At a Glance: Without a Process for Monitoring Sensitive Data, EPA Region 4 Risks Unauthorized Access to File Servers and Share Folders

x-^tD ST/ij.
U.S. Environmental Protection Agency 18-P-0234
i ftA \ Office of Inspector General August 28,2018
~ SB?*
3 \\|// ?
At a Glance
Why We Did This Project
The U.S. Environmental
Protection Agency (EPA),
Office of Inspector General
(OIG), conducted this audit
to assess the EPA's
implementation of security
controls for agency file servers.
A file server provides file
sharing services so that only
authorized users can access,
modify, store and delete files.
File servers are considered
components of an information
system and therefore should
meet the security guidance of
National Institute of Standards
and Technology Special
Publication 800-53, Revision 4,
Security and Privacy Controls
for Federal Information
Systems and Organizations.
This report addresses the
following:
• Compliance with the law.
• Operating efficiently and
effectively.
Without a Process for Monitoring Sensitive Data,
EPA Region 4 Risks Unauthorized Access to
File Servers and Share Folders
What We Found
We determined that a share folder found on
EPA Region 4 file servers did not comply with
federal and agency guidance for access
administration. The Region 4 share folder
contained sensitive data, and the region did not
have a process to monitor user activity or
content in file servers' share folders.
Sensitive data are vulnerable
to unauthorized disclosure
without a tool or process in
place to monitor user activity
and access to share folders
found on EPA Region 4 file
servers.
Federal and agency guidance requires agencies to implement security controls
for their information systems and related components. Information system
components include file servers and the share folders they host.
Region 4 lacked documented procedures for EPA information technology security
control requirements applicable to file servers and share folders. In addition,
Region 4 lacked documented procedures for monitoring share folder access or
content.
EPA data were vulnerable to unauthorized access because Region 4 did not
create procedures to ensure that EPA security control requirements were
implemented for file servers and share folders. The lack of procedures, combined
with the lack of audit logging or an audit log review process, put the EPA at risk
for unauthorized activity being undetected and uninvestigated.
Recommendation and Agency Corrective Actions Taken
We recommend that the Regional Administrator for Region 4 develop a process
to approve and monitor access to share folder content that is consistent with
requirements contained in National Institute of Standards and Technology
Special Publication 800-53 and EPA information security procedures.
Region 4 agreed with our report and recommendation. The region completed all
Send all inquiries to our public proposed corrective actions by August 14, 2018, and those actions satisfy the
affairs office at (202) 566-2391 intent of the recommendation,
or visit www.epa.gov/oiq.
Listing of OIG reports.

-------