U.S. Environmental Protection Agency
Office of Inspector General
Report No. 12-P-0899
September 27, 2012

At a Glance

Improvements Needed in EPA's Network Security Monitoring Program

Why We Did This Review

The U.S. Environmental Protection Agency (EPA) Office of Inspector General (OIG) conducted this audit to (1) identify which tools EPA uses to identify, analyze, and resolve cyber-security incidents; (2) identify the steps implemented to resolve known weaknesses in its incident response capabilities; and (3) evaluate how users report security incidents.

Continually monitoring network threats through intrusion detection and prevention systems and other mechanisms is essential. Establishing clear procedures for assessing the current and potential business impact of incidents is critical, as is implementing effective methods of collecting, analyzing, and reporting data.

This report addresses the following EPA Goal or Cross-Cutting Strategy:
• Strengthening EPA's Workforce and Capabilities

For further information, contact our Office of Congressional and Public Affairs at (202) 566-2391.

The full report is at: www.epa.gov/oig/reports/2012/20120927-12-P-0899.pdf

What We Found

EPA's deployment of a Security Incident and Event Management (SIEM) tool did not comply with EPA's system life cycle management procedures, which require that project planning cover the resources needed, schedules, and structured training sessions. EPA did not develop a comprehensive deployment strategy that brings all of EPA's offices into the SIEM environment, nor a formal training program on how to use the tool. When EPA staff are not able to use an information technology investment, the investment has limited value in meeting organizational goals and users' needs.

EPA does not have a computer security log management policy consistent with federal requirements. While EPA has a policy governing the minimum system auditing activities to be logged, it has yet to define a policy for audit log storage and disposal requirements, or for log management roles and responsibilities. Without one, EPA risks not having logged data available when it is needed (for example, during an incident investigation), and program officials may not implement the security controls that depend on it.

EPA did not follow up with staff to confirm whether corrective actions had been taken to address known information security weaknesses, and had not taken steps to address weaknesses identified by internal reviews as required. Known vulnerabilities that remain unremediated could leave EPA's information and assets exposed to unauthorized access.

Recommendations and Planned Agency Corrective Actions

We recommended that the Assistant Administrator for Environmental Information:
• develop and implement a strategy to incorporate EPA's headquarters program offices within the SIEM environment;
• develop and implement a formal training program for the SIEM tool;
• develop a policy, or revise the Agency's Information Security Policy, to comply with federal audit logging requirements; and
• appoint a central point of contact to track remediation of weaknesses identified by internal assessments.

Office of Environmental Information officials concurred with all recommendations and agreed to take corrective actions to address them.

Noteworthy Achievements

We found that EPA employees are aware of the procedures for reporting an information security incident when they experience one. Additionally, EPA has recently deployed technical tools to combat cyber-security attacks and to conduct forensic analysis of security activity.