Skip to main content

Information Security: Fundamental Weaknesses Place EPA Data and Operations at Risk

AIMD-00-215 Published: Jul 06, 2000. Publicly Released: Aug 11, 2000.
Jump To:
Skip to Highlights

Highlights

Pursuant to a congressional request, GAO provided information on the Environmental Protection Agency's (EPA) information security program, focusing on: (1) EPA's computer-based controls; (2) the extent and impact of computer security incidents at EPA; and (3) the agency's information security program management.

Recommendations

Recommendations for Executive Action

Agency Affected Recommendation Status
Environmental Protection Agency The Administrator, EPA, should direct EPA's Principal Deputy Assistant Administrator for the Office of Environmental Information to complete efforts to develop and implement an action plan for strengthening access controls associated with EPA's major computer operating systems and agencywide network. This will require ongoing cooperative efforts between EPA's Office of Environmental Information and EPA's program and regional offices. GAO provided EPA a detailed list of these control weaknesses and related recommendations in the Limited Official Use report.
Closed – Implemented
In response, EPA adopted a disciplined project management approach to managing its Information Security Action Plan. Action plans were developed to guide the near-term and mid-term actions. Re-establishment of connection to the Internet was accomplished using a risk-based approach after defining a baseline set of firewall business rules and implementing a full firewall. EPA has established a rigorous review process that must be completed prior to systems and applications being allowed to go into production on the Agency's network. EPA lists all 100 detailed recommendations GAO made in the Limited Official Use report as completed.
Environmental Protection Agency The Administrator, EPA, should direct EPA's Principal Deputy Assistant Administrator for the Office of Environmental Information, the assistant administrators, and the regional administrators to implement policy and procedures for monitoring suspicious activity in log files and audit trails on a regular schedule commensurate with current threats and potential impact of damage or disruption.
Closed – Implemented
In response, EPA developed and implemented a methodology for log reviews in their central environment. Log review procedures have been developed and disseminated for all Agency platforms. Agency organization heads have confirmed increased reviews of daily audit logs. A certification checklist was developed to address password management, technical controls, and management controls. Senior managers certified in writing that controls in the checklist had been implemented in their environments. A quality assurance check was performed on all senior management certifications.
Environmental Protection Agency The Administrator, EPA, should direct EPA's Principal Deputy Assistant Administrator for the Office of Environmental Information, the assistant administrators, and the regional administrators should restrict access to security incident data so that only those individuals involved in monitoring and investigating incidents can view such data.
Closed – Implemented
In response, EPA has reduced the number of individuals with access to security incident data. EPA has also segregated its security incident data and restricted access. According to the most recent status report, EPA has substantially completed the process of developing a more formal program to manage access to security incident data. Officials are currently reviewing and updating incident handling procedures as part of the development of an enterprise-wide incident handling program.
Environmental Protection Agency To strengthen EPA's ongoing security posture and incident management efforts, the Administrator, EPA, should direct EPA's Principal Deputy Assistant for the Office of Environmental Information to develop, document, and enforce standards, controls, and procedures for security intrusion and misuse detection, recording, response, follow-up, analysis, and reporting, including clear assignment of responsibilities for government and contractor employees to ensure appropriate oversight of security functions.
Closed – Implemented
EPA has deployed intrusion detection systems to observe network activity both inside and outside the Agency firewalls. According to the most recent EPA status report, agency management receives alerts and reviews logs daily. The Deputy CIO reviews a weekly summary of security incidents. The final stages of instituting a Managed Security Services (MSS) program for monitoring EPA's intrusion detection sensors are being completed. According to EPA's status report, the agency has an ongoing effort to develop methods for more effective post-incident analyses.
Environmental Protection Agency To strengthen EPA's ongoing security posture and incident management efforts, the Administrator, EPA, should direct EPA's Principal Deputy Assistant Administrator for the Office of Environmental Information to analyze existing and future problem reports to identify deficiencies in system controls, incident records, and problem responses.
Closed – Implemented
EPA has implemented a process to receive regular incident reports from all programs and Regions, and officials are regularly evaluating incident reports to identify trends. The agency has an ongoing effort to enhance its computer security incident handling program to more fully analyze incident data and then use this data to identify deficiencies and corresponding controls.
Environmental Protection Agency To strengthen EPA's ongoing security posture and incident management efforts, the Administrator, EPA, should direct EPA's Principal Deputy Assistant Administrator for the Office of Environmental Information to periodically report summaries of security incidents and responses to senior EPA and application managers in order to raise awareness of security risks, ensure that response actions and control improvements are appropriately managed, and ensure that the related risks are considered in security planning.
Closed – Implemented
In response, EPA has limited direct access from the Internet and completed a risk assessment of critical/priority systems and applications. They have developed a plan for conducting awareness/training sessions. Information security awareness training has been conducted for senior EPA career executives, senior political and career executives, managers, and Information Security Officers. Information from the incident reporting program has been incorporated into awareness materials. There is a continuing effort to provide updated material and additional guidance on the classification of sensitive information.
Environmental Protection Agency The Administrator, EPA, should direct EPA's Principal Deputy Assistant Administrator for the Office of Environmental Information, the assistant administrators for other EPA offices, and the regional administrators to work together to identify and rank their information assets and computer-supported operations according to their sensitivity and criticality to EPA's mission.
Closed – Implemented
In response, each EPA program office and Region is now required to identify and rank their information assets as part of the security planning process using established criteria for identification of information sensitivity. An agency-wide workgroup was established to further assess the classification of the sensitivity of the EPA's information holdings.
Environmental Protection Agency The Administrator, EPA, should direct EPA's Principal Deputy Assistant Administrator for the Office of Environmental Information, the assistant administrators for other EPA offices, and the regional administrators to work together to select procedures and controls that provide this protection.
Closed – Implemented
In response, the agency reviewed its data classification structure and decided not to make any changes. Implementation assistance has been provided based on the agency's experience with the current classification scheme.
Environmental Protection Agency The Administrator, EPA, should direct EPA's Principal Deputy Assistant Administrator for the Office of Environmental Information, the assistant administrators for other EPA offices, and the regional administrators to work together to identify and prioritize improvement actions needed.
Closed – Implemented
In response, EPA established a priority list for its actions related to the GAO audit. An action plan was prepared and work began on this recommendation beginning the first quarter of fiscal year 2002. The agency prioritized its implementation of GAO recommendations and prepared the required supporting near-term and mid-term action plans.
Environmental Protection Agency The Administrator, EPA, should direct EPA's Principal Deputy Assistant Administrator for the Office of Environmental Information, the assistant administrators for other EPA offices, and the regional administrators to work together to implement a program of routine and periodic testing and evaluation of the procedures and controls adopted, with emphasis on those procedures and controls affecting the most sensitive and critical information assets.
Closed – Implemented
In response, EPA established a schedule to periodically run independent scans of the network to test the effectiveness of network controls. The agency subsequently conducted scans and penetration testing of firewalls, conducted scans of other Headquarters and Regional perimeters, and conducted significant testing of systems and controls. EPA also acquired automated monitoring tools to examine compliance with configuration standards. Headquarters and Regional campuses were scanned as part of the Agency's risk assessments.
Environmental Protection Agency The Administrator, EPA, should direct EPA's Principal Deputy Assistant Administrator for the Office of Environmental Information to proactively assist EPA offices in understanding and implementing EPA's agencywide information security policy.
Closed – Implemented
EPA's senior management has received many communications regarding information security. For example, senior management has received multiple briefings, weekly updates at the Administrator's staff meetings, and memorandums from the Deputy Administrator and Principal Deputy Administrator, Office of Environmental Information (OEI). An information security awareness program has been developed for all agency staff. Training and awareness forums are held annually.
Environmental Protection Agency The Administrator, EPA, should direct EPA's Principal Deputy Assistant Administrator for the Office of Environmental Information to assist EPA program and regional offices in understanding the information security risks associated with their operations, including those risks stemming from their reliance on general support systems, such as the agencywide network maintained by EPA's National Computer Center.
Closed – Implemented
In response, each EPA program office and Region is now required to identify and rank their information assets as part of the security planning process using established criteria for identification of information sensitivity. An agency-wide workgroup was established to further assess the classification of the sensitivity of EPA information holdings. All risk assessments of regional campuses were completed to incorporate as part of the annual assessments required by the law. In addition, system managers offered to share information from general support system security plans to assist application developers.
Environmental Protection Agency The Administrator, EPA, should direct EPA's Principal Deputy Assistant Administrator for the Office of Environmental Information to assist offices in developing and implementing plans for testing key information security controls associated with systems under their control.
Closed – Implemented
In response, EPA implemented a program of ongoing penetration testing of resources. The CIO's office provides support as part of the risk assessment process to identify sensitive information systems and assist programs and Regions in interpreting the results of tests or identifying corrective measures.
Environmental Protection Agency The Administrator, EPA, should direct EPA's Principal Deputy Assistant Administrator for the Office of Environmental Information to develop and implement plans for testing key information security controls associated with general support systems and other systems under their control.
Closed – Implemented
In response, EPA implemented a program of ongoing penetration testing of resources. The CIO's office provides support as part of the risk assessment process to identify sensitive information systems and assist programs and Regions in interpreting the results of tests or identifying corrective measures. In addition, the agency developed a project management database to track progress and provide regular weekly reports to management.
Environmental Protection Agency The Administrator, EPA, should direct EPA's Principal Deputy Assistant Administrator for the Office of Environmental Information to monitor progress in implementing actions needed to address identified information security weaknesses.
Closed – Implemented
In response, EPA developed a disciplined project management approach to managing its Information Security Action Plan. Action plans were developed to guide the near-term and mid-term actions. These plans outlined high-level goals and key components of a comprehensive security program that follows industry best practices. To support implementation, milestones were developed to support the high-level tasks. In addition, the agency developed a project management database to track progress and provide regular weekly reports to management.
Environmental Protection Agency The Administrator, EPA, should direct EPA's Principal Deputy Assistant Administrator for the Office of Environmental Information to periodically report to the Administrator and the heads of EPA program and support offices on the effectiveness of EPA's information security program.
Closed – Implemented
EPA established a priority list for its actions related to the GAO audit, including senior management briefings on information security, teleconferences with agency primary Information Security Officers every two weeks, and weekly updates at the Administrator's staff meetings.
Environmental Protection Agency The Administrator, EPA, should direct EPA's Principal Deputy Assistant Administrator for the Office of Environmental Information to adjust and supplement EPA's written information security policies and related guidance to include information that clarifies which elements of policies and related guidance are mandatory and which are optional.
Closed – Implemented
After assessing "best practices" for security policies in the federal government and analyzing legislative requirements, EPA drafted a list of policies that needed to be revised and new policies that need to be written and sent to management for review. As a first step, an Agency Network Security Policy was approved and issued March 31, 2001. A workgroup was formed to prioritize policies needing updates and revisions. The policy prioritization list was presented to the Office Directors and approved as the logical methodology for updating and revising information security policies.
Environmental Protection Agency The Administrator, EPA, should direct EPA's Principal Deputy Assistant Administrator for the Office of Environmental Information to adjust and supplement EPA's written information security policies and related guidance to include information that defines information security roles and responsibilities.
Closed – Implemented
After reviewing its policies; soliciting feedback from Information Security Officers, systems managers, and application owners; assessing "best practices" for security policies in the federal government; and analyzing legislative requirements, EPA developed a list of policies that need to be revised and new policies that need to be written. One element of this effort--a network security policy--was approved and issued March 31, 2001. To facilitate the refinement of roles and responsibilities, internal EPA documents were reviewed to baseline prior definitions. Feedback was also obtained from Information Security Officers, system managers and application owners to determine their contributions to information security.
Environmental Protection Agency The Administrator, EPA, should direct EPA's Principal Deputy Assistant Administrator for the Office of Environmental Information to adjust and supplement EPA's written information security policies and related guidance to include information that defines procedures and provides tools for agencywide self-assessments.
Closed – Implemented
In response, EPA has identified a list of priority policies based on a collaborative process that sought input from knowledgeable staff and approval by senior management. After assessing "best practices" for security policies in the federal government and analyzing legislative requirements, a list of policies that need to be revised and new policies that need to be written was drafted and sent to management for review. An Agency Network Security Policy was approved and issued on March 31, 2001. Automated monitoring tools have been acquired to monitor compliance with security configuration standards. Deployment of the tools is complete and training in how to use them is underway for system managers and Information Security Officers throughout the Agency.

Full Report

GAO Contacts

Office of Public Affairs

Topics

Computer crimesInformation securityComputer networksComputer securityComputer security incidentsData integrityInformation resources managementInternal controlsSoftwareInternet