U.S. Environmental Protection Agency
Office of Inspector General
2006-P-00005
December 14, 2005

At a Glance

Catalyst for Improving the Environment

Why We Did This Review

We sought to determine whether the U.S. Environmental Protection Agency's (EPA) current physical access and service continuity/contingency controls for selective applications at the Research Triangle Park (RTP) campus adhere to Federal and EPA guidelines.

Background

The Office of Inspector General (OIG) contracted with KPMG, LLP, to audit physical access controls and service continuity/contingency planning controls for select financial and mixed-financial systems hosted at EPA's RTP campus. Physical access controls protect EPA's resources from unauthorized access, theft, or destruction. Service continuity/contingency controls ensure that EPA can continue operations of critical financial and mixed-financial applications should an outage occur.

For further information, contact our Office of Congressional and Public Liaison at (202) 566-2391.

To view the full report, click on the following link: www.epa.gov/oig/reports/2006/20051214-2006-P-00005.pdf

EPA Could Improve Physical Access and Service Continuity/Contingency Controls for Financial and Mixed-Financial Systems Located at its Research Triangle Park Campus

What KPMG Found

Physical Access. Controls needed to be improved in areas such as visitor access to facilities, use of contractor access badges, and general physical access to the National Computer Center (NCC), computer rooms outside the NCC, and media storage rooms.

Service Continuity/Contingency. Controls needed to be improved in areas such as completing a Business Impact Analysis, application contingency plans, authorizing to move backup data between key facilities, and environmental controls.

In many cases, EPA has in place compensating controls that help reduce the risk of the above issues. However, KPMG believes that controls can be improved to further reduce the risks.

What KPMG Recommends

KPMG recommends that EPA:

- Improve controls, processes, and procedures related to physical access to the RTP campus and associated facilities.
- Improve controls, processes, and procedures related to moving tape backups between key facilities.
- Provide additional training regarding physical access and service continuity planning.
- Revisit the service continuity strategies for key applications to ensure that all necessary recovery strategies and efforts are ranked in terms of priority, then developed, documented, implemented, and tested.
- Improve environmental controls at key RTP facilities.