Fundamental Weaknesses Place EPA Data and Operations at Risk
T-AIMD-00-97: Published: Feb 17, 2000. Publicly Released: Feb 17, 2000.
- Full Report:
Pursuant to a congressional request, GAO discussed its recent review of information security at the Environmental Protection Agency (EPA).
GAO noted that: (1) GAO's review found serious and pervasive problems that essentially render EPA's agencywide information security program ineffective; (2) current security program planning and management is largely a paper exercise that has done little to substantively identify, evaluate, and mitigate risks to the agency's data systems; (3) GAO's tests of computer-based controls have concluded that the computer operating systems and the agencywide computer network that support most of EPA's mission-related and financial operations are riddled with security weaknesses; (4) many of the most serious weaknesses--those related to inadequate protection from intrusions via the Internet and poor security planning--had been previously reported to EPA management in 1997 by EPA's Inspector General; (5) the negative effects of such weaknesses are illustrated by EPA's own records which show several serious computer security incidents in the last 2 years that have resulted in damage and disruption to agency operations; (6) GAO identified deficiencies in EPA' incident detection and handling capabilities that draw into question EPA's ability to fully understand or assess the nature of or damage due to its computer security breaches; (7) accordingly, EPA's computer systems and the operations that rely on these systems are highly vulnerable to tampering, disruption, and misuse; (8) moreover, EPA cannot ensure the protection of sensitive business and financial data maintained on its larger computer systems or supported by its agencywide network; and (9) GAO's work has sensitized EPA to the seriousness of these issues and agency officials have informed GAO of some corrective actions and announced other plans which, if properly implemented, can begin to address several of these serious problems.