NCJ Number
189526
Date Published
February 2000
Length
17 pages
Annotation
This document presents the results of a recent review of information security at the Environmental Protection Agency (EPA).
Abstract
Overall, the review found serious and pervasive problems that essentially render EPA's agencywide information security program ineffective. Current security program planning and management has done little to substantively identify, evaluate, and mitigate risks to the agency's data and systems. Tests of computer-based controls have concluded that the computer operating systems and the agencywide computer network that support most of EPA's mission-related and financial operations are riddled with security weaknesses. The negative effects of such weaknesses are illustrated by EPA's own records, which show several serious computer security incidents in the last 2 years that have resulted in damage and disruption to agency operations. EPA's mission is to protect human health and safeguard the environment. The need to manage its programs for results substantially increases EPA's demand for high-quality environmental information. Such information is also required to identify and respond to emerging problems before significant damage is done to the environment. Tests showed that EPA's access controls were ineffective in adequately reducing the risk of intrusions and misuse. EPA's firewall and other perimeter defenses -- designed largely to protect agency systems from unauthorized access from the Internet -- were not effective in preventing such intrusions because of weaknesses in the way they were configured and deployed. Other problems involved weak network and operating system controls and poor password protections. Records showed these vulnerabilities had been exploited by both external and internal sources. Ensuring that computer security controls remain effective on an ongoing basis will require changes to the way the EPA approaches its information security program, especially in regard to assessing risk and determining security needs, and ensuring that existing controls are operating effectively.
Notes
7 footnotes