Summary: GAO found serious and pervasive problems that essentially render the Environmental Protection Agency's (EPA) agencywide information security program ineffective. Current security program planning and management is largely a paper exercise that has done little to identify, evaluate, and mitigate risks to the agency's data and computer systems. Moreover, on the basis of its tests of computer-based controls, GAO concludes that the computer operating systems and the agencywide computer network that support most of EPA's mission-related and financial operations are riddled with security weaknesses. Of particular concern is that many of the most serious weaknesses GAO identified--those related to inadequate protection from intrusions via the Internet and poor security planning--had been reported to EPA management in 1997 by the agency's Inspector General. The repercussions of such weaknesses are illustrated by EPA's own records, which show several serious computer security incidents in the last two years that have damaged and disrupted agency operations. GAO has also identified shortcomings in EPA's incident detection and handling capabilities that call into question the agency's ability to fully understand and assess the nature of, or damage due to, its computer security breaches. The result is that EPA's computer systems are highly vulnerable to tampering, disruption, and misuse, and EPA cannot guarantee the protection of sensitive business and financial data kept on its larger computer systems or supported by its agencywide network.