U.S. Environmental Protection Agency
Office of Inspector General
Report No. 18-P-0234
August 28, 2018

At a Glance

Without a Process for Monitoring Sensitive Data, EPA Region 4 Risks Unauthorized Access to File Servers and Share Folders

Why We Did This Project

The U.S. Environmental Protection Agency (EPA), Office of Inspector General (OIG), conducted this audit to assess the EPA's implementation of security controls for agency file servers. A file server provides file-sharing services so that only authorized users can access, modify, store and delete files. File servers are components of an information system and therefore should meet the security guidance of National Institute of Standards and Technology (NIST) Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations.

This report addresses the following:
• Compliance with the law.
• Operating efficiently and effectively.

What We Found

We determined that a share folder found on EPA Region 4 file servers did not comply with federal and agency guidance for access administration. The Region 4 share folder contained sensitive data, and the region did not have a process to monitor user activity or content in the file servers' share folders. Without a tool or process in place to monitor user activity and access to the share folders on EPA Region 4 file servers, sensitive data are vulnerable to unauthorized disclosure.

Federal and agency guidance requires agencies to implement security controls for their information systems and related components. Information system components include file servers and the share folders they host. Region 4 lacked documented procedures for the EPA information technology security control requirements applicable to file servers and share folders. In addition, Region 4 lacked documented procedures for monitoring share folder access or content.

EPA data were vulnerable to unauthorized access because Region 4 did not create procedures to ensure that EPA security control requirements were implemented for file servers and share folders. The lack of procedures, combined with the lack of audit logging and of an audit log review process, put the EPA at risk of unauthorized activity going undetected and uninvestigated.

Recommendation and Agency Corrective Actions Taken

We recommend that the Regional Administrator for Region 4 develop a process to approve and monitor access to share folder content that is consistent with the requirements contained in NIST Special Publication 800-53 and EPA information security procedures.

Region 4 agreed with our report and recommendation. The region completed all proposed corrective actions by August 14, 2018, and those actions satisfy the intent of the recommendation.

Send all inquiries to our public affairs office at (202) 566-2391 or visit www.epa.gov/oig.
Listing of OIG reports.
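The recommendation above asks for a process to approve and monitor access to share folder content, and the finding notes that no audit logging or log review existed. As an added example (it is not part of the OIG report and is not EPA's tooling), the Python script below shows the minimal shape such a review takes: an approved-access list per share, an export of share-access audit events, and a few rules that turn raw events into findings a reviewer must act on. The CSV layout, the share paths, the account names and the log lines are all constructed for illustration; a real file server would supply its own event format (on Windows, for instance, Security event 5145 records network share access checks), and the business-hours window and failure threshold are assumed values.

```python
"""Review share-folder access audit events against an approved-access list.

Added example, not from the EPA OIG report. Log format, shares, accounts and
thresholds are assumptions constructed for illustration.
"""
import csv
import io
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed audit export. Columns: UTC timestamp, account, share path,
# action, outcome. A real server's export would differ; this is an assumption.
SAMPLE_LOG = r"""2018-06-01T13:02:11Z,R4\jsmith,\\fs01\R4Share\Enforcement,READ,SUCCESS
2018-06-01T13:05:40Z,R4\alee,\\fs01\R4Share\Enforcement,WRITE,SUCCESS
2018-06-01T13:09:02Z,R4\tnguyen,\\fs01\R4Share\Enforcement,READ,SUCCESS
2018-06-01T13:10:15Z,R4\tnguyen,\\fs01\R4Share\Enforcement,READ,SUCCESS
2018-06-01T22:47:30Z,R4\jsmith,\\fs01\R4Share\Enforcement,DELETE,SUCCESS
2018-06-02T02:15:01Z,R4\bwong,\\fs01\R4Share\Enforcement,READ,FAILURE
2018-06-02T02:15:04Z,R4\bwong,\\fs01\R4Share\Enforcement,READ,FAILURE
2018-06-02T02:15:09Z,R4\bwong,\\fs01\R4Share\Enforcement,READ,FAILURE
2018-06-02T14:30:00Z,R4\bwong,\\fs01\R4Share\Public,READ,SUCCESS
"""

# The "approval" side of an approve-and-monitor process: who is allowed on
# which share. None means any authenticated user (a general-purpose share).
APPROVED_ACCESS = {
    r"\\fs01\R4Share\Enforcement": {r"R4\jsmith", r"R4\alee"},
    r"\\fs01\R4Share\Public": None,
}
SENSITIVE_SHARES = {r"\\fs01\R4Share\Enforcement"}
BUSINESS_HOURS_UTC = range(12, 22)   # assumed local business day expressed in UTC
FAILURE_THRESHOLD = 3                # assumed: repeated denials worth a look


@dataclass(frozen=True)
class Finding:
    rule: str
    account: str
    share: str
    detail: str


def parse_events(log_text):
    """Turn the CSV export into dicts with a timezone-aware timestamp."""
    events = []
    for row in csv.reader(io.StringIO(log_text)):
        if not row or row[0].startswith("#"):
            continue
        ts, account, share, action, outcome = row
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"time": when, "account": account, "share": share,
                       "action": action.upper(), "outcome": outcome.upper()})
    return events


def review_share_log(log_text, approved=APPROVED_ACCESS, sensitive=SENSITIVE_SHARES):
    """Apply the review rules and return the findings in log order."""
    findings = []
    reported_unapproved = set()   # one finding per (account, share), not per event
    denied = Counter()
    for ev in parse_events(log_text):
        key = (ev["account"], ev["share"])
        # Rule 1: successful access by an account with no approval on record,
        # or to a share that the approval list does not know about at all.
        if ev["outcome"] == "SUCCESS" and key not in reported_unapproved:
            if ev["share"] not in approved:
                reported_unapproved.add(key)
                findings.append(Finding("unregistered-share", *key,
                                        "share has no approved-access entry"))
            elif approved[ev["share"]] is not None and ev["account"] not in approved[ev["share"]]:
                reported_unapproved.add(key)
                findings.append(Finding("unapproved-access", *key,
                                        f"{ev['action']} succeeded without approval"))
        # Rule 2: destructive action on a sensitive share outside business hours.
        if (ev["share"] in sensitive and ev["outcome"] == "SUCCESS"
                and ev["action"] == "DELETE" and ev["time"].hour not in BUSINESS_HOURS_UTC):
            findings.append(Finding("after-hours-delete", *key,
                                    f"DELETE at {ev['time'].isoformat()}"))
        # Rule 3: repeated denials from one account against one share.
        if ev["outcome"] == "FAILURE":
            denied[key] += 1
            if denied[key] == FAILURE_THRESHOLD:
                findings.append(Finding("repeated-denied-access", *key,
                                        f"{FAILURE_THRESHOLD} access denials"))
    return findings


if __name__ == "__main__":
    for f in review_share_log(SAMPLE_LOG):
        print(f"[{f.rule}] {f.account} on {f.share}: {f.detail}")
```

Run against the constructed log, the review reports three findings: an account reading the sensitive share without an approval entry, an approved account deleting from it outside the assumed business window, and an account denied three times in a row. The point is not the specific rules, which a region would tune to its own shares and hours, but that each rule is only evaluable if the approval list is written down and the server is actually emitting access events; absent either, the review has nothing to compare.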