$ < 73 \ Ml C PRQrt^ o 2 Lll (3 T OFFICE OF INSPECTOR GENERAL Catalyst for Improving the Environment Audit Report Information Security Series: Security Practices Clean Air Markets Division Business System Report No. 2006-P-00024 May 4, 2006 ------- Report Contributors: Rudolph M. Brevard Charles Dade Neven Morcos Jefferson Gilkeson Scott Sammons Abbreviations ASSERT Automated Security Self-Evaluation and Remediation Tracking C&A Certification and Accreditation CAMDBS Clean Air Markets Division Business System EPA U.S. Environmental Protection Agency FISMA Federal Information Security Management Act NCC National Computer Center OAR Office of Air and Radiation OIG Office of Inspector General OMB Office of Management and Budget POA&M Plan of Action and Milestone RTP Research Triangle Park ------- $ < 73 \ (J T ^ c>s° pRQl^ U.S. Environmental Protection Agency Office of Inspector General At a Glance 2006-P-00024 May 4, 2006 Catalyst for Improving the Environment Why We Did This Review As part of our annual audit of the Environmental Protection Agency's compliance with the Federal Information Security Management Act (FISMA), we reviewed the security practices for a sample of key Agency information systems, including the Office of Air and Radiation's (OAR's) Clean Air Markets Division Business System (CAMDBS). Background FISMA requires agencies to develop policies and procedures commensurate with the risk and magnitude of harm resulting from the malicious or unintentional damage to the Agency's information assets. CAMDBS is the data system EPA uses to support the market-based emissions trading programs. For further information, contact our Office of Congressional and Public Liaison at (202) 566-2391. To view the full report, click on the following link: www.epa.aov/oia/reports/2006 /20060504-2006-P-00024.pdf Information Security Series: Security Practices Clean Air Markets Division Business System What We Found The Office of Air and Radiation (OAR) had substantially complied with many of the information security controls tested. In this regard, OAR developed and tested a contingency plan for the Clean Air Markets Division Business System (CAMDBS) and personnel with significant security responsibility completed the Agency's recommended specialized security training courses. However, our audit identified areas where OAR should place greater emphasis to comply with Federal and Agency information security requirements. We found that CAMDBS, a major application, was operating without (1) an up-to-date risk assessment and (2) effective practices to ensure that all production servers were monitored for known security vulnerabilities. OAR could have discovered the identified weaknesses had the office reviewed its implemented practices for completing these requirements as well as those of the National Computer Center (NCC), the group charged with primary responsibility for monitoring the servers. As a result, CAMDBS officials lacked key security management tools that could be used to proactively identify potential security weaknesses. What We Recommend We recommend that the CAMDBS System Owner: > Conduct a full formal risk assessment of CAMDBS in accordance with Federal and Agency requirements. > Coordinate with the NCC to verify that it is regularly monitoring all CAMDBS production servers for known vulnerabilities at least monthly. > Develop a Plan of Action and Milestone in the Agency's information security weakness tracking system for all noted deficiencies. We recommend that the OAR Information Security Officer: > Conduct a review of OAR's current information security oversight processes and implement identified process improvements. OAR agreed with the findings in the draft report and indicated that the office has moved forward aggressively to implement the recommendations. OAR's complete response is in Appendix A. ------- $ A \ \ Wi UNITED STATES ENVIRONMENTAL PROTECTION AGENCY WASHINGTON, D.C. 20460 OFFICE OF INSPECTOR GENERAL May 4, 2006 MEMORANDUM SUBJECT: Information Security Series: Security Practices Clean Air Markets Division Business System Report No. 2006-P-00024 TO: William Wehrum Assistant Administrator for Air and Radiation This is our final audit report on the information security controls audit of the Office of Air and Radiation's Clean Air Markets Division Business System. This audit report contains findings that describe problems the Office of Inspector General (OIG) has identified and corrective actions the OIG recommends. This audit report represents the opinion of the OIG, and the findings in this audit report do not necessarily represent the final U.S. Environmental Protection Agency (EPA) position. EPA managers, in accordance with established EPA audit resolution procedures, will make final determinations on matters in this audit report. Action Required In accordance with EPA Manual 2750, you are required to provide a written response to this report within 90 calendar days of the date of this report. You should include a corrective action plan for agreed upon actions, including milestone dates. We have no objection to further release of this report to the public. For your convenience, this report will be available at http://www.epa.gov/oig. If you or your staff has any questions regarding this report, please contact Rudolph M. Brevard, Director, Information Technology Audits, at (202) 566-0893, or Charles Dade, Assignment Manager, at (202) 566-2575. BnTATRoderi ck Acting Inspector General ------- Table of Contents At a Glance Purpose of Audit 1 Background 1 Scope and Methodology 2 CAMDBS' Compliance with Federal and Agency Security Requirements 3 Certification and Accreditation 4 System Monitoring for Known Vulnerabilities 4 Recommendations 5 Agency Comments and OIG Evaluation 5 Appendices A Agency Response to Draft Report 6 B Distribution 9 ------- Purpose of Audit Our objective was to determine whether the Office of Air and Radiation's (OAR's) Clean Air Markets Division Business System (CAMDBS) complied with Federal and Agency information security requirements. CAMDBS is the data system EPA uses to support the market-based emissions trading programs. Background We conducted this audit pursuant to Title III of the E-Government Act of 2002, commonly referred to as the Federal Information Security Management Act (FISMA). FISMA requires the Agency to develop policies and procedures commensurate with the risk and magnitude of harm resulting from the malicious or unintentional damage to the Agency's information assets. EPA's Chief Information Officer is responsible for establishing and overseeing an Agency- wide program to ensure the security of its network infrastructure is consistent with these requirements. Program office heads are responsible for ensuring that the security of each major application within their organization is managed in accordance with all appropriate government-wide and EPA-specific information technology policies, procedures, and standards. Program offices should create a Plan of Action and Milestone (POA&M) when it identifies a security control weakness. The POA&M, which documents the planned remediation process, is recorded in the Agency's Automated Security Self-Evaluation and Remediation Tracking (ASSERT) tool. ASSERT is used to centrally track remediation of weaknesses associated with information systems and serves as the Agency's official record for POA&M activity. FISMA requires the Inspector General, along with the EPA Administrator, to report annually to the Office of Management and Budget (OMB) on the status of EPA's information security program. The OIG provided the results of its review to OMB in Report No. 2006-S-00001, Federal Information Security Management Act, Fiscal Year 2005 Status of EPA 's Computer Security Program. During our annual FISMA review, we selected one major application each from five EPA program offices and reviewed the office's security practices surrounding these applications. Our overall review noted instances where EPA could improve its security practices and the OIG reported the results to EPA's Chief Information Officer in Report No. 2006-P-00002, EPA Could Improve Its Information Security by Strengthening Verification and Validation Processes. This audit report is one in a series of reports being issued to the five program offices that had an application reviewed. This report addresses findings and recommendations related to security practice weaknesses identified in OAR. In particular, this report summarizes our results regarding how OAR implements Federal and EPA security policies and procedures. This report also includes our 1 ------- evaluation of how OAR implemented, tested, and evaluated CAMDBS' information security controls to ensure continued compliance with selected information security requirements. The Scope and Methodology section contains the specific information security controls audited during this review. Scope and Methodology We conducted our field work from March 2005 to July 2005 at EPA Headquarters in Washington, DC; and the National Computer Center (NCC), Research Triangle Park (RTP), North Carolina. We interviewed Agency officials at both locations and contract employees at the NCC. We reviewed relevant Federal and Agency information security standards. We reviewed application security documentation to determine whether it complied with selected standards. We reviewed system configuration settings and conducted vulnerability testing of servers for known vulnerabilities. We reviewed training records for personnel with significant security responsibilities. We reviewed the following security practices for CAMDBS: • Security Certification and Accreditation (C&A) Practices — We evaluated whether application security plans, risk assessments, and authorizations for operation complied with Federal and Agency standards. We also reviewed the C&A package to determine whether the security plan was updated and re-approved at least every 3 years and the application was reauthorized at least every 3 years, as required by OMB (Office of Management and Budget) Circular A-130 and EPA policy. • Application Contingency Plans ~ We reviewed whether the contingency planning practices complied with requirements outlined in EPA Directive 2195A1 (EPA Information Security Manual), National Institute of Standards and Technology Special Publication 800-34 (Contingency Planning Guide for Information Technology Systems), and EPA Procedures Document (Procedures for Implementing Federal Information Technology Security Guidance and Best Practices). • Security Controls ~ We reviewed two areas of security controls: (1) system vulnerability monitoring, which included conducting vulnerability testing; and (2) physical controls. The NCC manages the servers that run CAMDBS and provides the primary security controls for the application. Therefore, when evaluating system vulnerability monitoring, we reviewed practices at the NCC. We did not test physical controls at the NCC, because the NCC was undergoing an audit of these controls at the time of our review and the audit found instances where EPA could improve its physical controls at RTP. The OIG reported the results of this audit in Report No. 2006-P-00005, EPA Could Improve 2 ------- Physical Access and Service Continuity/Contingency Controls for Financial and Mixed-Financial Systems Located at its Research Triangle Park Campus. • Annual Training Requirements — We reviewed whether employees with significant security responsibilities satisfied annual training requirements. We conducted this audit in accordance with Government Auditing Standards, issued by the Comptroller General of the United States. CAMDBS' Compliance with Federal and Agency Security Requirements We found that (1) OAR had developed and tested a contingency plan for CAMDBS and (2) personnel with significant security responsibility satisfied the Agency's recommended specialized security training necessary to perform their duties. However, we noted instances where OAR should place more emphasis to comply with established Federal and Agency information security requirements. In particular, our review noted: • Although the CAMDBS system owner maintained a list of risks associated with the application, the system owner did not conduct a full formal risk assessment, which includes testing the controls as required by Federal and EPA requirements. Upon notification of our finding, OAR officials indicated that they entered POA&Ms in the Agency's security tracking database to track the completion of the risk assessment. • One of the two CAMDBS production servers was not being monitored for known vulnerabilities. NCC personnel indicated that the server had been added to the routine vulnerability monitoring list and the Agency took immediate action to remediate the identified vulnerabilities. Promptly conducting risk assessments and monitoring servers for security vulnerabilities help to assist managers in ensuring the Agency's network infrastructure is adequately protected. These widely recognized preventive controls aid in identifying potential security weaknesses and assist security personnel in taking the necessary remediation steps to prevent security incidents. By not emphasizing these key security controls, CAMDBS officials lacked key security management tools that could be used to proactively identify potential security weaknesses. 3 ------- Certification and Accreditation OAR could improve procedures to ensure that key security tasks are completed. Although OAR maintained a Risk Inventory and Assessment Table in the current security plan, OAR did not complete a full formal risk assessment to include testing the controls to ensure the controls were effective and operated as intended; 3 years had past since OAR last tested the controls. OAR officials indicated that they would complete the risk assessment. OAR also indicated that they have entered tasks in ASSERT to identify and track the requirements of incorporating National Institute of Standards and Technology Special Publication 800-53 Recommended Security Controls for Federal Information Systems; update the security plan; modify the C&A package; and obtain accreditation of CAMDBS by the end of September 2006. The information used by OAR officials to make the reauthorization decision is contained in the CAMDBS C&A package, which includes documents such as the most recent system security plan, authorization for operation, and risk assessment. The assessment of risk is an important activity in the Agency's information security program that directly supports security accreditation (management's authorization to operate an information system). Maintaining an up-to-date C&A package is essential because senior OAR officials use these documents to determine whether CAMDBS' current security controls are sufficient and whether adjustments to security controls are necessary before reauthorizing CAMDBS and its subsystems to operate. System Monitoring for Known Vulnerabilities OAR security control processes did not ensure that all CAMDBS production servers were monitored for known vulnerabilities. The NCC manages the servers that run CAMDBS and provides the primary security controls for the application. Interviews with NCC personnel and vulnerability tests of the CAMDBS production servers revealed that one of the two CAMDBS production servers (1) was not being routinely monitored and (2) contained known vulnerabilities. Upon being notified of these weaknesses, NCC personnel informed us that the unmonitored server would be added to the routine vulnerability scanning list and the NCC took immediate action to remediate the identified vulnerabilities. Routine monitoring of servers for vulnerabilities is widely recognized as a preventive control to assist security personnel in proactively identifying and eliminating commonly known threats before they can be exploited. With a formalized process to ensure this function is being performed, management has more assurance that OAR mission-critical information systems are adequately protected against publicized computer attacks. 4 ------- Recommendations We recommend that the Clean Air Markets Division Business System (CAMDBS) System Owner: 1. Conduct a full formal risk assessment of CAMDBS in accordance with Federal and Agency requirements. 2. Coordinate with the National Computer Center to verify that it is regularly monitoring all CAMDBS production servers for known vulnerabilities at least monthly. 3. Develop a Plan of Action and Milestones in the Agency's security weakness tracking system (ASSERT database) for all noted deficiencies. We recommend that the Office of Air and Radiation (OAR) Information Security Officer: 4. Conduct a review of OAR's current information security oversight processes and implement identified process improvements. Agency Comments and OIG Evaluation OAR agreed with the findings in the draft report and indicated that the office has moved forward aggressively to implement the recommendations. OAR's complete response is in Appendix A. 5 ------- Appendix A Agency Response to Draft Report April 24, 2006 MEMORANDUM SUBJECT: Final Response to the OIG Draft Report on the 2005 CAMDBS Audit FROM: Elizabeth Craig /s/ Deputy Assistant Administrator TO: Rudolph M. Brevard, Director Information Technology Audits Office of the Inspector General Thank you for the opportunity to review the revised draft report of the FY 2005 FISMA Audit of OAR's Clean Air Markets Division Business System (CAMDBS). Attached is our response to the report and we agree with the findings and appreciate you bringing them to our attention. As you know, many of the minor problems were quickly resolved and activities are underway to address the remaining issues. We look forward to seeing the final version, which should offer a balanced characterization of the identified problems. cc: Brian McLean Jerry Kurtzweg 6 ------- April 20, 2006 Comments of OAR/OAP/Clean Air Markets Division On the Findings and Recommendations in the Revised OIG Final Audit Report, "Information Security Series: Security Practices, Clean Air Markets Division Business System, " March 30, 2006 We have reviewed the revised Audit Report, "Information Security Series: Security Practices, Clean Air Markets Division Business System," Assignment No. 2005-000661, dated March 30, 2006. We concur with the findings and recommendations presented. FINDINGS Finding 1: CAMDBS is operating with an expired Risk Assessment. We concur with this finding. The last full, formal, independent Risk Assessment for CAMDBS was completed in February 2002. We do understand and agree that "The assessment of risk is an important activity in the Agency's information security program [which] directly supports security accreditation (management's authorization to operate an information system)." This is, we believe, reflected by the fact that OAR has been performing annual risk assessments of CAMDBS through ASSERT. Nevertheless, a new full, formal, independent Risk Assessment should have been completed, triggered by the requirements for triennial review or major changes to the system. (Although the CAMDBS application itself was not changed significantly, there were changes in the underlying hardware when CAMDBS was moved from one data base server to another.) As noted in the report, OAR did begin conducting a Risk Assessment in February 2005, and plans to complete the effort by the end of June 2006. This will result in certification and an updated Security Plan by early September 2006, and reaccreditation by the end of September 2006, when the current CAMDBS certification and accreditation would expire. (CAMDBS was last certified and accredited in October 2003.) The delay in completing the Risk Assessment begun in 2005 was in response to an April 4, 2005 memorandum from the Deputy CIO, Risk Based Decision to Temporarily Suspend the Requirement for Completion of Formal Risk Assessments to Support Security Plan Updates for Certain Systems: "[T]his temporary suspension is ... to allow for a reasonable, cost-effective transition to Agency-wide implementation of the new security life cycle being promulgated by the National Institute of Standards and Technology." A Plan of Action and Milestones (POA&M) regarding the Risk Assessment was entered into ASSERT and is being tracked. 7 ------- Finding 2: CAMDBS was operating without effective practices to ensure that all production servers were monitored for known security vulnerabilities. We concur with this finding. We recognize that some technical vulnerabilities were identified in the OIG-performed scans of these systems and that coordination between CAMDBS and NCC staff needed improvement. Results of system scans have been shared with CAMDBS on an "exception" basis: problems requiring coordination were identified, but full results were not. We are working with NCC to develop a system of sharing system scan information that will meet both our needs. Staff and managers responsible for the operation and security profile of the CAMDBS application are in regular and frequent (at a minimum, biweekly, and usually, at the staff level, daily) contact with staff and managers at the NCC to discuss coordination and collaboration on matters of common interest and potential interaction and issue resolution. Finding 3: OAR developed and tested a contingency plan for CAMDBS. We concur with this finding. In fact, we believe that our efforts in this area are critically important and worthy of specific recognition. Finding 4: Personnel with significant security responsibility completed the Agency recommended specialized security training We concur with this finding. RECOMMENDATIONS We concur with all of the recommendations. In fact, we have moved ahead aggressively to implement these recommendations. 8 ------- Appendix B Distribution Office of the Administrator Assistant Administrator for Air and Radiation Acting Assistant Administrator for Environmental Information Director, Technology and Information Security Staff Audit Followup Coordinator, Office of Air and Radiation Audit Followup Coordinator, Technology and Information Security Staff Agency Followup Official (the CFO) Agency Followup Coordinator General Counsel Associate Administrator for Congressional and Intergovernmental Relations Associate Administrator for Public Affairs Acting Inspector General 9 ------- |