£ g% *
V PR0^°
U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL
L/.S. Chemical Safety Board
Key Aspects of CSB
Information Security
Program Need Improvement
Report No. 15-P-0073
February 3, 2015
-------�
Report Contributors:
Rudolph M. Brevard
Vincent Campbell
Eric K. Jackson Jr.
Christina Nelson
Abbreviations
CSB
U.S. Chemical Safety and Hazard Investigation Board
EPA
U.S. Environmental Protection Agency
FISMA
Federal Information Security Management Act of 2002
GSS
General Support System
IT
Information Technology
NIST
National Institute of Standards and Technology
OIG
Office of Inspector General
OMB
Office of Management and Budget
RMF
Risk Management Framework
SSP
System Security Plan
Are you aware of fraud, waste or abuse in an
EPA or CSB program?
EPA Inspector General Hotline
1200 Pennsylvania Avenue, NW (2431T)
Washington, DC 20460
(888) 546-8740
(202) 566-2599 (fax)
OIG Hotline@epa.gov
More information at www.epa.gov/oiq/hotline.html.
EPA Office of Inspector General
1200 Pennsylvania Avenue, NW (241OT)
Washington, DC 20460
(202) 566-2391
www.epa.gov/oig
Subscribe to our Email Updates
Follow us on Twitter @EPAoig
Send us your Project Suggestions
-------�
February 3, 2015
* • U.S. Environmental Protection Agency 15-P-0073
mm "z Office of Inspector General
mZ I
At a Glance
Why We Did This Review
We performed this audit to
assess the U.S. Chemical
Safety and Hazard
Investigation Board's (CSB's)
compliance with the Federal
Information Security
Management Act of 2002
(FISMA).
FISMA requires federal
agencies to develop an
information security program
that protects the operations and
assets of the agency. The
Inspector General is to perform
an annual independent
evaluation of the security
program.
This report addresses the
following CSB goal:
• Preserve the public trust by
maintaining and improving
organizational excellence.
Key Aspects of CSB Information Security
Program Need Improvement
Send all inquiries to our public
affairs office at (202) 566 2391
or visit www.epa.gov/oiq.
The full report is at:
www.epa.qov/oiq/reports/2015/
20150203-15-P-0073.pdf
What We Found
CSB should improve key aspects of its information
security program to better manage practices
related to information security planning, physical
and environmental security controls, its
vulnerability testing process, and internal controls
over its information technology inventory.
CSB's ability to increase
its situational awareness
and reduce risk exposure
is challenged by its lack
of a real-time continuous
monitoring strategy.
The National Institute of Standards and Technology provides guidance for how
federal organizations should continuously monitor security control effectiveness
and remediate vulnerabilities. Office of Management and Budget Circular A-123,
Management's Responsibility for Internal Control, provides guidance on how
federal programs should develop internal controls to ensure that they achieve
their desired objectives.
Federal information systems are subject to threats, including environmental
disruptions, human and/or machine errors, and purposeful attacks. If CSB
information technology inventory is stolen or its network breached, CSB data,
information and configurations may be exposed.
Recommendations and Planned CSB Corrective Actions
We recommend that CSB update and maintain its system security plan,
implement a risk management framework, create a visitor access record for the
server room, formally accept risk of unimplemented privacy and security controls
and vulnerabilities, and develop a process for orderly shutdown of critical
information technology assets. We also recommend that CSB create plans to
remediate systems with known vulnerabilities and expand its monthly
vulnerability testing process to include all assets attached to the network. Further,
we recommend that CSB improve its inventory control practices to ensure
personnel do not perform incompatible duties, provide policies and procedures
for safeguarding inventory, review and document lost items, and recover costs for
lost items due to employee negligence.
CSB concurred with our recommendations and provided corrective actions with
estimated completion dates for each recommendation. All 17 recommendations
we made are resolved and corrective actions are completed or ongoing.
Noteworthy Achievements
CSB took significant action to implement processes to eliminate excessive
electronic device inventory and to document management's justification for
assigning multiple electronic devices to certain CSB personnel.
-------�
>c
UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
THE INSPECTOR GENERAL
February 3, 2015
The Honorable Rafael Moure-Eraso, Ph.D.
Chairperson and Chief Executive Officer
U.S. Chemical Safety and Hazard Investigation Board
2175 K Street, NW, Suite 400
Washington, DC 20037-1809
Dear Dr. Moure-Eraso:
This is our report conducted by the Office of Inspector General (OIG) of the U.S. Environmental
Protection Agency. This report represents our final position on our review of the U.S. Chemical Safety
and Hazard Investigation Board's (CSB's) implementation of the Federal Information Security
Management Act. The report contains findings that describe the issues the OIG has identified and
corrective actions the OIG recommends. This report represents the opinion of the OIG and does not
necessarily represent the final CSB position. CSB managers will make the final determinations on
matters in this report.
In responding to the draft report, CSB concurred with all recommendations and provided corrective
actions to address each recommendation.
We will post this report and CSB's response to the report on our website at http://www.epa.gov/oig.
Sincerely,
Arthur A. Elkins Jr.
-------�
Key Aspects of CSB Information Security Program
Need Improvement
15-P-0073
Table of Contents
Chapters
1 Introduction 1
Purpose 1
Background 1
Responsible Offices 2
Scope and Methodology 2
Noteworthy Achievements 3
2 Improvements Needed in CSB's Information Security Planning 4
Incomplete System Security Plan 4
Unimplemented Risk Management Framework 5
Conclusions 5
Recommendations 6
CSB Response and OIG Evaluation 6
3 Improvements Needed in CSB's Server Room Security Controls 7
Server Room Lacks Visitor Access Record 7
CSB Lacks Capability to Perform Orderly Shutdown of Critical IT Assets .. 7
Conclusions 8
Recommendations 8
CSB Response and OIG Evaluation 8
4 Known Vulnerabilities Threaten Security of CSB's Network 10
Known Vulnerabilities Not Remediated 10
Network-Connected Devices Not Tested 11
Conclusions 11
Recommendations 11
CSB Response and OIG Evaluation 12
5 Improvements Needed Over IT Assets Inventory 13
Segregation of Duties Lacking 13
Controls Needed to Prevent Lost Inventory 13
Conclusions 14
Recommendations 14
CSB Response and OIG Evaluation 15
Status of Recommendations and Potential Monetary Benefits 16
Appendices
A CSB's Response to Draft Report 18
B Distribution 22
-------�
Chapter 1
Introduction
Purpose
The Office of Inspector General (OIG) of the U.S. Environmental Protection
Agency (EPA) conducted this audit to assess the U.S. Chemical Safety and
Hazard Investigation Board's (CSB's) compliance with the Federal
Information Security Management Act of 2002 (FISMA) for fiscal year 2014.
Background
CSB is authorized by the Clean Air Act Amendments of 1990 and became
operational in January 1998. CSB is an independent federal agency charged with
investigating root causes for industrial chemical accidents. CSB does not issue
fines or citations, but does make recommendations to plants, regulatory agencies
such as the Occupational Safety and Health Administration and the EPA, industry
organizations, and labor groups. During fiscal year 2014, CSB's personnel
included 40 employees. CSB's investigative staff includes chemical and
mechanical engineers, industrial safety experts, and other specialists with
experience in the private and public sectors. The majority of CSB's staff are
stationed at its headquarters in Washington, D.C. The CSB also has a Western
Regional Office of Investigations, located in Denver, Colorado.
Title III of the E-Government Act of 2002, commonly referred to as FISMA,
focuses on improving oversight of federal information security programs and
facilitating progress in correcting agency information security weaknesses. FISMA
requires federal agencies to develop, document and implement an agencywide
information security program that provides security for the information and
information systems that support the operations and assets of the agency, including
those provided or managed by another agency, contractor or other source. FISMA
assigns specific responsibilities to agency heads and Inspectors General and is
supported by security policy promulgated through the Office of Management and
Budget (OMB) and risk-based standards and guidelines published in the National
Institute of Standards and Technology (NIST) Federal Information Processing
Standard and Special Publication series.
Under FISMA, agency heads are responsible for providing information security
protections commensurate with the risk and magnitude of harm resulting from the
unauthorized access, use, disclosure, disruption, modification or destruction of
information and information systems. FISMA directs federal agencies to report
annually to the OMB Director, Comptroller General of the United States, and
selected congressional committees on the adequacy and effectiveness of agency
information security policies, procedures, practices and compliance with FISMA.
15-P-0073
1
-------�
In addition, FISMA requires agencies to have an annual independent evaluation
performed of their information security programs and practices, and to report the
evaluation results to OMB.
FISMA states that the independent evaluation is to be performed by the agency
Inspector General or an independent external auditor as determined by the
Inspector General.
Responsible Offices
Within CSB's Office of Administration are CSB personnel responsible for CSB's
information technology (IT) security program. The Director of Information
Technology and the Chief Information Officer are responsible for making risk
management decisions regarding deficiencies, and their potential impact on
controls and the confidentiality, integrity and availability of systems. CSB
management is responsible, based on its risk management decisions, to implement
solutions that are appropriate for CSB's IT environment for its headquarters office
in Washington, D.C., and its Western Regional Office of Investigations in
Denver.
Scope and Methodology
We conducted our audit from June to October 2014 at CSB headquarters in
Washington, D C. We performed this audit in accordance with generally accepted
government auditing standards. Those standards require that we plan and perform
the audit to obtain sufficient, appropriate evidence to provide a reasonable basis
for our findings and conclusions based on our audit objectives. We believe that
the evidence obtained provides a reasonable basis for our conclusions based on
our audit objective.
We assessed CSB's compliance, implementation and effectiveness over the
following FISMA micro agency reporting metrics: system inventory, asset
management, vulnerability and weakness management, and identity and access
management. The remaining metrics will be evaluated on a rotational basis during
future CSB FISMA audits. In addition, we also reviewed CSB server room
physical security and environmental controls as well as CSB IT security
processes, procedures and other documentation against guidance provided by
NIST.
We reviewed CSB's internal control processes over its IT asset inventory. We
selected a random sample of CSB assigned inventory to verify the inventory
listing and reconciliations performed by CSB inventory control officers.
We performed technical vulnerability testing at the CSB headquarters office in
July 2014. We tested all Internet Protocol addresses associated with CSB's
networked resources located at CSB headquarters and the Western Regional
15-P-0073
2
-------�
Office of Investigations. The purpose of this testing was to identify the existence
of commonly known technical vulnerabilities using a commercially available
network vulnerability assessment tool recognized by NIST. We did not attempt to
penetrate any system or device, or try to gain access to other network resources
using the identified vulnerabilities. We used the risk rating provided by the
network vulnerability assessment tool to determine the level of harm each
vulnerability could cause to a network resource.
We had no prior report recommendations to follow up on during this audit.
Noteworthy Achievements
CSB has taken significant action to implement processes to eliminate excess
electronic device inventory and to document management justification for CSB
personnel assigned multiple electronic devices. CSB Inventory Control Officers
review inventory for excess electronic items and annually dispose of excess
electronic inventory items through a General Services Administration-approved
recycler. CSB's Physical Inventory Guidelines also include a CSB Device
Justification form that CSB management uses to describe its decision for
assigning multiple computer and mobile devices to a CSB employee.
15-P-0073
3
-------�
Chapter 2
Improvements Needed in CSB's
Information Security Planning
CSB lacks a system security plan (SSP) that contains all the required information
needed to authorize its systems to operate. CSB has yet to implement the NIST
Risk Management Framework (RMF) for Federal Information Systems. Federal
guidance requires organizations to describe how they implement security controls
for federal systems and to make this information available to the individual that
will authorize the system to operate. Federal guidance outlines the six-step RMF
process organizations are to follow to continuously monitor IT systems and
networks. CSB security planning documents are incomplete because CSB lacks
processes to review and update the required information on an annual basis or as
major changes to the federal guidance occur. CSB also has not finalized its plans
for how it would implement the RMF. Updated data on implemented security
controls and an effectively implemented RMF are key to driving management
decisions on what is critical in protecting the network. Without complete
information, the Authorizing Official—the person formally assuming
responsibility for the organization's risks—could potentially make decisions to
operate the network that are outside the organization's risk tolerance or that can
be detrimental to the organization accomplishing its mission.
Incomplete System Security Plan
CSB's General Support System (GSS) SSP is incomplete since it does not include
all the required security control baselines for a moderate information system.
Specifically, CSB's GSS SSP does not include nine security controls and 24
security control enhancements as required by NIST Special Publication 800-53,
Security and Privacy Controls for Federal Information Systems and
Organizations, Revision 4, for a system that contains moderate-risk data. CSB's
GSS SSP also does not detail: how security controls are implemented, terms and
conditions CSB used to select the appropriate security controls to achieve
adequate security for its information systems, and personnel responsible for
implementing the security controls.
CSB reviews its system security planning documentation every 3 years or more
frequently based on significant changes. However, the CSB IT Department
Standard Operating Procedure does not consider updates to federal guidance as a
significant change that would require CSB management to review and update its
information system security documentation. Since CSB's last review of its GSS
SSP, NIST Special Publication 800-53 was revised and security controls and
control enhancements have been added and withdrawn for low, moderate and high
baselines.
15-P-0073
4
-------�
According toNIST Special Publication 800-18, Guide for Developing Security
Plans for Federal Information Systems, SSPs should be reviewed and updated at
least annually to ensure the information system status, functionality and design;
and that the plan reflects the correct information about the system.
Federal information systems are subject to threats, including environmental
disruptions, human or machine errors, and purposeful attacks. CSB risks being
unable to effectively mitigate security vulnerabilities and protect the
organization's resources and data from undue harm by using outdated security
controls. Furthermore, federal guidance states that management's Authorizing
Official authorization of information systems should be based on an assessment of
management, operational and technical controls. Without providing the
Authorizing Official with complete and up-to-date information, this person would
be making uninformed decisions on whether to operate the system in its current
state. This could ultimately result in the Authorizing Official deciding to operate a
system (1) outside of the organization's risk tolerance, (2) with the opportunity to
direct that personnel remediate weaknesses that senior agency officials deem
important, or (3) with weaknesses that are detrimental to the organization
accomplishing its mission.
Unimplemented Risk Management Framework
CSB has not finalized a strategy to transition from a 3-year certification and
authorization process to an RMF for continuously monitoring CSB's information
systems. NIST Special Publication 800-37, Guide for Applying the Risk
Management Framework to Federal Information Systems, requires federal
organizations to transform their traditional, static, procedural certification and
authorization process to a dynamic six-step RMF process. CSB has begun
developing an RMF strategy, but CSB management has not yet fully implemented
the strategy within CSB's IT environment.
By using an RMF strategy, CSB's management can effectively manage
information system security risks to be consistent with the organization's mission,
support ongoing security authorization decisions, and implement appropriate risk
mitigation strategies. Without a codified effective continuous monitoring strategy
in place, CSB inhibits its ability to gather the real-time status of its data, network,
end points, and cloud devices and applications, thereby reducing its situational
awareness and increasing its risk exposure.
Conclusions
The lack of up-to-date information on security controls and the lack of processes
to conduct real-time monitoring of CSB's network inhibits management's ability
to make risk-based decisions to continuously authorize CSB's network and to
effectively combat cyber threats.
15-P-0073
5
-------�
Recommendations
We recommend that the Chairperson, U.S. Chemical Safety and Hazard
Investigation Board:
1. Update the GSS SSP to be compliant with the latest NIST guidance on
privacy and information security controls for federal systems.
2. Create a policy and procedure that requires that all CSB information SSPs
are to be reviewed annually and updated based on changes to federal
guidance.
3. Perform an annual review of all CSB information SSPs and document the
review.
4. Develop and implement an RMF for continuous monitoring of CSB
information systems.
CSB Response and OIG Evaluation
In its response to our draft audit report, CSB agreed with our recommendations
and provided corrective actions with estimated completion dates. We consider the
recommendations open with corrective actions pending.
Subsequent to the issuance of our draft report, we met with CSB officials to
discuss their concerns with the draft report. Where appropriate, we modified the
report language to address management's concerns.
15-P-0073
6
-------�
Chapter 3
Improvements Needed in CSB's
Server Room Security Controls
CSB has not implemented key physical security controls necessary to track
visitors to its server room or mitigate loss of data due to a power failure. Federal
guidance requires that federal organizations develop, implement, assess, authorize
and continuously monitor security controls. However, the CSB server room does
not have a visitor access record or a strategy for an orderly shutdown of servers
during non-business hours. As a result, critical CSB IT equipment and associated
data may be susceptible to damage and/or loss due to untracked visitors to the
server room or unexpected power disruptions.
Server Room Lacks Visitor Access Record
CSB does not maintain a visitor access record to identify and track visitors and/or
non-IT CSB personnel entering the server room. NIST Special Publication
800-53, Security and Privacy Controls for Federal Information Systems and
Organizations, Revision 4, Monitoring Physical Access Security Control PE-8,
states that an organization should maintain and review visitor access records.
CSB representatives did not believe that a visitor access record was necessary
because (1) the server room is off-limits to non-IT CSB personnel, (2) the server
room is protected with two cipher locks, and (3) infrequent visitors to the server
room are always accompanied by CSB IT personnel. During fieldwork, CSB
representatives indicated that the organization accepts the risk of not keeping a
visitor access record. However, management's acceptance of the risk is not
documented in its GSS SSP. Furthermore, the organization's Authorizing
Official— the individual who accepts the risks for operating information systems
without controls in place—has not officially approved an authorization to operate
with this risk noted. If the server room is tampered with, the lack of server room
visitor access records inhibits CSB's ability to determine dates, times and names of
potential perpetrators. Prior to the issuance of the final report, CSB indicated that a
visitor log had been added to both the Washington and Denver server rooms.
CSB Lacks Capability to Perform Orderly Shutdown of Critical IT Assets
CSB IT critical assets support all CSB servers for CSB headquarters and the
Western Regional Office of Investigations. These servers could contain personal
identifiable information and other sensitive or confidential data. NIST Special
Publication 800-53, Security and Privacy Controls for Federal Information
Systems and Organizations, Revision 4, Emergency Power Security Control
PE-11, states that an organization should provide a short-term Uninterruptable
15-P-0073
7
-------�
Power Supply to facilitate an orderly shutdown of the information system in the
event of a loss of power from the primary power source.
CSB representatives stated that they do not have controls in place or have a
documented strategy to ensure an orderly shutdown of critical IT assets in the
event of power loss during non-business hours. We noted that CSB servers
receive emergency back-up power from Uninterruptable Power Supplies located
in the server room. According to CSB representatives, the Uninterruptable Power
Supplies provide approximately 15 minutes of back-up power and CSB has not
configured the Uninterruptable Power Supplies to automatically shut down
critical assets. As such, in the event of a power loss, there would not be sufficient
time for the IT staff to perform an orderly shutdown of the servers unless they
were in the server room or reasonably close by the CSB building.
CSB stated it performs regular backups of the server information. However, if
servers undergo an abnormal shutdown, CSB may lose up to 2 weeks of data
and/or CSB's critical IT equipment may become damaged.
Conclusions
Since CSB headquarters' servers store all of CSB headquarters and regional
investigation data, which may contain personal identifiable information and other
sensitive or confidential data, CSB must protect its servers from damage by power
loss or tampering by undocumented visitors.
Recommendations
We recommend that the Chairperson, U.S. Chemical Safety and Hazard
Investigation Board:
5. Create a visitor access record for the server room or document the
acceptance of the risk in the GSS SSP.
6. Require the Authorizing Official to reauthorize the GSS SSP to formally
accept the risks for all federally required unimplemented privacy and
information security controls.
7. Develop and implement a strategy to be able to conduct an orderly
shutdown of CSB servers in the event of a power outage when IT
personnel are not present.
CSB Response and OIG Evaluation
In its response to our draft audit report, CSB agreed with our recommendations
and provided corrective actions with estimated completion dates. CSB indicated
that corrective actions have been completed for Recommendation 5. The OIG thus
15-P-0073
8
-------�
considers Recommendation 5 to be closed and the other recommendations open
with corrective actions pending.
Subsequent to the issuance of our draft report, we met with CSB officials to
discuss their concerns with the draft report. Where appropriate, we modified the
report language to address management's concerns.
15-P-0073
9
-------�
Chapter 4
Known Vulnerabilities Threaten
Security of CSB's Network
CSB's network contained multiple high-risk and medium-risk vulnerabilities.
These vulnerabilities were identified on network-connected IT assets at CSB
headquarters and the Western Region Office. Federal guidance requires
organizations to assess the security posture, continually monitor information
systems, and identify and remediate vulnerabilities. CSB has not remediated or
identified many of the noted vulnerabilities. This is because CSB had not made
plans to replace assets it knew had vulnerabilities, and because CSB expanded its
regular vulnerability testing program to include all assets attached to the CSB
network. As a result, CSB's network continues to be susceptible to attack by
(1) known weaknesses that, if exploited, could cause significant harm to CSB; and
(2) unmonitored assets connected to the network that could be used as launching
points to attack other known vulnerable systems or to remove data from CSB.
Known Vulnerabilities Not Remediated
CSB indicated that it knew about the existence of several of the vulnerabilities
identified during our technical vulnerability testing. CSB had identified the same
vulnerabilities as a result of its regular vulnerability testing program and recorded
the vulnerabilities within the organization's Vulnerability Management Exception
Log. However, CSB had not prioritized the remediation of these vulnerabilities.
NIST Special Publication 800-53, Security and Privacy Controls for Federal
Information Systems and Organizations, Revision 4, Vulnerability Scanning
Security Control RA-5, states organizations need to remediate legitimate
vulnerabilities in accordance with an organizational assessment of risk and share
information obtained from the vulnerability scanning process to help eliminate
similar vulnerabilities in other information systems.
We noted that CSB is proactive and diligent in identifying and cataloging its
known vulnerabilities. CSB stated that systems with known vulnerabilities cannot
be remediated due to the lack of newer software available for the affected systems
or the lack of newer software that is compatible with the existing systems'
configurations. However, CSB had not created plans of actions and milestones to
plan remediation activities to reduce or eliminate the known vulnerabilities as
required by NIST Special Publication 800-53.
By not developing a strategy for remediating vulnerabilities, these known
weaknesses will continue to pose risks to CSB's network without an end date
when the organization can start focusing its limited resources on other critical
information security activities. By creating plans of action and milestones, CSB
would be in a better position to justify its security control investments and could
15-P-0073
10
-------�
use this information to help prioritize the necessary corrective actions for its
vulnerable systems.
Network-Connected Devices Not Tested
CSB does not test all IT assets attached to its network. NIST Special Publication
800-53, Security and Privacy Controls for Federal Information Systems and
Organizations, Revision 4, Vulnerability Scanning Security Control RA-5,
specifies that organizations are required to ensure networked devices—including
printers, scanners and copiers—are included in the agency's vulnerability tests.
CSB procedures require it to conduct regular vulnerability testing of its network.
Even though CSB's vulnerability testing methodology includes testing network
appliances as part of its scope for testing, CSB's vulnerability testing
methodology does not include testing printers or multi-functioning devices
connected to the network. These types of devices typically contain central
processing units and storage media, which would allow the devices to function as
computers. These devices are known to have multiple vulnerabilities and have
been identified as potential targets for launching attacks against an organization's
network. By not regularly testing these types of devices for vulnerabilities and
remediating them, CSB potentially leaves its network vulnerable to attack. As
such, an attacker could take control of one of these devices and use it to cause
significant harm to CSB's systems and data. Remediating vulnerabilities on these
types of devices reduces CSB's exposure to network attacks.
Conclusions
CSB's network is at risk of attack due to known weaknesses existing without
defined plans to remediate them, and because IT assets connected to the network
have not been tested for vulnerabilities. The combination of these two weaknesses
could potentially create a situation where untested IT assets could be used as a
staging area to (1) conduct attacks against known vulnerable CSB systems or
(2) remove data from CSB without detection.
Recommendations
We recommend that the Chairperson, U.S. Chemical Safety and Hazard
Investigation Board:
8. Create plans of action and milestones for when CSB would either update
or replace all systems with known vulnerabilities.
9. Update the GSS SSP and have the authorizing official formally accept the
risks of operating systems with known vulnerabilities when the
organization made a risk-based decision to accept the risks.
15-P-0073
11
-------�
10. Update the organization's vulnerability testing methodology to test all
devices connected to the network. This should include all printers and
multifunctioning devices.
CSB Response and OIG Evaluation
In its response to our draft audit report, CSB agreed with our recommendations
and provided corrective actions with estimated completion dates. CSB indicated
that corrective action has been completed for Recommendation 10. The OIG thus
considers Recommendation 10 to be closed and the other recommendations open
with corrective actions pending.
15-P-0073
12
-------�
Chapter 5
Improvements Needed Over IT Assets Inventory
CSB lacks segregation of duties internal controls to protect its inventory, and has
no process in place for recovering costs for inventory lost due to employee
neglect. OMB guidance requires the agency head to establish internal control
systems to safeguard assets from waste, loss, unauthorized use or
misappropriation. CSB neither implemented controls to ensure personnel do not
perform incompatible duties nor established processes to investigate or recover
the cost of inventory potentially lost due to employee neglect. As a result, CSB's
inventory is subject to misappropriation without detection or means to recover the
cost of items lost due to negligence.
Segregation of Duties Lacking
CSB had not segregated the duties for maintaining its IT inventory. For instance,
CSB has one employee serving as the Lead Inventory Control Officer, IT
Inventory Control Officer and Inventory System Database Administrator. This
allows the employee to enter, alter and delete information from the inventory
system database without independent oversight. OMB Circular A-123,
Management's Responsibility for Internal Control, requires the agency head to
implement control activities to ensure that accountability over assets are
safeguarded against waste, loss, unauthorized use or misappropriation.
CSB's IT assets may be misappropriated without detection due to CSB's lack of
compensating controls to ensure personnel do not perform incompatible duties.
While it is common for a small organization to have employees sharing various
duties and responsibilities, it is prudent to have compensating controls in place to
prevent opportunities for unauthorized or unintentional modification of the
inventory records. Since one CSB employee simultaneously manages all IT assets
and has the ability to add, edit and delete any inventory records from the system
database, CSB management limits its ability to detect theft activity.
Controls Needed to Prevent Lost Inventory
Improvements are needed to determine whether lost CSB property inventory is
due to employee negligence. CSB's current process for maintenance allows for
lost items to remain indefinitely in the inventory system. Over the past 10 years,
8 percent of CSB's inventories (87 out of 1,145 inventory items) were assigned to
lost departments. These 87 lost inventory items include:
• 3 iPhone 5s.
• 3 Laptops.
• 24 Digital Cameras.
15-P-0073
13
-------�
• 21 Voice Recorders.
• 3 Government-Issued PIV Identification Cards.
According to OMB Circular A-123, management is responsible for designing
internal controls to ensure assets are safeguarded against waste, loss, and
unauthorized use or misappropriation.
Although CSB has written procedures that require personnel to conduct an annual
physical inventory, CSB has not developed a method for investigating and making
a determination as to whether lost items were due to employee negligence. If
these items were lost due to employee negligence, CSB lacks policies and
procedures for recovering the cost of the lost item from the employee.
Internal controls over property accountability are the cornerstone for safeguarding
government assets. By not having processes to determine when items were lost
due to employee negligence, CSB creates the environment where employees may
not exercise reasonable due care when using government property because there
are no consequences for not safeguarding the asset and returning the asset to the
organization. By implementing processes to recover costs due to employee
negligence, CSB sets the tone that management takes property accountability
seriously and that employees are accountable for their actions.
Conclusions
CSB IT property is susceptible to potential misappropriation without putting in
place controls to detect errors in property record-keeping or hold employees
accountable for safeguarding assets in their possession.
Recommendations
We recommend that the Chairperson, U.S. Chemical Safety and Hazard
Investigation Board:
11. Implement processes where employees are not performing incompatible
property accountability duties.
12. Implement compensating controls to mitigate the risks for having one
employee responsible for entering, altering and deleting information
within the CSB inventory system without detection, if segregating the
property accountability duties are not possible.
13. Develop and implement policies and procedures for safeguarding
inventory from waste, loss, unauthorized use or misappropriation.
14. Conduct a review of all items recorded as lost within the CSB inventory
system and make a determination regarding the status of the items.
15-P-0073
14
-------�
15. Initiate actions to recover the costs for lost items if CSB determines the
items were lost due to employee negligence.
16. Update the CSB inventory system with a description for the items
designated as lost.
17. Make a determination as to whether lost items should be removed from the
CSB inventory system.
CSB Response and OIG Evaluation
In its response to our draft audit report, CSB agreed with our recommendations
and provided corrective actions with estimated completion dates. We consider the
recommendations open with corrective actions pending.
Subsequent to the issuance of our draft report, we met with CSB officials to
discuss their concerns with the draft report. Where appropriate, we modified the
report language to address management's concerns.
15-P-0073
15
-------�
No.
6
6
6
6
8
8
8
11
11
12
14
Status of Recommendations and
Potential Monetary Benefits
RECOMMENDATIONS
POTENTIAL MONETARY
BENEFITS (In $000s)
Subject
Status1
Action Official
Planned
Completion
Date
Claimed
Amount
Ag reed-To
Amount
Update the GSS SSP to be compliant with the
latest NIST guidance on privacy and information
security controls for federal systems.
Create a policy and procedure that requires that all
CSB information SSPs are to be reviewed annually
and updated based on changes to federal
guidance.
Perform an annual review of all CSB information
SSPs and document the review.
Develop and implement an RMF for continuous
monitoring of CSB information systems.
Create a visitor access record for the server room
or document the acceptance of the risk in the GSS
SSP.
Require the Authorizing Official to reauthorize the
GSS SSP to formally accept the risks for all
federally required unimplemented privacy and
information security controls.
Develop and implement a strategy to be able to
conduct an orderly shutdown of CSB servers in the
event of a power outage when IT personnel are not
present.
Create plans of action and milestones for when
CSB would either update or replace all systems
with known vulnerabilities.
Update the GSS SSP and have the authorizing
official formally accept the risks of operating
systems with known vulnerabilities when the
organization made a risk-based decision to accept
the risks.
Update the organization's vulnerability testing
methodology to test all devices connected to the
network. This should include all printers and
multifunctioning devices.
Implement processes where employees are not
performing incompatible property accountability
duties.
Chairperson, U.S. Chemical 3/30/15
Safety and Hazard
Investigation Board
Chairperson, U.S. Chemical 3/30/15
Safety and Hazard
Investigation Board
Chairperson, U.S. Chemical 3/30/15
Safety and Hazard
Investigation Board
Chairperson, U.S. Chemical 3/30/15
Safety and Hazard
Investigation Board
Chairperson, U.S. Chemical 12/1/14
Safety and Hazard
Investigation Board
Chairperson, U.S. Chemical 3/30/15
Safety and Hazard
Investigation Board
Chairperson, U.S. Chemical 6/1/15
Safety and Hazard
Investigation Board
Chairperson, U.S. Chemical 6/1/15
Safety and Hazard
Investigation Board
Chairperson, U.S. Chemical 3/30/15
Safety and Hazard
Investigation Board
Chairperson, U.S. Chemical 12/1/14
Safety and Hazard
Investigation Board
Chairperson, U.S. Chemical 6/1/15
Safety and Hazard
Investigation Board
16
-------�
RECOMMENDATIONS
POTENTIAL MONETARY
BENEFITS (In $000s)
Rec.
No.
No.
Subject
Status1
Action Official
Planned
Completion
Date
12 14 Implement compensating controls to mitigate the
risks for having one employee responsible for
entering, altering and deleting information within
the CSB inventory system without detection, if
segregating the property accountability duties are
not possible.
13 14 Develop and implement policies and procedures for
safeguarding inventory from waste, loss,
unauthorized use or misappropriation.
14 14 Conduct a review of all items recorded as lost
within the CSB inventory system and make a
determination regarding the status of the items.
15 15 Initiate actions to recover the costs for lost items if
CSB determines the items were lost due to
employee negligence.
16 15 Update the CSB inventory system with a
description for the items designated as lost.
17 15 Make a determination as to whether lost items
should be removed from the CSB inventory
system.
Chairperson, U.S. Chemical
Safety and Hazard
Investigation Board
Claimed
Amount
Ag reed-To
Amount
6/1/15
Chairperson, U.S. Chemical 6/1/15
Safety and Hazard
Investigation Board
Chairperson, U.S. Chemical 6/1/15
Safety and Hazard
Investigation Board
Chairperson, U.S. Chemical 6/1/15
Safety and Hazard
Investigation Board
Chairperson, U.S. Chemical 6/1/15
Safety and Hazard
Investigation Board
Chairperson, U.S. Chemical 6/1/15
Safety and Hazard
Investigation Board
1 0 = Recommendation is open with agreed-to corrective actions pending.
C = Recommendation is closed with all agreed-to actions completed.
U = Recommendation is unresolved with resolution efforts in progress.
15-P-0073
17
-------�
Appendix A
CSB's Response to Draft Report
December 1, 2014
Rudy Brevard
Director, IRM Audits
U.S. Environmental Protection Agency
Office of Inspector General
1200 Pennsylvania Ave
Washington, DC 20460
Dear Mr. Brevard:
Thank you for the opportunity to review and comment on the draft report on the CSB's compliance with
the Federal Information Security Management Act (FISMA) for fiscal year 2014.
The CSB takes information security weaknesses seriously and works diligently each year to address the
recommendations from the FISMA audits. While the CSB agrees overall with the findings and
recommendations from this most recent report, the following is a detailed discussion of our concerns
(grouped by chapter title), which we hope you will take into consideration.
Improvements Needed in CSB's Information Security Planning
The report states that "CSB representatives indicated they have started to develop some aspects of the
organization's RMF strategy." As part of the documentation submitted during the audit, the CSB
provided a full draft Risk Management Framework (RMF) program document which we are in the
process of implementing. Indeed, many of the recommendations from this section of the report are
addressed in this program document. Consequently, we believe the background for this finding
understates the current status of the CSB's work towards full compliance.
Nevertheless, the agency certainly agrees with the importance of implementing this program and
associated documentation, and will be working as quickly as possible to address these issues. Please find
our plan of action and milestones attached.
Improvements Needed in CSB's Server Room Security Controls
The report states that CSB "did not believe that a visitor access record was necessary because non-IT
CSB personnel do not frequently visit the CSB server room ...." The CSB server room is in fact off
limits to non-IT personnel. It is kept locked behind a cipher lock door 24/7 and is inaccessible to non-IT
staff without a member of the IT staff present. The agency misinterpreted this to be a control
enhancement over the security control; however, we now understand this to be insufficient.
Consequently, we have added a visitor log to these rooms, as noted in the attached POA&M.
Known Vulnerabilities Threaten the Security of CSB's Network
The CSB will be working diligently to appropriately detail vulnerabilities in the Plan of Action and
Milestones, as recommended in the draft report, and has already made a change to regularly scan all
devices, including printers.
15-P-0073
18
-------�
Improvements Needed Over IT Assets Inventory
The report mentions approximately 90 missing items in the inventory system; however, it makes no
mention of the 10-year time period over which these items were lost. One of the items, for instance, was
a Nikon digital camera stolen in the fall of 2004. Without this detail, the reader may assume that these
items went missing in the course of one year which would certainly be indicative of a problem.
The report also states that the property inventory reports list eight (8) percent of the organization's
inventory as lost. Since we don't purge the inventory of lost items, but do de-inventory obsolete/surplus
items every year, this percentage is misleading. If this analysis factored in all the equipment we de-
inventoried as well, the percentage of lost items in the database would indeed be much lower.
The conclusion that CSB's IT property is "highly susceptible" to potential misappropriation appears
overstated given the level of lost devices in a 10-year period. We agree with the recommendations and
are working to address these issues and improve our inventory program.
The attached table summarizes CSB's plan of action for each recommendation. As you will note, the
CSB has already completed two (2) of the recommendations and will be working aggressively to
complete the balance within the next six (6) months.
If you or your staff have any questions about this response, please feel free to contact our CIO, Charlie
Bryant, at 202-261-7666.
Sincerely,
Rafael Moure-Eraso, Ph.D.
Chairperson & CEO
15-P-0073
19
-------�
Number
Recommendation
Planned/Completed
Action
2014-01
Update the GSS SSP to be compliant with the latest NIST
guidance on privacy and information security controls for
federal systems.
By March 30, 2015:
Update GSS SSP
2014-02
Create a policy and procedure that requires that all CSB
information SSPs are to be reviewed annually and updated
based on changes to federal guidance.
By March 30, 2015:
Finalize RMF policy and
procedure
2014-03
Perform an annual review of all CSB information SSPs
and document the review.
By March 30, 2015:
Implement RMF policy and
procedure
2014-04
Develop and implement a risk management framework for
continuous monitoring of CSB information systems.
By March 30, 2015:
Implement RMF policy and
procedure
2014-05
Create a visitor access record for the server room or
document the acceptance of the risk in the GSS SSP.
Completed.
Created and posted visitor
log in server room
2014-06
Require the Authoring Official to reauthorize the GSS
SSP to formally accept the risks for all federally required
unimplemented privacy and information security controls.
By March 30, 2015:
Finalize RMF policy and
procedure
2014-07
Develop and implement a strategy to be able to conduct
an orderly shutdown of CSB servers in the event of a
power outage when IT personnel are not present.
By June 1,2015:
Develop and implement
automated emergency
shutdown procedures for
servers
2014-08
Create plans of action and milestones for when CSB
would either update or replace all systems with known
vulnerabilities.
By June 1,2015:
Add POA&M items to
update or replace any
system with a known
vulnerability
2014-09
Update the GSS SSP and have the authorizing official
formally accept the risks of operating systems with known
vulnerabilities when the organization made a risk-based
decision to accept the risks.
By March 30, 2015:
Update GSS SSP
2014-10
Update the organization's vulnerability testing
methodology to test all devices connected to the network.
This should include all printers and multifunctioning
devices.
Completed.
Include all network devices
in the vulnerability scans
2014-11
Implement processes where employees are not performing
incompatible property accountability duties.
By June 1,2015:
Update inventory policies
and procedures
15-P-0073
20
-------�
2014-12
Implement compensating controls to mitigate the risks for
having one employee responsible for entering, altering
and deleting information within the CSB inventory system
without detection if segregating the property
accountability duties are not possible.
By June 1,2015:
Update inventory policies
and procedures
2014-13
Develop and implement policies and procedures for
safeguarding inventory from waste, loss, unauthorized
use, or misappropriation
By June 1,2015:
Update inventory policies
and procedures
2014-14
Conduct a review of all items recorded as lost within the
CSB inventory system and make a determination
regarding the status of the items.
By June 1,2015:
Conduct review of lost
items and document final
determination of these items
2014-15
Initiate actions to recover the costs for lost items if CSB
determines the item was lost due to employee negligence.
By June 1,2015:
Update inventory policies
and procedures
2014-16
Update the CSB inventory system with a description for
the items designated as lost.
By June 1,2015:
Update inventory database
2014-17
Make a determination whether lost items should be
removed from the CSB inventory system.
By June 1,2015:
Conduct review of lost
items and document final
determination of these items
15-P-0073
21
-------�
Appendix B
Distribution
Chairperson and Chief Executive Officer, U.S. Chemical Safety and Hazard Investigation Board
Chief Information Officer, U.S. Chemical Safety and Hazard Investigation Board
Deputy Chief Information Officer, U.S. Chemical Safety and Hazard Investigation Board
Managing Director, U.S. Chemical Safety and Hazard Investigation Board
Deputy Managing Director for Administration, U.S. Chemical Safety and Hazard
Investigation Board
Director of Administration, U.S. Chemical Safety and Hazard Investigation Board
Deputy Director of Administration, U.S. Chemical Safety and Hazard Investigation Board
15-P-0073
22
-------� |