#«'osx
f Q\
U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL
U.S. Chemical Safety Board
CSB Discontinued
Information Recovery
Testing and Off-Site Backup
Storage During the
Coronavirus Pandemic
Report No. 21-E-0016 November 18, 2020
Off-Site
Backup
Media
-------�
Abbreviations
CSB U.S. Chemical Safety and Hazard Investigation Board
EPA U.S. Environmental Protection Agency
OIG Office of Inspector General
SB&C SB & Company
Cover Image: The coronavirus pandemic—that is, the SARS-CoV-2 virus and resultant
COVID-19 disease—prevented the CSB from sending information backups to
a secure off-site location and performing disaster recovery testing.
(EPA OIG and Centers for Disease Control and Prevention imagery)
Are you aware of fraud, waste, or abuse in an
EPA or CSB program?
EPA Inspector General Hotline
1200 Pennsylvania Avenue, NW (2431T)
Washington, D.C. 20460
(888) 546-8740
(202) 566-2599 (fax)
OIG Hotline@epa.gov
Learn more about our OIG Hotline.
EPA Office of Inspector General
1200 Pennsylvania Avenue, NW (2410T)
Washington, D.C. 20460
(202) 566-2391
www.epa.gov/oiq
Subscribe to our Email Updates
Follow us on Twitter @EPAoig
Send us your Project Suggestions
-------�
x^fcD ST/if.
U.S. Environmental Protection Agency 21-E-0016
Office of Inspector General November 18,2020
* O
kSBz.!
At a Glance
Why We Did This Evaluation
This report results from work
performed for the Office of
Inspector General to assess
the U.S. Chemical Safety and
Hazard Investigation Board's
compliance with performance
measures outlined in the fiscal
year 2020 Inspector General
reporting instructions for the
Federal Information Security
Modernization Act of 2014,
commonly referred to as
FISMA.
We contracted with the
SB & Company, referred to as
SB&C, to complete the FISMA
work and to report separately
on concerns that related to the
impact of the coronavirus
pandemic—that is, the
SARS-CoV-2 virus and
resultant COVID-19 disease—
on the CSB's backup process
and disaster recovery testing.
This report addresses the
following:
• Preserve the public trust by
maintaining and improving
organizational excellence.
This report addresses a top
CSB management challenge:
• Continue operations during
the coronavirus pandemic.
CSB Discontinued Information Recovery Testing
and Off-Site Backup Storage During the
Coronavirus Pandemic
Findings
The CSB was at risk of
not being able to readily
restore information
technology operations if
they were disrupted
during the coronavirus
pandemic.
The SB&C found that the CSB did not perform
disaster recovery testing on major information
systems during FY 2020 and did not store copies of
backup media at an off-site location. The National
Institute of Standards and Technology's guidance
indicates that contingency plans should be tested to
determine the effectiveness and readiness of the
plans, that the test results should be reviewed, and that necessary corrective
actions should be taken. The guidance also specifies that system backups
should be stored securely at an off-site location.
The CSB indicated that the coronavirus pandemic impeded its disaster recovery
testing and exercises, as well as its ability to move backup media to an off-site
location. As a result, in the event of a disaster or isolated incident, the CSB may
not be readily able to recover its systems' operations.
Recommendations and Planned or Completed Corrective Actions
We concur with the recommendations in the attached report from the SB&C and
recommend that the CSB:
1. Test its disaster recovery plan at least annually.
2. Evaluate alternate methods to store backup media off-site.
The CSB concurred with these recommendations and provided acceptable
corrective actions and milestone dates. The CSB indicated that a disaster
recovery test will be performed and documented by December 31, 2020. We
consider Recommendation 1 resolved with corrective action pending. Also,
subsequent to the SB&C's report, the CSB reinstated its off-site backups. We
consider Recommendation 2 completed.
Address inquiries to our public
affairs office at (202) 566-2391 or
OIG WEBCOMMENTS@epa.gov.
List of OIG reports.
-------�
UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
THE INSPECTOR GENERAL
November 18, 2020
Katherine A. Lemos, PhD
Chairperson and Chief Executive Officer
U.S. Chemical Safety and Hazard Investigation Board
1750 Pennsylvania Avenue NW, Suite 910
Washington, D.C. 20006
RE: Report No. 21-E-0016, CSB Discontinued Information Recovery Testing and Off-Site Backup Storage
During the Coronavirus Pandemic
Dear Dr. Lemos:
This report synopsizes the results of a review the consideration of internal controls for the U.S. Chemical
Safety and Hazard Investigation Board in determining whether the coronavirus pandemic had an adverse
impact on the day-to-day support processes, testing was performed by the SB & Company under the direction
of the U.S. Environmental Protection Agency's Office of Inspector General. The project number for this
evaluation was OA&E-FY20-0034. This evaluation was conducted in accordance with Quality Standards for
Inspection and Evaluation, published in January 2012 by the Council of the Inspectors General on Integrity
and Efficiency. The SB&C is responsible for the enclosed report, which is dated October 9, 2020, as well as
the opinions and conclusions expressed in the report. The OIG verified the CSB's corrective actions in response
to the report.
This report contains findings that describe the problems the SB&C has identified and corrective actions the
SB&C recommends. Final determinations on matters in this report will be made by the CSB in accordance
with established audit resolution procedures.
The CSB provided acceptable corrective actions and estimated milestone dates in response to the
recommendations in this report. All recommendations are resolved, and no final response to this report is
required. However, if you submit a response, it will be posted on the OIG's website, along with our
memorandum commenting on your response. Your response should be provided as an Adobe PDF file that
complies with the accessibility requirements of Section 508 of the Rehabilitation Act of 1973, as amended.
The final response should not contain data that you do not want to be released to the public; if your response
contains such data, you should identify the data for redaction or removal along with corresponding justification.
We will post this report to our website at www.epa.gov/oig.
Sincerely,
Sean W. O'Donnell
Enclosure
-------�
cc: Thomas Goonan, General Counsel, CSB
Anna Brown, Director of Administration and Audit Liaison, CSB
Charlie Bryant, Information Technology Director/Chief Information Officer, CSB
-------�
SB & COMPANY,n.c
Knowledge • Quality - Client Service
MANAGEMENT LETTER COMMENTS
U.S. CHEMICAL SAFETY AND HAZARD INVESTIGATION BOARD
October 9, 2020
Charlie Bryant
IT Director/CIO
U.S Chemical Safety and Hazard Investigation Board
1750 Pennsylvania Ave NW, Suite 910
Washington, DC 20006
Dear Mr. Bryant:
Our consideration of internal control was for the limited purpose of assisting the U.S. Chemical
Safety and Hazard Investigation Board (CSB) in determining if COVID-19 had an adverse impact
on any of the day-to-day support processes and was not designed to identify all deficiencies in
internal controls that might be significant deficiencies or material weaknesses and therefore, there
can be no assurance that all deficiencies, significant deficiencies, or material weaknesses have
been identified. We did not identify any deficiencies in internal controls that we consider to be
material weaknesses.
However, as discussed below, we identified certain matters involving the internal controls and
other operational matters that are presented for your consideration. We will review the status of
these comments during our next engagement. Our comments and recommendations, all of which
have been discussed with appropriate members of management, are intended to improve the
internal controls or result in other operating efficiencies. Our results are summarized as follows:
1. Disaster Recover Testing
Condition: During the performance of the procedures, we noted that the disaster recovery
testing has not been performed for CSB applications during the fiscal year ended
September 30, 2020.
Cause: Discussions with management indicated the while disaster recovery testing has been
performed in prior years; due to the pandemic, disaster recovery testing was not
performed during the fiscal year ended September 30, 2020. The CSB
Contingency Plan requires testing to be done at a minimum annually.
10200 Grand Central Avenue Suite 250 Owings Mills Maryland 21117 P410.584.0060 F 410.584.0061
-------�
SB & COMPANY,llc
Knowledge • Quality - Client Service
Criteria: National Institute of Standards and Technology (NIST) guidelines state the
following:
CP-4 CONTINGENCY PLAN TESTING Control:
The organization:
a. Tests the contingency plan for the information system [Assignment:
organization-defined frequency] using [Assignment: organization-defined
tests] to determine the effectiveness of the plan and the organizational
readiness to execute the plan;
b. Reviews the contingency plan test results; and
c. Initiates corrective actions, if needed.
Supplemental Guidance: Methods for testing contingency plans to determine the
effectiveness of the plans and to identify potential weaknesses in the plans include,
for example, walk-through and tabletop exercises, checklists, simulations (parallel,
full interrupt), and comprehensive exercises. Organizations conduct testing based
on the continuity requirements in contingency plans and include a determination of
the effects on organizational operations, assets, and individuals arising due to
contingency operations. Organizations have flexibility and discretion in the breadth,
depth, and timelines of corrective actions. Related controls: CP-2, CP-3, IR-3.
Effect: Without adequate, testing the opportunity to practice, prepare, identify gaps, and ensure
that the plan will work has not been completed.
Recommendations: SBC recommends that CSB performs disaster recovery testing, at least
annually.
Response from CSB Management: The CSB agrees with the recommendation. A disaster
recovery test will be performed and documented by 12/31/2020.
10200 Grand Central Avenue Suite 250 Owings Mills Maryland 21117 P410.584.0060 F 410.584.0061
-------�
SB & C O M PA NY,llc
Knowledge • Quality ¦ Client Service
2. Maintaining Back-up Media Off-site
Condition: We noted that backup media is not being maintained at an alternate location. The
discussions with Information Technology management indicated that due to
COVID-19 protocols, backups were not rotated off-site.
Cause: Discussions with CSB Information Technology management indicated that the process
of maintaining backups at an offsite location were discontinued due to the
pandemic and remote work protocol.
Criteria: National Institute of Standards and Technology (NIST) guidelines state the
following:
CP9 INFORMATION SYSTEM BACKUP
(3) INFORMATION SYSTEM BACKUP \ SEPARATE STORAGE FOR CRITICAL
INFORMATION
The organization stores backup copies of [Assignment: organization-defined critical
information system software and other security-related information] in a separate
facility or in a fire-rated container that is not collocated with the operational system.
Supplemental Guidance: Critical information system software includes, for
example, operating systems, cryptographic key management systems, and intrusion
detection/prevention systems. Security-related information includes, for example,
organizational inventories of hardware, software, and firmware components.
Alternate storage sites typically serve as separate storage facilities for organizations.
Related controls: CM-2, CM-8.
(4) INFORMATION SYSTEM BACKUP \ PROTECTION FROM
UNA UTHORIZED MODIFICATION
[Withdrawn: Incorporated into CP-9],
(5) INFORMATION SYSTEM BACKUP \ TRANSFER TO ALTERNATE
STORAGE SITE
The organization transfers information system backup information to the alternate
storage site [Assignment: organization-defined time period and transfer rate
consistent with the recovery time and recovery point objectives],
10200 Grand Central Avenue Suite 250 Owings Mills Maryland 21117 P 410.584.0060 F 410.584.0061
-------�
SB & COMPANY,n.c
Knowledge • Quality - Client Service
Supplemental Guidance: Information system backup information can be transferred
to alternate storage sites either electronically or by physical shipment of storage
media.
(6) INFORMATION SYSTEM BACKUP \ REDUNDANT SECONDARY SYSTEM
The organization accomplishes information system backup by maintaining a
redundant secondary system that is not collocated with the primary system and that
can be activated without loss of information or disruption to operations.
Effect: There is risk exposure that critical systems cannot be recovered timely if the primary
location is not available.
Recommendations: SBC recommends that CSB evaluate alternate methods to store backup
media offsite (e.g., cloud, electronic vaulting etc.)
Response from CSB Management: The CSB agrees with the recommendation. Rotation of
backup drives to an offsite location has been suspended due to the pandemic and
telework. The regular offsite backup process will begin again on an on-call basis.
10200 Grand Central Avenue Suite 250 Owings Mills Maryland 21117 P 410.584.0060 F 410.584.0061
-------�
SB & COMl'AN Y.llc
Knowledge • Quality • Cl ;m Service
We believe that the implementation of these recommendations will provide the U. S. Chemical and
Safety Hazard Investigation Board with a stronger system of internal controls while also making
its operations more efficient. We will be happy to discuss the details of these recommendations
with you at your convenience.
This communication is intended solely for the information and use of management of the U.S.
Chemical and Safety Hazard Investigation Board, others within the organization, and the
Environmental Protection Agency Office of the Inspector General and is not intended to be and
should not be used by anyone other than these specified parties.
Respectfully,
SB & Company, LLC
October 9, 2020
10200 Grand Central Avenue Suite 250 Owings Mills Maryland 21117 P410.584.0060 F 410.584.0061
-------� |