$
<
33
\

T>
2
O
'¦*> /
PRO**4,
U.S. Environmental Protection Agency
Office of Inspector General
At a Glance
2007-P-00008
January 29, 2007
Why We Did This Review
We sought to determine if
access to and modification of
mainframe system software at
the U.S. Environmental
Protection Agency (EPA)
National Computer Center in
Research Triangle Park in
Raleigh, North Carolina, is
controlled in accordance with
Agency and Federal guidance,
as well as best practices.
Background
The EPA's Office of Inspector
General contracted KPMG,
LLP (KPMG) to conduct an
audit of mainframe system
software. Controls over
system software access and
modifications are designed to
(1) limit and/or monitor access
to system software resources
to protect against unauthorized
modification, loss, and
disclosure; (2) reduce the risk
of the introduction of
unauthorized changes; and (3)
limit and monitor access to
powerful system software
programs.
For further information,
contact our Office of
Congressional and Public
Liaison at (202) 566-2391.
To view the full report,
click on the following link:
www.epa.qov/oiq/reports/2007/
20070129-2007-P-00008.pdf
Catalyst for Improving the Environment
EPA Could Improve Controls Over Mainframe
System Software
What KPMG Found
KPMG identified several weaknesses in EPA's internal controls over its
mainframe system software, including:
>	Roles and responsibilities were not clearly assigned.
>	Change controls were not performed in accordance with Agency policies.
>	Policies, procedures, and guides could be strengthened.
>	Security settings for sensitive datasets and programs were not effectively
configured or implemented.
As a result of these weaknesses, EPA is exposed to greater risk since its
mainframe system software could potentially be compromised.
What KPMG Recommends
KPMG recommends that the Office of Environmental Information:
>	Improve management oversight and review of primary support contractor
activity, and clearly assign roles and responsibilities to ensure personnel
are held accountable.
>	Ensure change control procedures are performed in accordance with
existing Agency and Federal guidance.
>	Strengthen existing policies, procedures, and guides to establish standards
for implementing key security controls for mainframe system software.
>	Appropriately configure and implement security settings for sensitive
datasets and programs.
This report contains material that is confidential business information, proprietary
information, or source selection information. Unauthorized disclosure of this
Appendix or any of its content may violate the provisions of the Trade Secrets
Act, 18 U.S.C. 1905; the Procurement Integrity Act, 41 U.S.C. 423; the Freedom
of Information Act, 5 U.S.C. 552; the Privacy Act, 5 U.S.C. 552a; and/or the
Federal Acquisition Regulation, Section 3.104 (48 CFR 3.104). Due to the
sensitive nature of the report's technical findings, the Office of Inspector General
removed Appendices A and B from the public version of the report.

-------