By Jana Cranmer
One of the Environmental Protection Agency's mainframe systems possesses
IT security risks, external auditors said.
The National Computer Center in Raleigh, N.C.'s mainframe system
software's internal controls were found to be lacking in how they limit
access to system software resources to protect against unauthorized loss
and disclosure, reduce the risk of the introduction of unauthorized
changes, and limit and monitor access to system software programs,
according to the audit conducted between March and June by KPMG, LLP
of New York.
The evaluation discovered major weaknesses in EPA's internal controls:
* Roles and responsibilities were not clearly assigned
* Change controls were not performed according to agency policies
* Policies, procedures and guidelines were not up to date
* Security settings for sensitive data sets and programs were not
effectively configured and implemented
"The EPA does not have effective oversight processes in place to help
ensure that technical controls over sensitive datasets and programs are
appropriately implemented," said Bill Roderick, acting EPA inspector
general, whose office contracted for the review. "These weaknesses exist
because EPA had not assigned the roles and responsibilities for
monitoring and reviewing mainframe system software security."
EPA disagreed with the auditors, stating that the agency conducts weekly
reviews of system software and roles and responsibilities are formally
The auditors also stated that EPA change control policies, which outline
practices for normal and emergency system software modifications, are
not adequately and consistently authorized, tested, approved,
implemented or reconciled.
This may lead to data corruption or system downtime, and to system
changes being made without the agency's knowledge.
In response to this finding, EPA management created a new procedure to
document and log system changes, which will provide the agency with
greater control over the mainframe environment.
EPA's policies, procedures and guidelines are out of date, as the Office
of Environmental Information's information security manual and EPA's
security manual have not been updated for more than four years, auditors
said. OEI management is now in the process of updating these manuals,
Auditors recommended that the agency improve management oversight
through clearly assigning roles and responsibilities. EPA disagreed with
this evaluation, arguing that changes made to the present system are
documented and discussed at the weekly managers' meeting with the primary
The audit also recommended EPA adhere to existing federal and agency
guidelines, configure and implement security settings for sensitive data
sets and programs and establish standards for implementing security
controls for mainframe software.