U.S. Environmental Protection Agency	12-P-0879
Office of Inspector General	September 20, 2012
At a Glance
Why We Did This Review
The U.S. Environmental
Protection Agency (EPA) Office
of Inspector General (OIG)
conducted this audit to assess
the security posture and
in-place environmental controls
of the computer rooms in the
EPA Ariel Rios and Potomac
Yard buildings in Washington,
DC, and Arlington, Virginia,
respectively. This audit was
conducted in support of the
audit of EPA's directory service
system authentication and
authorization servers.
This report addresses the
following EPA Goal or
Cross-Cutting Strategy:
• Strengthening EPA's
workforce and capabilities.
EPA's Office of Environmental Information
Should Improve Ariel Rios and Potomac Yard
Computer Room Security Controls
For further information, contact
our Office of Congressional and
Public Affairs at (202) 566-2391.
What We Found
The security posture and in-place environmental control review of the computer
rooms in the Ariel Rios and Potomac Yard buildings revealed numerous security
and environmental control deficiencies. These control deficiencies greatly reduce
the ability of the Office of Environmental Information (OEI) to safeguard critical
information technology assets and associated data from the risk of damage
and/or loss.
Recommendations/Planned Agency Corrective Actions
We recommended in our draft report that OEI remediate physical and
environmental control deficiencies. Following the issuance of the draft report, OEI
provided a corrective action plan with milestone dates to address agreed-upon
recommendations. In its response, OEI agreed with recommendations 1 and 2,
and stated that it had completed corrective actions for recommendation 1. OEI
did not agree with recommendations 3 and 4 because it asserts that the Office of
Administration and Resources Management bears responsibility for remediation
for these recommendations. For recommendation 5, OEI did not agree because it
stated that it is already monitoring environmental variable information which
would alert it to the presence of a computer room water leakage. During the
audit, the OIG requested policies and procedures that address limiting water
damage to IT assets. OEI did not provide any documentation in response to this
request and the OIG concluded that such policies did not exist.
We consider recommendation 1 closed with agreed-upon corrective actions
complete. Recommendation 2 is open with agreed-upon corrective actions
pending. The OIG believes that OEI bears the responsibility for addressing
recommendations 3, 4, and 5 because it is responsible for managing IT assets in
the Ariel Rios and Potomac Yard computer rooms. We consider
recommendations 3, 4, and 5 unresolved with resolution efforts in progress.
The full report is at:
www.epa.gov/oig/reports/2012/20120926-12-P-0879.pdf
