EPA, auditors disagree over IT security risks
- By Jana Cranmer
- Feb 14, 2007
One of the Environmental Protection Agency's mainframe systems poses IT security risks, external auditors said.
Internal controls over the mainframe system software at the National Computer Center in Raleigh, N.C., were found to be lacking in how they 'limit access to system software resources to protect against unauthorized loss and disclosure, reduce the risk of the introduction of authorized changes and limit and monitor access to system software programs,' according to the audit conducted between March and June by KPMG, LLP of New York.
The evaluation discovered major weaknesses in EPA's internal controls, such as:
- Roles and responsibilities were not clearly assigned
- Change controls were not performed according to agency policies
- Policies, procedures and guidelines were not up to date
- Security settings for sensitive data sets and programs were not effectively configured and implemented
'The EPA does not have effective oversight processes in place to help ensure that technical controls over sensitive datasets and programs are appropriately implemented,' said Bill Roderick, acting EPA inspector general, whose office contracted for the review. 'These weaknesses exist because EPA had not assigned the roles and responsibilities for monitoring and reviewing mainframe system software security.'
EPA disagreed with the auditors, stating that the agency conducts weekly reviews of system software and roles and responsibilities are formally assigned.
The auditors also stated that EPA change control policies, which outline practices for normal and emergency system software modifications, are 'not adequately and consistently authorized, tested, approved, implemented or reconciled.'
This could lead to data corruption or system downtime, and to system changes being made without the agency's knowledge.
In response to this finding, EPA management created a new procedure to document and log system changes, which will provide the agency with greater control over the mainframe environment.
EPA's policies, procedures and guidelines are out of date, as the Office of Environmental Information's information security manual and EPA's security manual have not been updated for more than four years, auditors said. OEI management is now in the process of updating these manuals, EPA said.
Auditors recommended that the agency improve management oversight through clearly assigning roles and responsibilities. EPA disagreed with this evaluation, arguing that changes made to the present system are documented and discussed at the weekly manager's meeting with the primary support contractor.
The audit also recommended EPA adhere to existing federal and agency guidelines, configure and implement security settings for sensitive data sets and programs and establish standards for implementing security controls for mainframe software.