U.S. Environmental Protection Agency
Office of Inspector General

At a Glance
10-P-0058
February 2, 2010

Catalyst for Improving the Environment

Self-reported Data Unreliable for Assessing EPA's Computer Security Program

Why We Did This Review

We sought to determine whether the U.S. Environmental Protection Agency (EPA) implemented management control processes for maintaining the quality of data in the Automated System Security Evaluation and Remediation Tracking (ASSERT) system.

Background

EPA uses the ASSERT online tool to gather information regarding testing and evaluating Agency information systems, and to track progress made in fixing identified security weaknesses. EPA also uses ASSERT to generate reports provided to the Office of Management and Budget pursuant to the Federal Information Security Management Act.

What We Found

The oversight and monitoring procedures for ASSERT provide limited assurance that the data are reliable for assessing EPA's computer security program. As a result:

• Unsubstantiated responses for self-reported information contribute to data quality problems.
• Limited independent reviews and lack of follow-up inhibit EPA's ability to identify and correct data inaccuracies.
• Independent reviews lack coordination with certification and accreditation activities.
• Information security personnel believe they need more training on how to assess security controls and feel pressure to answer system security questions in a positive manner.
• Limited internal reporting on required security controls and missing information in security plans inhibit external reporting.

Further, incomplete security documentation raises concerns as to whether the ASSERT application contractor is meeting federal requirements.
What We Recommend

We recommend that the Assistant Administrator for Environmental Information issue a memorandum to Assistant Administrators and Regional Administrators emphasizing the importance of ensuring personnel accurately assess and report information in ASSERT.

We also recommend that the Director, Office of Technology Operations and Planning, integrate ongoing independent reviews with the Agency's Certification and Accreditation process, provide periodic training on how to assess and document required minimum security controls, expand the Agency's security reporting process to include collecting information on all required minimum security controls, and implement a process to verify that Agency security plans incorporate all the minimally required system security controls.

The Agency agreed with all of our findings and recommendations.

For further information, contact our Office of Congressional, Public Affairs and Management at (202) 566-2391.

To view the full report, click on the following link: www.epa.gov/oig/reports/2010/20100202-10-P-0058.pdf