The Environmental Protection Agency’s (EPA) inspector general found that a share folder within one of the agency’s regions did not meet National Institute of Standards and Technology (NIST) standards for account management, which left sensitive data at risk.
According to an EPA Office of Inspector General report released on August 28, the vulnerable folder was shared among employees in EPA’s Region 4, which covers the southeastern states of the U.S. After an initial investigation into server security across the department, “we narrowed our scope to the Region 4 sampled share folder that stores scanned SEMS [Superfund Enterprise Management System] documents with sensitive data,” the report states.
When tested against NIST SP 800-53 controls, the folder failed to meet eight standards, OIG said. “We found the conditions existed because Region 4 IT personnel lacked documented procedures for federal and agency IT guidance applicable to file servers and share folders,” the inspector general said.
Without guidance, “adding or removing sensitive data in the share folder is entrusted to end users,” leaving the data at risk of unauthorized access. “Region 4 personnel stated that there is no documented list of authorized approvers or account managers for share folder users. There also was no regular review of share folder access for compliance with account management requirements,” the report notes.
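The two gaps the report describes, no documented approver list and no periodic access review, are what an account-management control under NIST SP 800-53 is meant to close. The script below is an added illustration, not part of the OIG report or any EPA tooling, of what such a review looks like in practice: it compares a share folder's ACL export against an approval register and flags principals with no recorded approver, approvals whose last review is older than a set interval, grants to broad built-in groups, and approvals for principals no longer on the ACL. The account names, the 90-day review interval and the sample ACL and register are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed review cadence for this example; the report does not state one.
REVIEW_INTERVAL = timedelta(days=90)

# Built-in groups that should never carry a grant on a folder holding
# sensitive records; any ACE for them is reported regardless of approval.
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users"}


@dataclass(frozen=True)
class AclEntry:
    principal: str
    rights: str  # e.g. "Read", "Modify", "FullControl"


@dataclass(frozen=True)
class Approval:
    principal: str
    approver: str      # the documented account manager who authorized access
    approved_on: date
    last_reviewed: date


# Constructed sample data, not real EPA accounts: an ACL export from the
# file server and the region's approval register for the same share.
SHARE_ACL = [
    AclEntry("R4\\jdoe", "Modify"),
    AclEntry("R4\\asmith", "Read"),
    AclEntry("R4\\contractor7", "FullControl"),
    AclEntry("Authenticated Users", "Modify"),
]

APPROVAL_REGISTER = [
    Approval("R4\\jdoe", "R4\\recordsmgr", date(2019, 1, 15), date(2019, 6, 1)),
    Approval("R4\\asmith", "R4\\recordsmgr", date(2019, 3, 2), date(2019, 3, 2)),
    Approval("R4\\former_emp", "R4\\recordsmgr", date(2018, 7, 1), date(2018, 7, 1)),
]


def review_share_access(acl, register, today):
    """Return (finding_type, principal) pairs for a share's access review.

    Every ACL entry must map to an approval by a named approver, and each
    approval must have been re-reviewed within REVIEW_INTERVAL. Approvals
    for principals absent from the ACL are reported so the register can be
    cleaned up.
    """
    approved = {a.principal: a for a in register}
    findings = []

    for entry in acl:
        if entry.principal in BROAD_PRINCIPALS:
            findings.append(("BROAD_GRANT", entry.principal))
            continue
        approval = approved.get(entry.principal)
        if approval is None:
            # Access exists but nobody on record authorized it.
            findings.append(("NO_APPROVAL", entry.principal))
            continue
        if today - approval.last_reviewed > REVIEW_INTERVAL:
            findings.append(("REVIEW_OVERDUE", entry.principal))

    on_acl = {e.principal for e in acl}
    for principal in approved:
        if principal not in on_acl:
            findings.append(("STALE_APPROVAL", principal))

    return findings


if __name__ == "__main__":
    for kind, who in review_share_access(SHARE_ACL, APPROVAL_REGISTER, date(2019, 8, 28)):
        print(f"{kind:15} {who}")
```

Run against a real Windows share, the ACL list would come from an export such as the output of `icacls` or `Get-Acl` parsed into `AclEntry` rows, and the register would be the documented approver list the report says Region 4 lacked; the point of the script is that neither input is optional, because without the register every grant is a `NO_APPROVAL` finding by definition.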
The regional administrator agreed with the IG’s report and created a standard operating procedure document to meet NIST requirements.