Summary: Serious and pervasive problems have rendered the Environmental Protection Agency's (EPA) agencywide information security program ineffective. GAO reported many of these weaknesses to EPA in 1997. The computer network that supports most of EPA's mission-related and financial operations is riddled with security weaknesses, and the agency has had several serious computer security incidents since early 1998 that have damaged and disrupted agency operations. Deficiencies in incident detection and handling capabilities have limited EPA's ability to fully understand or assess the nature of or the damage due to intrusions into and misuse of its computer systems. EPA's computer systems and the operations that rely on them have been highly vulnerable to tampering, disruption, and misuse from both internal and external sources. Moreover, EPA has been unable to protect sensitive business and financial data maintained on its larger computer systems. Since the close of GAO's audit in mid-February, EPA has moved aggressively to reduce the vulnerability of its systems and data and to correct the weaknesses identified. Sustaining these improvements in today's dynamic computing environment will require continuing vigilance and management attention.
