[ISN] EPA, auditors disagree over IT security risks

From: InfoSec News (alerts@private)
Date: Thu Feb 15 2007 - 22:26:24 PST


http://www.gcn.com/online/vol1_no1/43137-1.html

By Jana Cranmer
GCN Staff
02/14/07 

One of the Environmental Protection Agencys mainframe systems possesses 
IT security risks, external auditors said.

The National Computer Center in Raleigh, N.C.s mainframe system 
softwares internal controls were found to be lacking in how they limit 
access to system software resources to protect against unauthorized loss 
and disclosure, reduce the risk of the introduction of authorized 
changes and limit and monitor access to system software programs, 
according to the audit [1] conducted between March and June by KPMG, LLP 
of New York.

The evaluation discovered major weaknesses in EPAs internal controls, 
such as:

* Roles and responsibilities were not clearly assigned
* Change controls were not performed according to agency policies
* Policies, procedures and guidelines were not up to date
* Security settings for sensitive data sets and programs were not 
  effectively configured and implemented

The EPA does not have effective oversight processes in place to help 
ensure that technical controls over sensitive datasets and programs are 
appropriately implemented, said Bill Roderick, acting EPA inspector 
general, whose office contracted for the review. These weaknesses exist 
because EPA had not assigned the roles and responsibilities for 
monitoring and reviewing mainframe system software security.

EPA disagreed with the auditors, stating that the agency conducts weekly 
reviews of system software and roles and responsibilities are formally 
assigned.

The auditors also stated that EPA change control policies, which outline 
practices for normal and emergency system software modifications, are 
not adequately and consistently authorized, tested, approved, 
implemented or reconciled.

This may potentially lead to data corruption or system downtime, which 
could lead to system changes without the agencys knowledge.

In response to this finding, EPA management created a new procedure to 
document and log system changes, which will provide the agency with 
greater control over the mainframe environment.

EPAs policies, procedures and guidelines are out of date, as the Office 
of Environmental Informations information security manual and EPAs 
security manual have not been updated for more than four years, auditors 
said. OEI management is now in the process of updating these manuals, 
EPA said.

Auditors recommended that the agency improve management oversight 
through clearly assigning roles and responsibilities. EPA disagreed with 
this evaluation, arguing that changes made to the present system are 
documented and discussed at the weekly managers meeting with the primary 
support contractor.

The audit also recommended EPA adhere to existing federal and agency 
guidelines, configure and implement security settings for sensitive data 
sets and programs and establish standards for implementing security 
controls for mainframe software.

[1] http://www.epa.gov/oigearth/


______________________________________
Subscribe to the InfoSec News RSS Feed
http://www.infosecnews.org/isn.rss



This archive was generated by hypermail 2.1.3 : Thu Feb 15 2007 - 22:30:54 PST