Additional Management Actions Are Needed to Enhance Data Security When Processing User Fee Payment Information

May 2001

Reference Number: 2001-10-091

 

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

May 24, 2001

MEMORANDUM FOR COMMISSIONER, TAX EXEMPT AND GOVERNMENT ENTITIES DIVISION

FROM: Pamela J. Gardiner /s/ Pamela J. Gardiner

Deputy Inspector General for Audit

SUBJECT: Final Audit Report – Additional Management Actions Are Needed to Enhance Data Security When Processing User Fee Payment Information

This report presents the results of our review of administrative controls for the security of data maintained on Tax Exempt and Government Entities (TE/GE) Division's automated systems used to process user fee payment information. In summary, we found that additional actions are needed to better manage the data security risks when processing user fee payment information on TE/GE Division automated systems.

Our recommendations will increase assurances that TE/GE management has taken appropriate steps to ensure that user fee payment data are properly safeguarded. TE/GE Division management agreed with all but one of the recommendations presented in the report. The TE/GE Division elected to not develop specific disaster and business resumption plans for the Letter Information Network User System (LINUS). Rather, the TE/GE Division will use the Business Resumption Plan developed for the Ohio area office. We do not concur with the TE/GE Division's decision to not develop specific disaster and business resumption plans for the LINUS. The risks associated with using the Business Resumption Plan are increased because the Business Resumption Plan for the Ohio area office does not specifically identify or refer to the LINUS. Management's comments have been incorporated into the report where appropriate, and the full text of their comments is included as an appendix.

Copies of this report are being sent to the Internal Revenue Service managers who are affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions, or Maurice S. Moody, Associate Inspector General for Audit (Headquarters Operations and Exempt Organizations Programs), at (202) 622-8500.

Table of Contents

Executive Summary

Objective and Scope

Background

Results

Additional Actions Are Needed to Better Manage the Data Security Risks When Processing User Fee Payment Information

Computer Security Controls Established for the Letter Information Network User System Could Be Strengthened

Conclusion

Appendix I – Detailed Objective, Scope, and Methodology

Appendix II – Major Contributors to This Report

Appendix III – Report Distribution List

Appendix IV – Management's Response to the Draft Report

Executive Summary

The Tax Exempt and Government Entities (TE/GE) Division has initiated actions to develop a new automated system to improve management and accounting controls for processing user fee payments. During Fiscal Year (FY) 2001, the TE/GE Division plans to begin redesigning the Employee Plans and Exempt Organizations (EP/EO) Determination System (EDS) to allow the Division to fully meet its objective of providing timely, accurate, and consistent service to its customers.

The objective of this audit was to determine whether the TE/GE Division's automated systems used to process user fee payment information provide reasonable assurance that data are properly protected. We evaluated various administrative controls for the security of data maintained on the Letter Information Network User System (LINUS) and the Headquarters Employee Plans/Exempt Organizations Inventory System (HQ EP/EO system).

Results

Even though TE/GE Division management has taken some steps to protect customer user fee payment information, additional actions are needed to better manage the data security risks on existing systems. Timely addressing these risks is critical to ensuring that current and future user fee payment information is secure. To effectively manage the risks associated with processing user fee payment information, TE/GE Division management should:

Additional Actions Are Needed to Better Manage the Data Security Risks When Processing User Fee Payment Information

The current management structure does not provide the Commissioner, TE/GE Division, with reasonable assurance that adequate data security is provided when processing user fee payment information on current automated systems. The LINUS and HQ EP/EO automated systems used to process user fee payment information are not properly certified or accredited as secure systems. Without proper certification and accreditation, TE/GE Division management would not be in a position to protect sensitive customer data. These conditions exist because TE/GE Division management has not established clear roles and responsibilities for system security certification.

Computer Security Controls Established for the Letter Information Network User System Could Be Strengthened

The TE/GE Division developed the LINUS to facilitate the processing of user fee payments that are forwarded to the Ohio area office. Although the LINUS was never intended to meet all of the TE/GE Division's business needs for user fee processing systems, we believe additional actions should be taken to enhance the security of sensitive customer data currently maintained on the system. Specifically, we found that: the LINUS user identification controls needed to be strengthened; a process had not been implemented to ensure the LINUS meets established security-monitoring requirements; the LINUS was not listed on the Sensitive Systems Inventory Listing; and, the LINUS Disaster Recovery and Business Resumption Plans had not been completed. These actions were not taken because security over data maintained on the LINUS was never assigned to a responsible management official. Assigning responsibility for these actions would enhance the TE/GE Division's efforts to safeguard information against unauthorized accesses, disclosure, damage, modification, and theft.

Summary of Recommendations

Even though TE/GE Division management has taken some steps to protect customer user fee payment information, additional actions are needed to better manage the data security risks. Specifically, we determined that additional management emphasis is needed to properly certify and accredit user fee systems and to establish overall responsibility for managing TE/GE Division user fee systems. Also, the TE/GE Division should appoint a functional security coordinator for the LINUS and develop a process for identifying and reporting TE/GE Division automated systems with sensitive information to the Certification Program Office. Additionally, a process should be developed to ensure that Disaster Recovery and Business Resumption Plans are established for the LINUS.

Management's Response: IRS management agreed with all but one recommendation cited in the report and is taking appropriate corrective actions. The Commissioner, TE/GE Division, has emphasized the importance of ensuring that automated systems are properly certified and has established controls to ensure that the TE/GE Division does not deploy new systems without the appropriate security certifications. In addition, the TE/GE Division will establish a service-level agreement with the Information Systems (IS) organization to ensure that all system development initiatives adhere to the IRS' Enterprise Life Cycle process for security certifications and data safeguards.

The Commissioner, TE/GE Division, has directed that audit trail information be produced and reviewed for the LINUS system and the HQ EP/EO replacement system, and the Director, EO Rulings and Agreements, will appoint a functional security coordinator for the LINUS. The TE/GE Division will also develop a systems inventory matrix that will identify any system with sensitive information not reported to the IS organization and ensure that these systems are properly registered with the IS Certification Program Office.

The TE/GE Division elected to not develop specific disaster and business resumption plans for LINUS because this system has a limited life. Rather, the TE/GE Division will use the IS Business Resumption Plan developed for the Ohio area office until a LINUS replacement system is developed.

Office of Audit Comment: We do not concur with the TE/GE Division's decision to not develop specific disaster and business resumption plans for the LINUS. The risks associated with using the IS Business Resumption Plan are increased because the IS Business Resumption Plan for the Ohio area office does not specifically identify or refer to the LINUS. The time period to develop the LINUS replacement system may exceed the scheduled calendar year 2002 implementation date, resulting in additional risks that user fee payment information may be lost.

Management's comments are included in the body of the report where appropriate, and the complete text of their response is included as Appendix IV.

Objective and Scope

The objective of this audit was to determine whether the Tax Exempt/Government Entities (TE/GE) Division's automated systems used to process user fee payment information provide reasonable assurance that data are properly protected. We evaluated various administrative controls for the security of data maintained on the Letter Information Network User System (LINUS) and the Headquarters Employee Plans/Exempt Organizations Inventory System (HQ EP/EO System). Specifically, we:

To accomplish our objective, we evaluated data security policies and procedures for processing user fee payments and interviewed TE/GE Division and Information Systems (IS) organization (Strategic Planning and Client Services) management officials and employees.

This audit was performed at the National Headquarters, the TE/GE Division Headquarters office, the Cincinnati Submission and Processing Center (CSPC), and the Ohio field office between March and November 2000, and it was conducted in accordance with Government Auditing Standards.

Details of our audit objective, scope, and methodology are presented in Appendix I. Major contributors to this report are listed in Appendix II.

Background

Section 105-11 of the Revenue Act of 1987 provides that the Secretary of the Treasury or his delegate shall establish the payment of user fees for requests to the IRS for rulings, opinions, determinations, and similar actions. User fee amounts, which are specified by statute, range from $80 to $10,000. EP/EO determination letter requests are forwarded to the CSPC where user fee payments are processed and deposited with a Federal Reserve Bank. The user fee and application information is input into the LINUS and acknowledgement letters are sent to the applicant. Other user fees submitted for revenue rulings and opinions are received at the TE/GE Division Headquarters office. Information associated with these user fees is input into the HQ EP/EO system and acknowledgement letters are sent to the applicants. During Fiscal Year (FY) 1999, the TE/GE Division processed a total of $34.5 million in user fee payments.

Office of Management and Budget (OMB) and Department of the Treasury guidelines require that all information systems that process sensitive but unclassified information be certified and accredited and meet specified security requirements. The accreditation should be performed by TE/GE Division senior management to ensure that customer data are adequately safeguarded on their automated systems.

Results

The TE/GE Division is taking actions to develop a new automated system to improve management and accounting controls for processing user fee payments. During FY 2001, the TE/GE Division plans to begin redesigning the EP/EO Determination System (EDS) to allow the TE/GE Division to fully meet its objective of providing timely, accurate, and consistent service to its customers. One of the major business initiatives to be delivered by the redesigned system is the enhancement of processing, accounting, and researching of user fee payment information.

Even though TE/GE Division management has taken some steps to protect customer user fee payment information, additional actions are needed to better manage the data security risks on existing systems. Management actions are also needed to establish overall responsibility that will ensure end-to-end accountability for managing the security of the user fee payment information systems. The TE/GE Division has not incorporated the concept of a senior-level person with end-to-end accountability for managing these systems.

Additional Actions Are Needed to Better Manage the Data Security Risks When Processing User Fee Payment Information

The Commissioner, TE/GE Division, is the principal accrediting authority for the TE/GE Division's business systems that contain sensitive but unclassified information. IRS procedures require the Commissioner, TE/GE Division, to certify that security measures are reasonable, adequate, and effectively implemented on TE/GE Division automated systems that process customer data.

The current management structure does not provide the Commissioner, TE/GE Division, with reasonable assurance that security measures are reasonable, adequate, and effectively implemented. This condition exists because TE/GE Division management has not established clear roles and responsibilities for system security certification. We believe TE/GE Division senior management needs to take a more active role to ensure that the automated systems provide adequate security. Without proper certification and accreditation, TE/GE Division management would not be in a position to protect sensitive customer data.

The HQ EP/EO system is currently processing sensitive customer data without the proper certification

The HQ EP/EO system is listed as a system with sensitive but unclassified information on the IRS' Sensitive Systems Inventory Listing (SSIL). However, the certification performed by the IS organization for the HQ EP/EO system expired in 1998 and, as a result, the HQ EP/EO system is currently processing sensitive customer data without being properly certified or accredited. Required documentation that has not been completed for the certification process includes the Continuity of Operations Plan and the Trusted Facility Manual Access Control Listing. Additionally, the HQ EP/EO system does not meet the security monitoring requirements for systems that process sensitive customer data. For example, the system does not generate audit trail information that would identify inappropriate system accesses. Without the proper certification of the automated systems, the Commissioner, TE/GE Division, may be unable to provide the necessary assurance that user fee payment information is secure.

The TE/GE Rulings and Agreements organization uses the HQ EP/EO system to process user fee payments in its Headquarters office. The IS organization is its owner and, as a result, is responsible for conducting the necessary steps that will result in the certification that the system will process data in a secure environment. Even though the IS organization is the system owner, IRS security procedures require the TE/GE Division to provide the required assurances that the automated systems it uses to process taxpayer user fee payment data are secure.

Additional management oversight is needed to ensure that the TE/GE Division receives appropriate IS support. For example, there is no senior TE/GE manager with overall responsibility for the HQ EP/EO system. The TE/GE Division must rely on the IS organization for conducting the certification processes even though the TE/GE Division is the process owner.

The LINUS does not have a security certification or accreditation filed with the IRS Certification Program Office

The LINUS contains sensitive taxpayer information but it does not have a security certification or accreditation with the IRS Certification Program Office. The OMB Circular A-130, Management of Federal Information Resources, and the Department of the Treasury Security Manual require that all information systems that process sensitive data be certified and accredited prior to being placed in operation. The security certification process determines the extent to which a system meets a specific set of security requirements. Accreditation is the issuance of an official statement by the responsible official that he/she authorizes the use of the system and accepts its level of risk. IRS functional executives are responsible for the accreditation of IRS information systems. Without an established process to certify the security of data processed on the LINUS, TE/GE Division management cannot provide the required assurance that user fee payment information is adequately safeguarded.

We did not identify a senior-level manager with overall responsibility for the LINUS. The Director of the TE/GE Business Systems unit stated that senior management had not delegated the responsibilities for the LINUS because the system is still in the start-up phase. The local TE/GE Division Office Automation group manager in Cincinnati is currently performing the day-to-day management of the LINUS.

The service-level agreement with the IS support organization does not ensure that sensitive customer data will be protected

The TE/GE Division's existing practices do not ensure that sufficient support for data security will be provided by the IS organization since service-level agreements have not been developed for the security services to be provided by the IS organization. The existing service-level agreement with the IS organization does not include provisions for performing systems certification. We were advised by TE/GE Division management that any future agreements with the IS organization will specify that the IS organization "operate" the entire automated system and, therefore, the agreements will not specifically address computer security requirements.

The TE/GE Division created the Business Systems unit to support its information systems needs. This group is responsible for information systems strategy, planning, and coordinating and for monitoring the support provided by the IS organization. One of its main objectives is to oversee the TE/GE Division's contractual relationship with the IS organization to ensure that adequate services are provided. The Director's role and responsibility for the Business Systems unit includes ensuring that service-level agreements between the TE/GE Division and IS organization cover all aspects of IS technology related to TE/GE Division business systems.

Although the service-level agreement did not specifically include security services, sound business practices dictate that organizational boundaries should not prevent the TE/GE Division from monitoring the adequacy of the computer security support that may be provided by the IS organization. Security requirements should be incorporated into an effective service-level agreement for automated systems under the ownership of the IS organization. In addition, TE/GE management should monitor the adequacy of the support they receive from the IS organization to ensure these requirements are being met. A failure to establish controls to oversee the security of automated systems used by the TE/GE Division could adversely affect the Division's efforts to protect sensitive customer data. The TE/GE Division could also be at risk of accrediting a system with inadequate security because the Commissioner, TE/GE Division, becomes the principal accrediting authority and accepts responsibility for the security of the system when the certification is completed.

Management has not established clear guidance regarding the roles and responsibilities for certifying system security. The Director, TE/GE Business Systems unit, advised us that computer security oversight of the HQ EP/EO system was an IS organization responsibility. He stated that the TE/GE Division will rely on local IS support when security reviews are performed.

Establishing a senior-level manager with end-to-end accountability for managing the HQ EP/EO system and the LINUS would enhance the process used to provide the Commissioner, TE/GE Division, with the assurance that these automated systems have sufficient security controls in place that provide an acceptable level of risk.

Recommendations

The Commissioner, TE/GE Division, should:

  1. Emphasize the need to implement processes that will ensure that the TE/GE Division systems are properly certified and accredited.
  2. Establish a senior-level manager with overall responsibility for managing the security of data for the TE/GE Division's automated systems.
  3. Enhance the service-level agreement with the IS organization to ensure that the TE/GE Division's automated systems are certified in a timely manner so that data will be properly safeguarded.

Management's Response: The Commissioner, TE/GE Division, emphasized to appropriate managers the importance of ensuring that TE/GE systems are properly certified. The TE/GE Division Business Systems Planning organization was established to ensure that all TE/GE Division automated systems are developed using the IRS' Enterprise Life Cycle (ELC) process to ensure that new systems are not deployed without the appropriate security certification.

The Director, Business Systems Planning, and the Division Information Officer will develop a systems inventory matrix to capture and document important information for each of the business systems on which the TE/GE Division relies. The matrix will include: system management points of contact, platform and user characteristics, data types, and the status of security certifications and disaster recovery and business resumption plans. This matrix will give the Commissioner, TE/GE Division, a basis for monitoring changes and prioritizing follow-up or remedial actions.

The TE/GE Division is planning a service-level agreement with the IS organization. The TE/GE Division requires that all system development initiatives adhere to the IRS' ELC process. This requirement will help ensure that new systems are not deployed without appropriate security certifications and data safeguards.

Computer Security Controls Established for the Letter Information Network User System Could Be Strengthened

TE/GE Division management developed the LINUS to facilitate the processing of user fee payments forwarded to the Ohio area office. Although the LINUS was never intended to meet all of the TE/GE Division's business needs for user fee processing systems, we believe additional actions should be taken to enhance the security of sensitive customer data currently maintained on the LINUS.

Specifically, we found that additional actions could be taken to:

These actions were not taken because security over the data maintained on the LINUS was never assigned to a responsible management official. Assigning responsibility for these actions would enhance the TE/GE Division's efforts to safeguard information against unauthorized access, disclosure, damage, modification, and theft.

The LINUS user identification controls need to be strengthened

Readily available employee identification numbers (EIN) are currently used as passwords to access the LINUS. They identify the employee who is entering information into the LINUS. EINs are not secure, protected passwords because they are widely known by other employees. As a result, there is a risk that an employee could successfully circumvent the system's audit trail by using another employee's EIN. The LINUS Systems Administrator stated that he used employee numbers as LINUS passwords because they had been used for accessing the prior system that the LINUS replaced.

Secure user identification passwords are required to protect the integrity of the audit trail. They are also needed to authenticate the user's identity and identify all system accesses initiated by that individual. If the audit trail can be successfully circumvented, then all audited actions may become unreliable.

The LINUS was never designed to generate and/or accept secure user identification passwords. The Statement of Work used to develop the LINUS did not discuss the need to use secure password information. This omission may have contributed to the use of EINs as user identification passwords.

Processes have not been established to ensure the LINUS meets security monitoring requirements

Each executive, who is head of the office where an application or system with sensitive but unclassified information resides, is required to select functional security coordinators to administer the security requirements for his/her information systems. The functional security coordinators are required to perform:

Our review identified the following security monitoring control weaknesses for the LINUS:

IRS procedures require the functional security coordinator to review audit trail information. The LINUS Systems Administrator stated that there was no designated security administrator for the system because he was never instructed to designate a security administrator and, as a result, no one was assigned responsibility for producing and reviewing audit trail reports. Unauthorized system accesses may go undetected when audit trail information is not reviewed.
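The two findings above (identifiers used as passwords, and audit trail reports that nobody produced or reviewed) can be illustrated together. The following is an added example, not code from the LINUS or the IRS: a constructed enrollment check that rejects a password built from an employee identifier, a login routine whose audit trail is attributable only because the secret is private, and a review function of the kind a functional security coordinator would run over that trail. All names (UserFeeEntrySystem, review_audit_trail, the sample EIN 12345) are hypothetical.

```python
"""
Constructed example, not code from the LINUS or the IRS: a credential-policy
check that rejects employee identification numbers (EINs) as passwords, and an
audit-trail review of the kind a functional security coordinator would run.
"""
import hashlib
import hmac
import os
from collections import Counter, defaultdict
from dataclasses import dataclass

PBKDF2_ROUNDS = 100_000  # assumption: any modern password KDF would serve


@dataclass
class Account:
    ein: str        # employee identification number: an identifier, widely known
    salt: bytes
    pw_hash: bytes


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def is_identifier_derived(password: str, identifiers) -> bool:
    """True when the candidate secret is, or merely wraps, a known identifier.

    Identifiers (EIN, login name, display name) are public within the office,
    so a password built from one gives no assurance about who typed it.
    """
    norm = password.strip().lower()
    for ident in identifiers:
        i = ident.strip().lower()
        if len(i) >= 4 and i in norm:      # "12345", "12345!", "x12345" all rejected
            return True
    return False


class UserFeeEntrySystem:
    """Hypothetical stand-in for a user-fee data-entry application."""

    def __init__(self, min_length: int = 8):
        self.accounts: dict[str, Account] = {}
        self.audit_trail: list[tuple[str, str, str]] = []  # (ein, action, outcome)
        self.min_length = min_length

    def enroll(self, ein: str, display_name: str, password: str) -> None:
        if len(password) < self.min_length:
            raise ValueError("password shorter than policy minimum")
        if is_identifier_derived(password, (ein, display_name)):
            raise ValueError("password must not be derived from an employee identifier")
        salt = os.urandom(16)
        self.accounts[ein] = Account(ein, salt, _hash_password(password, salt))

    def login(self, ein: str, password: str) -> bool:
        acct = self.accounts.get(ein)
        ok = acct is not None and hmac.compare_digest(
            acct.pw_hash, _hash_password(password, acct.salt))
        # Every attempt is recorded. The EIN in the entry is attributable to one
        # person only because the secret that proved it is known to one person.
        self.audit_trail.append((ein, "login", "success" if ok else "failure"))
        return ok


def review_audit_trail(trail, failure_threshold: int = 3) -> dict:
    """Summarise a trail of (ein, action, outcome) tuples for the coordinator.

    Returns per-EIN outcome counts and the EINs whose failed logins reach the
    threshold: the kind of anomaly the report says went unreviewed.
    """
    counts: dict[str, Counter] = defaultdict(Counter)
    for ein, action, outcome in trail:
        if action == "login":
            counts[ein][outcome] += 1
    flagged = sorted(e for e, c in counts.items() if c["failure"] >= failure_threshold)
    return {"counts": {e: dict(c) for e, c in counts.items()}, "flagged": flagged}


def demo() -> dict:
    """Constructed walk-through: weak candidates rejected, then a reviewed trail."""
    system = UserFeeEntrySystem()
    rejected = []
    for pw in ("12345", "12345!", "jsmith2001"):          # constructed weak candidates
        try:
            system.enroll("12345", "jsmith", pw)
        except ValueError:
            rejected.append(pw)
    system.enroll("12345", "jsmith", "correct-horse-battery")   # constructed secret
    system.login("12345", "correct-horse-battery")
    for _ in range(3):
        system.login("12345", "12345")    # the old EIN-as-password habit now fails
    return {"rejected": rejected, "review": review_audit_trail(system.audit_trail)}


if __name__ == "__main__":
    print(demo())
```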

The LINUS is not listed on the SSIL

The LINUS contains sensitive customer data, but it is not listed as a system with sensitive information on the SSIL. IRS procedures require an inventory of all systems that process sensitive customer information. The Certification Program Office, under the direction of the Office of Security and Privacy Oversight, maintains and updates the SSIL. Field organizations are responsible for reporting local sensitive systems to their appropriate Chief Officer's Security Plan Coordinator for addition to the SSIL. We did not identify any controls to ensure that TE/GE Division-owned systems are reported to the Office of Security and Privacy Oversight for addition on the SSIL. Also, there was a lack of awareness of the certification and SSIL requirements. Neither the Ohio field office management team nor the LINUS Systems Administrator was aware of the SSIL requirement.

Additionally, there was no TE/GE Division management official designated with the responsibility for reporting systems with sensitive but unclassified information to the Certification Program Office. Not listing automated systems on the SSIL could result in these systems not being timely certified that security measures are reasonable, adequate and effectively implemented.

The LINUS Disaster Recovery and Business Resumption Plans have not been completed

The Statement of Work document used to develop the LINUS did not identify any requirement to develop a disaster recovery plan. The ELC process requires the development of a disaster recovery plan and a system contingency plan to ensure that proper back-up and recovery procedures are in place in the event of a system failure.

The Ohio field office management team advised us that neither a Disaster Recovery Plan nor a Business Resumption Plan was specifically developed for the LINUS because the IS Business Resumption Plan developed for the Ohio area office could be used in lieu of any specific plans for LINUS. However, the local Business Resumption Plan did not identify any specific reference to the LINUS.

Recommendations

The Commissioner, TE/GE Division, should:

  1. Ensure that automated systems require unique and secure password information and the ability to monitor employee accesses.
  2. Emphasize the need to generate audit trail reports for review of system accesses on all systems used to process user fee payment information.
  3. Appoint a functional security coordinator for the LINUS who will conduct periodic functional security reviews using system-generated audit trail information.
  4. Develop a process for identifying and reporting the TE/GE Division's automated systems with sensitive information to the Certification Program Office.
  5. Develop a process to ensure that the Disaster Recovery and Business Resumption Plans are developed for the LINUS.

Management's Response: The TE/GE Division will require that system development initiatives adhere to the ELC process to ensure that security certifications are appropriate for the data processed by the automated system before the system is deployed. The TE/GE Division has requested that the IS security organization provide a vulnerability assessment of the LINUS. The assessment will identify any necessary cost effective interim solutions for a system with a limited life. The TE/GE Division will request that IS initiate the necessary actions to respond to the needs identified.

The TE/GE Division plans to migrate the HQ EP/EO system from its current hardware platform to a new platform. The new hardware will have sufficient capacity to generate audit trail reports and the Director, EO Rulings and Agreements, will require the HQ EP/EO data base administrator to generate audit trail reports for review by the functional security coordinator. The Director, EO Rulings and Agreements, will require the LINUS data base administrator to produce audit trail reports and appoint a LINUS functional security coordinator to review the reports.

The Director, Business Systems Planning, and the Division Information Officer will develop a systems inventory matrix to capture and document important information for TE/GE Division automated systems. The matrix will identify, and the TE/GE Division will report, any system with sensitive information not reported to the IS Certification Program Office. The TE/GE Division will require developers of new systems to comply with the ELC process to ensure that appropriate security processes are developed before the new systems are deployed.

The TE/GE Division is designing a new system that will replace the LINUS. The design of the new user fee processing system will follow the ELC process. This process requires that the TE/GE Division develop a disaster recovery and business resumption plan for the new system. Until the replacement user fee processing system is operational, the TE/GE Division will use the disaster recovery and business resumption plan developed for the Ohio area office.

Office of Audit Comment: We do not concur with the TE/GE Division's decision to not develop specific disaster and business resumption plans for the LINUS. The risks associated with using the IS Business Resumption Plan developed for the Ohio area office are increased because the local IS Business Resumption Plan does not specifically identify or refer to the LINUS. Also, the time period to develop the LINUS replacement system may exceed the calendar year 2002 planned implementation date, resulting in additional risks that user fee payment information may be lost.

Conclusion

Even though the TE/GE Division management has initiated actions that may improve the quality, completeness, and reliability of customer user fee account data, additional actions are needed to better manage the data security risks associated with processing user fee payment information on existing systems. Specifically, we determined that additional management emphasis is needed to properly certify and accredit user fee systems and to establish overall responsibility for managing TE/GE Division user fee systems. Also, the TE/GE Division should appoint a functional security coordinator and develop a process for identifying and reporting TE/GE Division automated systems with sensitive information to the Certification Program Office. Additionally, a process should be developed to ensure that Disaster Recovery and Business Resumption Plans are established.

Appendix I

Detailed Objective, Scope, and Methodology

The overall objective was to determine whether the Tax Exempt/Government Entities (TE/GE) Division's automated systems used to process user fee payment information provide reasonable assurance that data are properly protected. We:

  1. Reviewed the Internal Revenue Service (IRS) data security requirements and performed walk-through evaluations of user fee system processing actions to:
    1. Assess whether the system security controls would minimize unauthorized accesses. Specifically, we:
      1. Reviewed documentation obtained from meetings held with the Director, TE/GE Division Administrative Services unit, and the Letter Information Network User System (LINUS) Systems Administrator.
      2. Reviewed the LINUS System Application Test Plan.
    2. Determine whether an audit trail was used to monitor system accesses. Specifically, we:
      1. Discussed system-monitoring requirements with the TE/GE Division office automation managers and staff and the LINUS Systems Administrator.
      2. Determined if functional security coordinators had been assigned to review system accesses.
    3. Determine whether contingency plans and back-up procedures ensured data would not be lost. Specifically, we:
      1. Reviewed documentation provided by the TE/GE Division field office managers and the LINUS Systems Administrator.
      2. Evaluated the Ohio District Business Resumption Plan and discussed contingency plans for the mid-range computer system maintained at the Martinsburg Computing Center with the Information Systems (IS) organization.
      3. Reviewed the Headquarters Employee Plans/Exempt Organizations Inventory System (HQ EP/EO system) Disaster Recovery and Continuity of Operations planning process.
    4. Evaluate the certification/accreditation of user fee payment systems. Specifically, we:
      1. Reviewed Office of Management and Budget and IRS guidelines, policies, and requirements relevant to information systems that process sensitive but unclassified taxpayer information.
      2. Evaluated plans to re-certify the HQ EP/EO system.
      3. Reviewed the Statement of Work for the LINUS.
      4. Evaluated the TE/GE Division's efforts for identifying and reporting its automated systems with sensitive but unclassified information to the IS Certification Program Office for addition to the Sensitive Systems Inventory Listing.
  2. Interviewed managers and employees responsible for maintaining data security and providing oversight of user fee payment systems to:
    1. Evaluate the management structure established by the TE/GE Division to oversee the security of user fee payment data. Specifically, we:
      1. Discussed and evaluated oversight responsibilities for the LINUS and the HQ EP/EO system with managers and employees assigned to the TE/GE Division Business Systems unit and the Ohio field office.
      2. Identified and analyzed the TE/GE Commissioner's role as the principal accrediting authority for the TE/GE Division's business systems.
    2. Evaluate the TE/GE Division's efforts to coordinate data security requirements with the IS organization. Specifically, we:
      1. Identified and analyzed the TE/GE Division Business Systems Planning unit's procedures and processes for coordinating and monitoring the services provided by the IS organization.
      2. Discussed and evaluated the coordination of data security requirements with the Director, TE/GE Division Business Systems unit.

Appendix II

Major Contributors to This Report

Maurice S. Moody, Associate Inspector General for Audit (Headquarters Operations and Exempt Organizations Programs)

Joseph Edwards, Director

Michael Levi, Audit Manager

Michael Van Nevel, Senior Auditor

Steven Bohrer, Auditor

Marjorie Stephenson, Auditor

Appendix III

Report Distribution List

Commissioner N:C

Deputy Commissioner, Tax Exempt and Government Entities Division T

Chief Counsel CC

Director, Business Systems Planning T:BSP

Director, Employee Plans T:EP

Director, Employee Plans Rulings and Agreements T:EP:RA

Director, Exempt Organizations T:EO

Director, Exempt Organizations Rulings and Agreements T:EO:RA

Director, Legislative Affairs CL:LA

Director, Office of Program Evaluation and Risk Analysis N:ADC:R:O

Manager EO Determinations T:EO:RA:D

Manager EP Determinations T:EP:RA:D

National Taxpayer Advocate TA

Office of Management Controls N:CFO:F:M

Audit Liaison, Tax Exempt and Government Entities Division T

Appendix IV

Management's Response to the Draft Report

The response was removed due to its size. To see the complete response, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.