TD P 15-71
Physical Security Can Be Improved to Maximize Protection Against Unauthorized Access and Questionable Mail
Reference Number: 2003-20-004
October 8, 2002
MEMORANDUM FOR CHIEF, AGENCY-WIDE SHARED SERVICES
FROM: Pamela J. Gardiner /s/ Pamela J. Gardiner
Acting Inspector General
SUBJECT: Final Audit Report – Physical Security Can Be Improved to Maximize Protection Against Unauthorized Access and Questionable Mail (Audit # 200220042)
This report presents the results of our review to evaluate the effectiveness of physical security measures implemented at Internal Revenue Service (IRS) facilities. We conducted this audit to address Congressional concerns over security in the IRS in the wake of the terrorist attacks of September 11, 2001, and subsequent Anthrax mailings.
A determined and experienced intruder can breach most lines of defense. Agencies like the IRS, which must offer public access to provide customer service, are particularly difficult to defend. With this in mind, the IRS has established adequate policies and procedures to protect its employees and to minimize the possibility of physical breaches. In addition, the IRS has implemented several physical security enhancements, such as canine units at all campuses for explosive detection and intruder deterrence, increased guard service, and redesigned mail handling to isolate questionable mail. However, security measures have not been consistently applied and IRS facilities were unnecessarily vulnerable to intruders and questionable mail.
In summary, we identified several security weaknesses at the offices we visited that could allow an intruder access to IRS facilities. We attributed the weaknesses to a lack of awareness and non-compliance with policies and procedures by employees and managers. Our results indicate that the heightened security awareness that occurred after September 11th may be waning.
We recommended that the Chief, Agency-Wide Shared Services (AWSS), issue guidance to re-emphasize security policies and procedures to address the security weaknesses in this report. We also recommended that the IRS consider installing or repairing security devices (i.e., alarms, cameras, x-ray machines, metal detectors) and protective items (i.e., blast-resistant film for glass, high quality air filters) to strengthen physical security at IRS sites.
Management’s Response: The Deputy Chief, AWSS, agreed with our recommendations. AWSS management will issue memoranda to emphasize security policies and procedures, continue to use the risk assessment process to determine the appropriate level of security for all facilities and to develop budget requirements for upgrade projects, and emphasize mail-handling procedures as part of the Campus Readiness process for the upcoming filing season.
Management’s complete response to the draft report is included in Appendix V.
TIGTA has designated this report as Limited Official Use (LOU) pursuant to Treasury Directive TD P-71-10, Chapter III, Section 2, “Limited Official Use Information and Other Legends” of the Department of Treasury Security Manual. Because this document has been designated LOU, it may only be made available to those officials who have a need to know the information contained within this report in the performance of their official duties. This report must be safeguarded and protected from unauthorized disclosure; therefore, all requests for disclosure of this report must be referred to the Disclosure Unit within TIGTA’s Office of Chief Counsel.
Copies of this report are also being sent to the IRS managers who are affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Scott E. Wilson, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.
Physical security has always been an important matter for the Internal Revenue Service (IRS), whether it is safeguarding taxpayer data or protecting its employees and facilities. While the terrorist attacks of September 11, 2001, have increased security awareness and put the entire nation on alert, they have also brought a dramatic shift in assessing risk vulnerabilities, in that what was once considered unthinkable is now very real and likely to occur. In addition, the subsequent anthrax mailings and mail bomb incidents have increased the risks associated with processing mail.
The IRS has always been in the position of balancing the needs of the taxpaying public and its responsibility to protect its employees and assets. Being more accessible to the public means being more vulnerable to attack. The IRS is widely dispersed with over 750 facilities throughout the nation. These facilities can range from one-person offices to large tax return processing campuses with thousands of employees. There are also different tenant sharing arrangements at these facilities, from being housed as an IRS-only office to sharing building space with other Federal agencies and other private companies.
Buildings that the IRS occupies jointly with others pose particular difficulty. There are certain security measures over which the IRS has little or no control. For example, guard service at buildings with multiple Federal agencies is provided by the General Services Administration’s (GSA) Federal Protective Service (FPS). Also, in buildings where the IRS is not the lead agency or tenant (i.e., the largest organization in the building), the IRS must propose changes to the building security committee, which approves or disapproves security requests.
We conducted this audit to address Congressional concerns over security in the IRS in the wake of the terrorist attacks of September 11, 2001. We performed this audit from March to June 2002 at the National Headquarters office of the Agency-Wide Shared Services (AWSS) and the IRS offices at the following eight locations: ***(b)(7)(F)*** The audit was conducted in accordance with Government Auditing Standards. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.
The IRS has adequate physical security policies and procedures for the level of security required at each facility and has taken an active role in strengthening security measures. The following are examples of improvements and security assessments that have been made at campuses and field offices.
· Preliminary assessment surveys, compliance reviews, or vulnerability assessments were completed at IRS facilities.
· Gloves and masks were made available to all employees who process mail.
· Plans were proposed to remove garbage receptacles around a building.
· Cement barriers, security bollards, and planters were placed around a building to guard against explosive attack.
· Public building and street parking were eliminated around a building, and loading dock access was restricted.
· Increased building security guard staff was provided for more deterrence and detection abilities.
· Armed guards were placed in customer service walk-in offices to deter and quickly respond to potential threats.
However, security measures have not been consistently applied and IRS facilities remain vulnerable to intruders and explosive attacks. We identified several security weaknesses at the offices we visited that could allow an intruder access to IRS facilities. Our results indicate that the heightened security awareness that occurred after September 11th may be waning. The following findings present these weaknesses; specific examples of these conditions by site are presented in Appendix IV.
The first line of defense in protecting a facility and the resources within it from intruders and building attacks consists of the security controls placed at the property line and building perimeter. While we recognize the difficulty in preventing access by a determined and experienced intruder, the IRS could strengthen controls to minimize the opportunities for most unauthorized accesses.
Building perimeters were not adequately secured
The Department of the Treasury and IRS security standards require that all perimeter doors be locked and alarmed when not guarded. Management must conduct regular reviews of these controls to ensure they are functioning properly and must also train employees to be alert to security vulnerabilities. Weaknesses could allow intruders, visitors, or employees to surreptitiously enter the buildings and threaten the safety of employees and do harm to the building. We identified the following instances.
These conditions occurred because employees and FPS were not alert to security vulnerabilities and the AWSS staff did not adequately review and test security controls to ensure that locks, alarms, and cameras were functioning properly. In some instances, State regulations and property jurisdiction superseded security concerns. Management also cited a lack of funding as a cause of cameras not functioning and of the absence of metal detectors and x-ray machines in the lobby of the building.
Buildings were vulnerable to explosive attacks
The Consolidated Physical Security Standards for IRS Facilities (CPSS) provides a set of minimum physical security standards. The CPSS states that receptacles that could conceal explosives should be kept away from buildings. Passive vehicle barriers, such as security bollards, should be provided at all IRS facilities.
Four sites we visited had ill-placed trash receptacles and/or newspaper stands located close or next to the building. Both could be used to conceal explosive devices. Also, buildings at two sites were not separated from parking spaces by security bollards.
Management was aware of many of these conditions but had not taken action either because of cost considerations, lack of awareness of the potential security risks, or lack of jurisdiction.
We recommend that the Chief, AWSS:
1. Issue an all employee memorandum to reinforce security policies and procedures over building perimeter and interior security, and disallow the practice of electronically overriding proxy card entrances. Employees who do not have proxy cards should be subject to visitor entrance security procedures.
Management’s Response: AWSS management will issue a memorandum instructing Facilities Management Officers (FMO) to emphasize the issue of perimeter and interior access control in their local security awareness briefings of all employees. The FMOs will also direct that all employees use their proxy cards every time they enter doors equipped with card readers and require employees without an authorized proxy card to follow the entry procedures for visitors.
2. Consider installing or repairing alarms, cameras, x-ray machines, metal detectors, and blast resistant film on ground-level windows when allocating new funds.
Management’s Response: AWSS management will continue to use the risk assessment process to determine the appropriate use and placement of security devices, which will include considerations for all recommended items in this report. In addition, the Real Estate and Facilities Management (REFM) Division has scheduled a November 2002 meeting with the Chief, Field Operations, to develop an implementation strategy to acquire maintenance contracts for security equipment and systems.
3. Issue guidance requiring all individuals (visitors and employees without identification and proxy card access) entering IRS grounds or space to be subject to metal detectors, and their personal items subject to x-ray machines.
Management’s Response: The IRS has delegated authority for physical security in only 14 of the approximately 785 facilities. In these 14 facilities, the IRS screens all visitors. Also, the IRS either screens employees without identification or requires a manager to verify that the individual is still an IRS employee. In all other multi-tenant federal and commercial locations, a Building Security Committee (BSC) established by GSA determines the required level of screening. When the IRS assesses security needs for IRS space in these locations, the upgrades recommended take into consideration the level of security provided, through the BSC, for the entire facility.
Office of Audit Comment: We encourage re-emphasis of this issue as part of the Campus Readiness process for the upcoming filing season.
The IRS Deputy Commissioner issued memoranda requiring all mail and packages received in each field office to be extracted only in a central mailroom or mail-sorting area, wherever possible. Large packages received from unknown sources must be x-rayed or subject to other appropriate screening. The only exception to this requirement is mail or packages that were never outside IRS control or from known vendors or contractors. Following these procedures will restrict the impact of any potential biological incident to areas where special precautions have been taken to minimize risk to employees. We identified the following instances.
· In five sites, employees voluntarily opened mail at their desks or cubicles and not in the central mailroom. Managers did not ensure that employees complied with existing procedures.
· In three sites, x-ray machines did not receive regular maintenance or calibration. Mail handlers only requested service for the x-ray machines if a problem was noted. National guidance did not address this issue.
We recommend that the Chief, AWSS:
4. Issue an all-employee memorandum to clarify mail handling procedures so that taxpayer correspondence from the walk-in area, Collection sealed bids, and letters or packages received that were outside IRS control are x-rayed or subject to other appropriate screening and opened in a designated centralized mailroom. This memorandum can also include requirements to periodically perform maintenance and calibration on all x-ray machines.
Management’s Response: Because the IRS Deputy Commissioner has already issued memoranda for both campuses and field locations that provide specific mail-handling guidance, AWSS management will not issue any more memoranda on the subject. They will emphasize mail-handling procedures as part of the Campus Readiness process for the upcoming filing season. The maintenance and calibration of x-ray machines and security equipment was addressed in the corrective actions for recommendation 2.
The IRS Deputy Commissioner issued a memorandum, dated November 2, 2001, requiring facilities management officers to update the Occupant Emergency Plan (OEP) for each location no later than November 6, 2001. The FPS is responsible for conducting annual reviews to ensure the OEPs are current and adequate. In subsequent memoranda, the Deputy Commissioner required all employees who extract mail to receive hazardous material awareness information and training. Also, the IRS requires all potential and significant incidents, and unusual situations that may affect the operations of the IRS, to be reported as quickly as possible. We identified the following instances.
In the event of an emergency, properly developed and current OEPs can reduce the threat to personnel, property, and other assets, while minimizing work disruption. Prompt reporting of incidents is essential to advise all levels of management of conditions that affect the operations of the IRS, as well as allow analysis of the information for trends.
We recommend that the Chief, AWSS:
5. Issue an all employee memorandum to re-emphasize that OEPs should be updated at least once a year, or when personnel changes, or a significant change in tenant occupancy occurs, and to clarify and reinforce escalation procedures.
Management’s Response: AWSS management agreed that they must re-emphasize annually the need to update OEPs. However, an all-employee memorandum is not the appropriate vehicle in this situation since the IRS only controls the OEPs for the 14 delegated sites. They will emphasize OEP review, including escalation procedures, as part of the annual Campus Readiness process at these delegated sites.
6. When allocating new funds, consider installing permanent telephones in all mailrooms to allow for the immediate reporting of incidents, ventilation cut-off switches accessible to IRS employees, and high quality filters in the vacuum system to better capture potentially dangerous substances.
Management’s Response: The REFM Division will contact the Digital Communications Office in the Modernization & Information Technology Services organization to pursue implementation of telephone service in all mailrooms. In addition, AWSS management has isolated the Receipt and Control ventilation systems for the 14 delegated sites, and has ordered high quality filters for the mail opening and sorting equipment used at the campuses and the IRS main headquarters building. These filters will be delivered in October 2002, and the manufacturer will do the initial installation and train IRS equipment operators on proper installation, removal, and disposal procedures.
The overall objective of this review was to evaluate the effectiveness of physical security measures implemented at Internal Revenue Service (IRS) facilities. To accomplish our objective, we conducted the following audit steps at the Agency-Wide Shared Services Headquarters office, ***(b)(7)(F)***.
I. Identified what the IRS had done in the area of physical security and employee safety as a result of September 11, 2001. Specifically, we reviewed prior physical security reviews and the statuses of their implementation, the Threat Assessments and Security Reviews required by the Deputy Commissioner for a judgmental sample of 48 of 752 sites (selected using interval sampling on sites sorted by square footage), physical security incident reports, the Consolidated Physical Security Standards for IRS facilities, and physical security requirements and standards. We also contacted the Treasury Inspector General for Tax Administration, Office of Investigations, to identify any potential threats and/or current investigations at sites selected for review.
II. Determined how well IRS buildings are protected against unauthorized entry for the eight sites selected for our review. Specifically, we conducted after hours checks on the strength of security at the entry points and conducted a walk-through of the buildings, evaluated local procedures and security measures on permitting individuals into the buildings, and interviewed security guards to identify their roles, responsibilities, and enforcement capabilities.
III. Determined how well the perimeters of IRS buildings are protected against explosive threats for the eight sites selected for our review. Specifically, we conducted after hours checks on security measures implemented around the building perimeter and a walk-through of the buildings, evaluated local procedures on protecting and monitoring the building perimeters, and interviewed security guards to identify the capabilities and limitations of the security cameras, and what security measures had been considered and taken to protect the buildings from car attacks.
IV. Determined how well the IRS is protected against biological threats received via mail for the eight sites selected for our review. Specifically, we evaluated local procedures on mail handling to ensure all mail is subjected to the same requirements and opened in a designated area equipped with the necessary security precautions, and interviewed employees who handle mail to determine if they had received training and are aware of the procedures for processing mail.
V. Determined if the incident response handling procedures are adequate and effective at minimizing the risks of external threats, unauthorized access, and bio-chemical attacks for the eight sites selected for our review. Specifically, we reviewed the Occupant Emergency Plans to ensure information is current, and roles and responsibilities are clear and defined, interviewed employees and managers to verify everyone is aware of the procedures, and contacted the local fire departments to discuss concerns and/or issues they identified.
Scott E. Wilson, Assistant Inspector General for Audit (Information Systems Programs)
Steve Mullins, Director
Kent Sagara, Audit Manager
Harry Dougherty, Senior Auditor
Jody Kitazono, Senior Auditor
Louis Lee, Senior Auditor
Larry Reimer, Senior Auditor
Dave Hodge, Auditor
Joan Raniolo, Auditor
William Simmons, Auditor
Deputy Commissioner N:DC
Deputy Commissioner for Modernization & Chief Information Officer M
Deputy Chief, Agency-Wide Shared Services A
Chief, Security Services M:S
Director, Real Estate and Facilities Management A:RE
Director, Facilities Operations A:RE:O
Director, Safety and Security A:RE:S
Director, Mission Assurance M:S:A
Director, Security Policy Support and Oversight M:S:S
Management Control Coordinator A
Deputy Chief Financial Officer, Department of the Treasury
The chart was removed due to its size. To see the chart, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.***(b)(7)(F)***
The response was removed due to its size. To see the response, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.