tfED STAf. *. U.S. Environmental Protection Agency 13-P-0307 Office of Inspector General June 28 2013 / rn \.o At a Glance Why We Did This Review This review was performed to assess the U.S. Chemical Safety and Hazard Investigation Board's compliance with the Federal Information Security Management Act of 2002. FISMA requires federal agencies to develop an information security program that protects the operations and assets of the agency. An annual independent evaluation of the program must be performed by the inspector general or an independent external auditor, who shall report the results to the Office of Management and Budget. The U.S. Environmental Protection Agency, Office of Inspector General, which also serves as the Inspector General for the CSB, contracted with KPMG LLP to perform this fiscal year 2012 evaluation. This report addresses the following CSB goal: • Preserve the public trust by maintaining and improving organizational excellence. For further information, contact our Office of Congressional and Public Affairs at (202) 566-2391. The full report is at: www.epa.qov/oiq/reports/2013/ 20130628-13-P-0307.pdf Evaluation of the U.S. Chemical Safety and Hazard Investigation Board's Compliance with the Federal Information Security Management Act (Fiscal Year 2012) What KPMG Found KPMG noted that the CSB has an information security program in place that appears to be functioning as designed. KPMG also noted that the CSB takes information security weaknesses seriously, as the CSB is performing vulnerability assessments on its network devices and security configuration assessments on a subset of its network devices. However, KPMG identified areas in which the CSB could improve upon its vulnerability scanning, patch and configuration management, device encryption, scanning software configuration, and inventory of IT assets. In addition to reviewing the CSB's information security practices, KPMG conducted a security assessment of key CSB system and network devices. As a result of this assessment, KPMG found un-patched network devices and mobile devices that were not encrypted, which elevated the CSB's risk of system and data compromise by unauthorized users. KPMG also identified that the scanning tool used by the CSB for providing visibility into its network devices was not providing adequate visibility for its IT devices included within its physical inventory. KPMG also identified 130 personal computers for a staff of 44 members, six decommissioned Blackberries, two decommissioned servers, and 57 obsolete assets identified in the prior year audit that were not retired, which could allow for misuse or loss of IT devices or data. KPMG is responsible for the content of the final audit report. The OIG performed the procedures necessary to obtain reasonable assurance about KPMG's independence, objectivity, qualifications, technical approach and audit results. Recommendations and CSB Corrective Actions KPMG recommends that the CSB take several actions to remediate the identified weaknesses. These include: • Patching network devices and implementing baseline configurations. • Implementing encryption on mobile assets and completing plans to implement tools for continuous monitoring of network devices. The CSB agreed with the report's findings and recommendations. The CSB asserted that it was in the process of implementing the baseline configurations during the audit and will have the baseline configurations implemented by September 30, 2013. The CSB provided agreed-upon corrective actions for all the recommendations. ------- |