TREASURY INSPECTOR GENERAL

FOR TAX ADMINISTRATION

Additional Management Actions Are Needed to Enhance Data Security When Processing User Fee Payment Information

May 2001

Reference No. 2001-10-091

Executive Summary

The Tax Exempt and Government Entities (TE/GE) Division has initiated actions to develop a new automated system to improve management and accounting controls for processing user fee payments. During Fiscal Year (FY) 2001, the TE/GE Division plans to begin redesigning the Employee Plans and Exempt Organizations (EP/EO) Determination System (EDS) to allow the Division to fully meet its objective of providing timely, accurate, and consistent service to its customers.

The objective of this audit was to determine whether the TE/GE Divisionís automated systems used to process user fee payment information provide reasonable assurance that data are properly protected. We evaluated various administrative controls for the security of data maintained on the Letter Information Network User System (LINUS) and the Headquarters Employee Plans/Exempt Organizations Inventory System (HQ EP/EO system).

Results

Even though TE/GE Division management has taken some steps to protect customer user fee payment information, additional actions are needed to better manage the data security risks on existing systems. Timely addressing these risks is critical to ensuring that current and future user fee payment information is secure. To effectively manage the risks associated with processing user fee payment information, TE/GE Division management should:

Additional Actions Are Needed to Better Manage the Data Security Risks When Processing User Fee Payment Information

The current management structure does not provide the Commissioner, TE/GE Division, with reasonable assurance that adequate data security is provided when processing user fee payment information on current automated systems. The LINUS and HQ EP/EO automated systems used to process user fee payment information are not properly certified or accredited as secure systems. Without proper certification and accreditation, TE/GE Division management would not be in a position to protect sensitive customer data. These conditions exist because TE/GE Division management has not established clear roles and responsibilities for system security certification.

Computer Security Controls Established for the Letter Information Network User System Could Be Strengthened

The TE/GE Division developed the LINUS to facilitate the processing of user fee payments that are forwarded to the Ohio area office. Although the LINUS was never intended to meet all of the TE/GE Divisionís business needs for user fee processing systems, we believe additional actions should be taken to enhance the security of sensitive customer data currently maintained on the system. Specifically, we found that: the LINUS user identification controls needed to be strengthened; a process had not been implemented to ensure the LINUS meets established security-monitoring requirements; the LINUS was not listed on the Sensitive Systems Inventory Listing; and, the LINUS Disaster Recovery and Business Resumption Plans had not been completed. These actions were not taken because security over data maintained on the LINUS was never assigned to a responsible management official. Assigning responsibility for these actions would enhance the TE/GE Divisionís efforts to safeguard information against unauthorized accesses, disclosure, damage, modification, and theft.

Summary of Recommendations

Even though TE/GE Division management has taken some steps to protect customer user fee payment information, additional actions are needed to better manage the data security risks. Specifically, we determined that additional management emphasis is needed to properly certify and accredit user fee systems and to establish overall responsibility for managing TE/GE Division user fee systems. Also, the TE/GE Division should appoint a functional security coordinator for the LINUS and develop a process for identifying and reporting TE/GE Division automated systems with sensitive information to the Certification Program Office. Additionally, a process should be developed to ensure that Disaster Recovery and Business Resumption Plans are established for the LINUS.

Managementís Response: IRS management agreed with all but one recommendation cited in the report and is taking appropriate corrective actions. The Commissioner, TE/GE Division, has emphasized the importance of ensuring that automated systems are properly certified and has established controls to ensure that the TE/GE Division does not deploy new systems without the appropriate security certifications. In addition, the TE/GE Division will establish a service-level agreement with the Information Systems (IS) organization to ensure that all system development initiatives adhere to the IRSí Enterprise Life Cycle process for security certifications and data safeguards.

The Commissioner, TE/GE Division, has directed that audit trail information be produced and reviewed for the LINUS system and the HQ EP/EO replacement system, and the Director, EO Rulings and Agreements, will appoint a functional security coordinator for the LINUS. The TE/GE Division will also develop a systems inventory matrix that will identify any system with sensitive information not reported to the IS organization and ensure that these systems are properly registered with the IS Certification Program Office.

The TE/GE Division elected to not develop specific disaster and business resumption plans for LINUS because this system has a limited life. Rather, the TE/GE Division will use the IS Business Resumption Plan developed for the Ohio area office until a LINUS replacement system is developed.

Office of Audit Comment: We do not concur with the TE/GE Divisionís decision to not develop specific disaster and business resumption plans for the LINUS. The risks associated with using the IS Business Resumption Plan are increased because the IS Business Resumption Plan for the Ohio area office does not specifically identify or refer to the LINUS. The time period to develop the LINUS replacement system may exceed the scheduled calendar year 2002 implementation date, resulting in additional risks that user fee payment information may be lost.

Managementís comments are included in the body of the report where appropriate, and the complete text of their response is included as Appendix IV.