At a Glance: Key Aspects of CSB Information Security Program Need Improvement


February 3, 2015
*	• U.S. Environmental Protection Agency	15-P-0073
mm "z Office of Inspector General
mZ I
At a Glance
Why We Did This Review
We performed this audit to
assess the U.S. Chemical
Safety and Hazard
Investigation Board's (CSB's)
compliance with the Federal
Information Security
Management Act of 2002
(FISMA).
FISMA requires federal
agencies to develop an
information security program
that protects the operations and
assets of the agency. The
Inspector General is to perform
an annual independent
evaluation of the security
program.
This report addresses the
following CSB goal:
• Preserve the public trust by
maintaining and improving
organizational excellence.
Key Aspects of CSB Information Security
Program Need Improvement
Send all inquiries to our public
affairs office at (202) 566 2391
or visit www.epa.gov/oiq.
The full report is at:
www.epa.qov/oiq/reports/2015/
20150203-15-P-0073.pdf
What We Found
CSB should improve key aspects of its information
security program to better manage practices
related to information security planning, physical
and environmental security controls, its
vulnerability testing process, and internal controls
over its information technology inventory.
CSB's ability to increase
its situational awareness
and reduce risk exposure
is challenged by its lack
of a real-time continuous
monitoring strategy.
The National Institute of Standards and Technology provides guidance for how
federal organizations should continuously monitor security control effectiveness
and remediate vulnerabilities. Office of Management and Budget Circular A-123,
Management's Responsibility for Internal Control, provides guidance on how
federal programs should develop internal controls to ensure that they achieve
their desired objectives.
Federal information systems are subject to threats, including environmental
disruptions, human and/or machine errors, and purposeful attacks. If CSB
information technology inventory is stolen or its network breached, CSB data,
information and configurations may be exposed.
Recommendations and Planned CSB Corrective Actions
We recommend that CSB update and maintain its system security plan,
implement a risk management framework, create a visitor access record for the
server room, formally accept risk of unimplemented privacy and security controls
and vulnerabilities, and develop a process for orderly shutdown of critical
information technology assets. We also recommend that CSB create plans to
remediate systems with known vulnerabilities and expand its monthly
vulnerability testing process to include all assets attached to the network. Further,
we recommend that CSB improve its inventory control practices to ensure
personnel do not perform incompatible duties, provide policies and procedures
for safeguarding inventory, review and document lost items, and recover costs for
lost items due to employee negligence.
CSB concurred with our recommendations and provided corrective actions with
estimated completion dates for each recommendation. All 17 recommendations
we made are resolved and corrective actions are completed or ongoing.
Noteworthy Achievements
CSB took significant action to implement processes to eliminate excessive
electronic device inventory and to document management's justification for
assigning multiple electronic devices to certain CSB personnel.

-------