The U.S. Chemical Safety and Hazard Investigation Board, or CSB, needs to better define its policies and procedures around data, access and incident response to toughen its cybersecurity program, the Environmental Protection Agency’s Office of Inspector General recommends.
The IG audited the agency, which is responsible for determining the circumstances around industrial chemical accidents, between July 2018 and March 2019 to assess the maturity of CSB’s information security program.
“CSB lacks established procedures for automated processes and authentication technologies, which could permit unauthorized access to agency systems,” the IG said in a report on its findings.
The watchdog used the fiscal 2018 reporting metrics document for the Federal Information Security Modernization Act, which rates entities on maturity levels one through five. The lowest level is labeled “Ad Hoc,” meaning there are no formalized policies, procedures or strategies; the highest, level five, is “Optimized,” meaning fully institutionalized and self-generating policies and practices. The IG rated CSB’s information security program at maturity level two, “Defined,” which means that the agency doesn’t consistently implement its policies.
“Failure to define and implement processes to address cybersecurity controls leaves the CSB susceptible to loss of data, security breaches and excessive incident handling time frames in the event of a security incident,” the report said.
The IG made several recommendations, including that the agency implement the use of Personal Identity Verification card technology, as required by a directive from the Homeland Security Department, or obtain a waiver from the Office of Management and Budget. The IG noted that it made the recommendation for PIV cards in two prior audits ..