http://www.gcn.com/online/vol1_no1/43137-1.html

By Jana Cranmer, GCN Staff
02/14/07

One of the Environmental Protection Agency's mainframe systems possesses IT security risks, external auditors said.

The National Computer Center in Raleigh, N.C.'s mainframe system software's internal controls were found to be lacking in how they limit access to system software resources to protect against unauthorized loss and disclosure, reduce the risk of the introduction of unauthorized changes, and limit and monitor access to system software programs, according to the audit [1] conducted between March and June by KPMG, LLP of New York.

The evaluation discovered major weaknesses in EPA's internal controls, such as:

* Roles and responsibilities were not clearly assigned
* Change controls were not performed according to agency policies
* Policies, procedures and guidelines were not up to date
* Security settings for sensitive data sets and programs were not effectively configured and implemented

"The EPA does not have effective oversight processes in place to help ensure that technical controls over sensitive datasets and programs are appropriately implemented," said Bill Roderick, acting EPA inspector general, whose office contracted for the review. "These weaknesses exist because EPA had not assigned the roles and responsibilities for monitoring and reviewing mainframe system software security."

EPA disagreed with the auditors, stating that the agency conducts weekly reviews of system software and that roles and responsibilities are formally assigned.

The auditors also stated that EPA change control policies, which outline practices for normal and emergency system software modifications, are not adequately and consistently authorized, tested, approved, implemented or reconciled. This may lead to data corruption or system downtime, and to system changes made without the agency's knowledge.
In response to this finding, EPA management created a new procedure to document and log system changes, which will provide the agency with greater control over the mainframe environment.

EPA's policies, procedures and guidelines are out of date, as the Office of Environmental Information's information security manual and EPA's security manual have not been updated for more than four years, auditors said. OEI management is now in the process of updating these manuals, EPA said.

Auditors recommended that the agency improve management oversight by clearly assigning roles and responsibilities. EPA disagreed with this evaluation, arguing that changes made to the present system are documented and discussed at the weekly managers' meeting with the primary support contractor.

The audit also recommended that EPA adhere to existing federal and agency guidelines, configure and implement security settings for sensitive data sets and programs, and establish standards for implementing security controls for mainframe software.

[1] http://www.epa.gov/oigearth/

______________________________________
This archive was generated by hypermail 2.1.3 : Thu Feb 15 2007 - 22:30:54 PST