U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL
Catalyst for Improving the Environment

Evaluation Report

Evaluation of U.S. Chemical Safety and Hazard Investigation Board's Compliance With the Federal Information Security Management Act (Fiscal Year 2010)

Report No. 11-P-0148
March 8, 2011

-------

Abbreviations

CSB    U.S. Chemical Safety and Hazard Investigation Board
FISMA  Federal Information Security Management Act of 2002
IG     Inspector General
NIST   National Institute of Standards and Technology
OMB    Office of Management and Budget

-------

U.S. Environmental Protection Agency
Office of Inspector General

At a Glance
11-P-0148
March 8, 2011
Catalyst for Improving the Environment

Evaluation of U.S. Chemical Safety and Hazard Investigation Board's Compliance With the Federal Information Security Management Act (Fiscal Year 2010)

Why We Did This Review

The review was performed to assess the U.S. Chemical Safety and Hazard Investigation Board's (CSB's) compliance with the Federal Information Security Management Act of 2002 (FISMA).

Background

FISMA requires federal agencies to develop an information security program that protects the operations and assets of the agency. An annual independent evaluation of the program must be performed by the Inspector General or an independent external auditor, who shall report the results to the Office of Management and Budget. The U.S. Environmental Protection Agency, Office of Inspector General, contracted with KPMG LLP to perform the fiscal year 2010 evaluation.

For further information, contact our Office of Congressional, Public Affairs and Management at (202) 566-2391. The full report is at: www.epa.gov/oig/reports/2011/20110308-11-P-0148.pdf

What KPMG Found

KPMG noted that CSB does have an information security program in place that appears to be functioning as designed.
KPMG also noted that CSB does take information security weaknesses seriously, as 8 of the 10 prior-year recommendations were resolved. However, KPMG identified areas in which CSB could improve its vulnerability scanning management process.

In addition to reviewing CSB's information security practices, KPMG conducted a security assessment of key CSB system and network devices. This assessment revealed several challenges CSB faces in securing its main information technology system. KPMG found insecure system protocols, default configuration settings, and unpatched network devices, which significantly elevated CSB's risk of system and data compromise by unauthorized users. KPMG provided detailed results of its assessment to CSB officials, and CSB worked proactively during the testing to address the identified high-risk issues.

What KPMG Recommends

KPMG recommends that CSB perform vulnerability scans and document audit log reviews consistently; implement baseline configurations for network devices; and develop, maintain, and test a contingency plan for the Information Technology System in accordance with National Institute of Standards and Technology guidance. CSB agreed with the recommendations and provided agreed-upon corrective actions.

-------

UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460

THE INSPECTOR GENERAL

March 8, 2011

MEMORANDUM

SUBJECT: Evaluation of U.S. Chemical Safety and Hazard Investigation Board's Compliance With the Federal Information Security Management Act (Fiscal Year 2010)
         Report No. 11-P-0148

FROM: Arthur A. Elkins, Jr.
      Inspector General

TO: The Honorable Rafael Moure-Eraso, Ph.D.
    Chairman and Chief Executive Officer
    U.S. Chemical Safety and Hazard Investigation Board

This final report on the above subject area summarizes the results of information technology security work performed by KPMG LLP under the direction of the U.S. Environmental Protection Agency, Office of Inspector General.
The report also includes the U.S. Chemical Safety and Hazard Investigation Board's completed Fiscal Year 2010 Federal Information Security Management Report Template, as prescribed by the Office of Management and Budget. The estimated cost for performing this audit, which includes contract costs and Office of Inspector General contract management oversight, is $42,026.

If you or your staff have questions regarding this report, please contact Patricia H. Hill, Assistant Inspector General for Mission Systems, at (202) 566-0894 or hill.patricia@epa.gov; or Rudolph M. Brevard, Director for Information Resources Management Assessments, at (202) 566-0893 or brevard.rudy@epa.gov.

-------

January 4, 2011

SUBJECT: Evaluation of the U.S. Chemical Safety and Hazard Investigation Board's Compliance with Federal Information Security Management Act for Fiscal Year 2010

THRU: Arthur A. Elkins, Jr.
      Inspector General
      U.S. Environmental Protection Agency
      Office of Inspector General

TO: The Honorable Rafael Moure-Eraso, Ph.D.
    Chairman and Chief Executive Officer
    U.S. Chemical Safety and Hazard Investigation Board

Attached is the KPMG LLP final report on the above subject audit. KPMG LLP performed the Federal Information Security Management Act (FISMA) evaluation on behalf of the U.S. Environmental Protection Agency, Office of Inspector General. This report includes the test results for selected minimally required information security controls defined by the National Institute of Standards and Technology.

If you or your staff have any questions regarding this report, please contact Rudolph Brevard at (202) 566-0893 or brevard.rudy@epa.gov; or Gina Ross, Project Manager, at (202) 566-1041 or ross.gina@epa.gov.

-------

Evaluation of U.S.
Chemical Safety and Hazard Investigation Board's Compliance With the Federal Information Security Management Act (Fiscal Year 2010)
11-P-0148

Table of Contents

Purpose ........................................................ 1
Background ..................................................... 1
Scope and Methodology .......................................... 2
Findings ....................................................... 2
    Vulnerability Scanning ..................................... 2
    Contingency Plan ........................................... 3
    Audit Logs ................................................. 3
Recommendations ................................................ 3
CSB Response and KPMG Comments ................................. 4
Status of Recommendations and Potential Monetary Benefits ...... 5

Appendices
    A  Microagency FISMA Reporting Template .................... 6
    B  CSB Response to Draft Report ............................ 11

-------

Purpose

The U.S. Environmental Protection Agency, Office of Inspector General, initiated this evaluation to assess the U.S. Chemical Safety and Hazard Investigation Board's (CSB's) compliance with the Federal Information Security Management Act of 2002 (FISMA) for fiscal year 2010.

Background

On December 17, 2002, the President signed into law H.R. 2458, the E-Government Act of 2002 (Public Law 107-347). Title III of the E-Government Act of 2002, commonly referred to as FISMA, focuses on improving oversight of federal information security programs and facilitating progress in correcting agency information security weaknesses. FISMA requires federal agencies to develop, document, and implement an agency-wide information security program that provides security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

FISMA assigns specific responsibilities to agency heads and inspectors general (IGs) and is supported by security policy promulgated through the Office of Management and Budget (OMB) and risk-based standards and guidelines published in the National Institute of Standards and Technology (NIST) Special Publication series.
Under FISMA, agency heads are responsible for providing information security protections commensurate with the risk and magnitude of harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems. FISMA directs federal agencies to report annually to the OMB Director, Comptroller General, and selected congressional committees on the adequacy and effectiveness of agency information security policies, procedures, and practices, and compliance with FISMA. In addition, FISMA requires agencies to have an annual independent evaluation performed of their information security programs and practices, and to report the evaluation results to OMB. FISMA states that the independent evaluation is to be performed by the agency IG or an independent external auditor as determined by the IG.

CSB management is responsible for making risk management decisions regarding deficiencies, and their realizable or potentially realizable impacts on controls and on the confidentiality, integrity, and availability of systems. CSB management is responsible, based on its risk management decisions, for implementing solutions that are appropriate for CSB's information technology environment. Conditions may exist that mitigate the risk of an identified deficiency but were not identified during our testing.

-------

Scope and Methodology

The scope of our testing included the CSB Information Technology System, the only CSB information technology system subject to FISMA reporting requirements. We conducted our testing by making inquiries of CSB personnel, inspecting relevant documentation, and performing limited technical security testing. Examples of our inquiries of agency management and personnel included, but were not limited to, the process for documenting audit log reviews and vulnerability scanning.
We inspected the training sign-off sheets for key CSB staff and CSB-published information security policies and procedures.

We performed this evaluation in accordance with generally accepted government auditing standards, issued by the Comptroller General of the United States. Those standards require that we plan and perform the evaluation to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our evaluation objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. We conducted the evaluation from September through November 2010.

Findings

During our evaluation for fiscal year 2010, we noted that CSB does have an information security program in place that appears to be functioning as designed. We also noted that CSB does take information security weaknesses seriously, as CSB has addressed 8 of the 10 recommendations made in our report for fiscal year 2009. However, during this year's assessment, we identified areas in which CSB could improve its vulnerability scanning management process. We also reissued two of the prior-year recommendations: (1) develop, maintain, and periodically test a contingency plan for the Information Technology System in accordance with CSB Board Order 034, Information Technology Security Program, and NIST guidance; and (2) continue to document audit log reviews in accordance with CSB's audit log review standard operating procedure.

Vulnerability Scanning

Our security assessment of key CSB system and network devices revealed vulnerabilities related to insecure system protocols, default configurations, and unpatched devices. We have provided the details to CSB management separately.
While CSB Board Order 034 provides policies and procedures for maintaining device security, and CSB drafted and implemented additional supplemental standard operating procedures, CSB personnel did not always follow this guidance to ensure that network devices were appropriately secured. Insecure protocols, default configurations, and unpatched devices significantly elevate CSB's risk of system and data compromise by unauthorized users, which could lead to the alteration or deletion of critical data and a degradation of system performance.

-------

Contingency Plan

CSB does not have a documented and tested contingency plan for the Information Technology System. CSB Board Order 034 documents a policy and procedure for developing and maintaining a system contingency plan. Further, CSB performs some contingency planning activities, including the periodic backup of data and the rotation of backup data to an offsite location. However, a system-specific contingency plan has not been developed or tested. CSB management did not commit the required resources and leadership to develop a contingency plan for the Information Technology System. Without a documented and tested contingency plan completed in accordance with NIST guidance, CSB is at increased risk that it would not be able to recover Information Technology System capabilities should a significant incident occur.

Audit Logs

CSB has developed a procedure for performing and documenting log reviews for the Information Technology System. According to CSB officials, security staff members perform a daily or weekly review of the Information Technology System audit logs. However, CSB did not begin documenting the log reviews until October 2010. Not documenting the log reviews as the procedure requires increases CSB's risk that the reviews will not be conducted in a consistent manner, which in turn increases the risk of not detecting key security violations and events.
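The vulnerability scanning finding above names three classes of weakness on CSB's network devices (insecure protocols, default configuration settings, unpatched devices), and the response the report expects is a standard baseline configuration that devices are checked against. The following Python script is an added example, not part of the OIG report and not CSB's or KPMG's own tooling, of what such a baseline check looks like in practice: it reads a device configuration, reports every required hardening line that is missing and every forbidden line that is present, and ranks the results by severity. Everything specific in it is an assumption made for illustration: the report does not identify CSB's devices or the protocols found, so the Cisco IOS-style syntax, the rule names, the severities, and both sample configurations are constructed here.

```python
"""
Baseline-configuration check for network device configs.

Added example, not taken from the OIG report or from CSB. The report says
only that CSB's devices ran "insecure system protocols" and "default
configuration settings" without naming them, so the Cisco IOS-style
syntax, the rules, the severities and both sample configs below are
assumptions constructed to illustrate the baseline-configuration
recommendation.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str      # short baseline rule identifier (hypothetical names)
    severity: str  # "high" or "medium"
    detail: str    # what was wrong, including the offending line if any


# Lines a compliant device MUST contain: rule id -> (regex, severity, message).
REQUIRED = {
    "ssh-v2":     (r"^ip ssh version 2$", "high",
                   "SSH protocol version 2 not enforced (ip ssh version 2)"),
    "pw-encrypt": (r"^service password-encryption$", "medium",
                   "service password-encryption not enabled"),
    "no-http":    (r"^no ip http server$", "high",
                   "cleartext HTTP management interface not disabled"),
}

# Lines a compliant device MUST NOT contain.
FORBIDDEN = {
    "telnet":       (r"^\s+transport input .*\btelnet\b", "high",
                     "telnet accepted on a vty line"),
    "snmp-default": (r"^snmp-server community (public|private)\b", "high",
                     "default SNMP community string"),
    "snmp-v2-rw":   (r"^snmp-server community \S+ RW\b", "medium",
                     "SNMP v1/v2c read-write community (no auth or privacy)"),
}

SEVERITY_ORDER = {"high": 0, "medium": 1}


def check_config(config_text: str) -> list[Finding]:
    """Compare one device's running-config against the baseline above.

    Returns one Finding per missing required line and one per forbidden
    line actually present, highest severity first.
    """
    # Strip trailing whitespace per line so the anchored regexes behave.
    text = "\n".join(line.rstrip() for line in config_text.splitlines())
    findings: list[Finding] = []

    for rule, (pattern, severity, message) in REQUIRED.items():
        if not re.search(pattern, text, re.MULTILINE):
            findings.append(Finding(rule, severity, message))

    for rule, (pattern, severity, message) in FORBIDDEN.items():
        for match in re.finditer(pattern, text, re.MULTILINE):
            offending = match.group(0).strip()
            findings.append(Finding(rule, severity, f"{message}: '{offending}'"))

    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.rule))


def is_compliant(config_text: str) -> bool:
    """True when the config produces no findings against the baseline."""
    return not check_config(config_text)


# Constructed sample: an out-of-the-box style config with the weaknesses the
# report describes (cleartext management protocols and default settings).
INSECURE_CONFIG = """\
hostname edge-rtr1
!
snmp-server community public RO
snmp-server community private RW
ip http server
!
line vty 0 4
 transport input telnet ssh
 login local
"""

# Constructed sample: the same device brought up to the baseline.
HARDENED_CONFIG = """\
hostname edge-rtr1
service password-encryption
!
ip ssh version 2
no ip http server
snmp-server group NETMGMT v3 priv
!
line vty 0 4
 transport input ssh
 login local
"""

if __name__ == "__main__":
    for name, cfg in (("insecure", INSECURE_CONFIG), ("hardened", HARDENED_CONFIG)):
        state = "compliant" if is_compliant(cfg) else "NON-COMPLIANT"
        print(f"== {name}: {state}")
        for f in check_config(cfg):
            print(f"  [{f.severity:6}] {f.rule}: {f.detail}")
```

Run against the insecure sample the script reports seven findings (five high, two medium), because the default SNMP rule fires once per offending community line; the hardened sample produces none. The check is deliberately line-oriented: a real baseline would be maintained per device class and run on every configuration change or on the same schedule as the vulnerability scans the report asks for, so that a device drifting back to a default setting is caught before the next scan cycle.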
Recommendations

We recommend that the Chairman, U.S. Chemical Safety and Hazard Investigation Board:

1. Perform vulnerability scans on a regular basis, such as monthly or quarterly.
2. Develop and implement standard baseline configurations for network devices.
3. Develop, maintain, and periodically test a contingency plan for the Information Technology System in accordance with CSB Board Order 034 and NIST guidance.
4. Continue to document audit log reviews in accordance with CSB's audit log review standard operating procedure.

-------

CSB Response and KPMG Comments

CSB concurred with the report findings and recommendations, and provided planned actions to address each finding and milestones for completion. In addition, CSB believes that it has completed the actions needed to address recommendation 1. KPMG considers all recommendations open and will review CSB's actions during the fiscal year 2011 audit.

-------

Status of Recommendations and Potential Monetary Benefits

RECOMMENDATIONS

Rec. No. | Page No. | Subject | Status | Action Official | Planned Completion Date
1 | 3 | Perform vulnerability scans on a regular basis, such as monthly or quarterly. | O | Chairman, U.S. Chemical Safety and Hazard Investigation Board | 02/01/11*
2 | 3 | Develop and implement standard baseline configurations for network devices. | O | Chairman, U.S. Chemical Safety and Hazard Investigation Board | 03/30/11
3 | 3 | Develop, maintain, and periodically test a contingency plan for the Information Technology System in accordance with CSB Board Order 034 and NIST guidance. | O | Chairman, U.S. Chemical Safety and Hazard Investigation Board | 09/30/11
4 | 3 | Continue to document audit log reviews in accordance with CSB's audit log review standard operating procedure. | O | Chairman, U.S. Chemical Safety and Hazard Investigation Board | 09/30/11

POTENTIAL MONETARY BENEFITS (in $000s): the Claimed Amount and Agreed-To Amount columns are blank for all four recommendations.

O = recommendation is open with agreed-to corrective actions pending
C = recommendation is closed with all agreed-to actions completed
U = recommendation is undecided with resolution efforts in progress

* The determination to close recommendation 1 will be made in the next audit.

-------

Appendix A
Microagency FISMA Reporting Template

This appendix contains a printout of the information security data that CSB submitted to OMB in response to the annual FISMA reporting instructions. The following data were obtained from OMB's CyberScope system.

-------

Micro Agency Report: 2010 Annual FISMA Section Report
Chemical Safety Board

Section 1: System Inventory

1. For each of the subparts in this question, provide the total number of Agency operational systems (both Agency operated and contractor operated) by Agency component (i.e. Bureau or Major Operating Element).

Agency/Component | 1a. Agency Operated Systems | 1b. Contractor Operated Systems | 1c. Total Systems | Number of Systems with a Current Authorization to Operate
CSB: High | 0 | 0 | 0 | 0
CSB: Moderate | 1 | 0 | 1 | 1
CSB: Low | 0 | 0 | 0 | 0
CSB: Not Categorized | 0 | 0 | 0 | 0
CSB: Sub-Total | 1 | 0 | 1 | 1
Agency Totals: High | 0 | 0 | 0 | 0
Agency Totals: Moderate | 1 | 0 | 1 | 1
Agency Totals: Low | 0 | 0 | 0 | 0
Agency Totals: Not Categorized | 0 | 0 | 0 | 0
Agency Totals: Sub-Total | 1 | 0 | 1 | 1

Section 2: Asset Management

2. Provide the estimated total number of Agency Information Technology assets (e.g. router, server, workstation, laptop, blackberry, etc.): 356
2a. Provide the estimated number of Agency information technology assets (e.g. router, server, workstation, laptop, blackberry, etc.) where an automated capability provides visibility at the Agency level into detailed asset inventory information: 188

Section 3: Vulnerability Management

3. Provide the estimated number of Agency information technology assets where an automated capability provides visibility at the Agency level into detailed vulnerability information (e.g. Common Vulnerability Enumerations): 110

Section 4: Identity and Access Management

4. Provide a working URL to the Agency's progress update for HSPD-12 implementation: http://www.csb.gov/UserFiles/file/CSB HSPD-12.pdf
5. What is the estimated number of Agency network user accounts? 52
6. What estimated number of Agency network user accounts are configured to require PIV credentials to authenticate to the Agency network(s)? 0

Section 5: Data Protection

7. Provide the estimated number of:
7a. Portable computers (i.e. laptops): 115
7b. Those portable computers in (a) that have all user data encrypted with FIPS 140-2 validated encryption: 9

Section 6: Boundary Protection

8. Provide the percentage of external connections passing through a TIC/MTIPS: 0% to 0%

Section 7: Training and Education

9. Provide the number of Agency users with log-in privileges that have been given security awareness training annually: 49

Section 8: Remote Access and Telework

10. Provide the estimated number of remote access connection methods (connection methods the Agency offers to allow users to connect remotely such as VPN, RSA, etc.) to Agency LAN/WAN resources/services: 3

-------

Appendix B
CSB Response to Draft Report

Chemical Safety and Hazard Investigation Board
2175 K Street, NW, Suite 650, Washington, DC 20037-1809
Phone: (202) 261-7500, Fax: (202) 261-7550
www.csb.gov

Rafael Moure-Eraso, Ph.D.
Chairperson

February 1, 2011

Rudolph Brevard
Director, Information Resource Management Assessments
U.S. Environmental Protection Agency
Office of Inspector General
1200 Pennsylvania Ave
Washington, DC 20460

Dear Mr. Brevard:

We have reviewed your draft report on the independent evaluation of the Chemical Safety and Hazard Investigation Board's (CSB) compliance with the Federal Information Security Management Act (FISMA). As reported, the CSB made significant progress in completing actions on FISMA findings from prior years.
Specifically, the CSB took the necessary steps to close eight out of ten FY 2009 findings. The agency has since closed recommendation FY09-OIG-IT-08. The final remaining recommendation, FY09-OIG-IT-05, is on schedule for completion by September 30, 2011.

We also agree with the FY 2010 findings and recommendations listed on page 3 of your draft report. Attached is a table with our planned actions to address each finding and milestones for completion.

Please contact Allen Smith at 202-261-7638, or Charlie Bryant at 202-261-7666 for further information on any of these items.

Sincerely,

Chairperson & CEO

Enclosure

-------

1. Perform vulnerability scans on a regular basis, such as monthly or quarterly.
   Completed. SOP updated to require quarterly vulnerability scans, and scans completed in October 2010 and January 2011.

2. Develop and implement standard baseline configurations for network devices.
   By March 30, 2011, the CSB will: Develop and implement baseline network device configurations.

3. Develop, maintain, and periodically test a contingency plan for the Information Technology System in accordance with CSB Board Order 034 and NIST guidance.
   By September 30, 2011, the CSB will: Develop and implement a Contingency Plan for the CSB General Support System (GSS).

4. Continue to document audit log reviews in accordance with CSB's audit log review standard operating procedure.
   By September 30, 2011, the CSB will: Continue documenting audit log reviews in the GSS following guidance in the CSB IT SOP on log management.