U.S. Environmental Protection Agency
Office of Inspector General
At a Glance
18-P-0298
September 28, 2018
Why We Did This Project

The Office of Inspector General (OIG) for the U.S. Environmental Protection Agency (EPA) conducted this audit in response to an OIG hotline complaint. Our objective was to determine whether the EPA implemented security controls to protect personally identifiable information (PII) processed by the agency's incident tracking system, which is used to troubleshoot information technology issues.

PII is defined as information that can be used to distinguish or trace an individual's identity (such as name, date of birth and address), either alone or when combined with other information that is linked or linkable to a specific individual. Sensitive PII (SPII) is a subset of PII, and includes Social Security numbers or comparable identification numbers, biometric data, and financial or medical information associated with an individual.

This report addresses the following:
• Operating efficiently and effectively.
Send all inquiries to our public affairs office at (202) 566-2391 or visit www.epa.gov/oig.
Listing of OIG reports.
Management Alert: EPA's Incident Tracking System Lacks Required Controls to Protect Personal Information
What We Found

The EPA's current incident tracking system lacks the required security controls to (1) protect the confidentiality of PII and SPII; and (2) enforce password management requirements, even though the requirements are specified in federal and agency guidance.

The EPA's incident tracking system lacks the required privacy and security controls to protect PII and SPII, which could lead to identity theft.
The EPA was unaware that PII and SPII were included on incident tickets handled by help desk technicians and retained in the current incident tracking system, where it can be viewed by all registered users (EPA employees and contractors). We found that current operating procedures do not instruct help desk technicians to exclude PII and SPII from incident tickets, or to follow the EPA's information security and privacy directives to protect the confidentiality of PII and SPII. As a result, we identified 25 incident tickets within the agency's current incident tracking system that disclosed Social Security numbers, W-2 information, dates of birth, home addresses and Thrift Savings Plan account information.
The EPA began a partial rollout of a replacement incident tracking system in May 2018. The rollout has an anticipated completion date of September 30, 2018. Current standard operating procedures will be used with the replacement incident tracking system as well. Therefore, we are issuing this report to reiterate the need for management to address current weaknesses, so that the weaknesses do not continue to impair the EPA's ability to protect the confidentiality of PII and SPII.
Recommendations and Planned Agency Corrective Actions

We made several recommendations to the Assistant Administrator for Environmental Information. We recommended that the EPA implement a strategy to protect the confidentiality of PII and SPII contained in the EPA's current incident tracking system, and update the standard operating procedures that help desk technicians follow when handling incident tickets that require collecting PII and SPII.
Throughout the audit process, we worked closely with EPA representatives and kept them informed about any issues identified. On June 5, 2018, we met with agency representatives concerning the OIG's discussion document pertaining to this audit. The agency agreed with Recommendations 1 and 2, and we consider these recommendations resolved with corrective actions pending. Recommendations 3 and 4 are unresolved pending EPA management's response to this report.