agree
   Summary of Response: OARM has established updated risk assessments
   for AUs 1210 and 1212 which account for the risks associated with
   EPA's information resources.

Recommendation 3: ... schedule formal AICRs specifically addressing
policies and procedures, planning and budgeting, quality assurance,
individual sensitive information systems, and security of sensitive
systems and facilities in the next MCP.
   Lead and Supporting Organizations: OIRM, NDPD, OC
   Agree/Disagree: Agree
   Summary of Response: OIRM has updated its Management Control Plan
   to include formal reviews which specifically address the security
   of sensitive systems and facilities, and oversight and enforcement
   of information security. OIRM's and NDPD's FY93 Management Control
   Plans will reflect the formal reviews needed in the other specific
   areas mentioned in the recommendation.


-------
                 Computer Systems Integrity
                                                  APPENDIX I
              Appendix B
   Agency Response to OMB Regarding
Proposed Changes to OMB Circular A-130
9/10/92
           112
          Report No.  E1NMF1-15-0032-2100641

-------
             UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
                        WASHINGTON, D.C. 20460



                                  AUG 26 1992
                                                          OFFICE OF
                                                         ADMINISTRATION
                                                         AND RESOURCES
                                                         MANAGEMENT

 Mr. Bruce McConnell, Chief
 Information Policy Branch
 Office of Information and Regulatory Affairs
 Office of Management and Budget
 Room 3235
 New Executive Office Building
 Washington, D.C. 20503

 Dear Mr. McConnell:

      Thank you for the opportunity to comment on the proposed
 revision of OMB Circular A-130.  As you know, my staff and I
 participated in the June 10, 1992, inter-agency seminar
 sponsored by Syracuse University.  I think this was an
 excellent forum to promote dialogue on this important Federal
 policy and enlist recommendations from a wide spectrum of
 organizations impacted by this policy.  The recommendations
 resulting from that session were very useful and we would
 certainly encourage you to factor them into your analysis as
 you revise the Circular and its Appendices.

      The following reactions and recommendations reflect the
 collective comments of EPA's IRM managers and representatives
 of our client organizations.  A number of them reinforce
 recommendations which have been offered by the group at the
 June 10 seminar, especially the need to resolve conflicts
 between existing legislation, regulation and policy and
 provide more detailed guidance in the Appendices to promote
 consistent implementation of this policy across the
 Government.

      Overall, the revisions proposed in the document provide
 an improved framework for (1) IRM planning (focused on
 information life cycle), (2) State and local government roles
 in managing IRM resources and information, (3) managing
 records, especially electronic, (4) promoting the electronic
 collection of information and (5) promoting more active
 dissemination of Federal information.  The comments which
 follow relate to specific functional areas and issues
 addressed in the policy.
                      113


-------
 IRM Planning

      We strongly endorse the policy that agencies should plan
 in an integrated manner for managing information throughout
 its life cycle.  We applaud the policy's emphasis on
 consideration of the impact of decisions and actions at one
 life cycle stage on subsequent stages.

      We are also pleased that the policy requests that
 agencies integrate planning for information systems with
 planning for resource allocation and use, including
 budgeting, acquisition, and subsequent use of information
 technology.  This is particularly relevant to EPA's
 development of systems, which traditionally has been along
 media-specific lines but in recent years has moved to a more
 integrated approach.

      Sections 8.a(1)(a) and (b) consider the effects of an
 agency's actions on the public and State/local governments
 respectively, but do not specifically recommend that Federal
 agencies work together in determining these effects on each
 other's actions.  An example is the collection of water
 quality monitoring data by USEPA and USGS.  Though the
 missions of USEPA and USGS are different, there is potential
 overlap in data collected, methods, quality assurance,
 storage, and retrieval capabilities which might be optimized
 through cooperative IRM program review.

      We are pleased to see that Section 8.a(d) promotes
 interagency or intergovernmental sharing of information
 before creating or collecting new information.  This lends
 strong support to the effort EPA has been promoting with the
 Federal Geographic Data Committee in developing Memoranda of
 Understanding with other members of the Committee to obtain
 geographic data.

 Records Management

      As noted above, we are pleased that the revised draft
 clearly incorporates records management into IRM and
 identifies many of the basic records management functions as
 key parts of the IRM framework.  We also think it helpful
 that the revised draft incorporates the concept of the
 information life cycle as the basis for information
 management planning and specifies that records management and
 archival functions must be incorporated into the design,
 development, and implementation of information systems.  It
 has also been useful to incorporate management of audiovisual
 productions into IRM and specify that the program must
 conform to the requirements in 36 C.F.R. 1232.4.
                      114


-------

      We strongly recommend that a records management appendix
be added to the revised Circular.  EPA's Records Management
Officer was a participant on the inter-agency task force that
drafted such an appendix, a copy of which I have enclosed for
your reference.  We think the addition of this appendix would
be very helpful to ensure that Federal managers understand
more clearly how to implement their responsibilities in the
records management area.  Additional recommendations in the
records management area include the following:

           Add the Federal Records Act to the list of
           authorities (Section 2).

           Strengthen Section 8a(4) by revising it as follows:
           "Establish recordkeeping requirements to properly
           manage agency records to ensure adequate and proper
           documentation of Federal government policies,
           activities, and transactions;"

Dissemination

     We are very supportive of the Circular's endorsement of
active information dissemination to the public.  As you know,
EPA's experience with the Toxic Release Inventory has
provided a number of useful examples of how the availability
of information spurred both the public and industry to reduce
the danger from these releases.

     The revised draft encourages agencies to make
information products available to GPO for inclusion in the
depository library program but is silent on a reciprocal
responsibility of GPO to make its information products, such
as the Federal Register and Code of Federal Regulations,
easily available.  We recommend that A-130 require GPO to
make its products available to agencies in formats they can
easily use, such as standard word processing or ASCII
formats.

     We are pleased to see that the policy also recommends
that agencies ensure that safeguards are in place to protect
the information resource from loss, misuse, or unauthorized
access or modification of such information.

     As in the Electronic Information Collection section, the
policy statements concerning information dissemination should
reference cooperative efforts of Federal agencies to optimize
their IRM resources and work toward elimination of
unnecessary, overlapping or redundant information collection,
storage, and dissemination.
                      115


-------
Depository Libraries

     The Circular should promote agencies' use of standard
software in providing information products to the Depository
Libraries.

Electronic Information Collection

     As you know, EPA is a strong supporter of the electronic
collection of information and has published an Agency policy
on this topic.  We are pleased to see this issue incorporated
in the revised draft Circular.

     While this policy revision states that government
information is a valuable national resource to the citizens
and unrestricted flow of information between government and
citizens is essential (7.b and 7.c), the policy also
specifies that the expected public and private benefits
derived from government information should exceed the public
and private cost of the information (7.d).  We suggest that
this cost benefit analysis statement include information
collected under State/local agency delegated programs.

     We further suggest an additional policy item under
8a(3) which recommends that an agency periodically review its
regulatory requirements for reporting information to assure
that the information is necessary and of known quality to
support the agency's mission.  Cost benefit would, of course,
be explicit in the review.

Unrestricted Access

     We recommend that you clarify the language in the
Circular to permit the controlled public access of
non-sensitive portions of a database while protecting the
overall confidentiality of the database.  We think this would
help to ensure a proper balance between promoting public
access and protecting sensitive information.

Information Security

     We recommend that the Circular be updated to be more
consistent with the Department of Commerce's FIPS Pub
regarding the development of risk analyses and contingency
plans specific to application systems.  The current draft
only requires risk analyses and contingency plans for
installations.

     We look forward to the revised appendix on information
security which will provide more guidance on developing and
updating security plans, specific requirements for security
training and security awareness programs and how A-130 will
                      116


-------
effect improved coordination with the requirements of
Circular A-123.

User Charges

     We also look forward to reviewing the revised Appendix
which addresses Cost Accounting, Cost Recovery, and
Interagency Sharing of Information Technology Facilities.  We
see the need to provide more specific information on the
topic of user charges.

Role of State and Local Governments

     The relationship between the Federal Government and the
Indian nations is not addressed in the revised draft.  In our
State/EPA Data Management Program, we promote the inclusion
of Indian Tribes as partners along with the States since the
Federal Government is beginning to delegate more authority to
these groups.

Quality Assurance

     EPA's Office of Inspector General is particularly
concerned about the need for the Circular to provide guidance
to Federal agencies regarding establishment of quality
assurance programs for application systems.  My colleagues in
this organization see this as one of the most significant and
long-standing IRM problems in the Federal Government; one
that has been cited in numerous GAO and OIG audits throughout
the Federal agencies over the last 10-15 years.

     I commend you for the efforts you have taken in
addressing this very important issue of Federal information
resources management and hope these comments are useful to
you as you revise the Circular.  If you have any questions,
please contact me at (202) 260-4465.

                Sincerely,

               Alvin M. Pesachowitz, Director
               Office of Information Resources Management

Enclosure

cc:   Richard Morgenstern, Acting Assistant Administrator
      Office of Policy, Planning and Evaluation
                          117



-------
                                                  APPENDIX II


                                   Computer Systems Integrity
              OIG EVALUATION OF AGENCY COMMENTS
We appreciate the positive response by the Assistant
Administrator for Administration and Resources Management to
our draft report and the many substantive actions already
initiated to strengthen EPA's IRM management structure.  The
following notes present the OIG's response to certain
portions of the Assistant Administrator's September 15, 1992,
memorandum.

1   In order to be more specific about organizational and
    planning issues we modified Recommendations 3 and 4 in
    Chapter 2 and added additional comments at the end of
    Chapters 2 and 4 under the caption, "Agency Comments and
    OIG Evaluation."

2   As indicated in the Scope and Methodology section of the
    report "we did not report on the OIG's IRM activities
    during this audit because it would violate the auditing
    standard on independence."  However, we have discussed
    personnel security issues developed during the audit
    with OIG management, and they are addressing these
    issues internally.

3   We agree that not all NDPD operational policies have to
    go through the green border process.  However, we
    believe that all minimum Federally mandated policies,
    standards, and procedures and any critical EPA IRM
    Agencywide requirements should be mandatory and
    documented in the Agencywide formal/mandatory EPA
    directives system.  We further believe that with the
    proper establishment of a DSO and the IRM Steering
    Committee the cumbersome green border approval process
    could be expedited for EPA's implementation of Federally
    mandated policies, standards, and procedures.

4   We agree that the Agency's "IRM Strategic Plan 1991-
    1995" is of some value to the IRM decision-making
    process.  However, we strongly believe that it falls far
    short of a true IRM Strategic Plan which should be the
    instrument for integrating the IRM planning process with
    the budgeting process.  We made adjustments to the
    wording in Chapter 4 to reflect these comments.


                             119


-------
5   We agree that IRM at EPA will never be as simple as
    implementing recommendations extracted from an IRM
    textbook.  However, the majority of our recommendations
    address basic management functions and concepts which
    are generally accepted practices in the Federal IRM
    community as well as in private industry.  What these
    recommendations will require is a firm commitment from
    the top levels of EPA management and strong centralized
    IRM leadership and oversight.

6   The FMFIA issues described in Chapter 8 were not
    considered a principal finding and therefore were not
    included in this sub-section of the Executive Summary.
    However, we have added some comments about Chapter 8
    under the Results In Brief section of the Executive
    Summary and the Scope and Methodology section in
    Chapter 1.

7   While we agree that the current Steering Committee was
    established in 1985, the Agency has had an IRM steering
    committee as far back as 1975.  As stated in the report
    the earlier Steering Committee was a high-level
    decision-making group composed of Assistant
    Administrators.  The current Steering Committee is
    composed of senior officials and it functions as more of
    an advisory group.  In addition, we clarified our
    statement in Chapter 1 that the senior officials were
    primarily Office and Division Directors.  Our message is
    that the Steering Committee needs "top management"
    involvement to allow it to be a decision making group
    rather than an advisory and coordination organization.

8   Based on our audit referencing process (quality
    assurance review) we eliminated only 4 of the 54 prior
    reports listed in our Appendices V and VI.  Even though
    some of the titles of the remaining 50 reports do not
    appear to be IRM-related, all of these reports cited
    IRM-related problems.

9   Page 10 of our draft report cited GAO and GSA
    recommended criteria.  We support the GAO criteria which
    cited that the Steering Committee assist in establishing
    Agencywide policy (i.e., initiates and approves).
    However, we believe that the policies that the Steering
    Committee approves should be formalized through the
    Agency's Directive 1315 process.  Also, see our comments
                            120


-------
    at the end of Chapter 2 under caption, "Agency Comments
    and OIG Evaluation."

10  We believe that "real change" will result from
    appointing a DSO at the AA level.  First, no formal
    designation of the DSO exists which is contrary to the
    specific requirements of the Paperwork Reduction Act of
    1980.  Second, once officially designated the DSO should
    have the authority and responsibilities for Agencywide
    IRM.  The DSO will deal directly with the Administrator
    on IRM matters, chair the Executive Steering Committee,
    and have direct authority over all program offices for
    all IRM matters; these authorities and responsibilities
    should not be re-delegated.  Third, we envision that the
    functions for IRM will be re-delegated to OIRM to carry
    out the majority of the Agencywide IRM functions and
    oversight, but under the authority and direction of the
    DSO.  We believe that this is clearly a change from the
    current IRM infrastructure, and if appropriately
    implemented will result in "real changes" to the IRM
    program at EPA.

11  The thrust of our concern was the IRM policies,
    standards, and procedures which were non-existent, not
    complete, outdated, or not mandatory.  Furthermore, the
    extensive review process to which OARM refers is not
    formal or required, and there is no assurance that
    comments are adequately considered or appropriate
    adjustments are made.  Review comments we have provided
    in the past for various IRM guidance (e.g., OIG written
    comments on EPA's System Design and Development
    Guidance) did not result in changes in the final version
    of the guidance, nor was feedback provided as to why the
    changes were not used.

12  We examined Order 1000.21a on the metric system and do
    not consider this an IRM-related order.

13  We disagree because the 17 audit reports cited during
    this 12-year period utilized the appropriate IRM-related
    criteria during the 12-year time-period.  For example,
    the Paperwork Reduction Act of 1980 was in force throughout
    the entire 12-year period and OMB Circular A-130
    replaced OMB Circulars A-71, A-90, A-108, and A-121
    which were in place during the period of 1980 through
    1985.
                            121


-------
14  In the report we meant that OIRM needs to make a
    distinction between formal or mandatory documents (i.e.,
    policies, standards, and procedures) and informal or
    optional guidance documents which may or may not need to
    be mandatory.  We adjusted the wording in Chapter 3 to
    make that clarification.  As indicated in our report
    these formal or mandatory documents are addressed in EPA
    Directive 1315, but guidance is not defined.  OARM's MOD
    is currently reviewing the IRM guidance documents which
    should clarify which documents should go through the
    green border process.

15  We agree that this is difficult to implement because of
    the current decentralized, separate, and distinct
    environmental programs.  However, IRM is set up on a
    centralized basis to support all programs and the
    Paperwork Reduction Act requires that this function be
    managed centrally.  Because of this structure, in our
    view, OARM has a unique opportunity to be a leader in
    promoting a cross-media focus on EPA systems and data.

16  In Chapter 3 we recommended that the Agency develop
    comprehensive, formal, authoritative, IRM policies,
    standards, and procedures which cover all minimum
    Federal IRM requirements to include risk analyses and
    certifications for sensitive systems.  We agree that if
    adequate Federal documents exist the Agency does not
    need to duplicate Federal documents.  These Federal
    requirements should be incorporated in the formal Agency
    policies, standards, and procedures by reference.  Our
    concern is that the Agency is issuing guidance which is
    identified as "not mandatory" (e.g., EPA's Risk Analysis
    Guideline) covering mandatory Federal requirements.

17  Our report portrays only the vulnerability to hackers in
    stating that prior reports address "security problems
    such as inadequate controls over...and illegal entry of
    computer systems by hackers."
                            122


-------
Office of Policy, Planning, and Evaluation

[Organization chart; only the legible entries are retained]

Assistant Administrator for Policy, Planning, and Evaluation
   Program Administration and Resources Management Staff
   Office of Policy Analysis
      Economic Analysis and Innovations Division
      Air and Energy Policy Division
      Water and Agriculture Policy Division
      Waste and Chemical Policy Division
      Climate Change Division
   Office of Strategic Planning and Environmental Data
      Strategic Planning and Environmental Statistics and
      Information Division
   Office of Regulatory Management and Evaluation
      Program Evaluation Division
      Regulatory Management Division


-------
Office of Administration and Resources Management

[Organization chart; only the legible entries are retained]

Assistant Administrator for Administration & Resources Management
   Program Operations Support Staff
   Office of Administration
   Office of Human Resources Management
      EPA Institute Division
   Office of the Comptroller
      Budget Division
      Financial Management Division
   Office of Information Resources Management
      Scientific Systems Staff
      Program Systems Division
   OARM - Research Triangle Park
      Contracts Division
   OARM - Cincinnati, OH
      Contracts Division

-------
                                                             Computer Systems Integrity
                                                                        APPENDIX V
[Matrix of the 50 OIG, GAO and GSA reports and testimonies listed in Appendix VI, giving each report's number and issue date and marking with an X the IRM problem areas it cites. Legible column headings: REPORT, DATE, STRUCTURE, REPORTS/POLICY, PLANNING, and SECURITY. The remaining headings, the X marks and the column totals cannot be aligned to their rows in the scan; see Appendix VI for the full list of reports.]
                                      127
                                  Report No.   E1NMF1-15-0032-2100641

-------
                                   Computer Systems Integrity
                                                  APPENDIX VI
          OIG, GAO, AND GSA REPORTS AND TESTIMONIES
     ISSUED SINCE FISCAL 1980 CITING IRM PROBLEMS AT EPA
1.   "SOFTWARE INTEGRITY:  EPA Needs To Strengthen General
     Controls Over System Software"  (OIG Draft Report No.
     E1NMF1-15-0055-2100591, issued September 22, 1992)

2.   "ENVIRONMENTAL ENFORCEMENT:  EPA Needs a Better Strategy
     to  Manage Its Cross-Media Information"  (GAO/IMTEC-92-
     14, issued April 2, 1992)

3.   "CONTRACT MANAGEMENT: EPA Needs To Strengthen The
     Acquisition Process For ADP Support Services Contracts"
     (OIG Report No. E1NMF1-15-0032-2100300, issued March 31,
     1992)

4.   "EPA's Management of Computer Sciences Corporation (CSC)
     Contract Activities"   (OIG Report No.
     E1NME1-04-0169-2100295, issued March 31, 1992)

5.   "Special Review On Follow-Up Of CERCLIS Reporting And
     Post-Implementation"   (OIG Report No. E1SFG1-15-5001-
     2400027, issued March 27, 1992)

6.   "WASTE MINIMIZATION:  Major Problems of Data Reliability
     and Validity Identified"  (GAO/PEMD-92-16,  issued March
     23, 1992)

7.   "FOOD SAFETY:  Difficulties in Assessing Pesticide Risks
     and Benefits"  (GAO Testimony T-RCED-92-33, issued
     February 26, 1992)

8.   "ASBESTOS REMOVAL AND DISPOSAL:  EPA Needs to Improve
     Compliance With Its Regulations"  (GAO/RCED-92-83,
     issued February 25, 1992)

10.  GSA's "Information Resources Procurement and Management
     Review, Environmental Protection Agency" (No report
     number, issued 1991)

11.  "PESTICIDES: EPA's Information Systems Provide
     Inadequate Support for Reregistration"  (GAO Testimony
     T-IMTEC-92-3, issued October 30, 1991)

12.  "Special Review of EPA's Major Information Systems"
     (OIG Report No. E1RMG1-15-0041-1400061, issued September
     30, 1991)

13.  "Special Review of Allegations of Improprieties and
     Management of the Interim Computer Workstation Contract"
     (OIG Report No. E6EMPO-15-0039-1400060, issued September
     30, 1991)

14.  "WASTE MINIMIZATION:  EPA Data Are Severely Flawed"
     (GAO/PEMD-91-21, issued August 5, 1991)

15.  "TOXIC CHEMICALS:  EPA's Toxic Release Inventory Is
     Useful but Can Be Improved"  (GAO/RCED-91-121, issued
     June 27, 1991)

16.  "ENVIRONMENTAL ENFORCEMENT:  Penalties May Not Recover
     Economic Benefits Gained by Violators"  (GAO/RCED-91-
     166, issued June 17, 1991)

17.  "HAZARDOUS WASTE:  Data Management Problems Delay EPA's
     Assessment of Minimization Efforts"  (GAO/RCED-91-131,
     issued June 13, 1991)

18.  "SARA Capacity Assurance:  Data Problems Underlying the
     1989 State Assessments"  (GAO Testimony T-PEMD-91-4,
     issued May 2, 1992)

19.  "PESTICIDES:  EPA Could Do More to Minimize Groundwater
     Contamination"  (GAO/RCED-91-75, issued April 29, 1991)

20.  "Significant Savings Possible By Increasing IBM 3090
     Computer Operations Efficiency"  (OIG Report No. E1NMBO-
     15-0021-1100152, issued March 29, 1991)

21.  "Improvements Needed in EPA's Resource Access Control
     Facility (RACF) Security Software"  (OIG Report No.
     E1NMBO-15-0027-1100151, issued March 29, 1991)

22.  "Integrated Financial Management System:  Managing
     Implementation Of The New Accounting System"  (OIG
     Report E1AMFO-11-0029-1100153,  issued March 29, 1991)

23.  "Special Review - Hotline Complaint Concerning the
     Office of Research and Development's Modeling and
     Monitoring Tracking System"  (OIG Report E1NBGO-15-0038-
     0400037, issued September 24, 1990)

24.  "DISINFECTANTS: Concerns Over the Integrity of EPA's
     Data Bases"  (GAO/RCED-90-232, issued September 21,
     1990)

25.  "DISINFECTANTS:  EPA Lacks Assurance They Work"
     (GAO/RCED-90-139, issued August 30, 1990)

26.  "Flash Audit Report — Disclosure of User Passwords On
     EPA's IBM 3090 Computer Mainframes"  (OIG Flash Report,
     no report number, issued May 7, 1990)

27.  "FINANCIAL AUDIT:  EPA's Financial Statements for Fiscal
     Years 1988 and 1987"  (GAO/AFMD-90-20, issued March 16,
     1990)
28.  "Report on CERCLIS Reporting"  (OIG Report No.
     E1SFF9-15-0023-0100187, issued March 12, 1990)

29.  "HAZARDOUS WASTE:  EPA's Generation and Management Data
     Need Further Improvement"  (GAO/PEMD-90-3, issued
     February 9, 1990)

30.  "Special Review - ADCR IBM Mainframe Password Exposure"
     (OIG Report No. E1NMGO-15-0023-0400003, issued December
     21, 1989)

31.  "SUPERFUND:  A More Vigorous and Better Managed
     Enforcement Program Is Needed"  (GAO/RCED-90-22, issued
     December 14, 1989)

32.  "Flash Report On Computer Security"  (OIG Flash Report,
     no report number, issued April 25, 1989)

33.  "Report on the Permit Compliance System"  (OIG Report
     E1NWF8-15-0021-9100192, issued February 15, 1989)

34.  "Financial Audit:  Examination of EPA's Financial
     Statements for Fiscal Year 1987"  (Report GAO/AFMD-89-
     24, issued February 9, 1989)

35.  "SUPERFUND:  Missed Statutory Deadlines Slow Progress in
     Environmental Programs"  (GAO/RCED-89-27, issued
     November 29, 1988)

36.  "Needed Security Improvements over Programs and Data in
     the NCC ADABAS Environment"  (OIG Report No. E1NWF8-15-
     0021-9100025, issued October 20, 1988)

37.  "AIR POLLUTION:  Reliability and Adequacy of Air Quality
     Dispersion Models"  (GAO/RCED-88-192, issued August 24,
     1988)

38.  "ENVIRONMENTAL PROTECTION AGENCY:  Protecting Human
     Health and the Environment Through Improved Management"
     (GAO/RCED-88-101, issued August 16, 1988)

39.  "SUPERFUND:  Extent of Nation's Potential Hazardous
     Waste Problem Still Unknown"  (GAO/RCED-88-44, issued
     December 17, 1987)

40.  "AIR POLLUTION:  Information on EPA's Efforts to Control
     Emissions of Sulfur Dioxide"  (Report GAO/RCED-88-32,
     issued December 7, 1987)

41.  "STATISTICAL REPORTS:  Information on Standard
     Industrial Classification Codes"  (GAO/GGD-87-34BR,
     issued January 30, 1987)

42.  "AIR POLLUTION:  Improvements Needed in Developing and
     Managing EPA's Air Quality Models"  (GAO/RCED-86-94,
     issued April 22, 1986)

43.  "SUPERFUND:  Status of Superfund Management Information
     Systems"  (GAO/RCED-86-98FS, issued February 28, 1986)

44.  GSA "Procurement Management Review, Environmental
     Protection Agency" (No report number, issued 1985)

45.  "EPA-FMFIA: EPA's Implementation of the Federal
     Managers' Financial Integrity Act"  (GAO/RCED-86-34,
     issued November 13, 1985)

46.  "EPA's Delegation of Responsibilities To Prevent
     Significant Deterioration Of Air Quality:  How Is It
     Working?"  (GAO/RCED-85-73, issued April 4,  1985)


47.  "EPA Could Benefit From Comprehensive Management
     Information On Superfund Enforcement Actions"
     (GAO/RCED-85-3, issued December 28, 1984)

48.  "Overtime Management and Controls at the Environmental
     Protection Agency Headquarters Are Deficient"
     (GAO/FPCD-82-34, issued March 16, 1982)

49.  "Stronger Management of EPA's Information Resources Is
     Critical To Meeting Program Needs"  (GAO/CED-80-18,
     issued March 10, 1980)

50.  "Environmental Protection Agency Acts To Improve
     Computer-Produced Reports"  (GAO/FGMSD-80-il, issued
     December 11, 1979)
-------
                                   Computer Systems Integrity
                                                  APPENDIX VII
              OFFICES WITH RESPONSIBILITIES UNDER THE
         PAPERWORK REDUCTION ACT OF 1980 (AS AMENDED)
[Organization chart. Legend entries recovered from the scan: "Unofficial alignment of portion of DSO function"; "Official delegations including DSO functions"; "Delegation 1-22"; "Delegations 1-6, 1-10". Boxes recovered from the scan: ADMINISTRATOR; DEPUTY ADMINISTRATOR; OPPE; ORME; RMD; OARM; OIRM; OARM RTP; OARM Cinn; IMSD; MPES; NDPD; IRMD. The connecting lines, and therefore which delegation applies to which office, are not legible.]

-------
                                   Computer Systems Integrity
                                                 APPENDIX VIII

              FRAGMENTATION OF PAPERWORK REDUCTION
               ACT (AS AMENDED) RESPONSIBILITIES

                                                    EPA Program Offices
DSO Responsibilities                                   OPPE      OARM

1.   Carry out its information management
     activities in an efficient and
     economical way ..............................      x         x
2.   Comply with information policies,
     principles, standards, and guidance .........      x         x
3.   Systematically inventory major systems ......                x
4.   Periodically review its information
     management activities .......................                x
5.   Ensure that information systems do not
     overlap each other ..........................                x
6.   Develop procedures for assessing the
     paperwork burden of proposed legislation ....      x
7.   Accountability for acquisition made
     pursuant to DPA .............................                x
8.   Ensure that information requests are proper .      x
9.   Ensure compliance with the Federal
     Locator system ..............................      x
10.  Periodically evaluate accuracy,
     completeness, and reliability of data and
     records contained in information systems ....                x
11.  Develop and annually revise a 5-year plan
     for meeting agency information technology
     needs .......................................                x

-------
                                   Computer Systems Integrity
                                                  APPENDIX IX
             OIRM/NDPD IRM POLICIES, STANDARDS,
                   PROCEDURES, AND GUIDANCE
FORMAL IRM POLICY DIRECTIVES AND ORDERS (see Note 1)

1.   Directive 2100, "Information Resources Management Policy
     Manual" (dated July 1987).  The chapters are:  (1) IRM
     Management Controls/Review and Approval; (2) Mission-
     Based Planning; (3) State/EPA Data Management; (4)
     Software Management; (5) Data Standards; (6) ADP
     Resources Management; (7) Voice Communications; (8)
     Information Security; (9) Information Collection; (10)
     Records Management; (11) Privacy; (12) Library
     Services; and (13) Locational Data.

2.   Directive 2115, "Guide for ADP Reviews" (dated October
     1984).

3.   Directive 2130, "Library Systems Manual" (dated January
     1977).

4.   Directive 2160, "Records Management Manual" (dated July
     1984).

5.   Directive 2190, "Privacy Act Manual" (dated January
     1986).

6.   EPA Order 2180.1, "Chemical Abstract Service Registry
     Number Data Standard" (dated June 1987).

7.   EPA Order 2180.2, "Data Standards for the Electronic
     Transmission of Laboratory Measurement Results" (dated
     December 1987).

8.   EPA Order 2180.3,  "Facility Identification Data
     Standard" (dated April 1990).

9.   EPA Order 7500.1, "Minimum Set Of Data Elements for
     Ground-Water" (dated September 1989).

IRM GUIDANCE DOCUMENTS (see Note 2)

1.   "Revised Local Area Network Policy Directive"  (dated
     March 1989).

2.   "NDPD Operational Policies Manual" (dated August 1987).

3.   "Interagency Agreement (IAG) Guideline on Use of
     National Computer Center Licensed Software"  (dated July
     1988).

4.   "EPA Information Security Manual" (dated December 1989).

5.   EPA "Information Security Manual for Personal Computers"
     (dated December 1989).

6.   Draft "EPA IRM Hardware & Software Standards"  (dated
     September 1991).

7.   "EPA System Design & Development Guidance" (dated June
     1989).

8.   EPA "Operations And Maintenance Manual" (dated April
     1990).

9.   EPA "RACF User's Guide" (dated April 1991).

10.  "Administrative Procedures: Office of Information
     Resources Management ADP Approvals" (dated October
     1990).

11.  "User's Guide For The TOSS Contract" (dated August
     1991).

12.  "EPA System Design & Development Guidance:  Supplemental
     Guidance to Volume B:  EPA/ADP Applications Guidance to
     Hardware/Software Selection" (dated August 1990).

13.  Draft "Agency Catalog of Data Policies and Standards"
     (dated July 1991).

14.  "Guidance for Developing Image Processing Systems in
     EPA" (dated February 1991).

15.  "Image Processing Systems: IPS Contract Users Guide"
     (dated January 1992).

16.  "IRM Support Services - Delegation of Procurement
     Authority Guide" (dated November 1991).

17.  EPA "Geographic Information Systems (GIS) Guidelines
     Document" (dated January 1988).

18.  "Change Management Procedures Manual" (dated April
     1990).

19.  "Central Data Base Management Standards" (dated October
     1985).
Notes:

1. Formal IRM Policies Directives and Orders:  Formal IRM
policy directives and orders are permanent directives as
defined in Directive 1315.  The above list includes IRM
directives issued under Directive 1315 which impact the
entire Agency and/or IRM directives that are required by
public law, executive order, OMB, Office of Personnel
Management, Comptroller General, or other outside authorities
(i.e., mandatory directives).  The list also includes orders
that are short formal directives which cannot be logically
included in a manual, but are necessary for effective
management and operation of the Agency.  A manual is a rather
lengthy directive or combination of closely related
directives which usually consists of several chapters used to
prescribe or establish policies and operating procedures in
functional areas.  In addition, Directive 1315 provides for:
(1) internal directives and orders that impact only the
office from which they originate; and (2) temporary
directives which carry the same authority as a permanent
directive, but remain in effect for a limited, fixed period
of time, usually not to exceed one year.  However, OIRM and
NDPD have not issued any internal or temporary
directives/orders under Directive 1315.

2. IRM Guidance Documents:  During the course of the audit we
obtained the above IRM documents from OIRM and NDPD which
were referred to as "Guidance Documents."  None of these
guidance documents were processed through the formal green
border review.  Further, Directive 1315 does not cover the
treatment of IRM guidance documents.  In addition, OIRM does
not have a central repository for the issuance of such
guidance, and thus the list may not be all inclusive.

3. Formal Regulations:  OPPE issued a notice entitled "EPA -
Policy On Electronic Reporting" (dated July 30, 1990) which
establishes a uniform Agency approach to electronic
reporting.  This was issued under the Agency's "Red Border"
process which applies to internal and external groups.  OIRM
has also issued guidance entitled "State/EPA Data Management
Financial Assistance Program-Regional Guidance" (dated
January 1992) and "State/EPA Data Management Financial
Assistance Program - Guidance for Applicants" (dated March
1991) which implemented a financial assistance program as
published in the Federal Register on December 18, 1990.
-------
                                                    Computer Systems Integrity
                                                                           APPENDIX X
                            IRM POLICY, GUIDANCE AND STANDARDS INITIATIVES
[Table with columns NAME, STATUS, LEAD (office) and comments. The status, lead-office and comment cells cannot be matched to their rows in the scan; the initiative names that can be read are listed below. Offices appearing in the lead column include IMSD, ASD, PSD, NDPD, PCMD, OHRM, OGWP and OARM.]

PUBLIC ACCESS POLICY
RULEMAKING DOCKET POLICY
ELECTRONIC SIGNATURE POLICY
DELEGATION ON MICROCOMPUTER REQUESTS
GENERAL ADP DELEGATION
TELECOMMUNICATIONS POLICY
STANDARDS FOR IMAGE FILES, TRANSFER, INDEXES
POLICY DIRECTIVE ON COMPUTER SERVICES FOR DISABLED
POLICY DIRECTIVE ON LANS
STANDARDS FOR MICROGRAPHICS MEDIA & CONVERSION
FORMS POLICY
PRIVACY ACT POLICY
RECORDS MANAGEMENT POLICY
BIOLOGICAL TAXONOMY DATA STANDARD
DATA ADMINISTRATION POLICY
POLICY ON IRM MGMT. CONTROLS
POLICY ON SOFTWARE MGMT.
AGENCY HW/SW/ARCH. STANDARDS
LOC. DATA POLICY IMPLEMENT. GUIDANCE
FACILITY ID DATA STANDARD IMPLEMENTATION PLAN
SYSTEMS DESIGN & DEVELOPMENT GUIDANCE
REGIONAL RECORDS MANAGEMENT PROCEDURES GUIDANCE
CD-ROM GUIDANCE
PC BULLETIN BOARD POLICY
MINIMUM SET OF DATA ELEMENTS FOR GROUNDWATER
E-MAIL OPER. POLICY
CUSTOMER SERVICES OPER. POLICY
MAINFRAME SECURITY OPER. POL.
DB2 OPER. POLICY
IMAGE PROCESSING OPER. POLICY
SOFTWARE REVIEW COUNCIL
ELECTRONIC DATA INTERCHANGE
GUIDELINES FOR MOSES PROJECT WORKPLANS & PROGRESS REPORTING

Note: DRAFT - Requires review by OIRM/NDPD

-------
                                            Computer Systems Integrity
                                                              APPENDIX XI
                   IRM PLANNING EFFORTS (1) UNDERTAKEN BY EPA

Planning Effort                  Date        Purpose

Automated Data Management        March       To document the data
Plan for Environmental           1990        management needs of the Lab,
Research Laboratory at                       and define a plan of action
Athens                                       which maintains the Lab's
                                             computational potential
                                             required over 5 years.

NDPD Fiscal Year 1991            September   Lists OIRM goals and NDPD
Tactical Plans                   1990        objectives and IRM projects
                                             for fiscal 1991.

IRM Strategic Plan               November    Defines EPA's IRM mission,
1991-1995                        1990        lists external factors
                                             impacting IRM, discusses an
                                             IRM strategic vision, and
                                             provides broad IRM strategic
                                             goals and objectives.

NDPD Architectural               October     Lists IRM projects approved
Management and Planning          1991        by NDPD for fiscal 1992.
Branch Projects Fiscal 1992

OIRM Administrative Systems      December    To organize and focus the
Division Information             1991        investments which support
Strategy Plan                                the automation of the EPA
                                             administrative community.

Office of Solid Waste and        December    To ensure that IRM support
Emergency Response (OSWER)       1991        is sufficient and available,
Strategic Information                        provide a basis for the
Resources Management Plan                    future direction of IRM, and
                                             provide OSWER managers a
                                             common vision of the future
                                             IRM.

(1) The IRM plans listed above may not represent all the IRM plans in the
Agency.  We obtained these plans based on interviews with OIRM officials at
Headquarters and regional locations we visited.  During our review, the Office
of Water and ORD were in the process of developing IRM plans; however, as of
May 1992, these plans had not been finalized.

-------
                                          Computer Systems Integrity
                                                          APPENDIX XII
                    SUMMARY OF IRM REVIEWS PERFORMED
                        FROM FISCAL 1989 TO 1991

Major Functional Area       No. of     Major      No. of Reviews on
                            Reviews    Systems    System Development

1. Records Management          8
2. Data Sharing                2
3. IRM Policy                  6
4. Post-Implem. Review         7          6
5. Pre-Implem. Review          4          3
6. Security                    2
7. Telecommunications          2
8. Architecture Study          1
9. Integrated Admin.
   System Concept

   TOTAL

NOTES:

Major Functional Area--The predominant IRM area of study covered in EPA's
reviews under the GSA IRM triennial review program.  Nine functional IRM
areas were covered in the 33 reports over the three fiscal years.

Major System--Post-implementation reviews were performed on major
information systems including STORET, IFMS, EPAYS, ADCR, FINDS, and TRI.
Pre-implementation reviews were performed on ICMS, RCRIS, and SCRIPS.
(See Appendix XVI for the Glossary of Acronyms and Abbreviations.)

System Development--Two of the reviews focused on updating or creating
information systems development life cycle policy.  Of the four pre-
implementation reviews: SCRIPS and RCRIS were on system development pilot
programs; the ICMS review involved requirements analysis; and STARS involved
prototyping.
-------
                                   Computer Systems Integrity
                                                APPENDIX XIII

         GLOSSARY OF TERMS USED IN THE FMFIA PROCESS

Internal Control Review (ICR) - a detailed examination of a
system of internal controls using the methodology specified
in the Internal Control Guidelines published by OMB.  All
reviews should produce written materials documenting what was
done and what was found.  (Source: OMB Circular A-123)

Alternative Internal Control Review (AICR) - a process such
as OMB Circular A-130 computer security reviews, OMB Circular
A-127 financial system reviews, Inspector General audits, and
other management and consulting reviews to determine that the
control techniques in an agency component are operating in
compliance with this circular.  Such alternative reviews must
determine overall compliance and include testing of controls
and the development of required documentation. (Source: OMB
Circular A-123)

Primary Organization Head (POH) - the Deputy Administrator,
Assistant Administrator, Regional Administrators, the
Inspector General and the General Counsel.  There are 22 POHs
within EPA. (Source: EPA Order 1000.24)

Sensitive System -  a system that processes sensitive
information and requires protection because of the loss or
harm which could result from the improper operation or
deliberate manipulation of the application itself.  Automated
decision-making application systems are highly sensitive if
the wrong decisions could cause serious loss.  (Source: EPA
Directive 2100)

Event Cycle - the process used to initiate and perform
related activities, create the necessary documentation, and
gather and report related data. (Source: EPA Order 1000.24)

Risk Assessment - a documented review by management of the
components susceptibility to waste, loss, unauthorized use,
or misappropriation.  Risk assessments are of two types:
vulnerability assessments and alternative procedures.
(Source: OMB Circular A-123)
System Certification - agency official certifies that the
system meets all applicable Federal policies, regulations,
and standards, and that the results of the tests demonstrate
that the installed security safeguards are adequate for the
application.  (Source: OMB Circular A-130)

Management Control Plan - a brief written plan which
summarizes the agency's risk assessments, planned actions,
and internal control evaluations to be undertaken to provide
reasonable assurance that controls are in place and working
and is used to manage FMFIA implications.  (Source: OMB
Circular A-123)

Assessable Unit - a program operation or administrative
function which is to be the subject of a vulnerability
assessment.  An assessable unit is comprised of related event
cycles.  (Source: EPA Order 1000.24)
-------
                                                                          APPENDIX XIV


                              STATISTICS FOR SENSITIVE INFORMATION SYSTEMS (1)

OFFICE                     SYSTEM                                              REVIEW      REVIEW      IN EVENT
                                                                               COMPLETED   PLANNED     CYCLE
                                                                               1989-1991   1992-1996

ADMINISTRATOR'S OFFICE     FREEDOM OF INFORMATION ACT TRACKING SYSTEM          NO          NO          NO
                           EXECUTIVE AND CONGRESSIONAL CORRESPONDENCE SYSTEM   NO          NO          NO

OFFICE OF AIR AND          AEROMETRIC INFORMATION RETRIEVAL SYSTEM             YES         YES         NO
RADIATION

OFFICE OF ADMINISTRATION   AUTOMATED INFORMATION SYSTEM FOR CAREER MANAGEMENT  NO          NO          NO
AND RESOURCES MANAGEMENT   CONTRACT DELIVERY ORDER TRACKING SYSTEM             NO          NO          NO
                           CONTRACT INFORMATION SYSTEM (1)                     NO          YES         YES
                           AUTOMATED PROCUREMENT DOCUMENTATION SYSTEM          NO          NO          YES
                           EPAYS PAYROLL/PERSONNEL SYSTEM                      (values illegible in source)

(1) (Footnote text illegible in source.)
-------
                                                    APPENDIX XV
        SECURITY PROGRAM STATUS FOR SENSITIVE INFORMATION SYSTEMS
                          AS OF JUNE 30, 1992 (1)

                                        RISK ANALYSIS                  UPDATED
                                        (FORMAL/OTHER)   CERTIFIED     SECURITY PLAN
MAJOR APPLICATION SYSTEMS (2)
 1. AIRS                                     YES             YES           NO
 2. IFMS                                     YES             YES           YES
 3. EPAYS                                    YES             YES           YES
 4. GICS                                     NO              NO            YES
 5. RMIS                                     NO              NO            YES
 6. RCRIS                                    NO              NO            YES
 7. CERCLIS                                  NO              NO            NO
 8. PCS                                      YES             YES           YES
 9. NEEDS                                    YES             YES           YES
10. STORET                                   NO              NO            NO
11. CRIMINAL DOCKET                          NO              NO            YES
12. CRIMINAL INVESTIGATION                   NO              NO            YES
13. DEFENSIVE DOCKET                         NO              NO            YES
14. ENFORCEMENT DOCKET                       NO              NO            YES
15. CIS                                      NO              NO            NO
16. APDS                                     NO              NO            NO
17. CDOTS                                    NO              NO            NO
18. ECSERIS                                  NO              NO            YES
19. AISCM                                    YES             NO            NO
20. TSCA CBI                                 NO              NO            NO
21. OTS CBI                                  NO              NO            NO
22. CPS                                      YES             YES           YES
23. TAIS                                     YES             YES           YES
GENERAL SUPPORT SYSTEMS (3)
24. Contracts Minicomputer                   NO              NO            NO
25. Nat'l Computer Center                    YES             NO            YES
26. EPA Telecom. Network                     NO              NO            YES
REPLACEMENT SYSTEMS
27. FOIMATS                                  NO              NO            NO
28. CTIMS                                    NO              NO            NO
29. SSTS                                     NO              NO            NO

TOTAL 'NO'                                   20              22            13
1.  The above listing of sensitive systems is based on phone
conversations and documents provided by system managers.
Supporting documentation must have been provided by June 30, 1992
in order to be considered completed.  The OIG sensitive
application and general support systems were not included in this
evaluation in order to maintain independence as required by
Government Auditing Standards (1988 Revision).

2.  The following sensitive application systems reported in
January 1989 were not considered because they were either no
longer operational or had been combined with other systems:
HWDMS, FIFRA & TSCA, FIATS, and ECCS.

3.  The following sensitive general support system was not
considered because it no longer supports sensitive systems:  WIC.
-------
                                                 APPENDIX XVI

                     ACRONYMS AND ABBREVIATIONS
ADCR      - Automated Document Control Register
ADP       - Automatic Data Processing
AICR      - Alternative Internal Control Review
AIRS      - Aerometric Information Retrieval System
CDO       - Central Directives Officer
CERCLIS   - Comprehensive Environmental Response,
               Compensation and Liability Information System
CICS      - Customer Information Control System
CIRO      - Chief Information Resources Officer
CLU-IN    - Technology Transfer Bulletin Board
DOC       - Department of Commerce
DSO       - Designated Senior Official
EPA       - Environmental Protection Agency
EPAAR     - EPA Acquisition Regulations
EPAYS     - EPA Payroll System
FATES     - FIFRA and TSCA Enforcement System
FINDS     - Facilities Index System
FIP       - Federal Information Processing
FIPS      - Federal Information Processing Standards
FIRMR     - Federal Information Resources Management
               Regulations
FMFIA     - Federal Managers' Financial Integrity Act
GAO       - General Accounting Office
GSA       - General Services Administration
ICMS      - Integrated Contract Management System
ICR       - Internal Control Review
IDEA      - Integrated Data for Enforcement Analysis
IFMS      - Integrated Financial Management System
IMSD      - Information Management and Services Division, EPA
INFIMIS   - Office of Underground Storage Tanks' Funds
               Management Information System
IRM       - Information Resources Management
IRMD      - Information Resources Management Division, EPA
MCP       - Management Control Plan
MOD       - Management and Organization Division, EPA
MPES      - Management Planning and Evaluation Staff, EPA
NCC       - National Computing Center, EPA
NDPD      - National Data Processing Division, EPA
NIST      - National Institute of Standards and Technology
NSA       - National Security Agency
OA        - Office of Administration, EPA
OAR       - Office of Air and Radiation
OARH      - Office of Administration and Resources
               Management, EPA
OE        - Office of Enforcement, EPA
OIG       - Office of Inspector General, EPA
OIRM      - Office of Information Resources Management, EPA
OMB       - Office of Management and Budget
OPP       - Office of Pesticides Programs, EPA
OPPE      - Office of Policy, Planning, and Evaluation, EPA
OPPTS     - Office of Prevention, Pesticides and Toxic
               Substances, EPA
ORD       - Office of Research and Development, EPA
ORME      - Office of Regulatory Management and
               Evaluation, EPA
OSWER     - Office of Solid Waste and Emergency Response, EPA
PC        - Personal Computer
PCIE      - President's Council on Integrity and Efficiency
PCS       - Permit Compliance System
POH       - Primary Organization Head
RCRA      - Resource Conservation and Recovery Act
RCRIS     - Resource Conservation and Recovery Information
               System
RTP       - Research Triangle Park, North Carolina
SCRIPS    - Superfund Cost Recovery Image Processing System
SIRMO     - Senior IRM Official
STORET    - Storage and Retrieval of Water Quality
               Information System
TRI       - Toxic Release Inventory
TOSS      - Technical and Operational Support Service
-------
                                                APPENDIX XVII
                     REPORT DISTRIBUTION

Office of Inspector General
     Inspector General   (A-109)
EPA Headquarters
     Administrator (A-100)
     Deputy Administrator (A-101)
     Assistant Administrator for Administration and Resources
     Management   (PM-208)
     Assistant Administrator for Policy, Planning, and
     Evaluation (PM-219)
     Assistant Administrator for International Activities
     (A-106)
     Assistant Administrator for Enforcement  (LE-133)
     Office of General Counsel (LE-130)
     Assistant Administrator for Water  (WH-556)
     Assistant Administrator for Solid Waste and Emergency
     Response (OS-100)
     Assistant Administrator for Air and Radiation (ANR-443)
     Assistant Administrator for Pesticides and Toxic
     Substances (TS-788)
     Assistant Administrator for Research and Development
     (RD-672)
     Associate Administrator for Regional Operations  (A-101)
     Director, Office of Administration (PM-217)
     Director, Procurement and Contracts Management Division
     (PM-214F)
     Comptroller  (PM-225)
     Director, Financial Management Division  (PM-226)
     Director, Office of Information Resources Management
     (PM-211)
     Agency Followup Official  (PM-225)
          Attn: Director, Resource Management Division
     Agency Followup Official  (PM-208)
     Audit Followup Coordinator   (PM-208)
          Attn: Program Operations Support Staff
     Director, Office of Regulatory Management and Evaluation
     (PM-223)
     Director, Facilities Management and Services Division
     (PM-215)
     Director, Management and Organization Division (PM-213)
     Office of Congressional Liaison  (A-103)
     Office of Public Affairs  (A-107)
Regional Offices
     Regional Administrator, Region 1
     Regional Administrator, Region 2
     Regional Administrator, Region 3
     Regional Administrator, Region 4
     Regional Administrator, Region 5
     Regional Administrator, Region 6
     Regional Administrator, Region 7
     Regional Administrator, Region 8

     Regional Administrator, Region 9
     Regional Administrator, Region 10
Research Triangle Park, North Carolina
     Director, Office of Administration and Resources
     Management (MD-20)
     Director, National Data Processing Division/OARM  (MD-34)
     Director, Atmospheric Research and Exposure Assessment
     Laboratory (AREAL)/ORD (MD-75)
     Director, Office of Air Quality Planning and Standards
     (OAQPS)/OAR (MD-10) (Durham)
Cincinnati, Ohio
     Director, Office of Administration and Resources
     Management
     Director, Information Resources Management Division
Athens, Georgia
     Director, Environmental Research Laboratory
Annapolis, Maryland
     Director, Chesapeake Bay Program
External
     President's Council on Integrity and Efficiency
     Office of Management and Budget
     General Accounting Office
     General Services Administration
-------