Information Security

Fundamental Weaknesses Place EPA Data and Operations at Risk (GAO ID: T-AIMD-00-97, February 17, 2000)

GAO found serious and pervasive problems that essentially render the Environmental Protection Agency's (EPA) agencywide information security program ineffective. Current security program planning and management is largely a paper exercise that has done little to identify, evaluate, and mitigate risks to the agency's data and computer systems. Moreover, on the basis of its tests of computer-based controls, GAO concludes that the computer operating systems and the agencywide computer network that support most of EPA's mission-related and financial operations are riddled with security weaknesses. Of particular concern is that many of the most serious weaknesses GAO identified (those related to inadequate protection from intrusions via the Internet and poor security planning) had already been reported to EPA management in 1997 by the agency's Inspector General. The repercussions of such weaknesses are illustrated by EPA's own records, which show several serious computer security incidents in the last two years that have damaged and disrupted agency operations. GAO has also identified shortcomings in EPA's incident detection and handling capabilities that call into question the agency's ability to fully understand and assess the nature of, or the damage due to, its computer security breaches. The result is that EPA's computer systems are highly vulnerable to tampering, disruption, and misuse, and EPA cannot guarantee the protection of sensitive business and financial data kept on its larger computer systems or supported by its agencywide network.

GAO noted that: (1) GAO's review found serious and pervasive problems that essentially render EPA's agencywide information security program ineffective; (2) current security program planning and management is largely a paper exercise that has done little to substantively identify, evaluate, and mitigate risks to the agency's data and computer systems; (3) GAO's tests of computer-based controls showed that the computer operating systems and the agencywide computer network that support most of EPA's mission-related and financial operations are riddled with security weaknesses; (4) many of the most serious weaknesses (those related to inadequate protection from intrusions via the Internet and poor security planning) had been previously reported to EPA management in 1997 by EPA's Inspector General; (5) the negative effects of such weaknesses are illustrated by EPA's own records, which show several serious computer security incidents in the last 2 years that have resulted in damage and disruption to agency operations; (6) GAO identified deficiencies in EPA's incident detection and handling capabilities that call into question EPA's ability to fully understand or assess the nature of, or the damage due to, its computer security breaches; (7) accordingly, EPA's computer systems and the operations that rely on these systems are highly vulnerable to tampering, disruption, and misuse; (8) moreover, EPA cannot ensure the protection of sensitive business and financial data maintained on its larger computer systems or supported by its agencywide network; and (9) GAO's work has sensitized EPA to the seriousness of these issues, and agency officials have informed GAO of some corrective actions and announced other plans which, if properly implemented, can begin to address several of these serious problems.

The Justia Government Accountability Office site republishes public reports retrieved from the U.S. GAO. These reports should not be considered official, and do not necessarily reflect the views of Justia.