GAO report says EPA must keep improving IT security

By Shruti Daté

GCN Staff

In a follow-up to its review last winter of security at the Environmental Protection Agency, the General Accounting Office has advised the agency that its information security programs still need work.

'Our review found serious and pervasive problems that essentially rendered EPA's agencywide information security program ineffective,' the GAO concluded in the report, Information Security: Fundamental Weaknesses Place EPA Data and Operations at Risk.

A recent GAO report accused EPA of failing to follow risk management planning as recommended by OMB and NIST.

The report, released last month, updates a review by the congressional watchdog agency that was done at the behest of Rep. Thomas Bliley (R-Va.), House Commerce Committee chairman.

The earlier review and urging from Bliley prompted EPA to shut down its Web site in mid-February [GCN, March 6, Page 1]. The site is now about 80 percent back online [GCN, Aug. 7, Page 12].

Many holes

In the original review, GAO found deficiencies in EPA's password protection, access controls, incident detection and mitigation capabilities. The audit team, in fact, successfully penetrated the agency's firewall and took control of other perimeter defenses, gaining access to systems on EPA's internal network.

The agency has worked to reduce the exposure of its systems and data and to correct identified weaknesses, auditors found.

Its efforts include the establishment of a technical information security staff and a review of the agency's information protection policies.

'EPA's actions show that the agency is taking a comprehensive and systematic approach that should help ensure that its efforts are effective,' the report said. The agency must, however, intensify its efforts, GAO said.

EPA officials agree with this finding. 'Even though we have made many enhancements in our program since the first of the year, we recognize that the agency must continue to improve our security procedures,' noted Margaret Schneider, principal deputy assistant administrator, in a written response to the report.

Recently, George A. Bonina, director of EPA's information security staff, acknowledged that the agency has more work to do because advances in technology have surpassed EPA's data management and security programs [GCN, Aug. 7, Page 12]. But he denies that EPA was neglectful; it just did not act quickly enough.

EPA has taken steps to strengthen access controls, enhance intrusion detection and improve the information security management structure.

It also plans to establish a program to test access controls and procedures, improve risk management and enhance security training.

GAO urged EPA's Office of Environmental Information to follow a risk management process endorsed by the Office of Management and Budget and the National Institute of Standards and Technology.