At a Glance: Fiscal Year 2013 Federal Information Security Management Act Report: Status of EPA's Computer Security Program


^£Dsrx
• A v
lSi
U.S. Environmental Protection Agency
Office of Inspector General
At a Glance
14-P-0033
November 26, 2013
Why We Did This Review
The U.S. Environmental
Protection Agency's (EPA's)
Office of Inspector General
(OIG) conducted this review to
assess the EPA's compliance
with the Federal Information
Security Management Act
(FISMA). FISMA requires
Inspectors General to prepare
an annual evaluation of their
agencies' information security
programs and practices.
The Department of Homeland
Security issued reporting
guidelines requesting
information on 11 information
system security practices within
federal agencies.
This report addresses the
following EPA theme:
• Embracing EPA as a high
performing organization.
Fiscal Year 2013 Federal Information Security
Management Act Report: Status of EPA's
Computer Security Program
The EPA's network
and data could be
exploited without
processes to evaluate
risks and timely
remediate
vulnerabilities. Data
processed by EPA
contractors could be
at risk because
adequate controls may
not be in place.
What We Found
The EPA has established an agencywide information
security program that assesses the security state of
information systems that is consistent with FISMA
requirements and applicable policy and guidelines for
the following areas:
•	Continuous Monitoring Management
•	Identity and Access Management
•	Incident Response and Reporting
•	Security Training
•	Plan of Action and Milestones
•	Remote Access Management
•	Contingency Planning
•	Security Capital Planning
However, the EPA should place more management emphasis on remediating
significant deficiencies found within the agency's configuration management, risk
management and contractor systems management practices. The agency should
take steps to:
•	Improve processes for timely remediation of scan result deviations.
•	Address risks from an organizational, mission and business, and
information system perspective.
•	Obtain sufficient assurance that security controls for contractor systems
are effectively implemented and comply with federal and organization
guidelines.
We briefed the agency on the results of our audit work and, where appropriate,
made adjustments to address its concerns.
For further information,
contact our public affairs office
at (202) 566-2391.
The full report is at:
www.epa.qov/oiq/reports/2014/
20131126-14-P-0033.pdf

-------