U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL

U.S. Chemical Safety Board

CSB Discontinued Information Recovery Testing and Off-Site Backup Storage During the Coronavirus Pandemic

Report No. 21-E-0016
November 18, 2020

Off-Site Backup Media

Abbreviations

CSB    U.S. Chemical Safety and Hazard Investigation Board
EPA    U.S. Environmental Protection Agency
OIG    Office of Inspector General
SB&C   SB & Company

Cover Image: The coronavirus pandemic—that is, the SARS-CoV-2 virus and resultant COVID-19 disease—prevented the CSB from sending information backups to a secure off-site location and performing disaster recovery testing. (EPA OIG and Centers for Disease Control and Prevention imagery)

Are you aware of fraud, waste, or abuse in an EPA or CSB program?

EPA Inspector General Hotline
1200 Pennsylvania Avenue, NW (2431T)
Washington, D.C. 20460
(888) 546-8740
(202) 566-2599 (fax)
OIG_Hotline@epa.gov

EPA Office of Inspector General
1200 Pennsylvania Avenue, NW (2410T)
Washington, D.C. 20460
(202) 566-2391
www.epa.gov/oig

At a Glance

Why We Did This Evaluation

This report results from work performed for the Office of Inspector General to assess the U.S. Chemical Safety and Hazard Investigation Board's compliance with performance measures outlined in the fiscal year 2020 Inspector General reporting instructions for the Federal Information Security Modernization Act of 2014, commonly referred to as FISMA. We contracted with SB & Company, referred to as SB&C, to complete the FISMA work and to report separately on concerns related to the impact of the coronavirus pandemic—that is, the SARS-CoV-2 virus and resultant COVID-19 disease—on the CSB's backup process and disaster recovery testing.
This report addresses the following:
• Preserve the public trust by maintaining and improving organizational excellence.

This report addresses a top CSB management challenge:
• Continue operations during the coronavirus pandemic.

CSB Discontinued Information Recovery Testing and Off-Site Backup Storage During the Coronavirus Pandemic

Findings

The CSB was at risk of not being able to readily restore information technology operations if they were disrupted during the coronavirus pandemic. The SB&C found that the CSB did not perform disaster recovery testing on major information systems during FY 2020 and did not store copies of backup media at an off-site location. The National Institute of Standards and Technology's guidance indicates that contingency plans should be tested to determine the effectiveness and readiness of the plans, that the test results should be reviewed, and that necessary corrective actions should be taken. The guidance also specifies that system backups should be stored securely at an off-site location. The CSB indicated that the coronavirus pandemic impeded its disaster recovery testing and exercises, as well as its ability to move backup media to an off-site location. As a result, in the event of a disaster or isolated incident, the CSB may not be readily able to recover its systems' operations.

Recommendations and Planned or Completed Corrective Actions

We concur with the recommendations in the attached report from the SB&C and recommend that the CSB:
1. Test its disaster recovery plan at least annually.
2. Evaluate alternate methods to store backup media off-site.

The CSB concurred with these recommendations and provided acceptable corrective actions and milestone dates. The CSB indicated that a disaster recovery test will be performed and documented by December 31, 2020. We consider Recommendation 1 resolved with corrective action pending. Also, subsequent to the SB&C's report, the CSB reinstated its off-site backups.
We consider Recommendation 2 completed.

Address inquiries to our public affairs office at (202) 566-2391 or OIG_WEBCOMMENTS@epa.gov.

UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
THE INSPECTOR GENERAL

November 18, 2020

Katherine A. Lemos, PhD
Chairperson and Chief Executive Officer
U.S. Chemical Safety and Hazard Investigation Board
1750 Pennsylvania Avenue NW, Suite 910
Washington, D.C. 20006

RE: Report No. 21-E-0016, CSB Discontinued Information Recovery Testing and Off-Site Backup Storage During the Coronavirus Pandemic

Dear Dr. Lemos:

This report synopsizes the results of a review of the consideration of internal controls for the U.S. Chemical Safety and Hazard Investigation Board, undertaken to determine whether the coronavirus pandemic had an adverse impact on day-to-day support processes. The testing was performed by SB & Company under the direction of the U.S. Environmental Protection Agency's Office of Inspector General. The project number for this evaluation was OA&E-FY20-0034. This evaluation was conducted in accordance with Quality Standards for Inspection and Evaluation, published in January 2012 by the Council of the Inspectors General on Integrity and Efficiency.

The SB&C is responsible for the enclosed report, which is dated October 9, 2020, as well as the opinions and conclusions expressed in the report. The OIG verified the CSB's corrective actions in response to the report.

This report contains findings that describe the problems the SB&C has identified and corrective actions the SB&C recommends. Final determinations on matters in this report will be made by the CSB in accordance with established audit resolution procedures. The CSB provided acceptable corrective actions and estimated milestone dates in response to the recommendations in this report. All recommendations are resolved, and no final response to this report is required.
However, if you submit a response, it will be posted on the OIG's website, along with our memorandum commenting on your response. Your response should be provided as an Adobe PDF file that complies with the accessibility requirements of Section 508 of the Rehabilitation Act of 1973, as amended. The final response should not contain data that you do not want to be released to the public; if your response contains such data, you should identify the data for redaction or removal along with corresponding justification.

We will post this report to our website at www.epa.gov/oig.

Sincerely,

Sean W. O'Donnell

Enclosure

cc: Thomas Goonan, General Counsel, CSB
    Anna Brown, Director of Administration and Audit Liaison, CSB
    Charlie Bryant, Information Technology Director/Chief Information Officer, CSB

SB & COMPANY, LLC
Knowledge • Quality • Client Service

MANAGEMENT LETTER COMMENTS
U.S. CHEMICAL SAFETY AND HAZARD INVESTIGATION BOARD

October 9, 2020

Charlie Bryant
IT Director/CIO
U.S. Chemical Safety and Hazard Investigation Board
1750 Pennsylvania Ave NW, Suite 910
Washington, DC 20006

Dear Mr. Bryant:

Our consideration of internal control was for the limited purpose of assisting the U.S. Chemical Safety and Hazard Investigation Board (CSB) in determining if COVID-19 had an adverse impact on any of the day-to-day support processes and was not designed to identify all deficiencies in internal controls that might be significant deficiencies or material weaknesses; therefore, there can be no assurance that all deficiencies, significant deficiencies, or material weaknesses have been identified. We did not identify any deficiencies in internal controls that we consider to be material weaknesses. However, as discussed below, we identified certain matters involving the internal controls and other operational matters that are presented for your consideration. We will review the status of these comments during our next engagement.
Our comments and recommendations, all of which have been discussed with appropriate members of management, are intended to improve the internal controls or result in other operating efficiencies. Our results are summarized as follows:

1. Disaster Recovery Testing

Condition: During the performance of the procedures, we noted that disaster recovery testing was not performed for CSB applications during the fiscal year ended September 30, 2020.

Cause: Discussions with management indicated that, while disaster recovery testing was performed in prior years, due to the pandemic it was not performed during the fiscal year ended September 30, 2020. The CSB Contingency Plan requires testing to be done at a minimum annually.

10200 Grand Central Avenue, Suite 250, Owings Mills, Maryland 21117   P 410.584.0060   F 410.584.0061

Criteria: National Institute of Standards and Technology (NIST) guidelines state the following:

CP-4 CONTINGENCY PLAN TESTING
Control: The organization:
a. Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan;
b. Reviews the contingency plan test results; and
c. Initiates corrective actions, if needed.

Supplemental Guidance: Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include, for example, walk-through and tabletop exercises, checklists, simulations (parallel, full interrupt), and comprehensive exercises. Organizations conduct testing based on the continuity requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals arising due to contingency operations.
Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions. Related controls: CP-2, CP-3, IR-3.

Effect: Without adequate testing, the opportunity to practice, prepare, identify gaps, and ensure that the plan will work has not been completed.

Recommendation: SB&C recommends that CSB perform disaster recovery testing at least annually.

Response from CSB Management: The CSB agrees with the recommendation. A disaster recovery test will be performed and documented by 12/31/2020.

2. Maintaining Backup Media Off-Site

Condition: We noted that backup media is not being maintained at an alternate location. Discussions with Information Technology management indicated that, due to COVID-19 protocols, backups were not rotated off-site.

Cause: Discussions with CSB Information Technology management indicated that the process of maintaining backups at an off-site location was discontinued due to the pandemic and the remote work protocol.

Criteria: National Institute of Standards and Technology (NIST) guidelines state the following:

CP-9 INFORMATION SYSTEM BACKUP

(3) INFORMATION SYSTEM BACKUP | SEPARATE STORAGE FOR CRITICAL INFORMATION
The organization stores backup copies of [Assignment: organization-defined critical information system software and other security-related information] in a separate facility or in a fire-rated container that is not collocated with the operational system.

Supplemental Guidance: Critical information system software includes, for example, operating systems, cryptographic key management systems, and intrusion detection/prevention systems. Security-related information includes, for example, organizational inventories of hardware, software, and firmware components.
Alternate storage sites typically serve as separate storage facilities for organizations. Related controls: CM-2, CM-8.

(4) INFORMATION SYSTEM BACKUP | PROTECTION FROM UNAUTHORIZED MODIFICATION
[Withdrawn: Incorporated into CP-9].

(5) INFORMATION SYSTEM BACKUP | TRANSFER TO ALTERNATE STORAGE SITE
The organization transfers information system backup information to the alternate storage site [Assignment: organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives].

Supplemental Guidance: Information system backup information can be transferred to alternate storage sites either electronically or by physical shipment of storage media.

(6) INFORMATION SYSTEM BACKUP | REDUNDANT SECONDARY SYSTEM
The organization accomplishes information system backup by maintaining a redundant secondary system that is not collocated with the primary system and that can be activated without loss of information or disruption to operations.

Effect: There is risk exposure that critical systems cannot be recovered in a timely manner if the primary location is not available.

Recommendation: SB&C recommends that CSB evaluate alternate methods to store backup media off-site (e.g., cloud, electronic vaulting, etc.).

Response from CSB Management: The CSB agrees with the recommendation. Rotation of backup drives to an off-site location has been suspended due to the pandemic and telework. The regular off-site backup process will begin again on an on-call basis.

We believe that the implementation of these recommendations will provide the U.S. Chemical Safety and Hazard Investigation Board with a stronger system of internal controls while also making its operations more efficient. We will be happy to discuss the details of these recommendations with you at your convenience.

This communication is intended solely for the information and use of management of the U.S. Chemical Safety and Hazard Investigation Board, others within the organization, and the Environmental Protection Agency Office of the Inspector General and is not intended to be and should not be used by anyone other than these specified parties.

Respectfully,

SB & Company, LLC
October 9, 2020
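The two controls SB&C cites, CP-4 (exercise the contingency plan and act on the results) and CP-9(5) (move backups to the alternate site within a period consistent with the recovery point objective), can both be checked mechanically rather than only on paper. The script below is an added worked example; it is not part of the OIG report or SB&C's letter and is not the CSB's tooling, and its sample files, archive layout, function names, and the 30-day RPO are assumptions. It takes a backup with a SHA-256 manifest, restores it to a scratch directory and verifies every file (a restore test in miniature), then flips one byte of the archive to show that tar's header checksum does not catch damaged media while the manifest comparison does; a second function flags an off-site copy whose last transfer is older than the RPO, which is exactly the state the second finding describes.

```python
"""Added example (not from the OIG report, SB&C, or the CSB): an automated
restore test plus an off-site freshness check, modelling NIST CP-4 and CP-9(5).
All sample data, paths, and thresholds below are constructed assumptions."""
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, archive: Path) -> dict:
    """Write *source* into an uncompressed tar and record a manifest
    (relative path -> SHA-256) beside it. A later restore is verified against
    this manifest, so it must not live only inside the archive it describes."""
    manifest = {}
    with tarfile.open(archive, "w") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                manifest[rel] = sha256_of(p)
                tar.add(p, arcname=rel)
    archive.with_suffix(".manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def restore_and_verify(archive: Path, dest: Path) -> dict:
    """CP-4 in miniature: actually restore the archive, then hash every
    restored file and compare with the manifest taken at backup time."""
    manifest = json.loads(archive.with_suffix(".manifest.json").read_text())
    with tarfile.open(archive, "r") as tar:
        try:
            # The 'data' filter (3.12+, backported to 3.8.17/3.9.17/3.10.12/3.11.4)
            # refuses absolute paths, '..' members and links that escape dest.
            tar.extractall(dest, filter="data")
        except TypeError:  # older interpreter without the filter argument
            tar.extractall(dest)
    mismatched, missing = [], []
    for rel, expected in manifest.items():
        restored = dest / rel
        if not restored.is_file():
            missing.append(rel)
        elif sha256_of(restored) != expected:
            mismatched.append(rel)
    return {"ok": not mismatched and not missing,
            "verified": len(manifest) - len(mismatched) - len(missing),
            "mismatched": mismatched, "missing": missing}


def offsite_copy_within_rpo(last_transfer: float, rpo_seconds: float, now=None) -> bool:
    """CP-9(5): the newest copy at the alternate site must be no older than the
    recovery point objective. Rotation that stopped months ago fails here."""
    now = time.time() if now is None else now
    return now - last_transfer <= rpo_seconds


def corrupt_member(archive: Path, member_name: str) -> None:
    """Flip one byte of a member's data to simulate damaged media. The tar
    header checksum does not cover file data, so extraction still succeeds;
    only the manifest comparison in restore_and_verify notices."""
    with tarfile.open(archive, "r") as tar:
        offset = tar.getmember(member_name).offset_data
    with archive.open("r+b") as f:
        f.seek(offset)
        first = f.read(1)[0]
        f.seek(offset)
        f.write(bytes([first ^ 0xFF]))


def demo(workdir: Path = None) -> dict:
    """Constructed end-to-end run: back up two sample files, restore and verify
    (clean), corrupt the archive, restore again (must be flagged)."""
    if workdir is None:
        with tempfile.TemporaryDirectory() as d:
            return demo(Path(d))
    src = workdir / "source"
    (src / "config").mkdir(parents=True)
    (src / "config" / "app.yaml").write_text("db_host: primary\n")  # constructed
    (src / "keys.db").write_bytes(b"\x00" * 1024)                   # constructed
    archive = workdir / "backup.tar"
    create_backup(src, archive)
    clean = restore_and_verify(archive, workdir / "restore_clean")
    corrupt_member(archive, "keys.db")
    damaged = restore_and_verify(archive, workdir / "restore_damaged")
    return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    # Assumed 30-day RPO; a copy last rotated off-site 45 days ago fails the check.
    print("off-site copy within RPO:",
          offsite_copy_within_rpo(time.time() - 45 * 86400, 30 * 86400))
```

Two design points matter for a real deployment. The manifest is kept separate from the archive so that a corrupted or substituted archive cannot also carry a matching manifest; storing it with the off-site copy and signing it would close the remaining gap. Restoring with the `data` extraction filter is the safe default because a tampered archive can otherwise write outside the restore directory, which turns a recovery exercise into an intrusion path.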