TD P 15-71
Physical Security Can Be Improved to Maximize Protection
Against Unauthorized Access and Questionable Mail
October 2002
Reference Number: 2003-20-004
October 8, 2002
MEMORANDUM FOR CHIEF, AGENCY-WIDE SHARED SERVICES
FROM: Pamela J. Gardiner
/s/ Pamela J. Gardiner
Acting Inspector General
SUBJECT: Final Audit Report – Physical Security Can Be Improved to Maximize Protection Against Unauthorized Access and Questionable Mail (Audit # 200220042)
This report presents the results of our review to evaluate the effectiveness of physical security measures implemented at Internal Revenue Service (IRS) facilities. We conducted this audit to address Congressional concerns over security in the IRS in the wake of the terrorist attacks of September 11, 2001, and subsequent Anthrax mailings.
A determined and experienced intruder can breach most lines of defense. Agencies like the IRS, which must offer public access to provide customer service, are particularly difficult to defend. With this in mind, the IRS has established adequate policies and procedures to protect its employees and to minimize the possibility of physical breaches. In addition, the IRS has implemented several physical security enhancements, such as canine units at all campuses for explosive detection and intruder deterrence, increased guard service, and redesigned mail handling to isolate questionable mail. However, security measures have not been consistently applied and IRS facilities were unnecessarily vulnerable to intruders and questionable mail.
In summary, we identified several security weaknesses at the offices we visited that could allow an intruder access to IRS facilities. We attributed the weaknesses to a lack of awareness and non-compliance with policies and procedures by employees and managers. Our results indicate that the heightened security awareness that occurred after September 11th may be waning.
We recommended that the Chief, Agency-Wide Shared Services (AWSS), issue guidance to re-emphasize security policies and procedures to address the security weaknesses in this report. We also recommended that the IRS consider installing or repairing security devices (i.e., alarms, cameras, x-ray machines, metal detectors) and protective items (i.e., blast-resistant film for glass, high quality air filters) to strengthen physical security at IRS sites.
Management’s Response: The Deputy Chief, AWSS, agreed with our recommendations. AWSS management will issue memoranda to emphasize security policies and procedures, continue to use the risk assessment process to determine the appropriate level of security for all facilities and to develop budget requirements for upgrade projects, and emphasize mail-handling procedures as part of the Campus Readiness process for the upcoming filing season.
Management’s complete response to the draft report is included in Appendix V.
TIGTA has designated this report as Limited Official Use (LOU) pursuant to Treasury Directive TD P-71-10, Chapter III, Section 2, “Limited Official Use Information and Other Legends” of the Department of Treasury Security Manual. Because this document has been designated LOU, it may only be made available to those officials who have a need to know the information contained within this report in the performance of their official duties. This report must be safeguarded and protected from unauthorized disclosure; therefore, all requests for disclosure of this report must be referred to the Disclosure Unit within TIGTA’s Office of Chief Counsel.
Copies of this report are also being sent to the IRS managers who are affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Scott E. Wilson, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.
The Internal Revenue Service Has Taken Steps to Reduce the Risk of Security Threats
Incident Handling and Reporting Can Be Improved
Appendix I – Detailed Objective, Scope, and Methodology
Appendix II – Major Contributors to This Report
Appendix III – Report Distribution List
Appendix IV – Matrix of Findings by Location
Appendix V – Management’s Response to the Draft Report
Physical security has always been an important matter for the Internal Revenue Service (IRS), whether it is safeguarding taxpayer data or protecting its employees and facilities. While the terrorist attacks of September 11, 2001, have increased security awareness and put the entire nation on alert, they have also brought a dramatic shift in assessing risk vulnerabilities, in that what was once considered unthinkable is now very real and likely to occur. In addition, the subsequent anthrax mailings and mail bomb incidents have increased the risks associated with processing mail.
The IRS has always been in the position of balancing the needs of the taxpaying public and its responsibility to protect its employees and assets. Being more accessible to the public means being more vulnerable to attack. The IRS is widely dispersed with over 750 facilities throughout the nation. These facilities can range from one-person offices to large tax return processing campuses with thousands of employees. There are also different tenant sharing arrangements at these facilities, from being housed as an IRS-only office to sharing building space with other Federal agencies and other private companies.
Of particular difficulty are those buildings that the IRS occupies jointly with others. There are certain security measures over which the IRS has little or no control. For example, guard service at buildings with multiple Federal agencies is provided by the General Services Administration’s (GSA) Federal Protective Service (FPS). Also, in buildings where the IRS is not the lead agency or tenant (i.e., the largest organization in the building), the IRS must propose changes to the building security committee, which approves or disapproves security requests.
We conducted this audit to address Congressional concerns over security in the IRS in the wake of the terrorist attacks of September 11, 2001. We performed this audit from March to June 2002 at the National Headquarters office of the Agency-Wide Shared Services (AWSS) and the IRS offices at the following eight locations: ***(b)(7)(F)*** The audit was conducted in accordance with Government Auditing Standards. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.
The Internal Revenue Service Has Taken Steps to Reduce the Risk of Security Threats
The IRS has adequate physical security policies and procedures for the level of security required at each facility and has taken an active role in strengthening security measures. The following are examples of improvements and security assessments that have been made at campuses and field offices.
· Preliminary assessment surveys, compliance reviews, or vulnerability assessments were completed at IRS facilities.
· Gloves and masks were made available to all employees who process mail.
· Plans were proposed to remove garbage receptacles around a building.
· Cement barriers, security bollards, and planters were placed around a building to guard against explosive attack.
· Public building and street parking were eliminated around a building, and loading dock access was restricted.
· Increased building security guard staff was provided for more deterrence and detection abilities.
· Armed guards were placed in customer service walk-in offices to deter and quickly respond to potential threats.
However, security measures have not been consistently applied and IRS facilities remain vulnerable to intruders and explosive attacks. We identified several security weaknesses at the offices we visited that could allow an intruder access to IRS facilities. Our results indicate that the heightened security awareness that occurred after September 11th may be waning. The following findings present these weaknesses; specific examples of these conditions by site are presented in Appendix IV.
Physical Measures Can Be Improved to Minimize Unauthorized Access to Internal Revenue Service Offices and External Attacks to Its Buildings
The first line of defense in protecting a facility and the resources within it from intruders and building attacks is the set of security controls placed at the property line and building perimeter. While we recognize the difficulty in preventing access to a determined and experienced intruder, the IRS could strengthen controls to minimize the opportunities for most unauthorized accesses.
Building perimeters were not adequately secured
The Department of the Treasury and IRS security standards require that all perimeter doors be locked and alarmed when not guarded. Management must conduct regular reviews of these controls to ensure they are functioning properly and must also train employees to be alert to security vulnerabilities. Weaknesses could allow intruders, visitors, or employees to surreptitiously enter the buildings and threaten the safety of employees and do harm to the building. We identified the following instances.
These conditions occurred because employees and FPS were not alert to security vulnerabilities and the AWSS staff did not adequately review and test security controls to ensure that locks, alarms, and cameras were functioning properly. In some instances, State regulations and property jurisdiction superseded security concerns. Management also cited a lack of funding as a cause of cameras not functioning and of the absence of metal detectors and x-ray machines in the lobby of the building.
Buildings were vulnerable to explosive attacks
The Consolidated Physical Security Standards for IRS Facilities (CPSS) provides a set of minimum physical security standards. The CPSS states that receptacles that could conceal explosives should be kept away from buildings. Passive vehicle barriers, such as security bollards, should be provided at all IRS facilities.
Four sites we visited had ill-placed trash receptacles and/or newspaper stands located close or next to the building. Both could be used to conceal explosive devices. Also, buildings at two sites were not separated from parking spaces by security bollards.
Management was aware of many of these conditions but had not taken action either because of cost considerations, lack of awareness of the potential security risks, or lack of jurisdiction.
We recommend that the Chief, AWSS:
1. Issue an all-employee memorandum to reinforce security policies and procedures over building perimeter and interior security, and disallow the practice of electronically overriding proxy card entrances. Employees who do not have proxy cards should be subject to visitor entrance security procedures.
Management’s Response: AWSS management will issue a memorandum instructing Facilities Management Officers (FMO) to emphasize the issue of perimeter and interior access control in their local security awareness briefings of all employees. The FMOs will also direct that all employees use their proxy cards every time they enter doors equipped with card readers and require employees without an authorized proxy card to follow the entry procedures for visitors.
2. Consider installing or repairing alarms, cameras, x-ray machines, metal detectors, and blast-resistant film on ground-level windows when allocating new funds.
Management’s Response: AWSS management will continue to use the risk assessment process to determine the appropriate use and placement of security devices, which will include considerations for all recommended items in this report. In addition, the Real Estate and Facilities Management (REFM) Division has scheduled a November 2002 meeting with the Chief, Field Operations, to develop an implementation strategy to acquire maintenance contracts for security equipment and systems.
3. Issue guidance requiring all individuals (visitors and employees without identification and proxy card access) entering IRS grounds or space to be subject to metal detectors, and their personal items subject to x-ray machines.
Management’s Response: The IRS has delegated authority for physical security in only 14 of the approximately 785 facilities. In these 14 facilities, the IRS screens all visitors. Also, the IRS either screens employees without identification or requires a manager to verify that the individual is still an IRS employee. In all other multi-tenant federal and commercial locations, a Building Security Committee (BSC) established by GSA determines the required level of screening. When the IRS assesses security needs for IRS space in these locations, the upgrades recommended take into consideration the level of security provided, through the BSC, for the entire facility.
Office of Audit Comment: We encourage re-emphasis of this issue as part of the Campus Readiness process for the upcoming filing season.
Mail Handling Can Be Improved to Reduce the Risk of Employee Exposure to Potentially Dangerous Substances
The IRS Deputy Commissioner issued memoranda requiring all mail and packages received in each field office to be extracted only in a central mailroom or mail-sorting area, wherever possible. Large packages received from unknown sources must be x-rayed or subject to other appropriate screening. The only exception to this requirement is mail or packages that were never outside IRS control or from known vendors or contractors. Following these procedures will restrict the impact of any potential biological incident to areas where special precautions have been taken to minimize risk to employees. We identified the following instances.
· In five sites, employees voluntarily opened mail at their desks or cubicles and not in the central mailroom. Managers did not ensure that employees complied with existing procedures.
· In three sites, x-ray machines did not receive regular maintenance or calibration. Mail handlers only requested service for the x-ray machines if a problem was noted. National guidance did not address this issue.
We recommend that the Chief, AWSS:
4. Issue an all-employee memorandum to clarify mail handling procedures to include taxpayer correspondence from the walk-in area, Collection sealed bids, and letters or packages received that were outside IRS control be x-rayed or subject to other appropriate screening and opened in a designated centralized mailroom. This memorandum can also include requirements to periodically perform maintenance and calibration on all x-ray machines.
Management’s Response: Because the IRS Deputy Commissioner has already issued memoranda for both campuses and field locations that provide specific mail-handling guidance, AWSS management will not issue any more memoranda on the subject. They will emphasize mail-handling procedures as part of the Campus Readiness process for the upcoming filing season. The maintenance and calibration of x-ray machines and security equipment was addressed in the corrective actions for recommendation 2.
Incident Handling and Reporting Can Be Improved
The IRS Deputy Commissioner issued a memorandum, dated November 2, 2001, requiring facilities management officers to update the Occupant Emergency Plan (OEP) for each location no later than November 6, 2001. The FPS is responsible for conducting annual reviews to ensure the OEPs are current and adequate. In subsequent memoranda, the Deputy Commissioner required all employees who extract mail to receive hazardous material awareness information and training. Also, the IRS requires all potential and significant incidents, and unusual situations that may affect the operations of the IRS, to be reported as quickly as possible. We identified the following instances.
In the event of an emergency, properly developed and current OEPs can reduce the threat to personnel, property, and other assets, while minimizing work disruption. Prompt reporting of incidents is essential to advise all levels of management of conditions that affect the operations of the IRS, as well as allow analysis of the information for trends.
We recommend that the Chief, AWSS:
5. Issue an all-employee memorandum to re-emphasize that OEPs should be updated at least once a year, or when personnel changes, or a significant change in tenant occupancy occurs, and to clarify and reinforce escalation procedures.
Management’s Response: AWSS management agreed that they must re-emphasize annually the need to update OEPs. However, an all-employee memorandum is not the appropriate vehicle in this situation since the IRS only controls the OEPs for the 14 delegated sites. They will emphasize OEP review, including escalation procedures, as part of the annual Campus Readiness process at these delegated sites.
6. When allocating new funds, consider installing permanent telephones in all mailrooms to allow for the immediate reporting of incidents, ventilation cut-off switches accessible to IRS employees, and high quality filters in the vacuum system to better capture potentially dangerous substances.
Management’s Response: The REFM Division will contact the Digital Communications Office in the Modernization & Information Technology Services organization to pursue implementation of telephone service in all mailrooms. In addition, AWSS management has isolated the Receipt and Control ventilation systems for the 14 delegated sites, and has ordered high quality filters for the mail opening and sorting equipment used at the campuses and the IRS main headquarters building. These filters will be delivered in October 2002, and the manufacturer will do the initial installation and train IRS equipment operators on proper installation, removal, and disposal procedures.
Appendix I
Detailed Objective, Scope, and Methodology
The overall objective of this review was to evaluate the effectiveness of physical security measures implemented at Internal Revenue Service (IRS) facilities. To accomplish our objective, we conducted the following audit steps at the Agency-Wide Shared Services Headquarter office, ***(b)(7)(F)***.
I. Identified what the IRS had done in the area of physical security and employee safety as a result of September 11, 2001. Specifically, we reviewed prior physical security reviews and the statuses of their implementation, the Threat Assessments and Security Reviews required by the Deputy Commissioner for a judgmental sample of 48 of 752 sites (selected using interval sampling on sites sorted by square footage), physical security incident reports, the Consolidated Physical Security Standards for IRS facilities, physical security requirements and standards, and contacted the Treasury Inspector General for Tax Administration, Office of Investigations, to identify any potential threats and/or current investigations at sites selected for review.
II. Determined how well IRS buildings are protected against unauthorized entry for the eight sites selected for our review. Specifically, we conducted after hours checks on the strength of security at the entry points and conducted a walk-through of the buildings, evaluated local procedures and security measures on permitting individuals into the buildings, and interviewed security guards to identify their roles, responsibilities, and enforcement capabilities.
III. Determined how well the perimeters of IRS buildings are protected against explosive threats for the eight sites selected for our review. Specifically, we conducted after hours checks on security measures implemented around the building perimeter and a walk-through of the buildings, evaluated local procedures on protecting and monitoring the building perimeters, and interviewed security guards to identify the capabilities and limitations of the security cameras, and what security measures had been considered and taken to protect the buildings from car attacks.
IV. Determined how well the IRS is protected against biological threats received via mail for the eight sites selected for our review. Specifically, we evaluated local procedures on mail handling to ensure all mail is subjected to the same requirements and opened in a designated area equipped with the necessary security precautions, and interviewed employees who handle mail to determine if they had received training and are aware of the procedures for processing mail.
V. Determined if the incident response handling procedures are adequate and effective at minimizing the risks of external threats, unauthorized access, and bio-chemical attacks for the eight sites selected for our review. Specifically, we reviewed the Occupant Emergency Plans to ensure information is current, and roles and responsibilities are clear and defined, interviewed employees and managers to verify everyone is aware of the procedures, and contacted the local fire departments to discuss concerns and/or issues they identified.
Appendix II
Major Contributors to This Report
Scott E. Wilson, Assistant Inspector General for Audit (Information Systems Programs)
Steve Mullins, Director
Kent Sagara, Audit Manager
Harry Dougherty, Senior Auditor
Jody Kitazono, Senior Auditor
Louis Lee, Senior Auditor
Larry Reimer, Senior Auditor
Dave Hodge, Auditor
Joan Raniolo, Auditor
William Simmons, Auditor
Appendix III
Commissioner N:C
Deputy Commissioner N:DC
Deputy Commissioner for Modernization & Chief Information Officer M
Deputy Chief, Agency-Wide Shared Services A
Chief, Security Services M:S
Director, Real Estate and Facilities Management A:RE
Director, Facilities Operations A:RE:O
Director, Safety and Security A:RE:S
Director, Mission Assurance M:S:A
Director, Security Policy Support and Oversight M:S:S
Management Control Coordinator A
Deputy Chief Financial Officer, Department of the Treasury
Appendix IV
The chart was removed due to its size. To see the chart, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.***(b)(7)(F)***
Appendix V
The response was removed due to its size. To see the response, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.