U.S. Environmental Protection Agency
Office of Inspector General
11-P-0429
August 3, 2011

At a Glance

Why We Did This Review

The Environmental Protection Agency (EPA), Office of Inspector General, conducted this audit to identify vulnerabilities associated with the Agency's network devices located in EPA's National Health & Environment Effects Research Laboratory (NHEERL) Western Ecology Division building, and provide the results to the appropriate EPA officials who can then promptly remediate and/or document planned actions to resolve the identified vulnerabilities. This audit was conducted in support of the annual audit of EPA's compliance with the Federal Information Security Management Act.

Catalyst for Improving the Environment

Results of Technical Network Vulnerability Assessment: EPA's National Health & Environment Effects Research Laboratory, Western Ecology Division

What We Found

Vulnerability testing of EPA's NHEERL Western Ecology Division network conducted in March 2011 identified Internet Protocol addresses with numerous high-risk and medium-risk vulnerabilities. The Office of Inspector General met with EPA information security personnel to discuss the findings. If not resolved, these vulnerabilities could expose EPA's assets to unauthorized access and potentially harm the Agency's network.

What We Recommend

We recommend that the Senior Information Official, Office of Research and Development, and Director, Enterprise Desktop Solutions Division, Office of Environmental Information:

  • Provide the Office of Inspector General a status update for all identified high-risk and medium-risk vulnerability findings contained in this report.
  • Create plans of action and milestones in the Agency's Automated Security Self-Evaluation and Remediation Tracking system for all vulnerabilities that cannot be corrected within 30 days of this report.
  • Perform a technical vulnerability assessment test of assigned network resources within 60 days to confirm completion of remediation activities.

The full report is not available to the public due to the sensitive nature of its technical findings.

For further information, contact our Office of Congressional, Public Affairs and Management at (202) 566-2391.

-------