IG: EPA could improve controls over mainframe system software
Tightening controls would prevent compromise of information, report says
- By Rutrell Yasin
- Feb 23, 2007
The Environmental Protection Agency needs to strengthen controls governing access to and modification of mainframe system software located in the agency's National Computer Center (NCC) to ensure that sensitive information is not compromised, according to a report by EPA's Office of Inspector General.
An audit, conducted by KPMG in 2006, did not uncover any breaches in mainframe system software security. While noting that EPA management and the primary support contractor have taken a proactive approach to improving mainframe system security and protecting the agency's information assets, the OIG audit found several weaknesses in internal controls over access to and modification of system software that needs improvement.
The report, 'EPA Could Improve Controls Over Mainframe System Software,'
issued Jan. 29, 2007, focused on the mainframe at the NCC in Research Triangle Park in Raleigh, N.C. EPA's mainframe is a general support system that provides a national data repository for the agency's environmental, administrative, financial and scientific systems. It is used by the agency's program and regional offices, laboratories and external business partners.
KPMG identified several weaknesses, including:
- Roles and responsibilities were not clearly assigned.
- Change controls were not performed in accordance with agency policies.
- Policies, procedures and guides could be strengthened.
- Security settings for sensitive datasets and programs were not effectively configured or implemented.
The OIG recommends that EPA's Office of Environmental Information (OEI):
- Improve management oversight and review of primary support contractor activity, and clearly assign roles and responsibilities to ensure personnel are held accountable.
- Ensure change control procedures are performed in accordance with existing agency and federal guidance.
- Strengthen existing policies, procedures and guides to establish standards for implementing key security controls for mainframe system software.
- Appropriately configure and implement security settings for sensitive datasets and programs.
'EPA does not have effective oversight processes in place to help ensure that technical controls over sensitive data sets and programs are appropriately implemented,' the report states. Agency guidelines require information managers to receive a written request before creating system accounts or granting users privileges to use a system. They are also required to conduct monthly reviews of system logs, support requests and previous review findings. In addition, monitoring of systems and user activity for security violations is to be performed daily and in real time.
Auditors found that NCC personnel did not follow established policy. They were not able to verify that NCC personnel performed periodic reviews and revalidation of mainframe access, the report states. Further, NCC personnel had not activated system logging to create the necessary audit trails to verify system changes and users' activity.
'These weaknesses exist because EPA had not assigned the roles and responsibilities for monitoring and reviewing mainframe system software security' to specific groups, personnel or contractors to ensure accountability, according to the report.
EPA's OEI generally agreed with the recommendation to improve management oversight. EPA OEI has updated and formalized its processes for documentation of approvals for system software access. Additionally, management updated EPA's Standards and Procedures for the NCC Enterprise Server manual to include a matrix on EPA and federal contractor personnel roles and responsibilities as it applies to managing the mainframe system software activities, according to the report.
The report noted that EPA has documented policies and procedures regarding system software change controls. However, during testing of the selection of change requests, auditors found EPA management is not enforcing current policies and procedures and providing the necessary oversight to ensure that mainframe system software changes are appropriate.
'We found software changes are not adequately and consistently authorized, tested, approved, implemented or reconciled,' the report states. These weaknesses exist because the NCC does not enforce the existing policy for authorizing, testing and approving systems software changes.
EPA management generally disagreed with the report's assessments on change control. EPA managers claim that operational approvals are recorded within the agency's change control systems, the report states. Additionally, all changes are discussed and documented during the weekly Enterprise Server manager's meeting with the primary support contractor, EPA officials said. Plus, a review of changes is performed, reconciled and maintained on file with the contractor. Management also has implemented controls to prevent system programmers from testing and implementing their own changes into the production environment.
After meeting with NCC officials to clarify findings, the auditors agreed to revise recommendations and NCC officials agreed to provide additional documentation for the audit team's consideration and review.
EPA has updated its Enterprise Server Standards and Procedures document to include lists of sensitive datasets and is currently revising the policy document that outlines procedures for limiting access to system software, which has not been updated in at least four years, the report states.
Rutrell Yasin is is a freelance technology writer for GCN.