U.S. Environmental Protection Agency
Office of Inspector General
11-P-0725
September 30, 2011

At a Glance

Catalyst for Improving the Environment

Why We Did This Review

The U.S. Environmental Protection Agency (EPA), Office of Inspector General (OIG), conducted this audit to identify technical vulnerabilities associated with the Agency's network devices located in EPA's Region 9 headquarters building, and to assess the security posture of the Region 9 computer room. Results of this audit were provided to the appropriate EPA officials who can then promptly remediate and/or document their planned actions to resolve the identified technical vulnerabilities and computer room security findings.

Background

This audit was conducted in support of the annual audit of EPA's compliance with the Federal Information Security Management Act.

Region 9 Technical and Computer Room Security Vulnerabilities Increase Risk to EPA's Network

What We Found

OIG technical vulnerability scans conducted at Region 9 headquarters revealed a multitude of high-risk and medium-risk vulnerabilities. These vulnerabilities were identified on Region 9 servers, desktops, and printers. The exploitation of unidentified and unremediated vulnerabilities could greatly impact the network security posture of Region 9 headquarters and/or the entire EPA network by exposing Agency data, information, and configurations to unauthorized access.

The OIG physical and environmental control review of the Region 9 computer room found that sufficient protections were not in place to safeguard critical information technology assets and associated data from the risk of damage and/or loss.

What We Recommend

We recommend that the Senior Information Official, Region 9:

• Remediate high-risk and medium-risk technical vulnerabilities
• Remediate physical and environmental control deficiencies

The full report is not available to the public due to the sensitive nature of its technical findings.
For further information, contact our Office of Congressional and Public Affairs at (202) 566-2391.