IG: EPA could improve controls over mainframe system software

Tightening controls would prevent compromise of information, report says

By Rutrell Yasin, GCN Staff

The Environmental Protection Agency needs to strengthen controls governing access to and modification of mainframe system software located in the agency’s National Computer Center (NCC) to ensure that sensitive information is not compromised, according to a report by EPA’s Office of Inspector General.

An audit, conducted by KPMG in 2006, did not uncover any breaches in mainframe system software security. While noting that EPA management and the primary support contractor have taken a proactive approach to improving mainframe system security and protecting the agency’s information assets, the OIG audit found several weaknesses in internal controls over access to and modification of system software that need improvement.

The report, “EPA Could Improve Controls Over Mainframe System Software,” issued Jan. 29, 2007, focused on the mainframe at the NCC in Research Triangle Park in Raleigh, N.C. EPA’s mainframe is a general support system that provides a national data repository for the agency’s environmental, administrative, financial and scientific systems. It is used by the agency’s program and regional offices, laboratories and external business partners.

KPMG identified several weaknesses, including:
  • Roles and responsibilities were not clearly assigned.
  • Change controls were not performed in accordance with agency policies.
  • Policies, procedures and guides could be strengthened.
  • Security settings for sensitive datasets and programs were not effectively configured or implemented.

The OIG recommends that EPA’s Office of Environmental Information (OEI):
  • Improve management oversight and review of primary support contractor activity, and clearly assign roles and responsibilities to ensure personnel are held accountable.
  • Ensure change control procedures are performed in accordance with existing agency and federal guidance.
  • Strengthen existing policies, procedures and guides to establish standards for implementing key security controls for mainframe system software.
  • Appropriately configure and implement security settings for sensitive datasets and programs.

“EPA does not have effective oversight processes in place to help ensure that technical controls over sensitive data sets and programs are appropriately implemented,” the report states. Agency guidelines require information managers to receive a written request before creating system accounts or granting users privileges to use a system. They are also required to conduct monthly reviews of system logs, support requests and previous review findings. In addition, monitoring of systems and user activity for security violations is to be performed daily and in real time.

Auditors found that NCC personnel did not follow established policy. They were not able to verify that NCC personnel performed periodic reviews and revalidation of mainframe access, the report states. Further, NCC personnel had not activated system logging to create the necessary audit trails to verify system changes and users’ activity.
