GAO Questions EPA's Ability to Secure DataAudit: Security Control Weaknesses Pervade IT Systems
Security control weaknesses pervade IT systems and networks at the U.S. Environmental Protection Agency, jeopardizing the agency's ability to sufficiently protect the confidentiality, integrity and availability of its information and systems, the Government Accountability Office said in an audit made public Aug. 21.
The EPA failed to implement fully access controls that are designed to prevent, limit and detect unauthorized access to computing resources, programs, information and facilities. Specifically, GAO said the agency didn't always:
- Enforce strong policies for identifying and authenticating users by, for example, requiring the use of complex passwords, such as those not easily guessed.
- Limit users' access to systems to what was required for them to perform their official duties.
- Ensure that sensitive information, such as passwords for system administration, was encrypted so as not to be easily readable by unauthorized individuals.
- Keep logs of network activity or monitor key parts of its networks for possible security incidents.
- Control physical access to its systems and information, such as controlling visitor access to computing equipment.
In addition to weaknesses in access controls, congressional auditors said EPA had mixed results in implementing other security controls. GAO cited the following example:
EPA conducted appropriate background investigations for employees and contractors to ensure sufficient clearance requirements had been met before permitting access to information and information systems. But EPA had not always securely configured network devices and updated operating system and database software with patches to protect against known vulnerabilities. And, the agency had not always ensured equipment used for sanitization and disposal of media was tested to verify correct performance.
"An underlying reason for the control weaknesses is that EPA has not fully implemented a comprehensive information security program," GAO Information Security Issues Director Gregory Wilshusen and Chief Technologist Nabajyoti Barkakati wrote in the 45-page audit report.
Wilshusen and Barkakati said EPA didn't always finalize policies and procedures to guide staff in effectively implementing controls; ensure that all personnel were given relevant security training to understand their roles and responsibilities; update system security plans to reflect current agency security control requirements; assess management, operational and technical controls for agency systems at least annually and based on risk; and implement a corrective action process to track and manage all weaknesses when remedial actions were necessary.
"Sustained management oversight and monitoring are necessary for EPA to implement these key information security practices and controls," the auditors wrote. "Until EPA fully implements a comprehensive security program, it will have limited assurance that its information and information systems are adequately protected against unauthorized access, use, disclosure, modification, disruption or loss."
GAO made 12 recommendations to the EPA administrator to fully implement elements of EPA's comprehensive information security program.
EPA Assistant Administrator and Chief Information Officer Malcolm Jackson wrote GAO that the agency agreed with all but two of its recommendations. While EPA agreed to implement an agencywide method for approving contingency plans, it didn't agree with the GAO recommendation that would require the approving officials' signature and date to be on the document. Jackson said that a centralized repository for managing all security documents would be the more appropriate mechanism for ensuring plans are the most recent official versions. GAO accepted Jackson's rationale.
EPA agreed to implement a uniform method for recording annual contingency plan testing, but Jackson said the agency didn't agree to keep records of contingency plan testing within the contingency plans. GAO, in its response, reiterated the intent of its draft recommendation was to ensure that EPA implements procedures to test contingency plans at least annually.
In a separate report with limited distribution, GAO said it made 94 recommendations to EPA to enhance access and other information security controls over its systems.