In a new report, the Government Accountability Office (GAO) says that EPA’s implementation of data security is riddled with flaws, and the Agency needs to undertake scores of actions to protect the confidentiality, integrity, and availability of the information and systems that support its mission.
“Protection of mission-critical and sensitive information technology (IT) resources on information systems remains an ongoing challenge for EPA as federal agencies experience evolving and growing cyber attacks,” states the GAO. “Without a well-designed security program, EPA’s information and information systems could be subject to unauthorized access, disclosure, disruption, modification, or destruction.”
Weak passwords
Specifically, according to the GAO, the EPA did not always:
- Enforce strong policies for identifying and authenticating users by, for example, requiring the use of complex (i.e., not easily guessed) passwords.
- Limit users’ access to systems to what was required for them to perform their official duties.
- Ensure that sensitive information, such as passwords for system administration, was encrypted so as not to be easily readable by unauthorized individuals.
- Keep logs of network activity or monitor key parts of its networks for possible security incidents.
- Control physical access to its systems and information, such as controlling visitor access to computing equipment.
The GAO states that the Agency was also inconsistent in other areas of security such as failing at times to install patches to protect operating systems and database software against known vulnerabilities or to ensure that equipment used for sanitization and disposal of media was tested to verify correct performance.
Unfulfilled policies
One fundamental problem with EPA’s data security, says the GAO, is that the Agency has not fully implemented a comprehensive information security program. Although the EPA has established a framework for its security program, the GAO says that the Agency has not finalized all policies and procedures to guide staff in effectively implementing controls; ensured that all personnel were given relevant security training to understand their roles and responsibilities; updated system security plans to reflect current agency security control requirements; assessed management, operational, and technical controls for agency systems at least annually and based on risk; or implemented a corrective action process to track and manage all weaknesses when remedial actions were necessary.
94 recommendations
In the public version of its report, the GAO offers 12 recommendations for improving EPA’s data security systems. However, another version with “limited distribution” contains no fewer than 94 recommendations. The public report includes recommendations that the EPA:
- Finalize 17 agencywide interim information security policies and draft procedures.
- Develop and finalize a role-based security training procedure that tailors specific training requirements to EPA users’ role/position descriptions and details the actions information security officers must take when users do not complete the training.
- Conduct risk-based testing of management, operational, and technical controls no less than annually for the clean air markets division system.
- Develop and implement procedures to annually test the viability of contingency plans for Agency systems.
Read GAO’s report, Information Security: Environmental Protection Agency Needs to Resolve Weaknesses.