U.S. Environmental Protection Agency	21-E-0071
Office of Inspector General	February 9, 2021
At a Glance
Why We Did This Evaluation
This evaluation was performed
to assess the U.S. Chemical
Safety and Hazard
Investigation Board's
compliance with performance
measures outlined in the fiscal
year 2020 inspector general
reporting instructions for the
Federal Information Security
Modernization Act of 2014.
The SB & Company LLC was
contracted to perform this
evaluation under the direction
and oversight of the
U.S. Environmental Protection
Agency's Office of Inspector
General.
The FY 2020 IG FISMA
Reporting Metrics outlines and
provides potential ratings for
security function areas to help
federal agencies manage
cybersecurity risks.
This report addresses the
following:
• Preserve the public trust by
maintaining and improving
organizational excellence.
CSB's Information Security Program Is Not
Consistently Implemented; Improvements
Are Needed to Address Four Weaknesses
The CSB has not consistently
implemented its information
security program's policies,
procedures, and strategies.
What We Found
The SB & Company assessed the
effectiveness of the CSB's information security
program at "Level 2, Defined." A Level 2
designation means that the CSB's policies,
procedures, and strategies are formalized and
documented but not consistently implemented. While the CSB has policies,
procedures, and strategies in place for information security, the SB & Company
identified the following four weaknesses:
•	The CSB did not have a governance structure to facilitate an
organizationwide risk-management monitoring and reporting process.
•	The CSB did not have a documented process that defines requirements for
remediating flaws, including using a plan of actions and milestones to monitor
the required remediation from initiation to resolution.
•	The CSB did not have processes to provide privacy awareness training to all
users and specialized training for individuals who support information
security- or technology-related areas.
•	The CSB discontinued information recovery testing and off-site backup
storage during the coronavirus pandemic—that is, the SARS-CoV-2 virus and
resultant COVID-19 disease. These issues were initially identified in
OIG Report No. 21-E-0016, CSB Discontinued Information Recovery Testing
and Off-Site Backup Storage During the Coronavirus Pandemic, issued
November 18, 2020.
Appendix A contains the results of the FISMA assessment.
Recommendations and Planned Corrective Actions
The SB & Company made five recommendations to the CSB. The CSB agreed
with the recommendations and provided acceptable corrective actions. Corrective
action is pending for Recommendations 1 and 2 and completed for
Recommendations 3, 4, and 5.
Address inquiries to our public
affairs office at (202) 566-2391 or
OIG_WEBCOMMENTS@epa.gov.

-------