« U.S. Environmental Protection Agency 2007-P-00019 Office of Inspector General Apnl 23 2007 At a Glance Catalyst for Improving the Environment Why We Did This Review We sought to determine whether the U.S. Chemical Safety and Hazard Investigation Board's (CSB's) information security program complies with the Federal Information Security Management Act (FISMA). We also sought to determine whether CSB complied with Office of Management and Budget (OMB) Memorandum M-06-16 requirements for protecting sensitive information. Background The Office of Inspector General (OIG) contracted with KPMG, LLP to assist in performing the Fiscal Year 2006 FISMA independent evaluation of the CSB information security program, and the Agency's efforts to protect its sensitive information. This evaluation adheres to the OMB reporting guidance for micro-agencies, which CSB is considered. For further information, contact our Office of Congressional and Public Liaison at (202) 566-2391. To view the full report, click on the following link: www.epa.aov/oia/reports/2007/ 20070423-2007-P-00019.pdf Evaluation of U.S. Chemical Safety and Hazard Investigation Board's Compliance with the Federal Information Security Management Act and Efforts to Protect Sensitive Agency Information (Fiscal Year 2006) What KPMG Found In Fiscal Year 2006, CSB made significant changes that enhanced the security of information system resources. CSB reorganized its Information Technology department by promoting and hiring key management officials. CSB also consolidated three information system functions into one Agency-owned General Support System (GSS) that mitigated a portion of the prior year weakness related to the implementation of security controls. The new GSS was certified and accredited for the operating environment. Further, CSB took steps to correct all of the security weaknesses identified during Fiscal Year 2005. However, KPMG found areas where CSB could further strengthen its information security program. KPMG found that: • CSB's new consolidated GSS Security Plan did not address many of the Federal requirements prescribed by the National Institute of Standards and Technology. CSB also had not tested the new GSS' security controls for effectiveness. In addition, CSB had not assigned a risk categorization to the GSS in accordance with Federal requirements. • While CSB reported a computer theft to the Federal Protective Service and the local police department, the incident was not reported to the United States Computer Emergency Readiness Team. Additionally, the theft was not documented in a formal incident report as required by CSB policy. • CSB had not identified or implemented policies and procedures that address the protection of sensitive personally identifiable information. • Although checklists are used to set up computers, there is no policy that mandates the use of the checklists, and the checklists did not contain security configuration settings. In addition, CSB had not developed an Agency-wide security configuration policy. • CSB had not tested the GSS' contingency plan during Fiscal Year 2006 and the content of the plan needs improvement. Further, CSB had not conducted an e-authentication risk assessment. ------- |