U.S. Environmental Protection Agency
Office of Inspector General
10-P-0146
June 15, 2010

At a Glance
Catalyst for Improving the Environment

Improvements Needed in Key EPA Information System Security Practices

Why We Did This Review

The Office of Inspector General contracted with Williams, Adley & Company, LLP, to perform an independent review of the U.S. Environmental Protection Agency's (EPA's) information security program to determine whether it meets the requirements of the Federal Information Security Management Act.

Background

The Federal Information Security Management Act requires inspectors general, or the independent evaluators they choose, to perform an annual evaluation of their agencies' information security programs and practices.

What Williams, Adley & Company, LLP, Found

Williams Adley found that EPA program offices lacked evidence that they planned and executed tests of information system security controls as required by federal requirements. In addition, Williams Adley found that contingency plans developed and maintained by program offices were not current and accurate, and the certification and accreditation process and review of security plans needed improvements. EPA also had two authoritative system inventories that did not reconcile. Finally, EPA had contractor-owned and -operated systems in operation without proper oversight monitoring.

What Williams, Adley & Company, LLP, Recommends

Williams Adley's recommendations to the Director of the Office of Technology Operations and Planning include communicating and training EPA's information security community on testing and documenting information systems security controls. Williams Adley also recommends the Director enhance the quality assurance process to verify that self-assessments evaluate all required security controls.

Williams Adley recommends that the Principal Deputy Assistant Administrator of Environmental Information and Deputy Chief Information Officer direct offices to design and implement a process to perform a periodic reconciliation between its two authoritative system inventories.

Agency officials did not provide comments to the draft audit report and indicated they will provide a response to the final report.

For further information, contact our Office of Congressional, Public Affairs and Management at (202) 566-2391.

To view the full report, click on the following link: www.epa.gov/oig/reports/2010/20100615-10-P-0146.pdf