Information Security:

Fundamental Weaknesses Place EPA Data and Operations at Risk

AIMD-00-215: Published: Jul 6, 2000. Publicly Released: Aug 11, 2000.

Contact:

Robert F. Dacey
(202) 512-3000
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Pursuant to a congressional request, GAO provided information on the Environmental Protection Agency's (EPA) information security program, focusing on: (1) EPA's computer-based controls; (2) the extent and impact of computer security incidents at EPA; and (3) the agency's information security program management.

GAO noted that: (1) GAO's review found serious and pervasive problems that essentially rendered EPA's agencywide information security program ineffective; (2) GAO's tests of computer-based controls concluded that the computer operating systems and the agencywide computer network that support most of EPA's mission-related and financial operations were riddled with security weaknesses; (3) of particular concern is that many of the most serious weaknesses GAO identified--those related to inadequate protection from intrusions via the Internet and poor security planning--had been previously reported to EPA management in 1997 by EPA's Inspector General; (4) the negative effects of such weaknesses are illustrated by EPA's own records, which show several serious computer security incidents since early 1998 that have resulted in damage and disruption to agency operations; (5) in addition, GAO identified deficiencies in EPA's incident detection and handling capabilities that limited EPA's ability to fully understand or assess the nature of or damage due to intrusions into and misuse of its computer systems; (6) as a result of these weaknesses, EPA's computer systems and the operations that rely on these systems were highly vulnerable to tampering, disruption, and misuse from both internal and external sources; (7) moreover, EPA could not ensure the protection of sensitive business and financial data maintained on its larger computer systems or supported by its agencywide network; (8) since the close of GAO's audit in mid-February, EPA has moved aggressively to reduce the exposure of its systems and data and to correct weaknesses GAO identified; (9) these efforts, which include both short-term and long-term improvements to system access controls, are still underway, and GAO has not tested their effectiveness; (10) however, EPA's actions show that the agency is taking a comprehensive and systematic approach that should help ensure that its efforts are effective; (11) GAO's review of EPA security program planning and management found that EPA's existing practices were largely a paper exercise that had done little to substantively identify, evaluate, and mitigate risks to the agency's data and systems; and (12) ensuring that corrective actions are effective on a continuing basis and that new risks are promptly identified and addressed will entail implementing significant improvements in the way EPA plans for and manages its information security program.

Status Legend:

  • Review Pending - GAO has not yet assessed implementation status.
  • Open - Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed - implemented - Actions that satisfy the intent of the recommendation have been taken.
  • Closed - not implemented - While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.

    Recommendations for Executive Action

    Recommendation: The Administrator, EPA, should direct EPA's Principal Deputy Assistant Administrator for the Office of Environmental Information, the assistant administrators, and the regional administrators to implement policy and procedures for monitoring suspicious activity in log files and audit trails on a regular schedule commensurate with current threats and potential impact of damage or disruption.

    Agency Affected: Environmental Protection Agency

    Status: Closed - Implemented

    Comments: In response, EPA developed and implemented a methodology for log reviews in their central environment. Log review procedures have been developed and disseminated for all Agency platforms. Agency organization heads have confirmed increased reviews of daily audit logs. A certification checklist was developed to address password management, technical controls, and management controls. Senior managers certified in writing that controls in the checklist had been implemented in their environments. A quality assurance check was performed on all senior management certifications.

    Recommendation: The Administrator, EPA, should direct EPA's Principal Deputy Assistant Administrator for the Office of Environmental Information, the assistant administrators, and the regional administrators to restrict access to security incident data so that only those individuals involved in monitoring and investigating incidents can view such data.

    Agency Affected: Environmental Protection Agency

    Status: Closed - Implemented

    Comments: In response, EPA has reduced the number of individuals with access to security incident data. EPA has also segregated its security incident data and restricted access. According to the most recent status report, EPA has substantially completed the process of developing a more formal program to manage access to security incident data. Officials are currently reviewing and updating incident handling procedures as part of the development of an enterprise-wide incident handling program.

    Recommendation: To strengthen EPA's ongoing security posture and incident management efforts, the Administrator, EPA, should direct EPA's Principal Deputy Assistant Administrator for the Office of Environmental Information to develop, document, and enforce standards, controls, and procedures for security intrusion and misuse detection, recording, response, follow-up, analysis, and reporting, including clear assignment of responsibilities for government and contractor employees to ensure appropriate oversight of security functions.

    Agency Affected: Environmental Protection Agency

    Status: Closed - Implemented

    Comments: EPA has deployed intrusion detection systems to observe network activity both inside and outside the Agency firewalls. According to the most recent EPA status report, agency management receives alerts and reviews logs daily. The Deputy CIO reviews a weekly summary of security incidents. The final stages of instituting a Managed Security Services (MSS) program for monitoring EPA's intrusion detection sensors are being completed. According to EPA's status report, the agency has an ongoing effort to develop methods for more effective post-incident analyses.

    Recommendation: To strengthen EPA's ongoing security posture and incident management efforts, the Administrator, EPA, should direct EPA's Principal Deputy Assistant Administrator for the Office of Environmental Information to analyze existing and future problem reports to identify deficiencies in system controls, incident records, and problem responses.

    Agency Affected: Environmental Protection Agency

    Status: Closed - Implemented

    Comments: EPA has implemented a process to receive regular incident reports from all programs and Regions, and officials are regularly evaluating incident reports to identify trends. The agency has an ongoing effort to enhance its computer security incident handling program to more fully analyze incident data and then use this data to identify deficiencies and corresponding controls.

    Recommendation: To strengthen EPA's ongoing security posture and incident management efforts, the Administrator, EPA, should direct EPA's Principal Deputy Assistant Administrator for the Office of Environmental Information to periodically report summaries of security incidents and responses to senior EPA and application managers in order to raise awareness of security risks, ensure that response actions and control improvements are appropriately managed, and ensure that the related risks are considered in security planning.

    Agency Affected: Environmental Protection Agency

    Status: Closed - Implemented

    Comments: In response, EPA has limited direct access from the Internet and completed a risk assessment of critical/priority systems and applications. They have developed a plan for conducting awareness/training sessions. Information security awareness training has been conducted for senior EPA career executives, senior political and career executives, managers, and Information Security Officers. Information from the incident reporting program has been incorporated into awareness materials. There is a continuing effort to provide updated material and additional guidance on the classification of sensitive information.

    Recommendation: The Administrator, EPA, should direct EPA's Principal Deputy Assistant Administrator for the Office of Environmental Information, the assistant administrators for other EPA offices, and the regional administrators to work together to identify and rank their information assets and computer-supported operations according to their sensitivity and criticality to EPA's mission.

    Agency Affected: Environmental Protection Agency

    Status: Closed - Implemented

    Comments: In response, each EPA program office and Region is now required to identify and rank their information assets as part of the security planning process using established criteria for identification of information sensitivity. An agency-wide workgroup was established to further assess the classification of the sensitivity of the EPA's information holdings.

    Recommendation: The Administrator, EPA, should direct EPA's Principal Deputy Assistant Administrator for the Office of Environmental Information, the assistant administrators for other EPA offices, and the regional administrators to work together to select procedures and controls that provide this protection.

    Agency Affected: Environmental Protection Agency

    Status: Closed - Implemented

    Comments: In response, the agency reviewed its data classification structure and decided not to make any changes. Implementation assistance has been provided based on the agency's experience with the current classification scheme.

    Recommendation: The Administrator, EPA, should direct EPA's Principal Deputy Assistant Administrator for the Office of Environmental Information, the assistant administrators for other EPA offices, and the regional administrators to work together to identify and prioritize improvement actions needed.

    Agency Affected: Environmental Protection Agency

    Status: Closed - Implemented

    Comments: In response, EPA established a priority list for its actions related to the GAO audit. An action plan was prepared and work began on this recommendation beginning the first quarter of fiscal year 2002. The agency prioritized its implementation of GAO recommendations and prepared the required supporting near-term and mid-term action plans.

    Recommendation: The Administrator, EPA, should direct EPA's Principal Deputy Assistant Administrator for the Office of Environmental Information, the assistant administrators for other EPA offices, and the regional administrators to work together to implement a program of routine and periodic testing and evaluation of the procedures and controls adopted, with emphasis on those procedures and controls affecting the most sensitive and critical information assets.

    Agency Affected: Environmental Protection Agency

    Status: Closed - Implemented

    Comments: In response, EPA established a schedule to periodically run independent scans of the network to test the effectiveness of network controls. The agency subsequently conducted scans and penetration testing of firewalls, conducted scans of other Headquarters and Regional perimeters, and conducted significant testing of systems and controls. EPA also acquired automated monitoring tools to examine compliance with configuration standards. Headquarters and Regional campuses were scanned as part of the Agency's risk assessments.

    Recommendation: The Administrator, EPA, should direct EPA's Principal Deputy Assistant Administrator for the Office of Environmental Information to proactively assist EPA offices in understanding and implementing EPA's agencywide information security policy.

    Agency Affected: Environmental Protection Agency

    Status: Closed - Implemented

    Comments: EPA's senior management has received many communications regarding information security. For example, senior management has received multiple briefings, weekly updates at the Administrator's staff meetings, and memorandums from the Deputy Administrator and Principal Deputy Administrator, Office of Environmental Information (OEI). An information security awareness program has been developed for all agency staff. Training and awareness forums are held annually.

    Recommendation: The Administrator, EPA, should direct EPA's Principal Deputy Assistant Administrator for the Office of Environmental Information to assist EPA program and regional offices in understanding the information security risks associated with their operations, including those risks stemming from their reliance on general support systems, such as the agencywide network maintained by EPA's National Computer Center.

    Agency Affected: Environmental Protection Agency

    Status: Closed - Implemented

    Comments: In response, each EPA program office and Region is now required to identify and rank their information assets as part of the security planning process using established criteria for identification of information sensitivity. An agency-wide workgroup was established to further assess the classification of the sensitivity of EPA information holdings. All risk assessments of regional campuses were completed to incorporate as part of the annual assessments required by the law. In addition, system managers offered to share information from general support system security plans to assist application developers.

    Recommendation: The Administrator, EPA, should direct EPA's Principal Deputy Assistant Administrator for the Office of Environmental Information to assist offices in developing and implementing plans for testing key information security controls associated with systems under their control.

    Agency Affected: Environmental Protection Agency

    Status: Closed - Implemented

    Comments: In response, EPA implemented a program of ongoing penetration testing of resources. The CIO's office provides support as part of the risk assessment process to identify sensitive information systems and assist programs and Regions in interpreting the results of tests or identifying corrective measures.

    Recommendation: The Administrator, EPA, should direct EPA's Principal Deputy Assistant Administrator for the Office of Environmental Information to develop and implement plans for testing key information security controls associated with general support systems and other systems under their control.

    Agency Affected: Environmental Protection Agency

    Status: Closed - Implemented

    Comments: In response, EPA implemented a program of ongoing penetration testing of resources. The CIO's office provides support as part of the risk assessment process to identify sensitive information systems and assist programs and Regions in interpreting the results of tests or identifying corrective measures. In addition, the agency developed a project management database to track progress and provide regular weekly reports to management.

    Recommendation: The Administrator, EPA, should direct EPA's Principal Deputy Assistant Administrator for the Office of Environmental Information to monitor progress in implementing actions needed to address identified information security weaknesses.

    Agency Affected: Environmental Protection Agency

    Status: Closed - Implemented

    Comments: In response, EPA developed a disciplined project management approach to managing its Information Security Action Plan. Action plans were developed to guide the near-term and mid-term actions. These plans outlined high-level goals and key components of a comprehensive security program that follows industry best practices. To support implementation, milestones were developed to support the high-level tasks. In addition, the agency developed a project management database to track progress and provide regular weekly reports to management.

    Recommendation: The Administrator, EPA, should direct EPA's Principal Deputy Assistant Administrator for the Office of Environmental Information to periodically report to the Administrator and the heads of EPA program and support offices on the effectiveness of EPA's information security program.

    Agency Affected: Environmental Protection Agency

    Status: Closed - Implemented

    Comments: EPA established a priority list for its actions related to the GAO audit, including senior management briefings on information security, teleconferences with agency primary Information Security Officers every two weeks, and weekly updates at the Administrator's staff meetings.

    Recommendation: The Administrator, EPA, should direct EPA's Principal Deputy Assistant Administrator for the Office of Environmental Information to adjust and supplement EPA's written information security policies and related guidance to include information that clarifies which elements of policies and related guidance are mandatory and which are optional.

    Agency Affected: Environmental Protection Agency

    Status: Closed - Implemented

    Comments: After assessing "best practices" for security policies in the federal government and analyzing legislative requirements, EPA drafted a list of policies that needed to be revised and new policies that need to be written and sent to management for review. As a first step, an Agency Network Security Policy was approved and issued March 31, 2001. A workgroup was formed to prioritize policies needing updates and revisions. The policy prioritization list was presented to the Office Directors and approved as the logical methodology for updating and revising information security policies.

    Recommendation: The Administrator, EPA, should direct EPA's Principal Deputy Assistant Administrator for the Office of Environmental Information to adjust and supplement EPA's written information security policies and related guidance to include information that defines information security roles and responsibilities.

    Agency Affected: Environmental Protection Agency

    Status: Closed - Implemented

    Comments: After reviewing its policies; soliciting feedback from Information Security Officers, systems managers, and application owners; assessing "best practices" for security policies in the federal government; and analyzing legislative requirements, EPA developed a list of policies that need to be revised and new policies that need to be written. One element of this effort--a network security policy--was approved and issued March 31, 2001. To facilitate the refinement of roles and responsibilities, internal EPA documents were reviewed to baseline prior definitions. Feedback was also obtained from Information Security Officers, system managers and application owners to determine their contributions to information security.

    Recommendation: The Administrator, EPA, should direct EPA's Principal Deputy Assistant Administrator for the Office of Environmental Information to complete efforts to develop and implement an action plan for strengthening access controls associated with EPA's major computer operating systems and agencywide network. This will require ongoing cooperative efforts between EPA's Office of Environmental Information and EPA's program and regional offices. GAO provided EPA a detailed list of these control weaknesses and related recommendations in the Limited Official Use report.

    Agency Affected: Environmental Protection Agency

    Status: Closed - Implemented

    Comments: In response, EPA adopted a disciplined project management approach to managing its Information Security Action Plan. Action plans were developed to guide the near-term and mid-term actions. Re-establishment of connection to the Internet was accomplished using a risk-based approach after defining a baseline set of firewall business rules and implementing a full firewall. EPA has established a rigorous review process that must be completed prior to systems and applications being allowed to go into production on the Agency's network. EPA lists all 100 detailed recommendations GAO made in the Limited Official Use report as completed.

    Recommendation: The Administrator, EPA, should direct EPA's Principal Deputy Assistant Administrator for the Office of Environmental Information to adjust and supplement EPA's written information security policies and related guidance to include information that defines procedures and provides tools for agencywide self-assessments.

    Agency Affected: Environmental Protection Agency

    Status: Closed - Implemented

    Comments: In response, EPA has identified a list of priority policies based on a collaborative process that sought input from knowledgeable staff and approval by senior management. After assessing "best practices" for security policies in the federal government and analyzing legislative requirements, a list of policies that need to be revised and new policies that need to be written was drafted and sent to management for review. An Agency Network Security Policy was approved and issued on March 31, 2001. Automated monitoring tools have been acquired to monitor compliance with security configuration standards. Deployment of the tools is complete and training in how to use them is underway for system managers and Information Security Officers throughout the Agency.
