EPA audit finds weaknesses in computer security
- By Jana Cranmer
- Feb 07, 2007
The Environmental Protection Agency should strengthen its processes for managing contractor systems and reporting security incidents so that both consistently follow agency security requirements, the agency's Office of the Inspector General said.
Through site visits and teleconferences, auditors discovered that EPA 'had not established procedures to ensure identification of all contractor systems' and had not 'ensured that information security requirements were accessible by the contractors and appropriately maintained.'
EPA uses on- and off-site contractors to collect and process information, review their systems' compliance with information security requirements and report the results to EPA's security monitoring database. The report said that EPA could improve its annual contractor self-assessment procedure, which expects contractors to report system weaknesses and remediation plans through the Automated Security Self Evaluation and Remediation Tracking (ASSERT) database.
'EPA has no assurance that its contractors identified their systems' vulnerabilities and implemented appropriate security controls, or that they were promptly informed of their contractual obligations when EPA-specific information security requirements changed,' said Bill Roderick, acting inspector general, in the recent report.
To resolve these weaknesses, auditors recommended that EPA assign duties for maintaining and updating information posted on its Web site, update its guidance for identifying contractor systems and establish procedures to ensure that all program offices update and maintain their contract clauses on a regular basis.
In addition, the IG reported weaknesses in the agency's computer security incident response policy. The audit said that many offices lacked local reporting procedures, failed to implement automated monitoring tools and did not adequately train employees on local procedures. The offices also lacked access to network attack trend information, which could hinder the EPA's ability to implement proactive defensive measures.
'EPA offices are not consistent in what, when and how they report security incidents to Computer Security Incident Response Capability (CSIRC) staff,' said Roderick. 'Without all relevant security incident data, CSIRC personnel cannot promptly respond to and contain security threats before they potentially affect wider portions of the agency's network.'
The EPA has not fully implemented its centralized monitoring software, which is designed to report, collect and analyze all recognized instances of computer security attacks at one location. The agency also lacks the capability to identify which locations have properly configured their software for centralized monitoring.
'The current situation compromises the effectiveness of EPA's computer security incident capability, as well as the agency's ability to control the availability and integrity of its network,' the report said.
Auditors recommended that the EPA update its computer security incident guide, establish a target date to configure the agency's antivirus software to utilize the central reporting feature, train Information Security Officers on new procedures and provide them with computer security incident reports.
The Office of Environmental Information (OEI) agreed with most of the recommendations, but objected to updating the computer security incident guide because it already includes specific instructions on incident types, incident reporting, information flows and proper response to incidents.
'While OEI accepts that there probably can never be enough training and communication, we do not accept that the data collected offers clear evidence that EPA lacks policies and procedures for reporting incidents,' said Linda Travers, OEI acting assistant administrator and chief information officer.
In response to the report's findings, EPA management provided the OIG with planned actions and deadlines to improve contractor systems management and incident reporting.