An Environmental Protection Agency office allowed server access to sensitive information without monitoring whether users had permission to view it, an inspector general’s report has found.
The report, released Wednesday, found that the EPA’s Region 4 office lacked the required security controls for accessing its shared information folder on the Superfund Enterprise Management System and thus failed to monitor whether users had the proper authorization to access it. Region 4 serves eight states in the Southeast.
The SEMS serves as the centralized information system for the EPA’s $1 billion program to help clean up contaminated sites across the nation. It also contains a wealth of other information in a series of shared folders that reside on its file servers.
“The SEMS is key to the EPA meeting its responsibilities to federal agencies, Congress and the public regarding Superfund site remediation. The SEMS is also used for Freedom of Information Act requests, administrative records and litigation support,” the report noted.
But the OIG found that officials from Region 4 failed to verify employee authorizations and kept no documented list of “authorized approvers or account managers,” even though National Institute of Standards and Technology guidance on federal information systems requires one.
Agency officials also failed to regularly review shared folder access and did not monitor the folders for unusual activity, leaving open the possibility that unauthorized activity would proceed without being investigated.
The report said that despite the NIST guidance and EPA policies on handling access to sensitive information, the breakdown occurred because Region 4 personnel didn’t have documented procedures governing access or monitoring “applicable to agency file servers and share folders.”
Region 4 personnel also said they relied on both the SEMS User Request System certification process and the users’ own discretion to determine whether they should be able to access certain levels of information.
“Region 4 personnel also stated that they only review the number and permissions of their share folders from a Microsoft Excel spreadsheet,” the report said. “However, the spreadsheet that Region 4 personnel created was only spot-checked on an ad hoc basis, and personnel did not document their review.”
The OIG offered one recommendation calling for approving and monitoring access, including ensuring that personnel implement “access and audit log control procedures.”
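The two controls the report faults, a documented and repeatable review of share permissions rather than an ad hoc look at a spreadsheet, and audit logging of share access, can both be scripted on a Windows file server. The following is an added example written for this page; it is not code from the OIG report, the EPA or Region 4. It assumes the script runs as an administrator on the file server, that an approved baseline of share permissions lives at the hypothetical path C:\ShareReview\approved-shares.csv (columns Name, AccountName, AccessRight), and that review records are written under the hypothetical C:\ShareReview\reviews. The share names, paths and account names it handles are whatever the server reports; none are taken from the report.

```powershell
# Added example, not from the OIG report or the EPA. Assumed paths:
$BaselinePath = 'C:\ShareReview\approved-shares.csv'   # approved (signed-off) share ACL list
$ReviewDir    = 'C:\ShareReview\reviews'               # dated snapshots and the review log
New-Item -ItemType Directory -Path $ReviewDir -Force | Out-Null

# 1. Pull the share-level access list straight from the server, not from a
#    hand-maintained spreadsheet, so the review reflects what is actually set.
$current = Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
    $share = $_
    Get-SmbShareAccess -Name $share.Name | ForEach-Object {
        [pscustomobject]@{
            Name        = $share.Name
            Path        = $share.Path
            AccountName = $_.AccountName
            AccessRight = "$($_.AccessControlType):$($_.AccessRight)"
        }
    }
}

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$current | Export-Csv -NoTypeInformation -Path (Join-Path $ReviewDir "snapshot-$stamp.csv")

if (-not (Test-Path $BaselinePath)) {
    # First run: seed the baseline from this snapshot, but treat it as approved
    # only once a named approver has reviewed and signed off on the file.
    $current | Export-Csv -NoTypeInformation -Path $BaselinePath
    Write-Warning "No baseline found; wrote $BaselinePath for approver sign-off."
    return
}
$baseline = Import-Csv $BaselinePath

# 2. Diff on the (share, account, right) triple. SideIndicator '=>' marks an
#    entry present on the server but not approved (possible unauthorized access);
#    '<=' marks an approved entry that has vanished (tampering or drift).
$drift = Compare-Object -ReferenceObject $baseline -DifferenceObject $current `
    -Property Name, AccountName, AccessRight

# 3. Record that the review happened, by whom, and what it found, so the
#    control is documented rather than spot-checked without a trace.
[pscustomobject]@{
    ReviewedAt   = (Get-Date).ToString('o')
    ReviewedBy   = "$env:USERDOMAIN\$env:USERNAME"
    ShareCount   = @($current | Select-Object -Unique Name).Count
    DriftEntries = @($drift).Count
} | Export-Csv -NoTypeInformation -Append -Path (Join-Path $ReviewDir 'review-log.csv')

if ($drift) {
    $drift | Format-Table -AutoSize
    Write-Warning "$(@($drift).Count) share access entries differ from the approved baseline."
} else {
    Write-Output 'Share access matches the approved baseline.'
}

# 4. Audit log control: enable the File Share audit subcategory so each share
#    access is written to the Security log as event 5140, then surface the last
#    day of access by accounts that do not appear in the approved list. This is
#    a first cut at "unusual activity": rights granted through groups will not
#    match by account name, so group members need expanding before this is
#    treated as an alert rather than a review queue.
auditpol /set /subcategory:"File Share" /success:enable /failure:enable | Out-Null

$approvedAccounts = $baseline.AccountName | Sort-Object -Unique
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5140; StartTime = (Get-Date).AddDays(-1) } `
    -ErrorAction SilentlyContinue | ForEach-Object {
        # EventData fields of 5140 include SubjectUserName, SubjectDomainName,
        # ShareName and IpAddress; read them from the event XML.
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Share   = $d.ShareName
            Source  = $d.IpAddress
        }
    } | Where-Object { $_.Account -notin $approvedAccounts } | Format-Table -AutoSize
```

Run it from a scheduled task on the file server and keep the snapshot and review-log files in a location the reviewers cannot edit. The diff against the approved baseline is what turns a spreadsheet glance into a documented control; the event 5140 query is only a starting point for monitoring, since it reports share-level access and not which files inside the share were read.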
EPA officials agreed with the recommendation and took corrective action as of Aug. 14. The OIG said it was satisfied with the resulting actions and closed the recommendation.