$
<
73
\
Ml
C
PRQrt^
o
2
Lll
(3
T
OFFICE OF INSPECTOR GENERAL
Catalyst for Improving the Environment
Audit Report
EPA Needs to Strengthen
Financial Database Security
Oversight and Monitor Compliance
Report No. 2007-P-00017
March 29, 2007
-------�
Report Contributors:
Rudolph M. Brevard
Chuck Dade
Corey Costango
Sejal Shah
Abbreviations
BAS Budget Automation System
CSIRC Computer Security Incident Response Capability
DBMS Database Management System
EPA U.S. Environmental Protection Agency
FDW Financial Data Warehouse
IFMS Integrated Financial Management System
ISO Information Security Officer
IRMS Integrated Resource Management System
NIST National Institute for Standards and Technology
OCFO Office of the Chief Financial Officer
OEI Office of Environmental Information
OIG Office of Inspector General
OPPIN Office of Pesticide Programs Information Network
ORD Office of Research and Development
OTOP Office of Technology Operations and Planning
SLATE Strategic Leasing and Asset Tracking Enterprise
-------�
<
33
\
^t0SrX
&
V PRO^4-0
o
2
Lll
o
U.S. Environmental Protection Agency
Office of Inspector General
At a Glance
2007-P-00017
March 29, 2007
Catalyst for Improving the Environment
Why We Did This Review
We sought to determine
whether the U.S.
Environmental Protection
Agency (EPA) (1)
implemented and maintained
database hardware and
software in accordance with
EPA policy requirements; and
(2) secured critical financial
information by restricting
access to high-level database
functions, such as database
administrator authorities.
Background
EPA's core financial
application, the Integrated
Financial Management System
(IFMS), shares data with
many financial management
system databases. An
inadequately designed and
implemented security control
could be more easily
breached, which could
compromise the integrity of
the data IFMS uses for
financial reporting and
decisionmaking.
For further information,
contact our Office of
Congressional and Public
Liaison at (202) 566-2391.
To view the full report,
click on the following link:
www.epa.aov/oia/reports/2007/
20070329-2007-P-00017.pdf
EPA Needs to Strengthen Financial Database Security
Oversight and Monitor Compliance
What We Found
We discovered weaknesses in how EPA offices (1) monitor databases for known
security vulnerabilities, (2) communicate the status of critical system patches, and
(3) monitor the use of and access to database administrator accounts and
privileges. These weaknesses exist because EPA had not implemented security
processes to (1) actively monitor systems that share data with IFMS, (2) share and
collect information on the implementation of critical system patches, and
(3) effectively manage access controls. Without these processes, the integrity of
critical data in key Office of the Chief Financial Officer (OCFO) systems could be
undermined. As a result, OCFO cannot ensure that the integrity of the data it
provides to senior Agency officials is adequately protected.
We also identified specific technical weaknesses in three of the financial databases
that share data with IFMS.
What We Recommend
We recommend that OCFO, the Office of Environmental Information (OEI), and
the Office of Research and Development address areas where EPA could improve.
Specifically, we recommend that:
• OCFO update the Memorandum of Understanding process to include
formal security standards that require the program/regional offices to
actively monitor the security status of systems that share data with IFMS.
• OEI strengthen, formalize, and evaluate the effectiveness of the followup
procedures for obtaining complete responses from program and regional
offices regarding high-level critical system patch alerts, as well as share
status reports on the implementation of critical system patches.
• The system owners for each reviewed application correct all identified
system weaknesses, and develop a Plan of Action and Milestones in the
Agency's security weakness tracking system for all noted deficiencies.
The Agency agreed with all of our recommendations.
Due to the sensitive nature of the report's technical findings, we removed
Appendices A, C, and D from the public version of the report.
-------�
UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
OFFICE OF
INSPECTOR GENERAL
March 29, 2007
MEMORANDUM
SUBJECT: EPA Needs to Strengthen Financial Database Security Oversight and
Monitor Compliance
Report No. 2007-P-00017
Chief Financial Officer
Molly A. O'Neill
Assistant Administrator for Environmental Information
George M. Gray, Ph.D.
Assistant Administrator for Research and Development
This is our report on the subject audit conducted by the Office of Inspector General (OIG) of the
U.S. Environmental Protection Agency (EPA). This report contains findings that describe the
problems the OIG has identified and corrective actions the OIG recommends. This report
represents the opinion of the OIG and does not necessarily represent the final EPA position.
Final determinations on matters in this report will be made by EPA managers in accordance with
established audit resolution procedures.
The estimated cost of this report - calculated by multiplying the project's staff days by the
applicable daily full cost billing rates in effect at the time - is $356,118.
Action Required
In accordance with EPA Manual 2750, the Office of the Chief Financial Officer is required to
provide a written response to this report within 90 calendar days. You should include a
corrective action plan for agreed upon actions, including milestone dates.
FROM
Patricia H. Hill
Assistant Inspector General for Mission Systems
TO
Lyons Gray
-------�
The Office of Environmental Information and Office of Research and Development do not have
to provide a response to this report. The offices' response to the draft report contained an
adequate corrective action plan with milestone dates to address the recommendations.
Accordingly, we are closing this report on issuance.
Due to the sensitive nature of the technical findings, we have removed Appendices A, C, and D
from the report version made available to the public. The public copy of this report will be
available at http://www.epa.gov/oig. Additional copies of the full report can be obtained by
contacting our Office of Congressional and Public Liaison at (202) 566-2391.
If you or your staff has any questions, please contact me at 202-566-0894 or
hill.patricia@epa.gov; or Rudolph M. Brevard, Director, Information Resources Management
Assessments, at (202) 566-0893 or brevard.rudv@epa.gov.
-------�
EPA Needs to Strengthen Financial Database Security Oversight
and Monitor Compliance
Table of C
Chapters
1 Introduction 1
Purpose 1
Background 1
Scope and Methodology 2
2 Effective Oversight and Continuous Monitoring Needed to
Improve Financial Database Security 4
Consistent Practices Needed to Identify Weaknesses 4
Improvements Needed in Reporting Status of Critical System Patches 5
Database Administrator Accounts and Privileges Not Managed Properly 6
Recommendations 7
Agency Response and OIG Comments 8
Status of Recommendations and Potential Monetary Benefits 10
Appendices
A High-Level Summary of Specific Technical Weaknesses by
EPA Program Office and System 11
B Non-Sensitive Portion of OCFO's and OEI's Combined Response
to Draft Audit Report 12
C OCFO's Response to Recommendations Associated with
Sensitive Technical Control Weaknesses Disclosed in Appendix A 16
D ORD's Response to Recommendations Associated with
Sensitive Technical Control Weaknesses Disclosed in Appendix A 17
E Distribution 18
-------�
Chapter 1
Introduction
Purpose
We completed this audit to determine whether the U.S. Environmental Protection
Agency (EPA) (1) implemented and maintained database hardware and software
in accordance with EPA policy requirements; and (2) secured critical financial
information by restricting access to high-level database functions, such as
database administrator authorities.
Background
The Integrated Financial Management System (IFMS) is EPA's core financial
management accounting system. IFMS (1) supports the standard general ledger,
(2) is the source of data for preparing financial statements and budgetary reports,
and (3) supports program offices in managing and controlling funds. IFMS
depends heavily upon data processed by many other systems in order to provide
senior Agency officials with timely and accurate information. Although the
Office of the Chief Financial Officer (OCFO) is the IFMS system owner, many of
the financial management systems that share data with IFMS are managed by
other program offices. Therefore, OCFO must coordinate the implementation of
security controls between offices to protect the integrity of shared data.
OCFO must implement a security program that is consistent with EPA's current
security philosophy. Currently, EPA distributes the implementation and
management of information security to multiple organizations. Under the current
EPA security structure, the Office of Environmental Information (OEI) is
responsible for:
• Developing and defining the Agency's information security program in
accordance with all applicable Federal laws and regulations;
• Providing guidance on selecting and implementing safeguards; and
• Establishing the minimum information security control environment
required to protect both its automated data processing resources and its
information from theft, damage, and unauthorized use.
EPA regional and program offices are responsible for:
• Establishing an organization-wide information security program consistent
with Agency policy, and
1
-------�
• Protecting information and applications by implementing (1) appropriate
safeguards into all new organizational information systems, and (2) major
modifications to existing systems.
Scope and Methodology
We conducted this audit in accordance with Government Auditing Standards,
issued by the Comptroller General of the United States. We conducted this audit
from January through July 2006 at the National Computer Center in Research
Triangle Park, North Carolina, and EPA Headquarters in Washington, DC. We
reviewed EPA database security policies and procedures. We tested configuration
settings for both the database and operating system software. We interviewed
EPA employees and contractors responsible for database maintenance and
security.
We selected a judgmental sample of five major financial management database
systems that share data with IFMS. We reviewed the following applications
during preliminary research:
Application
Acronym
Program Office
Budget Automation System
BAS
Office of the Chief Financial Officer
Financial Data Warehouse
FDW
Office of the Chief Financial Officer
Integrated Resource
Management System
IRMS
Office of Research and Development
Office of Pesticide Programs
Information Network
OPPIN
Office of Prevention, Pesticides, and
Toxic Substances
Strategic Leasing and Asset
Tracking Enterprise
SLATE
Office of Administration and Resources
Management
We did not review PeoplePlus, EPA's combined human resources and payroll
application, because the OIG conducted a security review of the application
within the past 12 months.
During preliminary research, we (1) documented management controls
surrounding database security, and (2) tested the systems' configuration settings.
• Management Controls - We surveyed the respective system owners to
determine whether management issued formal policies and procedures for
the following key areas: database system configuration, database
administrator duties, and system maintenance management. We collected
and reviewed the responses, and conducted followup interviews with EPA
personnel and contractors. For each system, we reviewed the results of
management's latest security control tests.
2
-------�
• Systems' Configuration Settings - We conducted vulnerability testing of
the selected systems' databases and operating systems to identify common
security weaknesses. We used two vulnerability-testing tools recognized
by the National Institute for Standards and Technology (NIST). These
tools identify potential vulnerabilities and validate that the operating
systems and major applications have the latest software versions. We used
one tool to test application servers' operating systems for vulnerabilities.
We used the other tool to test the database software for vulnerabilities and
key database configuration settings. We provided our scanning results to
the respective program offices to evaluate the validity of the identified
high vulnerabilities. We were unable to conduct vulnerability testing of
OPPIN because the program office was relocating the system at the time
of our audit. As such, we eliminated OPPIN from our sample.
During field work, we selected three of the five database systems for detailed
review. We based our selection on (1) whether an office had documented its
database security management control structure, and (2) the total number of
"high-risk" vulnerabilities discovered during preliminary testing. We selected
BAS, FDW, and IRMS for further review.
We have not performed prior audits related to database security controls for these
EPA systems. As such, there were no recommendations to follow up on during
this audit.
3
-------�
Chapter 2
Effective Oversight and Continuous Monitoring
Needed to Improve Financial Database Security
We discovered weaknesses in how EPA offices (1) monitor financial databases
for known security vulnerabilities, (2) share information regarding the
implementation of critical system updates, and (3) monitor the use of and access
to database administrator accounts and privileges. EPA policies require offices to
establish an organization-wide information security program consistent with
Agency policy. This includes establishing processes for actively monitoring
systems, promptly implementing systems updates, and effectively managing
access to network resources and systems. OCFO's policy requires system owners
to enter into a Memorandum of Understanding (MOU) when their system
interfaces with IFMS. However, this current security oversight process does not
incorporate methods that actively monitor the security status of these systems
once the MOU is signed. In addition, this policy does not currently apply to
systems using means other than an electronic interface to share data with IFMS.
As a result, OCFO has limited assurance that the security controls of critical
systems adequately protect the accuracy of financial data used for decisionmaking
and financial reporting. OCFO needs a more collaborative framework and
stronger oversight processes to ensure that systems, which share financial data
with IFMS, comply with prescribed Agency security practices.
Consistent Practices Needed to Identify Weaknesses
Offices lack consistent processes to conduct vulnerability testing of systems to
identify and correct commonly known security weaknesses. NIST states that it is
imperative that organizations routinely test systems for vulnerabilities and
misconfigurations to reduce the likelihood of system compromise. EPA policy
2195.1A4, Agency's Network Security Policy, requires EPA offices to monitor,
test, evaluate, and verify their systems to ensure adequate security in accordance
with information sensitivity and other Federal and Agency requirements. Based
on interviews with the system owners, we determined that the frequency of
vulnerability testing was inconsistent among offices. The vulnerability testing
schedules ranged from monthly to only performing the testing in conjunction with
completing the major risk assessment, which usually takes place every 3 years.
During the time between risk assessments, OCFO does not utilize processes to
check the security status of systems that share data with IFMS. As a result,
OCFO relies on the implementation of security controls that have become, over
time, ineffective due to system changes and emerging system weaknesses.
Our vulnerability test results identified 47 "high-risk," commonly-known security
vulnerabilities among the three database systems. Each system had at least 13
4
-------�
"high-risk" vulnerabilities. Some of the identified vulnerabilities had the
potential to affect the availability and integrity of the system's financial data.
Management could have identified all of the noted vulnerabilities had OCFO's
MOU process specified the frequency of vulnerability testing and the offices
implemented a routine vulnerability testing process, as required by EPA policy.
In addition, NIST Special Publication 800-42, Guideline on Network Security
Testing, recommends that system owners conduct vulnerability testing at least
quarterly to identify and correct vulnerabilities before they are exploited. NIST
notes that organizations with an active, priority-driven security-testing program
are in a much better position to make prudent investments to enhance the security
posture of their systems.
Since IFMS relies heavily on these database systems as the primary source for
financial data, vulnerabilities in these systems could allow manipulated data to
transfer between systems without notice. Consequently, users of IFMS data could
potentially make decisions based on inaccurate data.
We provided the program offices with copies of our vulnerability test results, and
the offices indicated they are taking action to remediate the weaknesses.
Appendix A contains a high-level summary of the specific technical weaknesses
found in each application.
Improvements Needed in Reporting Status of Critical System Patches
OCFO lacks sufficient information to determine whether system owners for
systems that share data implement critical system patches. Critical system
patches are manufacturer updates to correct significant security vulnerabilities and
include other fixes that are prerequisites for the security fixes included in the
Critical Patch Update. EPA communicates critical system patches using a high-
level alert issued by the Computer Security Incident Response Capability
(CSIRC).1 The CSIRC Centralized Reporting Guidance requires the primary
Information Security Officer (ISO) for each program and regional office to report
status of implementation in accordance with the alert direction. We evaluated
whether the applicable program offices adequately reported the implementation
status for one high-level alert that affected the three reviewed systems sharing
data with IFMS. We found that the primary ISO for the program office
responsible for the IRMS system (Office of Research and Development [ORD])
did not report the status for implementing the critical patch to CSIRC or to
OCFO. Although ORD officials did not report the patch status to CSIRC, the
office indicated that the patch was applied within the specified time period. This
occurred, in part, because OCFO management had not implemented processes to
(1) inform them when systems that share data requires a critical system patch, and
1 OEI established CSIRC under the Office of Technology Operations and Planning (OTOP) to serve as the Agency's
central system for receiving notifications regarding critical security updates for EPA's information resources.
CSIRC is also responsible for notifying system owners when there is a major security update available for their
respective applications and tracking the system owners' progress in implementing the system update.
5
-------�
(2) check whether all the systems with which IFMS shares data implemented
critical patches. OCFO needs these processes and information to maintain the
security and integrity of data shared with IFMS. Without this information, OCFO
cannot assess the impact of security threats to IFMS or weaknesses in database
systems that could affect the quality of data used for financial management and
decisionmaking.
We also determined that the CSIRC could improve its processes for collecting and
sharing information regarding the implementation of critical system patches. We
reviewed the CSIRC status report regarding each office's implementation of the
reviewed high-level alert. We found that 30 percent (7 of 23) of EPA offices
provided a complete response to the alert. A complete response indicated that the
office took the advised action or the action was not applicable. CSIRC officials
indicated that they follow up on incomplete responses with phone calls and
emails. However, CSIRC did not document these followup measures in its
procedure manual. Nonetheless, at the time of our field work, 4 months had
elapsed since the CSIRC issued the alert and many offices had not provided a
complete response. In addition, CSIRC does not maintain an inventory of
systems in order to determine which offices a particular critical system patch
impacts. Also, CSIRC does not share the status report regarding critical system
patches with program offices to help them identify and mitigate unresolved
security vulnerabilities in systems with which they share data. Sharing the status
of implemented critical system patches would (1) provide ISOs with a tool to
more proactively manage the security of their database systems, and (2) allow the
CSIRC to focus its limited resources on analyzing emerging security threats.
Because of these weaknesses, EPA's CSIRC lacks the capability to assess the
potential impact that unimplemented critical patches have on the Agency's
network resources.
Database Administrator Accounts and Privileges Not Managed
Properly
System owners do not adequately control users' access to and use of database
administrator accounts and privileges, as required by EPA policy 2195.1A4,
Agency's Network Security Policy. In particular, the policy requires passwords
and user login IDs to be unique and not shared. The policy also requires system
authorizations to be restricted to the minimum level of access necessary for a
person to do their job. Our testing found instances where:
• Multiple people were sharing database administrator account user login
IDs and passwords. The database administrator account privileges
provide complete and unrestricted access to all data in the database.
When user login IDs and passwords are shared, EPA loses the ability to
hold users accountable for their actions within the system.
6
-------�
• Users could excessively access sensitive database components or execute
high-level commands. A database component or "object" could be the
database table or information stored in the database table. A high-level
command or "privilege" allows the user to create or manipulate objects,
such as data tables and/or reassign system privileges to other personnel
without authorization.
Properly controlling/administering these features is important because they allow
management to (1) hold users that make inappropriate system changes
accountable, (2) limit system privileges of each user to only those the user needs
to perform their job, and (3) control unauthorized reassignment of system
privileges to other personnel.
These weaknesses exist, in part, because the OCFO's MOU process does not
specify the standards for monitoring the access and use of high-level database
accounts. In addition, the system owners did not implement effective
management control processes to ensure that security personnel comply with EPA
security policy. Furthermore, management had not implemented processes to
review access to and use of database administrator accounts and privileges. As a
result, offices granted many of the database security privileges in a way that
allowed users to re-assign their system access to other users without the
knowledge of the office. We provided the respective program offices with copies
of our test results, and the offices indicated that they are taking action to
remediate the weaknesses. Appendix A contains a high-level summary of the
specific technical weaknesses found in each application.
Recommendations
We recommend that the Office of the Chief Financial Officer, Information
Security Officer:
1. Update the MOU process to include formal security Standards that
require program and regional offices to actively monitor the security
status of systems that share data with IFMS. These standards should
require all system owners to:
a. Perform network vulnerability testing at least quarterly in
accordance with NIST 800-42, Guideline on Network Security
Testing, and remediate identified vulnerabilities in a timely
manner.
b. Monitor the use of and access to high-level system functions (such
as Accountability, Least Privilege, Separation of Duties, etc.) at
least monthly to ensure adequate controls are applied and effective.
7
-------�
c. Certify that the program/regional office has put in place oversight
processes to ensure these information security standards are met.
2. Request from OEI access to information regarding the implementation
status of high-risk CSIRC critical system patches for systems that
share data with IFMS.
3. Develop and implement formal procedures to ensure all OCFO system
owners timely and accurately report progress for implementing
Computer Security Incident Response Capability critical system
patches.
We recommend the Director of Office of Technology Operations and Planning within
the Office of Environmental Information:
4. Strengthen, formalize, and evaluate the effectiveness of the followup
procedures for obtaining complete responses from program and
regional offices regarding high-level critical system patch alerts.
5. Develop and implement a formal process to share EPA-wide status
reports with ISOs regarding implementation of CSIRC critical system
patches.
We recommend the system owners for the (1) Budget Automated System (OCFO
System), (2) Financial Data Warehouse (OCFO System), and (3) Integrated
Resources Management System (ORD System):
6. Correct all identified system weaknesses disclosed in Appendix A.
7. Develop a Plan of Action and Milestones in the Agency's security
weakness tracking system (ASSERT database) for all uncorrected
deficiencies disclosed in Appendix A.
Agency Response and OIG Comments
ORD concurred with the report findings and recommendations. However, OCFO
officials did not agree with the report recommendations, citing that its current
MOU process provided the appropriate level of oversight. OEI officials also did
not agree with the report's recommendations. OEI indicated the office has a
process in place for tracking responses to high-level critical system patch alerts.
In addition, OEI indicated that the office's current status report provided to
management and ISOs for the purpose of their distributed oversight is sufficient.
We met with Agency officials from all three offices subsequent to receiving their
responses to the draft report. Based on our discussions, OCFO and OEI officials
agreed that the offices could take more steps to improve the current processes and
8
-------�
strengthen database security. As such, OCFO agreed to modify its MOU process
to provide more specificity to system owners with systems that share data with
IFMS. OCFO also agreed to take steps to ensure all OCFO system owners timely
and accurately report progress for implementing critical system patches. OEI
officials agreed to formalize their CSIRC followup procedures and make critical
patch reports more available. Where appropriate, we modified the report to
address the offices' concerns and our discussions.
OEI and ORD provided a corrective action plan to address the report's findings
and recommendations. OCFO updated its response to the report and indicated
that the office would provide a corrective action plan to address the remaining
open recommendations. Complete responses are provided in Appendices B, C,
and D.
9
-------�
Status of Recommendations and
Potential Monetary Benefits
RECOMMENDATIONS
POTENTIAL MONETARY
BENEFITS (In $000s)
Rec.
No.
Page
No.
Subject
Status1
Action Official
Planned
Completion Date
Claimed
Amount
Agreed To
Amount
Update the MOU process to include formal security
Standards that require program and regional
offices to actively monitor the security status of
systems that share data with IFMS. These
standards should require all system owners to:
a. Perform network vulnerability testing at least
quarterly in accordance with NIST 800-42,
Guideline on Network Security Testing, and
remediate identified vulnerabilities in a timely
manner.
b. Monitor the use of and access to high-level
system functions (such as Accountability, Least
Privilege, Separation of Duties, etc.) at least
monthly to ensure adequate controls are applied
and effective.
c. Certify that the program/regional office has put
in place oversight processes to ensure these
information security standards are met.
Request from OEI access to information regarding
the implementation status of high-risk CSIRC
critical system patches for systems that share data
with IFMS.
Develop and implement procedures to ensure all
OCFO system ownes timely and accurately report
progress for implementing CSIRC critical system
patches.
Strengthen, formalize, and evaluate the
effectiveness of the followup procedures for
obtaining complete responses from program and
regional offices regarding high-level critical system
patch alerts.
Develop and implement a process to share EPA-
wide status reports with Information Security
Officers regarding implementation of CSIRC critical
system patches.
Correct all identified system weaknesses disclosed
in Appendix A.
Develop a Plan of Action and Milestones in the
Agency's security weakness tracking system
(ASSERT database) for all uncorrected
deficiencies disclosed in Appendix A.
Information Security Officer,
Office of the Chief Financial
Officer
Information Security Officer,
Office of the Chief Financial
Officer
Information Security Officer,
Office of the Chief Financial
Officer
Director, Office of
Technology Operations and
Planning
Director, Office of
Technology Operations and
Planning
BAS System Owner
FDW System Owner
IRMS System Owner
BAS System Owner
FDW System Owner
IRMS System Owner
08/01/2007
08/01/2007
BAS-05/2006
FDW-08/2006
IRMS-04/ 2006
BAS - N/A
FDW - N/A
IRMS - N/A
1 O = recommendation is open with agreed-to corrective actions pending
C = recommendation is closed with all agreed-to actions completed
U = recommendation is undecided with resolution efforts in progress
10
-------�
Appendix A
High-Level Summary of Specific Technical
Weaknesses by EPA Program Office and System2
This Appendix is for restricted distribution. This Appendix contains
material that is confidential business information, proprietary
information, or source selection information. Unauthorized
disclosure of this Appendix or any of its content may violate the
provisions of the Trade Secrets Act, 18 U.S.C. 1905; the Procurement
Integrity Act, 41 U.S.C. 423; the Freedom of Information Act, 5
U.S.C. 552; the Privacy Act, 5 U.S.C. 552a; and/or the Federal
Acquisition Regulation, Section 3.104 (48 CFR 3.104). Due to the
sensitive nature of these findings, the Office of Inspector General
removed this Appendix from the public version of the report.
2 A detailed listing of technical weaknesses was provided to the respective Program Office officials. The detailed
listing identified the specific weaknesses, to include background information on the weaknesses and possible
methods the system owner could use to correct the weaknesses.
11
-------�
Appendix B
Non-Sensitive Portion of OCFO's and OEi's
Combined Response to Draft Audit Report
February 23, 2007
MEMORANDUM
SUBJECT: Office of the Chief Financial Officer (OCFO) Response to the Office of Inspector
General's (OIG) Draft Audit Report - EPA Needs to Strengthen Financial
Database Security Oversight and Monitor Compliance, Dated January 11, 2007,
Assignment No. 2006-000442
FROM: Krista Mainess, Director
Office of Program Management
Office of the Chief Financial Officer
TO: Rudy Brevard
Acting Director, Business Systems Audits
We appreciate the opportunity to provide written comments on the subject draft audit
report. The OCFO remains firmly committed to securing its systems and data in a cost effective
manner and in accordance with Federal guidance, EPA policy, and best practices.
If you or your staff have any questions or need additional information concerning our
response to the subject draft report, contact Bob Shields, IT Team Leader, at 202-564-0123.
cc: Lyons Gray, OCFO
Maryann Froehlich, OCFO
Lorna McAllister, OCFO
David Bloom, OCFO
Mitch Gray, OCFO
Myra Galbreath, OEI
Marian Cody, OEI
Pat Hill, OIG
12
-------�
Below you will find general comments on the entire report as well as specific comments related
to each recommendation.
OCFO's General Comment:
Much of the audit text appears to be based on the assumption that IFMS "shares data" with
FDW, BAS, and IRMS, but the report provides no details on what this means.
Here are details on each system's relationship to IFMS. The FDW copies data from IFMS for
reporting. IFMS receives no data from the FDW. BAS has no connection to send or receive data
with IFMS. IRMS transmits commitment and reprogramming documents to IFMS. Those
documents are subject to all IFMS edits before they are processed so there are already safeguards
built into the process.
Transactions entered in IFMS are monitored by a particular user community. For example, if
IRMS transmitted invalid commitments to IFMS that still passed the accounting string and funds
availability edits, they would be discovered by ORD (the owner of IRMS) and corrected. The
OCFO, Office of Budget in their annual closeout memo requires allowance holders to monitor
their available funds. They issued their 2007 closeout memo on December 18, 2006.
Another example of a transaction control on IFMS data is the annual year-end certification of
unliquidated obligations. Allowance holders are required to certify to OFM that their
unliquidated obligation balances in IFMS are correct. This requirement is documented in the
annual financial statement audit commitment memorandum signed by the Chief Financial
Officer and the Inspector General. Details on the process are included in the OFM year end
closing memo.
Finally, many of the recommendations directed toward the OCFO ISO are the responsibility of
the individual system owners, according to EPA's Information Security Manual 2195A.
OARM's General Comment:
SLATE does not receive nor send data to IFMS.
OEI's General Comment:
The procedures requested for developing and implementing recommendation #3 were in place
prior to this audit finding and have been previously provided.
In addition, the following inaccuracies in the draft audit are noted. One area of concern is the
apparent confusion regarding CSIRC's roles and responsibilities. CSIRC maintains an inventory
of the Agency's technologies so that they can notify the Information Security Officers to upgrade
or patch their systems. CSIRC is not responsible for determining which informational systems
are critical to the Agency. However, CSIRC does determine which patch is critical.
13
-------�
OIG recommendations and corresponding OCFO/OEI responses are as follows:
OIG Recommendation #1:
The Information Security Officer (ISO) within the Office of the Chief Financial Officer (OCFO)
update the Memorandum of Agreement process to include formal security standards that require
the program/regional offices to actively monitor the security status of systems that share data
with IFMS. These standards should require all system owners to:
a. Perform network vulnerability testing at least quarterly in accordance with
NIST 800-42, Guideline on Network Security Testing, and remediate identified
vulnerabilities in a timely manner.
b. Monitor the use of and access to high-level system functions (such as
Accountability, Least Privilege, Separation of Duties, etc.) at least monthly to
ensure adequate controls are applied and effective.
c. Certify that the program/regional office has put in place oversight processes to
ensure these information security standards are met.
CFO Response to Recommendation #1:
The OCFO agrees with this recommendation.
OIG Recommendation #2:
The ISO within OCFO request from OEI access to information regarding the implementation
status of high risk CSIRC critical system patches for systems that share data with IFMS.
OCFO Response to Recommendation #2:
The OCFO agrees with this recommendation.
OIG Recommendation #3:
The ISO within OCFO send out a notification to all OCFO system owners reminding them of the
criticality of timely and accurately reporting the status of implementing CSIRC critical system
patches.
OCFO Response to Recommendation #3:
The OCFO agrees with this recommendation.
OEI Recommendation #4:
Develop and implement follow-up procedures to obtain complete responses from program and
regional offices regarding high-level critical system patch alerts.
OEI Response to Recommendation #4:
OEI does not concur with this recommendation.
14
-------�
OEI/OTOP has a process in place for tracking responses to high-level critical system patch
alerts, which includes following up with Information Security Officers (ISOs). If the system is a
Microsoft based platform, CSIRC uses PatchLink for progress reports and contacts ISOs
regarding any delay in patch implementation. In addition, CSIRC acts as a liaison between
Network Infrastructure Services (NIS http://lansys.epa.gov/ )ISOs and PatchLink
Administrators regarding any problems with patch deployment. If the system is not a Microsoft
based platform, the ISOs are responsible for reporting the patch status to CSIRC. CSIRC
follows up according to the time constraints provided in the CSIRC-Alert. For a critical or high-
level patch, response is required within two business days. If a response is not received, CSIRC
contacts all ISOs with applicable systems in their area for patch status information. It should be
noted that the responsibility for the patching of systems does not fall under CSIRC. It is the
responsibility of each region and program office to act on CSIRC-Alerts and patch their systems
accordingly.
In addition, CSIRC has provided information to NCC Security regarding the potential impact
that unimplemented critical patches have on the Agency's network resources in emails, Security
Incident Request (SIR) tickets, and Quarterly Reports. CSIRC does not implement or govern
patch deployment, nor does it have the authorization to enforce.
OIG Recommendation #5:
Develop and implement a process to share EPA-wide status reports with Information Security
Officers regarding implementation of CSIRC critical system patches.
OEI Response to Recommendation #5:
OEI does not concur with this recommendation.
Traditionally, the Agency has maintained that the specific vulnerabilities and security postures of
the regions and program offices will not be shared EPA-wide. However, we currently provide
reporting status to management and ISOs for the purpose of their distributed oversight. OTOP
will continually work to create a more streamlined reporting process.
15
-------�
Appendix C
OCFO's Response to Recommendations Associated
with Sensitive Technical Control Weaknesses
Disclosed in Appendix A
This Appendix is for restricted distribution. This Appendix contains
material that is confidential business information, proprietary
information, or source selection information. Unauthorized
disclosure of this Appendix or any of its content may violate the
provisions of the Trade Secrets Act, 18 U.S.C. 1905; the Procurement
Integrity Act, 41 U.S.C. 423; the Freedom of Information Act, 5
U.S.C. 552; the Privacy Act, 5 U.S.C. 552a; and/or the Federal
Acquisition Regulation, Section 3.104 (48 CFR 3.104). Due to the
sensitive nature of these findings, the Office of Inspector General
removed this Appendix from the public version of the report.
16
-------�
Appendix D
ORD's Response to Recommendations Associated
with Sensitive Technical Control Weaknesses
Disclosed in Appendix A
This Appendix is for restricted distribution. This Appendix contains
material that is confidential business information, proprietary
information, or source selection information. Unauthorized
disclosure of this Appendix or any of its content may violate the
provisions of the Trade Secrets Act, 18 U.S.C. 1905; the Procurement
Integrity Act, 41 U.S.C. 423; the Freedom of Information Act, 5
U.S.C. 552; the Privacy Act, 5 U.S.C. 552a; and/or the Federal
Acquisition Regulation, Section 3.104 (48 CFR 3.104). Due to the
sensitive nature of these findings, the Office of Inspector General
removed this Appendix from the public version of the report.
17
-------�
Appendix E
Distribution
Office of the Administrator
Chief Financial Officer (CFO)
Assistant Administrator for Environmental Information
Assistant Administrator for Research and Development
Agency Followup Coordinator
Audit Followup Coordinator, Office of the Chief Financial Officer
Audit Followup Coordinator, Office of Environmental Information
Audit Followup Coordinator, Office of Research and Development
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for Public Affairs
Office of General Counsel
Acting Inspector General
18
-------� |