Improvements Needed in Key EPA Information System Security Practices

vi£D sr^
U.S. Environmental Protection Agency 10-P-0146
s? T> ~-r June 15,2010
I® I
X
*1 PRO"*^
0* U ¦ O • L. I I V11 Ul IIIICI I Lul a I UlCvl
\ Office of Inspector General
At a Glance
Catalyst for Improving the Environment\
Why We Did This Review
The Office of Inspector
General contracted with
Williams, Adley & Company,
LLP, to perform an
independent review of the
U.S. Environmental Protection
Agency's (EPA's) information
security program to determine
whether it meets the
requirements of the Federal
Information Security
Management Act.
Background
The Federal Information
Security Management Act
requires inspectors general, or
the independent evaluators
they choose, to perform an
annual evaluation of their
agencies" information security
programs and practices.
Improvements Needed in Key EPA
Information System Security Practices
What Williams, Adley & Company, LLP, Found
Williams Adley found that EPA program offices lacked evidence that they
planned and executed tests of information system security controls as required by
federal requirements. In addition, Williams Adley found that contingency plans
developed and maintained by program offices were not current and accurate, and
the certification and accreditation process and review of security plans needed
improvements. EPA also had two authoritative system inventories that did not
reconcile. Finally, EPA had contractor-owned and -operated systems in operation
without proper oversight monitoring.
What Williams, Adley & Company, LLP, Recommends
Williams Adley's recommendations to the Director of the Office of Technology
Operations and Planning include communicating and training EPA's information
security community on testing and documenting information systems security
controls. Williams Adley also recommends the Director enhance the quality
assurance process to verify that self-assessments evaluate all required security
controls.
Williams Adley recommends that the Principal Deputy Assistant Administrator of
Environmental Information and Deputy Chief Information Officer direct offices to
design and implement a process to perform a periodic reconciliation between its
two authoritative system inventories.
For further information, Agency officials did not provide comments to the draft audit report and indicated
contact our Office of they will provide a response to the final report.
Congressional, Public Affairs
and Management at
(202) 566-2391.
To view the full report,
click on the following link:
www.epa.aov/oia/reports/2010/
20100615-10-P-0146.pdf

-------