Information Security

Serious and pervasive problems have rendered the Environmental Protection Agency's (EPA) agencywide information security program ineffective. GAO reported many of these weaknesses to EPA in 1997. The computer network that supports most of EPA's mission-related and financial operations is riddled with security weaknesses, and the agency has had several serious computer security incidents since early 1998 that have damaged and disrupted agency operations. Deficiencies in incident detection and handling capabilities have limited EPA's ability to fully understand or assess the nature of or the damage due to intrusions into and misuse of its computer systems. EPA's computer systems and the operations that rely on them have been highly vulnerable to tampering, disruption, and misuse from both internal and external sources. Moreover, EPA has been unable to protect sensitive business and financial data maintained on its larger computer systems. Since the close of GAO's audit in mid-February, EPA has moved aggressively to reduce the vulnerability of its systems and data and to correct the weaknesses identified. Sustaining these improvements in today's dynamic computing environment will require continuing vigilance and management attention.

GAO noted that: (1) GAO's review found serious and pervasive problems that essentially rendered EPA's agencywide information security program ineffective; (2) GAO's tests of computer-based controls concluded that the computer operating systems and the agencywide computer network that support most of EPA's mission-related and financial operations were riddled with security weaknesses; (3) of particular concern is that many of the most serious weaknesses GAO identified--those related to inadequate protection from intrusions via the Internet and poor security planning--had been previously reported to EPA management in 1997 by EPA's Inspector General; (4) the negative effects of such weaknesses are illustrated by EPA's own records, which show several serious computer security incidents since early 1998 that have resulted in damage and disruption to agency operations; (5) in addition, GAO identified deficiencies in EPA's incident detection and handling capabilities that limited EPA's ability to fully understand or assess the nature of or damage due to intrusions into and misuse of its computer systems; (6) as a result of these weaknesses, EPA's computer systems and the operations that rely on these systems were highly vulnerable to tampering, disruption, and misuse from both internal and external sources; (7) moreover, EPA could not ensure the protection of sensitive business and financial data maintained on its larger computer systems or supported by its agencywide network; (8) since the close of GAO's audit in mid-February, EPA has moved aggressively to reduce the exposure of its systems and data and to correct weaknesses GAO identified; (9) these efforts, which include both short-term and long-term improvements to system access controls, are still underway, and GAO has not tested their effectiveness; (10) however, EPA's actions show that the agency is taking a comprehensive and systematic approach that should help ensure that its efforts are effective; (11) GAO's review of EPA security program planning and management found that EPA's existing practices were largely a paper exercise that had done little to substantively identify, evaluate, and mitigate risks to the agency's data and systems; and (12) ensuring that corrective actions are effective on a continuing basis and that new risks are promptly identified and addressed will entail implementing significant improvements in the way EPA plans for and manages its information security program.

Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.

Director: Team: Phone: