$ < 73 \ Ml C PRQrt^ o 2 Lll (3 T OFFICE OF INSPECTOR GENERAL Catalyst for Improving the Environment Audit Report EPA Could Improve Physical Access and Service Continuity/Contingency Controls for Financial and Mixed-Financial Systems Located at its Research Triangle Park Campus Report No. 2006-P-00005 December 14, 2005 ------- tftD STA^ s U.S. Environmental Protection Agency 2006-P-00005 £ %M \ Office of Inspector General December 14,2005 / fi - At a Glance Catalyst for Improving the Environment Why We Did This Review We sought to determine whether the U.S. Environmental Protection Agency's (EPA) current physical access and service continuity/contingency controls for selective applications at the Research Triangle Park (RTP) campus adhere to Federal and EPA guidelines. Background The Office of Inspector General (OIG) contracted with KPMG, LLP, to audit physical access controls and service continuity/contingency planning controls for select financial and mixed-financial systems hosted at EPA's RTP campus. Physical access controls protect EPA's resources from unauthorized access, theft, or destruction. Service continuity/ contingency controls ensure that EPA can continue operations of critical financial and mixed-financial applications should an outage occur. For further information, contact our Office of Congressional and Public Liaison at (202) 566-2391. To view the full report, click on the following link: www.epa.aov/oia/reports/2006/ 20051214-2006-P-00005.pdf EPA Could Improve Physical Access and Service Continuity/Contingency Controls for Financial and Mixed-Financial Systems Located at its Research Triangle Park Campus What KPMG Found Physical Access. Controls needed to be improved in areas such as visitor access to facilities, use of contractor access badges, and general physical access to the National Computer Center (NCC), computer rooms outside the NCC, and media storage rooms. Service Continuity/Contingency. Controls needed to be improved in areas such as completing a Business Impact Analysis, application contingency plans, authorizing to move backup data between key facilities, and environmental controls. In many cases, EPA has in place compensating controls that help reduce the risk of the above issues. However, KPMG believes that controls can be improved to further reduce the risks. What KPMG Recommends KPMG recommends that EPA Improve controls, processes, and procedures related to physical access to the RTP campus and associated facilities. Improve controls, processes, and procedures related to moving tape backups between key facilities. Provide additional training regarding physical access and service continuity planning. Revisit the service continuity strategies for key applications to ensure that all necessary recovery strategies and efforts are ranked in terms of priority, then developed, documented, implemented, and tested. Improve environmental controls at key RTP facilities. ------- ^tos% 0x> ^ S UNITED STATES ENVIRONMENTAL PROTECTION AGENCY \ ^ ? WASHINGTON, D.C. 20460 *l PRO"*^ OFFICE OF INSPECTOR GENERAL December 14, 2005 MEMORANDUM SUBJECT: EPA Could Improve Physical Access and Service Continuity/Contingency Controls for Financial and Mixed-Financial Systems Located at its Research Triangle Park Campus Report No. 2006-P-00005 FROM: Rudolph M. Brevard /s/ Director, Information Technology Audits TO: Kimberly T. Nelson Assistant Administrator for Environmental Information and Chief Information Officer Luis A. Luna Assistant Administrator for Administration and Resources Management Lyons Gray Chief Financial Officer George M. Gray, Ph.D. Assistant Administrator for Research and Development Thomas P. Dunne Acting Assistant Administrator for Solid Waste and Emergency Response This is the final report on physical access and service contingency/continuity controls audit conducted by KPMG, LLP, on behalf of the Office of Inspector General (OIG) of the U.S. Environmental Protection Agency (EPA). This audit report contains findings that describe areas of improvements that KPMG consultants have identified and corrective actions that KPMG recommends. ------- 2 This audit report represents the opinion of KPMG and the findings in this audit report do not necessarily represent the final EPA position. EPA managers, in accordance with established EPA audit resolution procedures, will make final determinations on matters in this audit report. The OIG reviewed KPMG's report and related documentation and inquired of their representatives and found no instances where KPMG did not comply, in all material respects, with Generally Accepted Government Auditing Standards. Action Required In accordance with EPA Manual 2750, you are required to provide a written response to this report within 90 calendar days of the date of this report. You should include a corrective action plan for agreed upon actions, including milestone dates. We have no objection to further release of this report to the public. For your convenience, this report will be available at http://www.epa.gov/oig. If you or your staff has any questions regarding this report, please contact me at (202) 566-0893, or Charles Dade, Assignment Manager, at (202) 566-2575. ------- Final Audit Report EPA Could Improve Physical Access and Service Continuity/Contingency Controls for Financial and Mixed- Financial Systems Located at its Research Triangle Park Campus Report No. 2006-P-00005 December 14, 2005 ------- Key Abbreviations Used in this Report BIA Business Impact Analysis CIO Chief Information Officer DRS Disaster Recovery Services EPA Environmental Protection Agency FISMA Federal Information Security Management Act FISCAM Federal Information Systems Control Audit Manual NCC National Computer Center NIST National Institute of Standards and Technology OARM Office of Administration and Resources and Management OCFO Office of the Chief Financial Officer OEI Office of Environmental Information OIG Office of Inspector General OMB Office of Management and Budget OTOP Office of Technology Operations and Planning RTP Research Triangle Park SP Special Publication ------- Table of Contents Chapters 1 Overview 3 Background 3 Objectives and Scope 3 Methodology 4 Results in Brief. 5 2 Physical Access 6 Contractor Access Badges 6 NCC Data Center Door Alarms 8 Evacuation Re-Entrv 8 Computer Room Sign-in Procedures 9 RTF Campus Visitor Identification 9 3 Service Continuity/Contingency Planning 12 Business Impact Analysis 12 Application Contingency Planning 13 Authorization to Move Tapes to the Alternate Storage Site 17 Local Alternate Processing Site Access 17 Environmental Controls 18 Appendices A Criteria 20 B Applications Reviewed 23 C Distribution 27 EPA's Response to the Draft Report D Office of Environmental Information 28 E Office of Administration and Resources Management 32 F Office of Research and Development 37 G Office of Solid Waste and Emergency Response 41 H Office of the Chief Financial Officer 43 2 ------- Chapter 1 Overview Background In support of the Environmental Protection Agency (EPA) Office of Inspector General (OIG), KPMG audited physical access controls and service contingency/continuity planning controls for select financial and mixed-financial applications hosted at EPA's Research Triangle Park (RTP) Campus. The RTP Campus is located in the greater Raleigh/Durham, North Carolina area and is a major EPA center for air pollution research and regulation. RTP supports EPA's mission by working towards a cleaner environment by concentrating on three major functions: administration and management, regulations, and research and development. The main RTP campus facility consists of seven buildings: A, B, C, D, E, H, and the National Computing Center (NCC) and two associated off-campus facilities: the local alternate processing site and the local storage facility. NCC opened in January 2002 and provides large-scale computing services for EPA nationwide, including support for regulatory program offices and administrative activities, as well as advanced super-computing for scientific research in air quality protection and other environmental studies. While the major computing activities occur at the NCC, other buildings have smaller computer and communication rooms that host financial and mixed financial applications that connect to the campus' network. Objectives and Scope The objectives of our review were focused on three primary areas: • Gather the inventory of financial and mixed financial applications hosted at the RTP facility to guide our review; • Evaluate physical security controls in accordance with relevant Federal and EPA criteria and best practices; and • Evaluate service continuity/contingency controls in accordance with relevant Federal and EPA criteria and best practices. For the service continuity/contingency testing portion of the audit, we initially received from EPA a listing of 33 financial and mixed-financial applications residing at the RTP campus. We discussed and validated these applications with EPA RTP officials to ensure the accuracy of the listing. We then selected a judgmental sample of 12 applications for detailed review based primarily on whether the Agency indicated, within EPA's Automated Security Self-Evaluation and Remediation Tracking (ASSERT), that the applications had a contingency plan and/or the 3 ------- criticality of the applications to EPA. EPA uses ASSERT to centrally track remediation of weaknesses associated with information technology systems. ASSERT serves as the Agency's official record for Plan of Actions and Milestones activities. Appendix B contains the list of applications included in the scope of our audit. Our review did not include an evaluation of financial and mixed-financial applications that did not have service contingency/continuity plans in place. Additionally, our review did not include the assessment of logical access controls for EPA systems or applications. Methodology Our evaluation methodology was derived primarily from the Government Accountability Office's (GAO's) Federal Information Systems Control Audit Manual (FISCAM). FISCAM is designed to provide guidance to information technology auditors on the scope of issues that generally should be considered in any review of controls over the integrity, confidentiality, and availability of computerized data associated with Federal systems and applications. We specifically addressed the following two FISCAM control areas: • Access control. These controls limit and/or monitor access to computer resources (data, programs, equipment, and facilities) to protect against unauthorized modification, loss, and disclosure. Examples of tests we performed under this control area included interviewing data center managers and personnel, reviewing data center access listings, observing data center physical access security controls, and observing data center environmental controls. In addition, we conducted tests over the adequacy of physical access security controls for entry onto the RTP campus and into RTP facilities. • Service continuity. These controls involve procedures for continuing critical operations without interruption, or with prompt resumption, when unexpected events occur. Examples of tests we performed under this control area included interviewing application owners, reviewing application contingency plans, and reviewing data backup and recovery processes. Additionally, we supplemented our FISCAM based approach with relevant EPA policy requirements and relevant guidance from the National Institute of Standards and Technology (NIST). Appendix A contains the complete list of applicable criteria. Our audit was conducted in accordance with Generally Accepted Government Auditing Standards (GAGAS). 4 ------- Results in Brief In summary, we noted that although EPA has many controls in place regarding physical access and service continuity/contingency planning, controls can be improved. For example: • Physical access. We noted that controls needed to be improved in areas such as visitor access to facilities, use of contractor access badges, and general physical access to the National Computer Center (NCC), computer rooms outside the NCC, and media storage rooms. • Service continuity. We noted that controls needed to be improved in areas such as the completion of a Business Impact Analysis (BIA), application contingency plans, authorization to move backup data between key facilities, and environmental controls. In many cases, EPA has in place compensating controls that help reduce the risks in the above areas. However, we believe that controls can be improved to further reduce the risks. In this report, we have provided detailed recommendations for each identified issue. In general, we recommend that EPA: • Improve controls, processes, and procedures related to physical access to the NCC, media storage rooms, server rooms, and associated facilities; • Improve controls, processes, and procedures related to the movement of tape backups between key facilities; • Provide additional training regarding physical access and service continuity controls; • Revisit the service continuity strategies for key applications to ensure that all necessary recovery strategies and efforts are documented, implemented, and tested; and • Improve environmental controls at key RTP facilities. 5 ------- Chapter 2 Physical Access Access controls should provide reasonable assurance that information technology resources (data files, application programs, and computer-related facilities and equipment) are protected against unauthorized modification, disclosure, loss, or impairment. These controls include physical controls, such as keeping computers in locked rooms to limit physical access, and logical controls, such as security software programs designed to prevent or detect unauthorized access to sensitive files. KPMG conducted a review of physical access controls surrounding select information technology assets within the RTP campus. Specifically, we reviewed the physical security of assets within the NCC, computer rooms outside of the NCC, and media storage rooms (specific names of the local storage and processing sites are not provided for security reasons). As previously noted, our review did not assess logical security controls over EPA systems or applications. Although EPA had many physical access controls in place, we noted conditions associated in the following areas, which increased the risks to the RTP physical security environment: • Contractor Access Badges • NCC Data Center Door Alarms • Evacuation Re-entry • Computer Room Sign-in Procedures • RTP Campus Visitor Identification Additional details on each of these areas, as well as related recommendations, follow. Contractor Access Badges Per inspection, 29 of the 144 (20%) of the NCC data center access badges we reviewed were either assigned to temporary contractors or to temporary EPA staff. This issue occurred because NCC has many contractors that require access to the data center 24 hours per day in case of system emergencies. We inquired about assigning badges to specific contractor personnel and NCC officials informed us that this would be difficult to implement because of the need for contractor maintenance support during emergencies. In these situations, the specifically badged contractor may not be available and another contractor from the same company may arrive to perform the required maintenance support. In addition, similarly to the maintenance support contractors, the janitorial service contractors use generic badges to access the data center to perform routine cleaning services. Therefore, management felt that assigning the badges to specific contractors was not practical. 6 ------- Subsequent to our testing, we met with management officials to discuss this issue, and management identified several compensating controls, such as the data center is staffed continuously, entrances are monitored by a video surveillance system, and NCC officials perform a limited badge reconciliation review. Management provided documentation supporting the NCC's badge reconciliation process. However, we reviewed the badge reconciliation documentation and noted that it was not detailed enough to sufficiently reconcile the badges. Specifically, we noted that the badge reconciliation only accounted for the total number of badges opposed to being used as a control to ensure that badges are issued to authorized contractors. Also, there was no documentation to support that the NCC maintained a valid contractor personnel roster listing authorized employees from the contracting company and that these contractors had appropriate background security screenings. Furthermore, management provided no evidence to support that the NCC implemented controls to ensure that contractors without current and appropriate background security screenings are escorted while inside the NCC. Although management has some compensating controls in place, we believe management should enhance controls by enforcing individual accountability for access to the data center. By not enforcing accountability there is an increased risk that inappropriate access may be gained to a sensitive processing area. Also, should any damage result from the unauthorized access, it would be difficult and time consuming for the NCC to identify the perpetrator and possibly limit NCC's ability to recoup damages and/or take appropriate legal action. Recommendations: We recommend that the Director, Office of Technology Operations and Planning (OTOP) implement policies and controls to ensure that: 1) All contractors who have access to the data center have individually identifiable badges. 2) More comprehensive periodic reviews of contractor access to the data center are performed, and badge access is adjusted as necessary. However, if the Director of OTOP determines that the current process is sufficient and accepts the risk, then OTOP should: 3) Obtain a complete access roster from the contractor companies (e.g., maintenance support and the janitorial services contractor) with the employee names and the current status of the employee background security screening. 4) Implement a procedure where only contractors with current and the appropriate background security screenings are allowed unescorted access in the NCC. 5) Implement a procedure to ensure that contractor personnel have appointments and are on their company's access roster before issuing them temporary badges to the NCC. 7 ------- 6) Implement a procedure where contractors without current and appropriate background security screenings are escorted while inside the NCC. Agency's Response andKPMG's Evaluation: Management agrees there are 29 temporary contractor badges that not assigned to specific individuals. In addition, management agrees that the NCC should conduct more frequent reviews of contractor access to the data center. However, management disagrees with some elements of this finding and believes that compensating controls are in place to mitigate some of the risk. As noted earlier, KPMG believes that although some compensating controls are in place, additional accountability over contractors could be obtained by requiring contractors to possess individually identifiable access badges. Subsequent to the completion of fieldwork, we meet with EPA officials to discuss this finding. Based on our discussions and review of additional documentation, we modified this finding where appropriate. NCC Data Center Door Alarms Per inspection and observation, we noted that the NCC data center doors do not emit an audible alarm if a door is open for an extended period. By not having an audible alarm on the data center doors, the data center employees would not be aware of potential security breaches until a security guard in building C contacts them. In this regard, equipment could be stolen or intentionally damaged prior to any data center personnel being alerted of the breach. We noted some compensating controls for this issue, such as: 1) the NCC data center door alarms are monitored centrally by the main guard facility in building C, 2) the doors are continuously monitored by a video surveillance system, and 3) the data center is constantly staffed. Although these compensating mitigate a portion of this risk controls, the lack of audible door alarms elevate the risk that unauthorized individuals could access sensitive NCC areas. Recommendation: 7) We recommend that the Director of OTOP install audible alarms on all key access points to the NCC data center that would promptly alert NCC security personnel should a door be left open for a designated period of time. Agency's Response and KPMG's Evaluation: Management concurs with this finding. Evacuation Re-Entry Per inspection and observation, we noted that there is no apparent evidence of documented policies or procedures regarding reentry requirements in the event of a personnel emergency evacuation from RTP. By not having policy and procedures for re-entry, there is an increased 8 ------- risk of unauthorized access by large numbers of personnel returning after an evacuation, particularly if pre-planned entry points are not designated and monitored. This control weakness increases the risk of unauthorized access to other RTP campus facilities and computer equipment, because these areas lack implemented compensating controls present at the NCC. Recommendations: 8) We recommend that the Director of the Office of Administration and Resources Management (OARM) at RTP implement detailed policies and procedures regarding the re-entry of staff to the RTP campus and buildings after an event that would trigger an emergency evacuation. Agency's Response andKPMG's Evaluation: Management concurs with the recommendation. Management officials stated that procedures are currently being written requiring all employees to badge in upon reentry into the buildings after an emergency evacuation. Computer Room Sign-in Procedures We noted that there is no sign-in sheet for visitors to other computer rooms outside the NCC or to several media storage rooms. Access to the rooms is currently logged by the badge access card system, but the system does not log visitor access. A sign-in sheet is a key operational control because it serves as a visitor registry, providing auditable documentation containing the date of visit, the visitor's name, company, purpose of visit, local employee escorting the visitor, time of arrival, and time of departure. This documentation provides a means for management to assign accountability to the employee escorting the visitor and to each individual for actions occurring in the computer room. Generally, this issue existed because the computer rooms outside of the NCC and media storage rooms were not originally designed as computing facilities and do not generally have visitors. Subsequent to the completion of fieldwork, we met with EPA officials to discuss this finding. Based on our discussions, management took immediate actions to correct this deficiency and implemented a sign-in sheet. We subsequently reviewed management's implementation of the control and found it to be sufficient. RTP Campus Visitor Identification Per inspection and observation, we noted the following issues that, if corrected, could help enhance the physical security controls at the RTP campus: • Perimeter gate security guards did not consistently stop vehicles with a permanent (non- visitor) parking pass and check the vehicle occupants' identification. Rather, the perimeter gate security guards place assurance in the removable vehicle-parking pass. 9 ------- • Perimeter gate security guards did not inspect the identification of all vehicle occupants for vehicles with a visitor parking pass. We noted on several occasions that the guards inspected the identification of the driver only and not the passenger. Additionally, our test, of the "identification verification" process, revealed that a vehicle was allowed onto the RTP campus without the occupants' identification being properly checked. • Internal building security guards did not consistently verify RTP visitor's identification. Once a visitor has passed through the security screening station, they are allowed to approach the front desk to sign the visitor log and state their purpose, which will then be verified by the security officer. However, our walkthrough determined that the security officer did not consistently verify or check identification. • Unmanned entry points are not properly controlled. On several occasions at different locations, we were able to gain access through unguarded side doors controlled by the badge access card and video surveillance systems by following behind EPA employees who gained authorized building access "piggybacking. " We noted that these issues occurred because the RTP security guards are not required to verify the identification of each vehicle occupant, and that security guards are not verifying permanent parking decals assigned to RTP employees. Also, the security guards are not consistently following procedures for verifying visitor's identification, and access to other campus buildings and the NCC is not limited to the main entrance. Therefore, employees and contractors may enter through doors with no security guard presence. Although compensating controls exist, such as a security guard presence and 24 hour monitoring of campus entry and exit points for vehicles, there is an increased risk that unauthorized individuals may gain inappropriate access to sensitive campus areas. Recommendations: We recommend that the Director of OARM at RTP: 9) Issue guidance to remind the security guards at RTP campus entrances to randomly inspect the identification of all occupants in vehicles entering the campus. 10) Ensure that guards randomly check that the permanently assigned parking passes correspond to the appropriate individual. 11) Conduct periodic checks to ensure that procedures are consistently followed for verifying visitor identification. 12) Provide, periodically, additional security training to other RTP program offices' employees/contractors addressing good physical security practices. The training should include lessons on challenging persons whom are attempting to enter the building without a RTP badge, not allowing individuals to piggyback through unguarded doors, other security concerns. 10 ------- Agency's Response andKPMG's Evaluation: Management concurred with these findings and indicated that they are taking steps to improve physical access security. Management also indicated that various checks have been conducted during conferences held at RTP and coordination has been done to inform personnel of a heightened security posture and asking them to not allow others to "piggyback" into the building once one person badges through a door. 11 ------- Chapter 3 Service Continuity/Contingency Planning Losing the capability to process, retrieve, and protect information maintained electronically can significantly affect an agency's ability to accomplish its mission. For this reason, an agency should have: 1) procedures in place to protect information resources and minimize the risk of unplanned interruptions and 2) a plan to recover critical operations should interruptions occur. These plans should consider the activities performed at general support facilities, such as data processing centers and telecommunications facilities, as well as the activities performed by users of specific applications. To determine whether recovery plans will work as intended, they should be tested periodically in disaster simulation exercises, understood by personnel with key responsibilities, and supported by management and staff throughout the organization. KPMG conducted a review of service continuity/contingency planning controls surrounding select financial and mix-financial applications located at the RTP campus. We noted that the Chief Information Officer (CIO) issues high-level policy and guidance regarding EPA's contingency planning strategies. Program offices are responsible for implementing controls to comply with the CIO policy and guidance, such as contingency plan development and testing. The NCC provides service continuity services for many mission critical EPA applications through the Disaster Recovery Services (DRS) program, which is a fee for service arrangement through EPA's working capital fund. In addition, program offices that do not subscribe their applications to the DRS are required to implement full contingency planning strategies for their applications. Therefore, program offices should coordinate closely with NCC officials, as NCC hosts many of the financial and mixed-financial applications. During our audit, we noted conditions associated with the following areas which increased the risks to EPA's service continuity/contingency planning strategy: • Business Impact Analysis (BIA) • Application Contingency Planning • Authorization to Move Tapes to the Alternate Storage Facility • Local Alternate Processing Site Access • Environmental Controls Business Impact Analysis We noted a formal BIA for the NCC has not been conducted to address the identification and prioritization of critical data and operations for major applications. Consequently, the NCC does not have a BIA, approved by senior leadership that reflects the current information technology processing conditions. NCC is critical because it provides large-scale computing services for EPA nationwide, including financial reporting applications. Additionally, the NCC supports 12 ------- EPA program offices by providing supercomputing resources for research in its environmental studies. Although EPA established formal policies, procedures, and guidance for developing BIAs, the NCC did not complete the analysis. Without performing a BIA, there are risks that EPA may not be fully characterizing the necessary system requirements, processes, and interdependencies for its information technology contingency planning and business continuity strategies. Such risks could have a significant impact should a major outage occur. Recommendations: We recommend that the Director of the OTOP: 13) Reiterate the importance of completing the BIA to system owners through existing training vehicles and established policies, procedures, and guidance. 14) Conduct a BIA at the NCC that is consistent with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-34, and utilize the results to conduct a forum with the appropriate EPA program offices leadership to facilitate a decision-making process on the program offices' behalf on updating and/or modifying their current contingency planning and business continuity strategies. Agency's Response andKPMG's Evaluation: Management agreed with the finding to conduct a BIA at the NCC. However, management did not agree that additional training is necessary since the Agency has already documented the requirement to conduct BIA and conducted contingency planning training at the 2004 Security and Operations conference. However, during our testing, personnel we interviewed were not aware of the policies, procedures, and guidance. As such, we believe additional efforts are necessary to help ensure personnel are aware of the requirements and management's commitment to develop a BIA for the NCC. Application Contingency Planning Although, in some cases, the reviewed contingency plans contained many of the necessary elements, eleven of the twelve plans did not fully comply with relevant Federal or EPA requirements. We noted that the following areas needed improvement: Applications Included in DRS: We noted that for the applications included in DRS, the contingency plans did not consistently identify all elements guided by NIST SP 800-34. For example: 13 ------- • The NCC DRS contingency plan for the Integrated Financial Management System (IFMS); Management and Accounting Reporting System (MARS); and the Combined Payroll Redistribution and Reporting System (CPARS), does not clearly identify the: 1) alternate processing procedures and 2) critical requirements for hardware, software, telecommunications, office facilities, and offices supplies. In addition, it was difficult to determine which steps in the plans related to the recovery of the three applications, nor had the plan been updated since PeoplePlus replaced the CPARS application. Finally, we noted that the contingency plan test results did not include definitive results regarding the recovery of the applications. • The NCC contingency plan does not contain a section on reconstitution and returning to normal operations. • The PeoplePlus contingency plan does not list primary and secondary contacts; although the contacts are included in the Critical Applications Disaster Recovery Plan. Furthermore, neither plan clearly specifies which of the two plans would be in operation should an outage occur. Applications Not Included in DRS: • We noted that the following applications, not subscribing to the NCC DRS program, contained contingency plan information in the application's security plans: > Integrated Grants Management System (IGMS); > Travel Manager +; > Financial Data Warehouse (FDW); > Working Capital Fund (WCF); and > Bank Card. However, the information was vague, incomplete, and/or inconsistent regarding some contingency plan procedures. For example, the IGMS security plan contains a contingency planning section that indicates how critical IGMS is to EPA, but it does not contain detailed procedures for how the system would be recovered during an outage. In addition, the security plans for Travel Manager +, FDW, WCF, and Bank Card do not document detailed steps to recover application hardware, software, or telecommunications, and the contingency information does not identify alternative processing locations for the applications. In addition, for the applications that had separate contingency plans, the level of detail in these plans was not consistent with Federal and EPA requirements. For example: • The Budget Automation System (BAS) is not referenced in the Office of the Chief Financial Officer (OCFO), Office of Budget contingency plan. In addition, in reviewing the OCFO's Annual Planning and Budget Division Disaster Preparedness and Recovery Guide - Budget Automation System, version six, we noted many incomplete elements. These incomplete elements included the emergency telephone list and listings of vendors, suppliers, and other service providers. Such inconsistencies and incomplete information can present significant 14 ------- challenges for EPA should a significant BAS outage occur, as some in the organization may believe that BAS has a well-documented recovery strategy, when in fact the planning efforts are inconsistent and incomplete. • The Comprehensive Environmental Response, Compensation and Liability Information System (CERCLIS) contingency plan does not identify critical resources needed during an outage (e.g., personnel, telecommunications, and hardware and office facilities and supplies). In addition, the contingency plan's recovery test does not address the recovery of the application. We were also unable to determine whether contracts are in place for the restoration of the application. • The Office of Research and Development Management Information System (OMIS) contingency plan call tree contained only business phone numbers for essential personnel, and did not include the information that should be relayed to the personnel. In addition, we noted that the recovery operations section of the contingency plan did not adequately document the steps necessary to restore operations, and it did not document whether the contingency plan had been tested. Subsequent to our review, OMIS took immediate action to remedy these conditions. These various issues appear to have occurred because of inconsistency in training for relevant contingency planning officials. For example, for the applications that are not part of the DRS program, EPA officials informed us that any contingency planning efforts and agreements are the responsibility of the application owner, thereby increasing the possibility of developing and implementing contingency plans and procedures that are inconsistent with relevant Federal and EPA requirements. These application contingency plan weaknesses are critical for EPA, because without documenting the essential operations and supporting resources, management may not be able to: 1) predict the negative effects of lost data and interrupted operations and 2) determine how long specific operations can be suspended or postponed. Additionally, without current and complete application contingency plans, management may not be able to efficiently recover from unplanned service interruptions. Recommendations: We recommend that the Director of OTOP: 15) Use existing training vehicles to remind all EPA application owners about the importance of: 1) developing application contingency plans/procedures in accordance with Federal and EPA requirements, 2) documenting test results, and 3) revising the contingency plans/procedures based on the test results. 16) Ensure that the NCC DRS contingency plan is updated and tested on an annual basis. The updated NCC DRS contingency plan should identify: 1) applicable recovery steps for IFMS, MARS, and PeoplePlus; 2) alternate processing procedures; 3) critical requirements; and 4) definitive test results regarding the recovery of all applications. 15 ------- 17) Revisit the NCC contingency plan and ensure it contains a section on reconstitution and returning to normal operations. We recommend that the Office of the Chief Financial Officer ensure that the: 18) Director, Office of Financial Services revises the PeoplePlus contingency plan to: 1) contain primary and secondary personnel information consistent with the Critical Applications Disaster Recovery Plan, and 2) clearly describe which plan takes precedence during a recovery process. 19) Director, Office of Financial Management revises contingency plans for all of their applications not subscribing to the NCC DRS plan (e.g., Financial Data Warehouse), in accordance with relevant Federal and EPA requirements. 20) Director, Office of Budget revises the BAS contingency plan to contain an emergency contact list and listings of vendors, suppliers and service providers. We recommend that the Director of the Office of Solid Waste and Emergency Response: 21) Revisit CERCLIS contingency plan and ensure that it: 1) identifies critical resources; 2) ensures the recovery test addresses all elements of application recovery; and 3) specifies which contracts are in place for the restoration of the application. Agency's Response andKPMG's Evaluation: In general, all the affected program offices agreed with our findings and recommendations. However, OEI requested that recommendations to correct the noted contingency plan weaknesses be addressed to the applicable program office. Further, OEI disagreed with the recommendation to analyze all contingency plan test results, adjust contingency plans and send a "lessons learned" report to senior management. OEI also did not agree with the recommendation to establish monitoring procedures to ensure that application contingency plans are tested at least once every year, because OEI already has such a procedure in place and uses the ASSERT system to track the status of contingency plan testing. KPMG agrees that guidance is available to EPA program offices related to the development of contingency plans. However, given that we identified inconsistent approaches within the program offices for developing and testing contingency plans, we believe that additional management emphasis and training is necessary. Subsequent to the completion of fieldwork, management officials, in several cases, provided additional documentation, such as updated contingency plans and details regarding EPA's contingency planning practices. KPMG inspected this information and where appropriate modified this finding. 16 ------- Authorization to Move Tapes to the Alternate Storage Site The alternate storage site serves as a temporary storage location for backup tapes being sent from NCC to the backup tape storage vendor. We inspected the logs tracking the movement of backup tapes between NCC and the alternate storage site and noted that there is no documented authorization to move the tapes, although there are comparable logs tracking the movement of backup tapes from the alternate storage site to tape store vendor. According to RTP officials, the movement of backup tapes from the NCC to the alternate storage site is an informal process, and there are only a few people involved in the process, which limits the risk. For example, there is one primary person and one alternate person authorized to approve the moving of tapes between the NCC and the alternate storage site. Consequently, formal procedures for this process have not been developed. We recognize that the limited number of people involved in this process reduces the risk. However, there is an increased risk that accountability for the tapes may be lost if there is no documented authorization supporting the movement of tapes. Recommendation: 22) We recommend that the Director of OTOP implement a procedure and control whereby the backup tapes being sent from NCC to the alternate storage site have documented authorization for movement. Agency's Response andKPMG's Evaluation: Management concurs with the recommendation and indicated OEI will document procedures to authorize movement of backup tapes from NCC to the alternate storage site. Local Alternate Processing Site Access The local alternate processing site is utilized as a continuity of operations facility for the NCC data center and is located on the border of the RTP campus. Additionally, the site contains research equipment and serves as a general warehouse. The NCC has one room designated as a contingency facility for emergency situations, and this room is equipped with several operational computers, telephones, and one television. However, we noted that the site lacks an active security monitoring process, such as camera surveillance or security guards. The security present at the facility consists of badge access card system, which is used to control entry. EPA officials indicated that a previous physical security assessment categorized the facility as low risk, therefore not requiring a strong security presence. Additionally, EPA officials indicated that should an event occur that raises the threat level of the campus, additional guards and security measures would be deployed at all facilities. The emergency response process for the facility is dependant on the threat level to the campus, which is directed by the Department of Homeland Security threat level. However, by not actively controlling access to the facility, there 17 ------- is an increased risk that unauthorized individuals may gain inappropriate access to a sensitive area, especially during a continuity of exercise or actual continuity of operations activities. Recommendation 23) We recommend that the Director of the NCC coordinate with the Director of OARM at RTP to document the expected physical security controls for the local processing site in the event of an emergency and include these procedures in the National Computer Center's contingency plan. Agency's ResponseKPMG's Evaluation: OEI concurs with the recommendation, and agreed to work with OARM to assess the risks, costs and benefits to make a risk-based decision on additional controls. OARM responded by stating that a Physical Security Assessment of the RTP main campus facility was performed in 2004, which identified the facility as a "LOW Threat Level Facility." Based on this finding, OARM decided to mitigate this risk by including some of these corrections in a future lease agreement KPMG recognizes EPA's need to implement cost effective security controls to mitigate risks. However, the acceptance of risks should be coordinated, documented, and approved by appropriate senior Agency officials. As such, we believe that OARM's rationale for accepting the risks associated with the local processing site should be formally documented and communicated to all affected Agency offices so that appropriate contingency planning activities can occur. Based on discussions with Agency officials, we modified the recommendation. Environmental Controls KPMG noted examples where EPA environmental controls at key RTP facilities could be improved: • KPMG noted during the walkthrough of the NCC data center that food and drinks were allowed in the computer areas. This violates posted signs throughout the data center stating that eating and drinking are prohibited. • KPMG noted, during the walkthrough of the computer rooms outside of the NCC, that emergency procedures were not posted in case of fire, plumbing leakage, or premature water release from the sprinklers. Additionally, during our walkthrough of another computer room, we observed a water stain from a previous leak on the ceiling tiles. We also noted that emergency water shut-off values and electric power sources were not easily identifiable. It appears that these issues existed because: 1) EPA management officials have not fully enforced the requirement of not having food and drinks in the NCC data center, and 2) EPA did not develop and implement processes for these critical procedures for the computer rooms outside of the NCC. One computer room was not originally designed to host computer 18 ------- equipment; as such, water lines run through the room thereby increasing the risk of water damage from a leak or burst pipe. Allowing food and drink in the NCC data centers increases the risk that key processing equipment or other materials, such as recovery plans and procedures, could be damaged by a spill. In addition, if the appropriate EPA personnel are not aware of the emergency procedures and can not easily locate the emergency water shut-off values and electrical power sources, EPA personnel may not promptly respond to an emergency to protect the computer equipment in case of a burst water pipe or plumbing leakage. Subsequent to completing fieldwork, RTP personnel provided KPMG with additional documentation regarding environmental controls over the computer rooms. Specifically, KPMG was provided with documents containing bullet-point procedures for both fire and water emergencies in the computer rooms and EPA OIG auditors observed these policies posted in the computer rooms. Additionally, RTP personnel also provided work orders to identify the shut off valves for the water and plumbing lines and for the installation of water detectors. EPA OIG auditors inspected the computer rooms and verified that environmental controls existed. Recommendations: 24) We recommend that the Director of OTOP should make a determination whether to enforce the posted notices regarding not having food and drinks in the NCC data center and remind employees of the policy. If management decides to accept the risk of allowing food and drinks in the data center, then the acceptance of the risk should be documented in the NCC security risk assessment. Agency's Response andKPMG's Evaluation: Management officials agree with our findings and recommendations. OARM at RTP disagreed with implementing compensation controls such as having security guards perform visual inspections of computer rooms. As such, OARM officials provided additional documentation and details regarding its efforts to provide effective environmental controls over the computer rooms. Where appropriate, we modified this finding. 19 ------- Appendix A Criteria The following laws, requirements, and/or guidelines were used as criteria in guiding our review of physical security and service continuity at RTP. • The EPA Information Security Manual states that: > Physical security measures be in place to protect information systems against unauthorized access, theft, or destruction. > Continuity of support and/or contingency plans must be developed. Specifically, the manual requires that: 1) contingency and continuity of support plans should be reviewed and updated on an annual basis and in coordination with COOP planning efforts; 2) recovery plans should be developed for re-establishing a permanent, ongoing processing site; 3) the plans should be tested; 4) EPA should conduct training on the plan and its elements; 5) the plans should be documented; and 6) the plans should be periodically re- tested and revised. > Food, smoke, heat, and excess moisture can damage equipment. • The Federal Information Security Management Act (FISMA), issued as part of the E- Government Act of 2002, requires Federal agencies to provide information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information collected or maintained by or on behalf of the agency. FISMA further requires Federal agencies to follow information security guidance issued by NIST. • The Federal Manager's Financial Integrity Act (FMFIA) requires Federal agencies to maintain accountability over assets. • National Institute of Standards and Technology's (NIST) Special Publication (SP) 800-12, An Introduction to Computer Security: The NIST Handbook guides that contingency planning should address all the resources needed to perform a function, regardless whether they directly relate to a computer. This will allow an organization to assign priorities to resources since not all elements of all resources are crucial to the critical functions. • NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, guides that organizations should require users to identify themselves uniquely before being allowed to perform any actions on the system. • NIST SP 800-34, Contingency Planning Guide for Information Technology Systems guides that: 20 ------- > The completion of a BIA is a key step in the contingency planning process, as it helps identify and prioritize critical information technology systems and components. According to NIST, the BIA enables the organization to fully characterize the system requirements, processes, and interdependencies and use this information to determine contingency requirements and priorities. The BIA purpose is to correlate specific system components with the critical services that they provide, and based on that information, to characterize the consequences of a disruption to the system components. Results from the BIA should be appropriately incorporated into the analysis and strategy development efforts for the organization's contingency planning and business continuity strategies. > Contingency plan testing is a critical element of a viable contingency capability, and each element of the contingency plan should be tested, first individually and then as a whole, to confirm the accuracy of individual recovery procedures and the overall effectiveness of the plan. Additionally, it states that this testing should occur at least annually and when significant changes occur to the IT system, supported business process(es), or the IT contingency plan. > Common fire prevention measures include water sensors in the computer room ceiling and floor. • NIST SP 800-53, Recommended Security Controls for Federal Information Systems guides that Federal agencies should: > Develop and keep current lists of personnel with authorized access to facilities containing information systems and issue appropriate authorization credentials (e.g., badges, identification cards, smart cards). > Assign designated officials within the organization to review and approve access lists and authorization credentials per a defined time period, but at least annually. > Centrally monitor real-time intrusion alarms and surveillance equipment, and employ automated mechanisms to ensure potential intrusions are recognized and appropriate response actions initiated. > After an emergency-related event, restrict reentry to facilities to authorized individuals only. > Authenticate visitors (including government contractors) prior to authorizing access to facilities or areas. > Maintain a visitor access log that includes: (i) name and organization of the person visiting; (ii) signature of the visitor; (iii) form of identification; (iv) date of access; (v) time of entry and departure; (vi) purpose of visit; and (vii) name and organization of person visited. NIST further guides that designated officials within the organization should review the access logs. 21 ------- > Consider surveillance and security guards as key physical access controls. • Office of Management and Budget (OMB) Circular Number A-123, Management Accountability and Control, requires that accountability for the custody and use of resources be assigned and maintained. • OMB Circular A-13 0, Management of Federal Automated Information Resources, guides that agencies shall: > Implement and maintain a program to assure that adequate security is provided for all agency information collected, processed, transmitted, stored, or disseminated in general support systems and major applications. > Establish policies and assign responsibilities to assure that appropriate contingency plans are developed and maintained by end users of information technology applications. The intent of such plans is to assure that users continue to perform essential functions in the event their information technology support is interrupted. 22 ------- Appendix B Applications Reviewed Application Pro^niin Office Description M:i.jor Application Risks 1. BAS (Budget Automation System) Office of the Chief Financial Officer (OCFO) BAS is the central Agency system used to integrate strategic planning, annual planning, budgeting, and financial management. The system contains resource (dollars and FTE), planning and performance data. The system supports budget formulation, annual planning and operating plan development. BAS links to the IFMS to send the Agency's Initial Operating Plan in the format of IFMS Appropriation & Apportionment (AA) documents. BAS receives from IFMS the revised operating plan and actual obligations/outlays data. Yes High 2. CERCLIS (Comprehensive Environmental Response, Compensation and Liability Information System) Office of Superfund Remediation and Technology Innovation (OSRTI) The Agency's system for supporting the Superfund program. CERCLIS receives downloads of IFMS Superfund financial transactions. This is not an OCFO application and no information from this system is sent to the Integrated Financial Management System (IFMS). Yes High 3. CPS (Contracts Payment System) Office of the Chief Financial Officer CPS is an NCC mainframe application with AD ABAS database. The application tracks and pays EPA contractors. This application is a subscriber to the NCC Disaster Recovery Program. Yes High 4. MARS (Management and Accounting Reporting System) Office of the Chief Financial Officer MARS provides standard and ad hoc financial reports based on data from IFMS. The source for the MARS data is the IFMS journal. It is run out of the NCC and is an ADABAS/Mainframe application. Yes High 23 ------- Application IVo^nim Office Description M:i.jor Application Risks 5. IGMS (Integrated Grants Management System) Office of Administration and Resources Management (OARM) IGMS is the Agency's system for the processing and management of all forms of assistance agreements with State and local governments, non-profit organizations, educational institutions, and individuals, as well as interagency agreements with other Federal agencies. IGMS receives commitment data from IFMS. This Lotus Notes application is owned by the Grants Department. Yes High 6. OMIS (Office of Research and Development Management Information System) Office of Research and Development (ORD) OMIS is comprised of five independent modules. Only the Integrated Resource Management System (IRMS) interface with IFMS. The real-time interfaces are used to electronically transmit transactions (commitment and reprogramming) to IFMS. Extract files are created after the nightly IFMS close to bring down to IRMS the approvals/disapprovals of the reprogramming transactions as well as operating plan, commitments, obligations, and expenditures from the Suballowance Spending Control Inquiry Table (SASP) and General Ledger tables. Yes High 7. TM+ (Travel Manager +) Office of the Chief Financial Officer TM+ is a COTS product used to streamline and fully automate the Agency's travel process. TM+ sends Travel Order (TO) and Travel Voucher (TV) documents to IFMS. TM+ automates the travel process for EPA. It was developed by Gelco and runs on its own servers. The application will be phased out in September 2006 when E-Travel (a.k.a. GovTrip) is implemented. EPA had one of three choices in the replacement of TM+ and opted for the Northrop Grumman GovTrip web- based application. Yes High 24 ------- Application Program Office Description Major Application Risks 8. WCF (Working Capital Fund) Office of Environmental Information (OEI) WCF Service Providers generate monthly entries to record depreciation, cost transfers, and application of Overhead and G&A as well as customer billing information. They transmit that data automatically via an interface file containing Asset Voucher (AV)/Month End Adjustment Voucher (MV), and Project Charge (CH) documents to IFMS. All information is placed on the IFMS SUSF table for the RTP, FMC staff to review and process online or through batch mode. Any errors found are researched and corrected prior to processing. WCF is run by the Office of Technology Operations and Planning (OTOP) group. Some servers are maintained at RTP, however OCFO does not know what is contained on them. Regular backups are performed for the application. Yes High 9. IFMS (Integrated Financial Management System) Office of the Chief Financial Officer IFMS is a mainframe application hosted at the NCC. It is the EPA's core financial system and does subscribe to Disaster Recovery services at the NCC. Yes High 10. People Plus Office of the Chief Financial Officer and the Office of Human Resources and Organizational Services (OHROS) EPA's new payroll processing system. People Plus is a co-owned system between the OCFO and the OHROS. The application is hosted at the NCC on a UNIX machine. Yes High 11. Bankcard Office of the Chief Financial Officer Bank Card Interface System was developed to properly allocate funds in paying for items purchased with credit cards. The daily files of transactions are maintained on an Oracle Database with an upload to the financial statements. The application has a web interface to allow users the ability to see payments and obligations. No Medium 25 ------- Application Program Office Description Major Application Risks 12. Financial Data Warehouse (FDW) Office of Financial Management and Office of Financial Services FDW houses periodic snapshots of IFMS data to provide reporting capability. The FDW offers standard reports from IFMS, EPAYS, CPARS and CPS. Access to FDW is controlled by FSD. The application is hosted at NCC on a Unix NIX Digital machine with Oracle 8.1 database tables. Yes High 26 ------- Appendix C Distribution Office of the Administrator Director, Office of Technology Operations and Planning Director, Office of Administration and Resources Management at RTP Director, Technical Information Security Staff Director, National Computer Center National Computer Center Security Operations Manager Agency Follow-up Coordinator Audit Follow-up Coordinator, Office of Administration and Resources Management Audit Follow-up Coordinator, Office of Environmental Information Audit Follow-up Coordinator, Office of the Chief Financial Officer Audit Follow-up Coordinator, Office of Research and Development Audit Follow-up Coordinator, Office of Solid Waste and Emergency Response General Counsel Associate Administrator for Congressional and Intergovernmental Relations Association Administrator for Public Affairs Inspector General 27 ------- Appendix D Office of Environmental Information Draft Report Response from the Office of Environmental Information (OEI) October 21, 2005 MEMORANDUM FROM: Kimberly T. Nelson /s/ Assistant Administrator and Chief Information Officer TO: Rudolph M. Brevard Acting Director, Business Systems Audits Office of Inspector General Thank you for the opportunity to respond to the draft audit report on Information System Service Contingency and Physical Access Controls. We appreciate your efforts to hold informational meetings to ensure clarity of your findings and recommendations and to give us an opportunity to recommend revisions. As we discussed at the informational meetings on October 4, 2005, we have concerns about some of the findings and recommendations regarding the physical access and information system service contingency findings. We conveyed these concerns to your staff at the October 4 meeting and appreciate their receptivity to ensuring that the findings are accurate and that the final recommendations will effectively address real deficiencies. Our detailed comments are attached. Please feel free to contact George Bonina, Director of the Technology and Information Security Staff and Chief Information Security Officer at 202- 566-0304, if you have any questions or need additional information. Attachment cc: Linda Travers Mark Day Myra Galbreath George Bonina Robin Gonzalez John Gibson Physical Access Contractor Access Badges 28 ------- OEI agrees with the finding that 29 badges were identified as contractor temporary badges not assigned to a specific individual. The NCC developed a procedure for issuing contractor temporary badges as a result of a prior audit finding that the data center had too many people with permanent access. Consequently, NCC issues contractor temporary badges for personnel whose data center access frequency is less than three times per week. OEI disagrees with the finding that these contractor temporary badges have no names associated with the badges. Unescorted temporary badges are only assigned if the individual's name appears on a predefined controlled access list, maintained in the data center. As each temporary badge is issued, the individual's name is entered in a visitor access control log. OEI disagrees with the finding that the temporary badges are not kept in EPA facilities. All badges are maintained at the NCC. OEI disagrees with the finding that there is no formal process for identifying the contractor using the badge. The formal process for issuing and documenting temporary badges is in place as described above. OEI disagrees with the finding that contractors do not identify specific individuals to support the NCC in cases of each emergency, and that the NCC issues generic access badges to the contractor companies rather than to specific individuals. Any contractor who does not currently have a permanently issued badge or whose name does not exist on the pre-defined access control list is required to have an escort during their presence in the data center. Each of these individuals must be identified by the vendor prior to their arrival. OEI disagrees with recommendation (1); given the existence of the current process that explicitly associates all badges and access to the NCC with individual identification. OEI agrees with recommendation (2) to conduct more frequent reviews of contractor access to the data center. NCC Data Center Door Alarm OEI agrees with this recommendation. Local Alternate Processing Site Access OEI will work with OARM to assess the risks, costs and benefits to make a risk-based decision on additional controls. Service Continuity/Contingency Planning Completion of the BIA 29 ------- OTOP conducted training on contingency planning at the 2004 Security and Operations Conference. Staff from OTOP's Technology and Information Security Staff (TISS) provide support to system owners on an ongoing basis. Since there is already a well-documented EPA requirement to conduct BIAs, the recommendation to document that requirement (18) is not necessary. The recommendation to conduct additional training on contingency planning (17) is not necessary due to the clarity of the NIST document, OEI's supplemental guidance, the prior training conducted by OTOP and the availability of TISS support to program offices. OEI agrees with the recommendation that the NCC conduct a BIA (19). OEI disagrees with the recommendation to conduct a forum with EPA program offices leadership to update/modify current contingency planning and business continuity processes (19). This audit contains no finding that would be addressed through this recommendation. Application Contingency Plan Weaknesses OEI Response Most of the recommendations appear to be based on an incorrect conclusion that problems with individual system contingency plans are the result of a systemic problem with the Agency-wide contingency planning program. As noted above, it appears that the auditors were not aware of the Agency procedures and guidance on contingency planning. OEI believes that it is inappropriate to place the responsibility for correcting deficiencies in program office system contingency plans on the OTOP Director. Placing this responsibility on the OTOP Director is in contradiction to FISMA which places the responsibility for system security on program officials for systems under their control. Therefore, OEI believes that recommendations (24) and (26) thru (30) should be directed to the Assistant Administrator of the appropriate office. OEI believes that the recommendation to analyze all contingency plan test results, adjust contingency plans and send a "lessons learned" report to senior management (25) is unnecessary because there is nothing in the audit findings to support a conclusion that there is a systemic problem to be addressed through this recommendation. Also, consistent with FISMA, analyzing test results and adjusting plans is the responsibility of the program officials. For reasons noted above, OEI disagrees with the recommendation to provide consistent training to all EPA application owners (20). It is not clear why the recommendation to establish monitoring procedures to ensure that application contingency plans are tested at least once every year or more often (21) is included since the findings identify only one plan that may not have been tested. This recommendation is also unnecessary because OEI already has such a procedure in place. OEI uses the ASSERT system to track the status of contingency plan testing. This percentage of systems with tested contingency plans is measured on the E-gov scorecard of the President's Management Agenda as 30 ------- well as an OMB performance measure that is reported quarterly to OMB. For the FY 2005 Annual FISMA report to OMB, EPA reported that 97% of the Agency's major applications and general support systems had tested contingency plans. OIG auditors have access to ASSERT and can verify this information. OEI agrees with recommendations (22) and (23). Authorization to Move Tapes to Alternate Storage Facility OEI Response: OEI will document procedures to authorize movement of backup tapes from NCC to a local storage facility. Environmental Controls OEI Response: OEI agrees with recommendation (32) to address the risks of food and drinks in the NCC data center. OEI will work with OARM to assess the risks, costs and benefits to make a risk-based decision on additional controls (33). OARM Response: OARM will respond directly to the IG in a separate document. 31 ------- Appendix E Office of Administration and Resources Management Draft Report Response from the Office of Administration and Resources Management at RTP (OARM) October 25, 2005 MEMORANDUM SUBJECT: OARM Response to Draft Audit Report: Audit of Information System Service Contingency\Continuity and Physical Access Controls of EPA's Financial and Mixed-Financial Systems that Reside at Research Triangle Park Assignment/Project No: 2004-001383 FROM: William G. Laxton, Director /s/ Office of Administration and Resources Management, RTP (C604-02) TO: Vincent Campbell, Auditor/Project Officer Office of Inspector General (242IT) The enclosed report addresses the recommendations identified in the original audit report for OARM-RTP action. Our reply addresses each recommendation for Chapters 2 and 3. The point of contact for Chapter 2, Physical Access, is Sam Pagan, (919) 541-5001; for Chapter 3, Service Continuity/Contingency Planning, the contact point is Alex Montilla (919) 541-0324. Attachment 32 ------- Chapter 1: Overview No findings or recommendations requiring OARM lead Chapter 2: Physical Access With regard to: Evacuation Re-Entry: Recommendation 8: Coordinate the implementation of detailed policies and procedures regarding the reentry of staff to the campus and buildings after an event that would trigger an emergency evacuation, (from page 5 of draft report) Response: Procedures are currentlv being written requiring all employees to badge in upon reentry into the buildings after an emergency evacuation. Recommendation 9: Provide additional security training to employees/contractors addressing good physical security practices; such as challenging persons whom are attempting to enter the building without an EPA badge, (from page 5 of draft report) Response: Emplovees at RTP have been reminded of these procedures through various all hands memos informing them of a heightened security posture and asking them to not allow others to piggyback in to the building once one person badges through a door. We will continue to inform our employees of these procedures through other means of communication. With regard to: RTP Computer Room Visitor Identification: Recommendation 10: Coordinate with the applicable program offices to consistently enforce policies and procedures that would require all visitors entering the computer room in building C, to sign a visitor log which should be maintained and kept on file, (from page 6 of draft report) Response: On 21 Julv 2005 OARM posted access logs in each of the four computer rooms (C160, C131, C240 and N147) to include the main distribution facility (C160A). The policy was disseminated to system administrators via email directing that all visitors escorted into server rooms and the MDF sign in and out of the rooms accordingly. Escorts are required to record their identification badge number by each of their visitor's information. Recommendation 11: Ensure the consistent enforcement of policies and procedures that would require all visitors entering the silo room at the local storage facility to sign a visitor log which should be maintained and kept on file, (from page 6 of draft report) Response: Though this recommendation is made to OARM, the silo room in question is operated by the NCC. This recommendation should be addressed by OEI-OTOP. OARM has coordinated this finding with the appropriate NCC personnel and has provided an electronic copy of its computer room access log 33 ------- accordingly. OARM security will coordinate with the Director of OTOP to establish a procedure that would require everyone entering the silo room to sign a visitor log. With regard to: Campus Visitor Identification: Recommendation 12: Issue guidance to remind the security guards at RTP campus entrances to inspect the identification of all vehicles and individuals entering the campus, (from page 7 of draft report) Response: Security into the RTP campus is based on a two tiered system. The first tier is a preliminary check at the gates. This check makes sure that each vehicle entering the RTP campus has an authorized vehicle pass. Visitors are issued a one day vehicle pass upon presenting proper identification. A more thorough security check is conducted during our second tier check. Each visitor is checked at the entrance to each of our main buildings. Visitors must go through a magnetometer and show proper identification prior to gaining entrance to our buildings. Recommendation 13: Ensure that guards check that the removable parking passes correspond to the appropriate vehicle/individual, (from page 7 of draft report) Response: Our main securitv check is conducted at the entrance to each one of our buildings and not at the gates. The main reason is that the RTP campus has a very porous perimeter. The gates are the principle way to get into the campus but there are many ways to enter through the wooded areas surrounding the campus. Because of this, we conduct our personnel security checks at the entrance to our buildings. Delivery trucks are stopped by bollards and another security gate inside the main campus. This gate is also manned by a security guard. Delivery trucks are not allowed through the bollards until positive identification of the driver and the program expecting the delivery is made. Recommendation 14: Ensure that procedures are consistently followed for verifying visitor identification, (from page 7 of draft report) Response: Various checks have been conducted during conferences held at RTP to assure the correct visitor procedures are followed. Recommendation 15: Coordinate with other RTP program office to provide additional security training to employees/contractors addressing good physical practices; such as Response: Coordination has been done via various all hands memos informing them of a heightened security posture and asking them to not allow others to "piggyback" into the 34 ------- challenging persons whom are attempting to enter the building without a RTP badge, (from page 7 of draft report) building once one person badges through a door. We will continue to inform our employees of these procedures through other means of communication. With regard to the alternate processing site: Recommendation 16: We recommend that the Director of OTOP and Director of OARM at RTP coordinate to develop a strategic plan to deploy security controls at the alternate processing site facility in the event of an emergency. Alternatively, the Director OTOP and the Director of OARM should coordinate to accept the security risk of the facility, and document the risk in the facility security risk assessment, (from page 8 of draft report) Response: The Physical Security Assessment of the Research Triangle Park's (RTP) Main Campus Facility done in 2004 identified the local processing site facility as a "LOW Threat Level Facility". Based on this finding, we decided to mitigate this risk by including some of these corrections in a future lease agreement. Additionally, we decided to "accept the risk" of not having a visitor control system in place. One of the many functions done at local processing site is the initial drop-off of all incoming mail and packages into our facilities. These items are then x-rayed at the warehouse before they are delivered to our other facilities by our contractor. Furthermore, deliveries to the local processing site are made by different companies and drivers each day. We chose to accept this risk in order to protect our main facilities from vulnerabilities from unknown deliveries. Chapter 3: Service Continuity/Contingency Planning With regard to: Environmental Controls: Recommendation 33: Install the equipment to implement necessary detective and preventive controls such as the identification of shut off valves for plumbing lines and water sprinklers, installation of water detection equipment, and the development of water emergency procedures that deal with plumbing line leakage and premature water release from sprinklers. Alternatively, compensating controls and related procedures, such as periodic monitoring of the computer room by security guards, should be implemented, (from Response: In FY 2004 OARM installed water detection sensors in all computer rooms (CI60, C131, C240 and N147) as well as the main distribution facility (C160A). Materials have been purchased and procedures are in place to drape plastic over the computer cabinets in each server room should there be a water emergency. OARM has installed a redundant Storage Area Network that performs synchronous mirroring between appliances in Building C and the NCC. OARM has offered this service to OCFO and the other campus program offices as a means of 35 ------- page 16 of draft report) mitigating this water incident vulnerability. The OARM LAN Manager monitors the computer rooms through physical inspection of each area. He tracks UPS Load, Humidity Levels and Temperature as well as looks for leaks in ceiling tile. The O&M contractor is advised of any water present beneath the raised floors and advises the OARM LAN Manager accordingly. The OARM LAN Manager does not recommend that Security Guards (contractors) be allowed into computer rooms or the MDF unescorted. OIG (Cheryl Reid) visited computer rooms in building C to verify that water detectors are in fact installed beneath the raised floor. She has seen the detectors that have been installed and to the best of our knowledge we have satisfied that portion of the recommendation. She recommended that procedures be posted in each room outlining our response actions to a water leak incident. We have submitted and received 5 poster boards containing such procedures for each computer room. Furthermore, we have submitted the work order to identify the shut off valves for the water sprinklers and plumbing lines. The O&M contractor (CHI) is responsible for those systems and would shut off the appropriate valves in the event of any water leaks. Finally, we provided OIG (Cheryl Reid) a copy of reports substantiating our periodic monitoring (weekly) of each computer room. The report substantiates our response that the computer rooms are being actively monitored. In short, we have water detectors in each computer room, we have posted compensating procedures, as well as, perform active monitoring of the computer rooms. 36 ------- Office of Appendix F Research and Development Draft Report Responses from the Office of Research and Development (ORD) November 4, 2005 MEMORANDUM SUBJECT: ORD Response to Draft OIG Report, Audit of Information System Service Contingency/Continuity and Physical Access Controls of EPA's Financial and Mixed-Financial Systems that Reside at Research Triangle Park, No. 2004-001383 FROM: George Gray /s/Lek Kadeli for Assistant Administrator (8101R) TO: Rudolph M. Brevard Acting Director, Business Systems Audits (242IT) Purpose The purpose of this memorandum is to provide the Office of Research and Development's (ORD) comments on the subject draft OIG report. Background/Discussion The draft report dated September 13, 2005, noted several areas which needed improvement. ORD took a proactive approach and immediate action to remedy those areas. Specifically, the ORD Management Information System (OMIS) Contingency Plan (attached) was revised as follows: (1) Appendix A, Personnel Contact List, was updated to include all business, home, and cell phone numbers; and (2) Appendix D, Disaster Recovery Testing, was added to include the type of test, test date, and the result. The revised OMIS Contingency Plan, dated September 26, 2005, was provided to the Office of Environmental Information on October 3, 2005 and to your staff on October 14, 2005. It should be noted that the OMIS Contingency Plan clearly states that the database is exported nightly from Research Triangle Park, NC to our backup servers in Washington, DC. If the contingency plan is put into effect, the Washington, DC servers would be converted to our 37 ------- production servers. We have successfully tested this Plan with the procedures outlined in Appendix C and documented it in Appendix D: Disaster Recovery Testing. Detailed comments are attached that we believe will sharpen the quality and accuracy of the draft report. Should you or your staff have questions or require further information, please have them contact Cheryl Varkalis at 202-564-6688. Attachments (2) cc: LekKadeli Jack Puzak Alice Sabatini Amy Battaglia Jorge Rangel Tom Tracy John Sykes Cheryl Varkalis 38 ------- OR I) Comments on OIG Draft Audit Report Audit of Physical Access and Service Continuity/Contingency Controls for Financial and Mixed-Financial Systems located at the Environmental Protection Agency's (EPA's) Research Triangle Park Campus 1. On page 12 , paragraph 2, line 1, the draft report states: "In reviewing the Office of Research and Development Management Information System (OMIS) contingency plan, we noted that the call tree within the contingency plan contains only business phone numbers for essential personnel, and does not include the information that should be relayed to critical personnel. In addition, we noted that the recovery operations sections of the contingency plan does not adequately document the steps necessary to restore operations, and it does not appear that the contingency plan has been tested." RESPONSE: We request this paragraph be deleted from the report, or the report adjusted to reflect actions already taken by ORD. Discussion: Appendix A: Personnel Contact List, has been updated to include all business, home, and cell phone numbers. The steps necessary to restore operations are contained in Appendix C: OMIS Technical Disaster Recovery Procedures, which details all of the steps necessary to restore operations. This has been tested and noted in OMIS Contingency Plan Appendix D: Disaster Recovery Testing. 2. On page 14, Recommendation 29, the draft report states: "We recommend that the Director of OTOP work collaboratively with the Office of Research and Development to revisit: 29) OMIS contingency plan and ensure that the call tree within the contingency plan contains home phone numbers and cell phone numbers for essential personnel, and it also contains the key information that should be relayed to critical personnel. Further, the OMIS contingency plan should document the steps necessary to restore operations, and should also be tested on a regular basis." RESPONSE: We request this paragraph be deleted from the report, or the report adjusted to reflect actions already taken by ORD. 39 ------- Discussion: Section 3.3, Activation, of the OMIS Contingency Plan, states the key information that is relayed to critical personnel. The steps to restore operations are documented in Appendix C. OMIS Disaster Recovery Testing is included in Appendix D. The most recent test was performed in August 2005; testing will be performed on an annual basis. 3. On page 21, Appendix B, item 6, the draft report states: "OMIS is comprised of six independent modules. Only the Integrated Resource Management System (IRMS) and the Laboratory Implementation Plan (LIP) interface with IFMS. The real-time interfaces are used to electronically transmit transactions (commitment and reprogramming) to IFMS. Extract files are created after the nightly IFMS close to bring down to IRMS the approvals/disapprovals of the reprogramming transactions as well as the operating plan, commitments, obligations, and expenditures from the Suballowance Spending Control Inquiry Table (SASP) and General Ledger tables. RESPONSE: We request the following change to this portion of the draft report: OMIS is comprised of five independent modules. Only the Integrated Resource Management System (IRMS) interfaces with IFMS. The real-time interfaces are used to electronically transmit transactions (commitment and reprogramming) to IFMS. Extract files are created after the nightly IFMS close to bring down to IRMS the approvals/disapprovals of the reprogramming transactions as well as the operating plan, commitments, obligations, and expenditures from the Suballowance Spending Control Inquiry Table (SASP) and General Ledger tables. Discussion: The Laboratory Implementation Plan (LIP) has been retired and is no longer in production. Thus, there are only five independent modules. References to the LIP should be removed. 40 ------- Appendix G Office of Solid Waste and Emergency Response Draft Report Response from the Office of Solid Waste and Emergency Response (OSWER) November 11, 2005 MEMORANDUM SUBJECT: OSWER Response to Draft Audit Report "Audit of Information System Service Contingency\Continuity and Physical Access Controls of EPA's Financial and Mixed-Financial Systems that Reside at Research Triangle Park" Assignment/Project No: 2004-001383 FROM: Barry N. Breen/s/ Deputy Assistant Administrator TO: Rudolph M. Brevard Acting Director, Business Systems Audits Office of Inspector General Thank you for the opportunity to respond to the draft audit report on Information System Service Contingency and Physical Access Controls. We appreciate your efforts to hold informational meetings to ensure clarity of your findings and recommendations and to give us an opportunity to recommend revisions. Our comment on the OIG recommendation is as follows: OIG Recommendation We recommend that the Director of OTOP work collaboratively with the Office of Solid Waste and Emergency Response to revisit CERCLIS contingency plans and ensure that it identifies critical resources; ensure that the recovery test addresses all elements of application recovery; and ensure that contracts are in place for the restoration of the application. OSWER Response We agree with the Office of Environmental Information's (OEI) October 21, 2005 response regarding the recommendation. Over the past year, the Office of Superfund Remediation and Technology Innovation (OSRTI) has worked closely with RTP to centralize the CERCLIS Regional databases. Since then, the Contingency Plan for CERCLIS has been revised. Furthermore, a coordinated effort with RTP has taken place to perform a table-top review of the 41 ------- CERCLIS application. This review was conducted in September 2005. In complying with Agency standards, OSRTI has used the two NIST documents which focus specifically on COOP Guidance. The first Document is 800-84 Guide to Single-Organization IT Exercises describes the procedures for the table-top review. The second guide, NIST 800-34, Contingency Planning Guide for Information Technology Systems describes in detail how to write a COOP Plan. Please feel free to contact Robert King at 703.603.8792 or William Bushee at 703.603.8963, if you have any questions or need additional information. 42 ------- Appendix H Office of the Chief Financial Officer Draft Report Response from the Office of the Chief Financial Officer (OCFO) October 13, 2005 MEMORANDUM SUBJECT: Office of the Chief Financial Officer (OCFO) Response to the Office of Inspector General's (OIG) Information Technology Position Paper #2 - Internal Control - Compliance with Federal Guidelines, Fiscal Year 2005 Financial Statement Audit FROM: Michael W. S. Ryan Deputy Chief Financial Officer /s/ TO: Rudy Brevard Acting Director, Business Systems Audits We appreciate the opportunity to provide written comments on the subject Position Paper. The OCFO remains firmly committed to securing its systems and data in a cost effective manner and in accordance with Federal guidance, EPA policy, and best practices. If you or your staff have any questions or need additional information concerning our response to the subject Position Paper, contact Krista Mainess, Director of the Office of Program Management, at 202-564-5903. cc: Paul Curtis, OIG Bill Samuel, OIG 43 ------- OIG recommendations and corresponding OCFO responses are as follows: OIG Recommendation #1: Responsible office directors provide training to all application owners on the importance of developing, maintaining, and testing contingency plans in accordance with EPA and NIST guidelines and ensure the plans clearly define necessary recovery steps for each application. OCFO Response to Recommendation #1: In accordance with EPA requirements, OCFO mandates role-based training for employees with significant security responsibilities, which includes application owners. In addition, beginning in December 2005, the OCFO will conduct quarterly IT Security Council meetings for application owners. OIG Recommendation #2: Director, Office of Budget revise the BAS contingency plan to contain (1) complete contact information for key personnel and (2) alternate processing and return to normal operations procedures. OCFO Response to Recommendation #2: We will include additional contact information for key personnel in the BAS contingency plan. The full record of contact information will include the individual's team position, name, home, work, and pager numbers, and e-mail address. In addition, we will clearly state the procedures for alternate processing and returning to normal operations. OIG Recommendation #3: Director, Office of Financial Services revise the CPS contingency plan to identify critical recovery requirements and alternate processing procedures. OCFO Response to Recommendation #3: The critical recovery requirements and alternate processing procedures for CPS are provided in the NCC/CPS Critical Applications Disaster Recovery Plan (Sixth Edition, Revision 6-5), dated February 18, 2005. We are providing the following document references for your consideration. • Critical Hardware: Appendix C • Critical Software: Appendix D • Telecommunications: Section 4.6.9.2 • Facilities: Section 5.0 OIG Recommendation #4: Director, Office of Financial Services (OFS) revise contingency plan for People Plus to (1) contain primary and secondary personnel information consistent with the Critical Applications Disaster Recovery Plan and (2) clearly describe which plan takes precedence during the recovery process. OCFO Response to Recommendation #4: The primary and secondary contacts for PeoplePlus are contained in both the OCFO COOP and Critical Applications Disaster Recovery Plan. The OCFO COOP takes affect if a failure occurs 44 ------- in the DC area, in accordance with the Agency's overall contingency plan. On the other hand, the Critical Applications Disaster Recovery Plan takes affect if a failure occurs at RTP. We will ensure the PPL contingency plan clearly states the order of precedence between itself and the Critical Applications Disaster Recovery Plan. OIG Recommendation #5: Director, Office of Financial Management (OFM) revise contingency plans, for all of their applications not subscribing to the NCC DRS plan (e.g. Financial Data Warehouse), in accordance with relevant Federal and EPA criteria and best practices. OCFO Response to Recommendation #5: We are in the process of subscribing to the NCC Disaster Recovery Service for the Financial Data Warehouse. In addition, we will revise the contingency plan for SCORPIOS in accordance with relevant Federal and EPA criteria and best practices. 45 ------- |