U.S. Environmental Protection Agency
Office of Inspector General
At a Glance
10-P-0058
February 2, 2010
Catalyst for Improving the Environment
Why We Did This Review
We sought to determine whether the U.S. Environmental Protection Agency (EPA) implemented management control processes for maintaining the quality of data in the Automated System Security Evaluation and Remediation Tracking (ASSERT) system.
Background
EPA uses the ASSERT online tool to gather information regarding testing and evaluating Agency information systems, and tracking progress made in fixing identified security weaknesses. EPA also uses ASSERT to generate reports provided to the Office of Management and Budget pursuant to the Federal Information Security Management Act.
Self-reported Data Unreliable for Assessing EPA's Computer Security Program
What We Found
The oversight and monitoring procedures for ASSERT provide limited assurance that the data are reliable for assessing EPA's computer security program. As a result:
• Unsubstantiated responses for self-reported information contribute to data quality problems.
• Limited independent reviews and lack of follow-up inhibit EPA's ability to identify and correct data inaccuracies.
• Independent reviews lack coordination with certification and accreditation activities.
• Information security personnel believe they need more training on how to assess security controls and feel pressure to answer system security questions in a positive manner.
• Limited internal reporting on required security controls and missing information in security plans inhibit external reporting.
Further, incomplete security documentation raises concerns as to whether the ASSERT application contractor is meeting federal requirements.
What We Recommend
We recommend that the Assistant Administrator for Environmental Information issue a memorandum to Assistant Administrators and Regional Administrators emphasizing the importance of ensuring personnel accurately assess and report information in ASSERT.
We also recommend that the Director, Office of Technology Operations and Planning, integrate ongoing independent reviews with the Agency's Certification and Accreditation process, provide periodic training on how to assess and document required minimum security controls, expand the Agency's security reporting process to include collecting information on all required minimum security controls, and implement a process to verify that Agency security plans incorporate all the minimally required system security controls.
The Agency agreed with all of our findings and recommendations.
For further information, contact our Office of Congressional, Public Affairs and Management at (202) 566-2391.
To view the full report, click on the following link: www.epa.gov/oig/reports/2010/20100202-10-P-0058.pdf