CSB's Information Security Program Is Not Consistently Implemented; Improvements Are Needed to Address Four Weaknesses

Date Issued

Tuesday, February 9, 2021

Submitting OIG

Environmental Protection Agency OIG

Other Participating OIGs

Environmental Protection Agency OIG

Agencies Reviewed/Investigated

Chemical Safety and Hazard Investigation Board

Report Number

21-E-0071

Report Description

The CSB has not consistently implemented its information security program’s policies, procedures, and strategies.

Report Type

Audit

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

Additional Details

Open Recommendations

This report has 2 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use
21-E-0071_1	No	$0	$0
Complete the Risk Assessment process as required by NIST 800-37, re-evaluate the Risk Management Framework to make in more fluent to leverage day-to-day processes in place for completing the risk assessment, and determine how to best implement an organization-wide governance process for monitoring and reporting on risks.
21-E-0071_2	No	$0	$0
Document the process in place to monitor required flaw remediation to resolution and enhance the flaw remediation process to require approvals if risks cannot be mitigated to an acceptable level in a timely manner. In addition, develop timeframes and monitoring on the timeliness of applying patch updates.