U.S. Environmental Protection Agency	2006-P-00005
Office of Inspector General	December 14, 2005

At a Glance
Catalyst for Improving the Environment
Why We Did This Review
We sought to determine whether the U.S. Environmental Protection Agency's (EPA) current physical access and service continuity/contingency controls for selective applications at the Research Triangle Park (RTP) campus adhere to Federal and EPA guidelines.
Background
The Office of Inspector General (OIG) contracted with KPMG, LLP, to audit physical access controls and service continuity/contingency planning controls for select financial and mixed-financial systems hosted at EPA's RTP campus. Physical access controls protect EPA's resources from unauthorized access, theft, or destruction. Service continuity/contingency controls ensure that EPA can continue operations of critical financial and mixed-financial applications should an outage occur.
For further information, contact our Office of Congressional and Public Liaison at (202) 566-2391.
To view the full report, click on the following link:
www.epa.gov/oig/reports/2006/20051214-2006-P-00005.pdf
EPA Could Improve Physical Access and Service Continuity/Contingency Controls for Financial and Mixed-Financial Systems Located at its Research Triangle Park Campus
What KPMG Found
Physical Access. Controls needed to be improved in areas such as visitor access
to facilities, use of contractor access badges, and general physical access to the
National Computer Center (NCC), computer rooms outside the NCC, and media
storage rooms.
Service Continuity/Contingency. Controls needed to be improved in areas such
as completing a Business Impact Analysis, application contingency plans,
authorization to move backup data between key facilities, and environmental
controls.
In many cases, EPA has in place compensating controls that help reduce the risk
of the above issues. However, KPMG believes that controls can be improved to
further reduce the risks.
What KPMG Recommends
KPMG recommends that EPA:
• Improve controls, processes, and procedures related to physical access to
  the RTP campus and associated facilities.
• Improve controls, processes, and procedures related to moving tape
  backups between key facilities.
• Provide additional training regarding physical access and service
  continuity planning.
• Revisit the service continuity strategies for key applications to ensure that
  all necessary recovery strategies and efforts are ranked in terms of
  priority, then developed, documented, implemented, and tested.
• Improve environmental controls at key RTP facilities.
