U.S. Environmental Protection Agency
Office of Inspector General
At a Glance
2005-P-00019
July 28, 2005
Why We Did This Review
Our objectives were to determine whether: (1) the Environmental Protection Agency
(EPA) adequately configured People Plus' application security and technical
infrastructure to protect the confidentiality, integrity, and availability of
system data; and (2) implemented controls were working as intended.
Background
People Plus is the EPA's new integrated human resources (HR), benefits, payroll,
and time and labor system that is managed jointly by the Office of the Chief
Financial Officer (OCFO) and the Office of Administration and Resources
Management (OARM). Both HR and payroll data are processed to comply with
Federal, State, and EPA reporting requirements.
For further information, contact our Office of Congressional and Public Liaison
at (202) 566-2391.
To view the full report, click on the following link:
www.epa.gov/oig/reports/2005/20050728-2005-P-00019.pdf
Catalyst for Improving the Environment
PeoplePlus Security Controls Need Improvement
What We Found
Our review identified three significant issues in the security administration of
PeoplePlus (PPL). First, the Agency had not followed prescribed procedures for
managing user access privileges, monitoring changes in employee responsibilities,
and processing system access requests. Second, EPA did not verify or conduct the
required National Agency Check with Inquiries and Credit background screenings
for 45 percent (10 of 22) of contractor personnel with PPL access. Third, EPA
implemented PPL without adequately implementing security controls for two key
processes. Specifically, OCFO had not properly secured default user IDs and did
not adequately separate incompatible duties performed by the Security
Administrator.
What We Recommend
We recommend the Directors of EPA's Office of Financial Services (OFS) and
Office of Human Resources (OHR) take 13 actions to improve PPL security
controls. These recommendations address areas where EPA could improve user
access management and contractor background screening procedures. These
recommendations include: (1) reinforcing the requirements to follow prescribed
policies and procedures; (2) providing a training program to increase awareness
and ability to perform security duties; (3) evaluating the need for system
development contractors to have access to the production environment; and
(4) establishing a milestone date to complete contractor background screening.
We recommend that EPA evaluate all default user IDs to secure them, and assign
Security Administrators' responsibilities in a manner that provides adequate
separation of incompatible duties. EPA concurred with all of our
recommendations and provided a plan of action to address concerns.

-------