The Environmental Protection Agency has taken steps to protect its information and systems, but security control weaknesses still exist, jeopardizing the agency’s ability to protect the confidentiality, integrity and availability of its data, the Government Accountability Office said in a new report.
Because of the importance of the security of EPA’s information systems, GAO was asked to determine whether the agency has effectively implemented appropriate information security controls to protect the confidentiality, integrity, and availability of the information and systems that support its mission.
To do this, GAO tested security controls over EPA’s key networks and systems; reviewed policies, plans, and reports; and interviewed officials at EPA headquarters and two field offices.
GAO found that EPA had not adequately protected its information and systems in five areas. Specifically, EPA did not consistently:
- Enforce strong policies for identifying and authenticating users by, for example, requiring the use of complex (i.e., not easily guessed) passwords;
- Limit users’ access to systems to what was required for them to perform their official duties;
- Ensure that sensitive information, such as passwords for system administration, was encrypted so as not to be easily readable by unauthorized individuals;
- Keep logs of network activity or monitor key parts of its networks for possible security incidents; and
- Control physical access to its systems and information, such as controlling visitor access to computing equipment.
GAO made 12 recommendations to EPA Administrator Lisa Jackson to fully implement elements of EPA’s comprehensive information security program. In commenting on a draft of this report, EPA’s assistant administrator generally agreed with GAO’s recommendations.