[ISN] IG: EPA needs better contractor security controls

From: InfoSec News (alerts@private)
Date: Mon Jan 22 2007 - 23:18:04 PST


By David Hubler
Jan. 22, 2007

The Environmental Protection Agency has defined security requirements 
for its contractors' information technology systems, but the agency's 
method of identifying those systems does not consider the type and 
sensitivity of the data needing protection, according to the agency's 
Office of Inspector General.

In a report titled "EPA Could Improve Processes for Managing Contractor 
Systems and Reporting Incidents," the IG details its findings, including 
a conclusion that the agency's current guidance for identifying 
contractor IT systems limits its scope to those systems installed at an 
EPA facility or connected to the agency's network.

The IG said EPA therefore does not know whether contractors outside EPA 
offices or its network know the mandated standards and whether the 
contractors are applying the security controls necessary to protect data 
they collect for the agency.

The report said EPA's Office of Acquisition Management has not 
established formal procedures for agency offices to regularly review and 
update EPA-specific contract clauses. The current informal process means 
that contractors may not get guidance about new security requirements in 
time to put it to use.

The IG also noted that although agency offices knew of EPA's computer 
security incident response policy, many of them lacked local reporting 
procedures, had not fully implemented automated monitoring tools, and 
did not provide sufficient training on local procedures.

The report added that EPA offices also did not have access to network 
attack trend information necessary to implement proactive defensive 
measures. As a result, there was no consistency in how, what, and when 
EPA offices reported computer security incidents.

Without such relevant security data, it added, EPA may not accurately 
inform senior agency officials regarding the performance and security of 
the agency's network.

The IG recommended that EPA assign duties and responsibilities for 
maintaining and updating information posted on EPA's Web site, update its 
guidance for identifying contractor systems, and establish formal 
procedures to ensure that all program offices update and maintain their 
EPA-specific contract clauses on a regular basis.

The IG also had several recommendations for addressing the computer 
security incident reporting weaknesses. They included having EPA update 
its computer security incident guide to cover reporting instructions for 
all locations, establishing a target date for configuring the agency's 
antivirus software to use the central reporting feature, training 
information security officers on new procedures, and providing them with 
computer security incident reports.

The IG's office said EPA officials generally agreed with the 
recommendations. In many cases, management provided milestone dates and 
planned actions to address the report's findings, it stated.

This archive was generated by hypermail 2.1.3 : Mon Jan 22 2007 - 23:37:13 PST