OFFICE OF INSPECTOR GENERAL
Catalyst for Improving the Environment

Audit Report

Information Security Series: Security Practices
Safe Drinking Water Information System

Report No. 2006-P-00021
March 30, 2006

Report Contributors:
Rudolph M. Brevard
Charles Dade
Neven Morcos
Jefferson Gilkeson
Scott Sammons

Abbreviations
ASSERT  Automated Security Self-Evaluation and Remediation Tracking Tool
C&A     Certification and Accreditation
EPA     U.S. Environmental Protection Agency
FISMA   Federal Information Security Management Act
NCC     National Computer Center
OIG     Office of Inspector General
OMB     Office of Management and Budget
OW      Office of Water
POA&M   Plan of Action and Milestones
RTP     Research Triangle Park
SDWIS   Safe Drinking Water Information System

U.S. Environmental Protection Agency
Office of Inspector General

At a Glance
2006-P-00021
March 30, 2006
Catalyst for Improving the Environment

Why We Did This Review

As part of our annual audit of the Environmental Protection Agency's (EPA's) compliance with the Federal Information Security Management Act (FISMA), we reviewed the security practices for a sample of key Agency information systems, including the Office of Water's (OW's) Safe Drinking Water Information System (SDWIS).

Background

FISMA requires agencies to develop policies and procedures commensurate with the risk and magnitude of harm resulting from the malicious or unintentional damage to the Agency's information assets. SDWIS supports EPA's initiative to protect public health by allowing EPA to provide a repository of national public drinking water data to interested stakeholders.

For further information, contact our Office of Congressional and Public Liaison at (202) 566-2391.
To view the full report, click on the following link: www.epa.gov/oig/reports/2006/20060330-2006-P-00021.pdf

Information Security Series: Security Practices
Safe Drinking Water Information System

What We Found

We found that the Office of Water (OW) substantially complied with many of the information security controls reviewed and had implemented practices to ensure production servers are monitored for known vulnerabilities, physical access controls are adequate, and personnel with significant security responsibility completed the Agency's recommended specialized security training. However, we found that the Safe Drinking Water Information System (SDWIS), a major application, did not have complete certification and accreditation documents. In addition, the contingency plan did not contain all elements specified by Federal and Agency requirements. OW officials could have discovered the identified weaknesses had the office reviewed its implemented practices for completing these requirements. As a result, SDWIS had security control weaknesses that could affect OW's operations, assets, and individuals.

What We Recommend

We recommend that the SDWIS System Owner:
• Complete the independent review of security controls, complete a full formal risk assessment of SDWIS, and update the certification and accreditation package.
• Update and test the SDWIS contingency plan and implement a process to periodically test and maintain the plan.
• Develop a Plan of Action and Milestones in the Agency's security weakness tracking system (ASSERT database) for all noted deficiencies.

We recommend that the OW Information Security Officer:
• Conduct a review of OW's information security oversight processes.

OW agreed with the report's findings, indicated that it was in the process of completing the risk assessment, and expected to complete the assessment by the end of March 2006. OW also stated it would update and test the SDWIS contingency plan as a follow-up to the formal risk assessment. OW expressed concerns that some of the findings could give a misleading picture of the security of SDWIS at the time of our review and we updated the report to reflect efforts OW took to address the findings. OW's complete response is in Appendix A.

UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
OFFICE OF INSPECTOR GENERAL

March 30, 2006

MEMORANDUM

SUBJECT: Information Security Series: Security Practices
         Safe Drinking Water Information System
         Report No. 2006-P-00021

FROM: Rudolph M. Brevard /s/
      Director, Information Technology Audits

TO: Benjamin H. Grumbles
    Assistant Administrator for Water

This is our final audit report on the information security controls audit of the Office of Water's Safe Drinking Water Information System. This audit report contains findings that describe problems the Office of Inspector General (OIG) has identified and corrective actions the OIG recommends. This audit report represents the opinion of the OIG, and the findings in this audit report do not necessarily represent the final Environmental Protection Agency (EPA) position. EPA managers, in accordance with established EPA audit resolution procedures, will make final determinations on matters in this audit report.

Action Required

In accordance with EPA Manual 2750, you are required to provide a written response to this report within 90 calendar days of the date of this report. You should include a corrective action plan for agreed upon actions, including milestone dates.

We have no objection to further release of this report to the public. For your convenience, this report will be available at http://www.epa.gov/oig.

If you or your staff has any questions regarding this report, please contact me at (202) 566-0893.
Table of Contents

At a Glance
Purpose of Audit
Background
Scope and Methodology
SDWIS' Compliance with Federal and Agency Security Requirements
    Certification and Accreditation
    Contingency Planning
Recommendations
Agency Comments and OIG Evaluation

Appendices
A  Agency Response to Draft Report
B  Distribution

Purpose of Audit

Our objective was to determine whether the Office of Water's (OW's) Safe Drinking Water Information System (SDWIS) complied with Federal and Agency information system security requirements. SDWIS supports EPA's initiative to protect public health by allowing EPA to provide a repository of national public drinking water data to interested stakeholders to enable them to monitor the quality of the Nation's drinking water.

Background

We conducted this audit pursuant to Title III of the E-Government Act of 2002, commonly referred to as the Federal Information Security Management Act (FISMA). FISMA requires the Agency to develop policies and procedures commensurate with the risk and magnitude of harm resulting from the malicious or unintentional damage to the Agency's information assets. EPA's Chief Information Officer is responsible for establishing and overseeing an Agency-wide program to ensure the security of its network infrastructure consistent with these requirements. Program offices are responsible for managing the implementation of these security requirements within their respective organizations. Program offices should create a Plan of Action and Milestones (POA&M) when they identify security control weaknesses. The POA&M, which documents the planned remediation process, is recorded in the Agency's Automated Security Self-Evaluation and Remediation Tracking (ASSERT) tool. ASSERT is used to centrally track remediation of weaknesses associated with information systems and serves as the Agency's official record for POA&M activity.

FISMA requires the Inspector General, along with the EPA Administrator, to report annually to the Office of Management and Budget (OMB) on the status of EPA's information security program. The OIG provided the results of its review to OMB in Report No. 2006-S-00001, Federal Information Security Management Act, Fiscal Year 2005 Status of EPA's Computer Security Program.

During our annual FISMA review, we selected one major application each from five EPA program offices and reviewed the office's security practices surrounding these applications. Our review noted instances where EPA could improve its security practices overall and the OIG reported the results to EPA's Chief Information Officer in Report No. 2006-P-00002, EPA Could Improve Its Information Security by Strengthening Verification and Validation Processes.

This audit report is one in a series of reports being issued to the five program offices that had an application reviewed. This report addresses findings and recommendations related to security practice weaknesses identified in OW. In particular, this report summarizes our results regarding how OW implemented Federal and EPA information security policies and procedures. This report also includes our evaluation of how OW implemented, tested, and evaluated information security controls to ensure continued compliance with Federal and Agency requirements for selected security objectives. The Scope and Methodology section contains the specific security objectives we audited.

Scope and Methodology

We conducted our field work from March 2005 to July 2005 at EPA Headquarters in Washington, DC, and the National Computer Center (NCC), Research Triangle Park (RTP), North Carolina. We interviewed Agency officials at both locations and contract employees at the NCC. We reviewed relevant Federal and Agency information security standards. We reviewed application security documentation to determine whether it complied with selected standards. We reviewed system configuration settings and conducted vulnerability testing of servers for known vulnerabilities. We reviewed training records for personnel with significant security responsibilities.

During the audit, OW was operating two production versions of SDWIS:
• SDWIS-current, a mainframe-based application hosted at the NCC in RTP, North Carolina; and
• SDWIS-modern, a Web-enabled, tiered application also hosted at the NCC in RTP, North Carolina.

OW replaced SDWIS-current with the SDWIS-modern system. When OW placed the SDWIS-modern system into production, the office operated it in parallel with the SDWIS-current application. We only evaluated the SDWIS-modern application for compliance with Federal and Agency requirements, and all references to SDWIS in this report pertain to the SDWIS-modern application.

We assessed the following security practices for SDWIS:
• Security Certification and Accreditation (C&A) practices — We reviewed SDWIS' C&A package to determine whether the security plan was updated and re-approved at least every 3 years and the application was reauthorized at least every 3 years, as required by OMB Circular A-130 and EPA policy.
• Application contingency plans — We reviewed SDWIS' contingency planning practices to determine whether it complied with requirements outlined in EPA Directive 2195A1 (EPA Information Security Manual), National Institute of Standards and Technology Special Publication 800-34 (Contingency Planning Guide for Information Technology Systems), and EPA Procedures Document (Procedures for Implementing Federal Information Technology Security Guidance and Best Practices).
• Security controls — We reviewed two areas of security controls: (1) system vulnerability monitoring, which included conducting vulnerability testing, and (2) physical access controls. OW operates SDWIS servers in its Washington, DC, Headquarters and at the NCC in RTP. At the Headquarters office, we evaluated the location for both system vulnerability monitoring and physical access controls. At the NCC, we only evaluated system vulnerability monitoring. We did not evaluate physical access controls at the NCC, because the NCC was undergoing an audit of these controls at the time of our review. This audit identified instances where EPA could improve its physical controls at RTP and the OIG reported the results in Report No. 2006-P-00005, EPA Could Improve Physical Access and Service Continuity/Contingency Controls for Financial and Mixed-Financial Systems Located at its Research Triangle Park Campus.
• Annual Training Requirements — We reviewed whether employees with significant security responsibilities satisfied annual training requirements.

We conducted this audit in accordance with Government Auditing Standards, issued by the Comptroller General of the United States.

SDWIS' Compliance with Federal and Agency Security Requirements

The SDWIS production servers were being monitored for known vulnerabilities, physical access controls were adequate, and personnel with significant security responsibility had completed the Agency's recommended specialized security training. Our audit (1) noted that SDWIS had weaknesses related to key security practices, and (2) highlighted areas where OW should place more emphasis to comply with established information security requirements. OW officials could have discovered these weaknesses had they implemented procedures to ensure that Federal and Agency information security requirements were followed. In particular, SDWIS had the following information security planning weaknesses:
• The C&A package did not contain a completed independent review of SDWIS' security controls and a completed full formal risk assessment.
• The contingency plan did not contain fully developed essential elements identified by Federal and Agency guidance and was not tested.
Preparing and maintaining updated C&A documents and contingency plans help to ensure the Agency's network infrastructure is adequately protected. These widely recognized preventive controls aid in reducing the likelihood that security incidents will occur, and by not emphasizing these key security controls, OW places the integrity and availability of SDWIS at risk. In addition, testing these controls provides management with assurance that the controls are adequately implemented and working as intended. For example, an inadequately designed security control could result in a breach in SDWIS' security and result in reduced system availability or affect the integrity of the system's data. This could hinder the ability of Federal officials and other stakeholders to use SDWIS to monitor the quality of the Nation's drinking water.

Certification and Accreditation

We found areas where OW could implement more comprehensive procedures to ensure C&A documents are complete. Specifically, the system owners had not conducted an independent review of SDWIS' security controls and performed a full formal risk assessment of SDWIS prior to authorizing the application for operation as required by Federal and Agency guidance.

The information used by OW officials to make the initial authorization decision is contained in the SDWIS C&A package, which includes documents such as the most recent system security plan, authorization for operation, test of implemented security controls, and risk assessment. These documents support the OW risk management process and are necessary for senior OW officials to decide whether SDWIS' security controls are sufficient, and if adjustments to security controls are necessary before authorizing SDWIS for operation.

During our audit, OW was conducting a Capital Planning and Investment Control review of SDWIS. OW officials indicated that the review highlighted the need to conduct a risk assessment, and to prepare and implement a risk management plan for all aspects of SDWIS. OW officials indicated an assessment would identify weaknesses that need to be addressed, and that they will address these through a process of defining each weakness and establishing a POA&M to deal with each one. OW officials indicated the risk assessment would be completed in March 2006.

Contingency Planning

We found that OW could improve its contingency planning procedures for SDWIS. Although OW had included a contingency planning section in the SDWIS security plan, OW had not fully developed the plan to include essential elements that make up an effective contingency plan as outlined in Federal and Agency guidance. In addition, OW had not conducted a test of the contingency planning procedures outlined in the security plan. OW stated that they would update and test the SDWIS contingency plan as a follow-up to the formal risk assessment performed during March 2006.

An effective contingency plan should include supporting information, a notification/activation phase, a recovery phase, and a reconstitution phase. Federal and EPA standards require that plans be (1) reviewed and tested annually, and (2) updated as necessary when changes in business needs, technology, or new internal or external policies occur. Testing the plan would enable OW to become familiar with the recovery steps and help management identify where additional emphasis is needed.

Recommendations

We recommend that the Safe Drinking Water Information System (SDWIS) System Owner:

1. Complete the independent review of SDWIS' security controls, complete a full formal risk assessment of SDWIS, and update the certification and accreditation package in accordance with Federal and Agency requirements.

2. Update and test the SDWIS contingency plan in accordance with Federal and EPA requirements; implement a process to test the plan annually; and update the contingency plan whenever significant changes occur to the system, supported business processes, key personnel, or the contingency plan itself.

3. Develop a Plan of Action and Milestones in the Agency's security weakness tracking system (ASSERT database) for all noted deficiencies.

We recommend that the Office of Water (OW) Information Security Officer:

4. Conduct a review of the information security oversight processes within OW and develop and implement a plan to implement needed process improvements.

Agency Comments and OIG Evaluation

The Office of Water (OW) agreed with our finding that the Safe Drinking Water Information System (SDWIS) had not undergone a risk assessment and the office indicated that it has plans to complete the assessment. OW did not agree that SDWIS' security plan did not accurately reflect the system's appropriate operational status, citing differences between how OW and the EPA's Chief Information Officer define a "production" system. OW contends that at the time of our review, SDWIS did not have substantiated data in the system and provided additional detail regarding SDWIS' implementation. We modified the report to update the section related to SDWIS' operational status and to reflect efforts OW took to address the findings.

OW did not agree with our finding that SDWIS did not have a contingency plan and provided additional information on the system's plan. Although OW documented some contingency planning information, our research disclosed that the information provided was not fully developed as required by Federal and Agency requirements. OW's complete response is in Appendix A.

Appendix A
Agency Response to Draft Report

MEMORANDUM

SUBJECT: Draft Audit Report
         Information Security Series: Security Practices
         Safe Drinking Water Information System
         Assignment No. 2005-000661

FROM: Benjamin H. Grumbles
      Assistant Administrator, Office of Water

TO: Rudolph M. Brevard
    Director, Information Technology Audits

Thank you for the opportunity to respond to the draft Audit Report on Security Practices pertaining to the Safe Drinking Water Information System (SDWIS). While we found your review instructive relative to the requirements of the Federal Information Security Management Act (FISMA), we believe that your draft Audit Report gives a misleading picture of the security of SDWIS at the time of your review. At the time of your review, the Office of Water (OW) had in place approved security plans consistent with the status of the various system components. As you know, OW has been modernizing the entire SDWIS data flow since 2001, and that modernization was still underway at the time you conducted your review.

Key points that I believe conflict with your office's evaluation include:

Even though SDWIS/Federal (the system in use at the time of your review) and SDWIS/Operational Data System (ODS) (the system under development) were operating in parallel, the data in SDWIS/ODS were test data and were not available to the public, peers, educational institutions or other federal agencies. These data were strictly for test purposes, and were maintained in a separate test environment. Hence the SDWIS/ODS was under development as described in the OW security plan.

OW defines "production" differently than the Office of Environmental Information (OEI). OEI defines a system as in "production" when the relevant server is connected to the network. However, OW does not consider a system to be in production until we have substantiated data that we can provide to our peers. In the case of SDWIS/ODS, at the time of your review, OW did not have substantiated data in the system, and thus we did not consider the system to be in production.
The SDWIS security plan in place at the time of your review appropriately covered SDWIS in its status of "under development," and included a contingency planning process.

I would also like to note that at the time of your review, OW was also responding to the Office of Management and Budget's Capital Planning and Investment Control (CPIC) review of SDWIS. The CPIC review highlighted the need to conduct a risk assessment, and to prepare and implement a risk management plan for all aspects of SDWIS. We are in the process of completing that assessment now and expect to be finished in March 2006.

In addition, as required by FISMA, OW has been conducting a self-assessment of SDWIS. The results of this self-assessment will be documented in the Agency's Automated Security Self Evaluation and Remediation Tracking (ASSERT) system. Along with the self-assessment, Plans of Actions and Milestones will be documented in ASSERT. OW expects to complete this effort by the end of March 2006. The information in ASSERT will be used by OW for continuous monitoring of the overall security of SDWIS, in keeping with the use of ASSERT as the Agency's standard for implementing continuous security self-assessments. For example, OW undertakes tabletop exercises, and documents the results of those exercises in ASSERT, as part of our annual contingency planning.

We look forward to continuing to work with you and your staff on these important issues. We will also be sending you under separate cover a more detailed set of technical comments for your consideration. If you or your staff have any questions regarding this response, please contact Steve Heare, Director, Drinking Water Protection Division, at 202-564-7992 or Terry Howard, OW Information Security Officer, at 202-564-0385.

Appendix B
Distribution

Office of the Administrator
Assistant Administrator for Water
Acting Assistant Administrator for Environmental Information
Acting Director, Technology and Information Security Staff
Audit Followup Coordinator, Office of Water
Audit Followup Coordinator, Technology and Information Security Staff
Agency Followup Official (the CFO)
Agency Followup Coordinator
General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for Public Affairs
Acting Inspector General