EPA Needs to Improve Physical Security at Its Offices in Las Vegas, Nevada


£
<
33
V
**«tosr^
pro'*4'0
z
III
o
<7
U.S. Environmental Protection Agency
Office of Inspector General
At a Glance
10-P-0059
February 3, 2010
Why We Did This Review
The Office of Inspector
General (OIG) sought to
determine whether the U.S.
Environmental Protection
Agency (EPA) implemented
oversight practices for securing
access to key EPA locations in
Las Vegas, Nevada.
Background
EPA occupies space in six
buildings on or near the
University of Nevada-Las
Vegas campus. These buildings
use a card access system to
control personnel access to
these buildings. The Office of
Research and Development
(ORD) is responsible for
managing the process for
authorizing and removing
personnel access to these
buildings and for administering
the computer system that
controls the card access system.
EPA's Security Management
Division within the Office of
Administration and Resources
Management is the responsible
and primary agent within EPA
for physical security.
For further information, contact
our Office of Congressional,
Public Affairs and Management
at (202) 566-2391.
To view the full report,
click on the following link:
www.epa.aov/oia/reports/2010/
20100203-10-P-0059.pdf
Catalyst for Improving the Environment
EPA Needs to Improve Physical Security at Its
Offices in Las Vegas, Nevada
What We Found
EPA needs to improve physical security at its Las Vegas facilities. The Las Vegas
Finance Center's (LVFC's) server room and other key areas are susceptible to
unauthorized access by personnel not a part of LVFC. The LVFC areas are protected
by an access control system, but the system operator - ORD - does not administer the
system in a manner that allows LVFC to monitor access to its area. As a result, ORD
granted personnel access to sensitive LVFC areas without proper authorization.
During our audit of EPA's financial statements, we found that these problems are not
limited to the LVFC. ORD does not administer the system in a manner that permits
the other organizations in Las Vegas supported by the system to monitor access to
their space. Also, ORD did not perform its responsibilities associated with managing
and administering the computer-controlled card access system supporting all of the
EPA buildings in Las Vegas.
During subsequent communications with ORD, the office agreed with the findings
and indicated that it planned to negotiate the transfer of the responsibility for the
maintenance and oversight of the portion of the card access system relied upon by the
other offices within Las Vegas to one of the other offices.
What We Recommend
We recommend that the ORD Office of Science Information Management develop
and implement procedures to ensure that all organizations are provided with the
information necessary to monitor and review the access to their space until one of the
offices accepts responsibility for oversight and maintenance of the card access
system. Until ORD completes the transfer, we recommend that each Las Vegas
office develop and implement a formal procedure that ensures it reviews the access
reports provided by ORD for anomalies on at least a monthly basis.
Once one of the offices accepts the responsibility from ORD, we recommend that the
office develop and implement a formal procedure for managing the card access
system under its control. After the transfer, we recommend that each of the offices
establish a formal procedure for reviewing and monitoring the access for the space
used by their office. We also recommend that the Security Management Division
conduct an assessment of the physical security practices at EPA's Las Vegas
locations and conduct outreach to the Las Vegas offices to provide assistance. EPA
agreed with the findings and recommendations.

-------