Data insecurity at EPA
August 24, 2012

In a new report, the Government Accountability Office (GAO) says that EPA’s implementation of data security is riddled with flaws, and the Agency needs to undertake scores of actions to protect the confidentiality, integrity, and availability of the information and systems that support its mission.
“Protection of mission-critical and sensitive information technology (IT) resources on information systems remains an ongoing challenge for EPA as federal agencies experience evolving and growing cyber attacks,” states the GAO. “Without a well-designed security program, EPA’s information and information systems could be subject to unauthorized access, disclosure, disruption, modification, or destruction.”
Weak passwords
Specifically, according to the GAO, the EPA did not always:

  • Enforce strong policies for identifying and authenticating users by, for example, requiring the use of complex (i.e., not easily guessed) passwords.
  • Limit users’ access to systems to what was required for them to perform their official duties.
  • Ensure that sensitive information, such as passwords for system administration, was encrypted so as not to be easily readable by unauthorized individuals.
  • Keep logs of network activity or monitor key parts of its networks for possible security incidents.
  • Control physical access to its systems and information, such as controlling visitor access to computing equipment.

The GAO states that the Agency was also inconsistent in other areas of security such as failing at times to install patches to protect operating systems and database software against known vulnerabilities or to ensure that equipment used for sanitization and disposal of media was tested to verify correct performance.
Unfulfilled policies
One fundamental problem with EPA data security, says the GAO, is that the Agency has not fully implemented a comprehensive information security program. Although the EPA has established a framework for its security program, the GAO says that the Agency has not finalized all policies and procedures to guide staff in effectively implementing controls; ensured that all personnel were given relevant security training to understand their roles and responsibilities; updated system security plans to reflect current agency security control requirements; assessed management, operational, and technical controls for agency systems at least annually and based on risk; or implemented a corrective action process to track and manage all weaknesses when remedial actions were necessary.
94 recommendations
In the public version of its report, the GAO offers 12 recommendations for improving EPA’s data security systems. However, another version with “limited distribution” contains no less than 94 recommendations. The public report includes recommendations that the EPA:

  • Finalize 17 agencywide interim information security policies and draft procedures.
  • Develop and finalize a role-based security training procedure that tailors specific training requirements to EPA users’ role/position descriptions and details the actions information security officers must take when users do not complete the training.
  • Conduct testing of management, operational, and technical controls, based on risks, to occur no less than annually, for the Clean Air Markets Division system.
  • Develop and implement procedures to annually test the viability of contingency plans for Agency systems.

Read GAO’s report, Information Security: Environmental Protection Agency Needs to Resolve Weaknesses.
