Many Advances Made, But Additional Emphasis Is Needed on Key Initiatives in the Security Services Organization
Reference Number: 2003-20-005
This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.
October 4, 2002
DEPUTY COMMISSIONER FOR MODERNIZATION & CHIEF INFORMATION OFFICER
FROM: Pamela J. Gardiner
Acting Inspector General
SUBJECT: Final Audit Report - Many Advances Made, But Additional Emphasis Is Needed on Key Initiatives in the Security Services Organization (Audit # 200220022)
This report presents the results of our review of key initiatives in the Security Services organization. The overall objective of this review was to evaluate the effectiveness of selected activities performed by the Security Services organization. We undertook this review to assist us in making our annual evaluation of the Internal Revenue Service’s (IRS) technology security program and practices.
In summary, a successful security program relies on both the managers in the IRS’ business units and the Chief Information Officer’s (CIO) staff to develop and enforce security policies. Office of Management and Budget (OMB) policy states that functional managers are primarily responsible for the security of systems under their control. The CIO’s office must administer the program by coordinating with managers in business units to provide a strategic view of the agency’s crosscutting security needs. In the IRS, this function is carried out by Security Services.
Since its establishment in 1997, Security Services has been responsible for increasing the attention given to technology security issues within the IRS. Security Services has made many significant advances including a much stronger virus protection program, the establishment of the Computer Security Incident Response Center, effective efforts made in response to the terrorist activities of September 11, 2001, and subsequent anthrax attacks, improvements made in IRS-wide disaster recovery capabilities, particularly at the computing centers, and increasing the number of systems that have been certified. Significant progress has also been made in establishing a Common Operating Environment to standardize software and security features on employees’ computers.
Still, we believe Security Services could continue to improve security in the IRS by placing more emphasis on a few key areas. Increased emphasis in the areas noted below will help to ensure that computer security controls are being effectively implemented and operating as intended to reduce risks.
· Policies for some key security issues have not been developed. Those policies that have been developed have taken up to several years before being issued. The IRS remains unnecessarily vulnerable to security attacks while these policies are being developed.
· Security Services did conduct reviews of key IRS facilities during the year. However, Federal law requires functional managers to annually review the security of the systems for which they are accountable. To our knowledge, none of these reviews were conducted. Security Services officials believed that their facilities reviews achieved the intent of the law. Without the annual system reviews, however, the IRS has only limited assurance that the appropriate policies and procedures have been developed and implemented and that system controls integrate with other IRS systems.
· While Security Services uses various methods and techniques to provide computer security awareness, it does not have a systematic method for evaluating whether these activities are having a positive effect. Having such information would enable Security Services management to better direct its computer security awareness activities to the topics and audiences that need the most attention.
· The computer security training program needs improvement. Until recently, Security Services had deferred to business unit managers to ensure that required training took place and to a group of Information Systems personnel in the Midwest area to develop curricula. Although recommended by standards-setting organizations, computer security training in the IRS is not role-based, a system is not in place to accurately track the training employees attend, and methods do not exist to determine whether employees have learned, retained, and applied what they have been taught. Based on our limited sample, employees may not be receiving adequate training. As a result, systems may be unnecessarily at risk.
Security Services developed an effective monitoring tool to help track progress on these and other key security issues. Actions were initiated to reduce security vulnerabilities in each of 15 areas. Quarterly reviews are conducted to evaluate progress and to highlight specific areas needing further improvement.
We recommended that resources be assigned to develop policies for key security issues and that the process for vetting policies be streamlined. Upfront involvement by functional users could expedite the approval process. Functional managers should conduct annual system reviews to comply with the Government Information Security Reform Act (GISRA) and Security Services should assist, using tools mandated by the OMB. Security Services should develop techniques to gain feedback on awareness activities and develop a more formal training program for employees with key security responsibilities.
Copies of this report are also being sent to the IRS managers who are affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Scott E. Wilson, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.
Federal law and policy state that functional managers are primarily responsible for the security of their systems and must assess the risks for each of those systems. The Chief Information Officer (CIO) is responsible for administering the security program and providing a strategic view of security issues that cut across these systems. In the Internal Revenue Service (IRS), this responsibility has been given to the Chief, Security Services.
Security Services (formerly the Office of Security) was established in 1997 to create corporate solutions for Agency-wide computer security problems. Security Services’ responsibility is to focus on a continuous program of evaluating and improving the IRS’ security program and processes and to work with management to drive solutions, develop sound security processes, and establish mechanisms that support IRS functional managers in assessing security risks and making decisions regarding those risks.
Evaluating and improving security in the IRS is a difficult challenge. Unscrupulous employees may have access to sensitive taxpayer data maintained by the IRS. Also, as the primary revenue collector for the United States, the IRS is a target for both terrorists and hackers. This threat has increased with more interconnectivity of computer systems.
We performed our audit work between January and May 2002 at the Security Services office in IRS National Headquarters. The audit was conducted in accordance with Government Auditing Standards. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.
Since its inception in 1997, Security Services has focused increased attention on the issue of computer security within the IRS. Its primary focus has been to address issues that have posed significant security risks for the IRS. For example:
· Corrective actions were taken that resulted in a much stronger virus protection program.
· The Computer Security Incident Response Center has significantly enhanced the intrusion detection efforts within the IRS.
· Security controls were enhanced at all IRS campuses in response to the terrorist activities of September 11, 2001, and subsequent anthrax attacks. Related improvements have been made in IRS-wide disaster recovery capabilities, particularly at the computing centers.
· The number of systems that have been certified has increased. As of May 2002, the IRS reported that 39 percent of its systems had been certified, ensuring that they contain appropriate security controls necessary to protect against system breaches. While this is still a relatively low percentage, progress has been made since 2000, when only 10 percent of its systems were certified.
· A major effort has been made to ensure security features are included in new systems before they are “rolled out.”
· A significant effort has been made to implement the Common Operating Environment (COE) that provides IRS end-users with a uniform set of applications and common software features. The COE provides a means to affect what an end-user can and cannot do, by enabling or disabling specific features of the operating system and computer applications.
Overall, Security Services has made significant strides in addressing security issues, particularly with a limited staff. However, additional improvements are needed in the following key areas.
In February 2002, the IRS asked the MITRE Corporation to provide an analysis to identify gaps between Federal/Department of the Treasury requirements and IRS security policies. MITRE identified policy gaps in 12 areas including the following:
· Continuity of Operations Plans.
· Classified Systems.
· Credit Card Security on the Internet.
· Electronic Signatures.
· Financial Management System Controls.
· Internet mechanisms, including CGI Scripts and ActiveX.
· Storage and Labeling of Limited Official Use Data.
· Records Management.
· Threat Coordination.
The IRS has begun work on the Continuity of Operations Plans. However, policies have not been developed to address the other policy gaps.
The development of policies often takes an unreasonable length of time, even for critical security issues. For example, guidance for administering the Windows NT operating system used throughout the IRS took several years to develop. The IRS is estimating that critical policies over the configuration of Internet gateways, which control information to and from the Internet, will take 15 months to issue from the date the need to do so was identified.
A policy for the Intrusion Detection System and firewalls is also taking an unreasonable amount of time to develop. The MITRE Corporation, under another contract, had delivered guidance, standards, and procedures in February 2002. The Deputy Director, Computer Security for Incident Response, is now in the process of making some changes and updates to that guidance. The guidance will then undergo the vetting process and then be submitted to the Technology Security Committee headed by the Deputy Commissioner for Modernization & CIO. Final guidance is now expected to be delivered by September 2002 but could take even longer.
We attribute these policy gaps to a lack of emphasis by Security Services and to an unnecessarily lengthy vetting process used by the IRS. Guidelines have to go through a process whereby all the affected parties in the IRS review the guidelines and offer their concerns, problems, and suggestions that Security Services then tries to address. The vetting process takes months.
While the policies and guidance are being developed, the vulnerabilities and risks are still left unresolved. Computer security issues change rapidly with additional risks and exposures to IRS systems occurring daily. The process of policy development and implementation should be streamlined to keep pace and afford protection of systems and infrastructure.
The Deputy Commissioner for Modernization & CIO should:
1. Assign the necessary resources to address the critical policy gaps and accelerate estimated completion dates for draft policies and guidance.
Management’s Response: Management, in effect, disagreed with this recommendation by stating that policies existed for many of the areas that we indicated need to be developed.
Office of Audit Comment: Although Security Services indicates that policies do exist for seven of the nine areas indicated in our report, the references provided do not include clear policy statements. We concur with the MITRE study, which concluded that well-developed and publicized policies in these areas need to be completed.
2. Accelerate the vetting process. We recognize that input from functional users is critical to the success of all security policies. Rather than wait until guidance is drafted, we suggest that user representatives be assigned early to assist in the development of the policies. The vetting process could also be accelerated by establishing and adhering to tight time frames for review and comment.
Management’s Response: Management, in effect, disagreed with this recommendation by stating that their policy vetting process is sufficient as it now exists.
Office of Audit Comment: Implementation of security policies has taken, in some cases, years to be developed. As noted in the report, for example, guidance for administering the Windows NT operating system used throughout the IRS took several years to develop. We anticipate that the policy development process should improve with the implementation of the Security Governance structure initiated during our audit.
Security Services’ oversight responsibilities have been assigned to Security Policy Support and Oversight. This office carries out these responsibilities primarily by conducting physical security checks, automated network scans, and other facilities-based reviews. Between May 2001 and April 2002, it conducted 27 reviews of IRS facilities and performed network reviews at 10 service centers. The system reviews were limited to the use of scanning software. Weaknesses were identified and recommendations to improve security were made.
The Government Information Security Reform Act (GISRA) also requires that appropriate senior functional officials annually test and evaluate information security controls and techniques on the systems assigned to them. The Office of Management and Budget (OMB) states that the CIO should assist functional officials in understanding and addressing risks, especially the increased risk resulting from interconnecting with other programs and systems over which the functional officials have little or no control. The OMB suggests that, to promote consistent reviews and reporting across the government, functional officials should use the CIO Council’s Federal Information Technology Security Assessment Framework and National Institute of Standards and Technology (NIST) guidance as a basis.
IRS business unit officials had not conducted any security reviews in Fiscal Years (FY) 2001 and 2002, to date. Security Services did not play an active role in encouraging and assisting in these reviews because it believes that it meets the intent of the GISRA through its facility reviews. The Chief, Security Services, believes that the office’s methodology provides a more comprehensive, enterprise-wide approach for assessing the IRS’ security programs than would be provided by using a system-by-system approach.
Security Services also believes that the GISRA and OMB guidance are subject to many different interpretations and that the OMB did not provide sufficient or timely guidance to agencies to clarify expectations. Security Services did not believe the OMB intended agencies to apply the review guidance to each IRS sensitive system.
We followed up with the OMB and confirmed it intended that each system be reviewed annually using the NIST framework. The OMB clarified this issue in guidance issued for GISRA reporting in FY 2002.
We believe that both the facility reviews conducted by the IRS and the annual system reviews required by the OMB are necessary to determine the acceptable level of risk and to maintain an adequate level of security. Facility reviews give some assurance of the adequacy of physical, operating system, and network security. However, without the sensitive system reviews, the IRS cannot fully assess whether security policies and procedures have been consistently implemented, and whether operational, management, and technical controls are functioning as intended for its sensitive systems.
Conducting annual system reviews should promote accountability for functional executives and ensure that security controls enable, but do not unnecessarily impede, business operations.
The Deputy Commissioner for Modernization & CIO should:
3. Require responsible functional officials to assess each agency-wide system at least annually to comply with existing law and policy. Functional officials should develop action plans for all sensitive application weaknesses and coordinate with Security Services to correct those weaknesses. Per the OMB, the scope of the annual reviews can vary depending on risk, prior reviews, and the status of corrective actions for previously identified system weaknesses.
Management’s Response: Security Services has activities underway to identify and define the roles and responsibilities of the functional officials for conducting annual system reviews, in partnership with the business units. Management anticipates addressing this issue over the next 18 months. However, Security Services believes its current technical assessments, which include some systems reviews, substantially reduce the risks of functional officials not fulfilling their GISRA responsibilities for conducting annual assessments of their sensitive systems.
4. Assist functional managers in complying with the intent of GISRA and OMB requirements by:
· Participating with functional officials in conducting the required annual program reviews. To meet this responsibility, it may be necessary to divert some resources currently used by Security Policy Support and Oversight in its facility reviews.
· Including the results of the program reviews in the annual self-assessment provided to the Department of the Treasury.
· Including the weaknesses identified in the program reviews in the Plan of Action and Milestones.
Management’s Response: Management is making improvements to comply with GISRA and OMB requirements. Activities are underway to identify and define the roles and responsibilities of the functional officials for conducting annual program assessments, in partnership with the business units. As functional officials implement the defined roles and responsibilities, their results will be included in the annual self-assessment and Plan of Action and Milestones provided to the Department of the Treasury. Management anticipates addressing these issues over the next 18 months.
Another function of Security Services is to promote security awareness for all IRS employees. The Security Awareness Program Office is charged with carrying out this responsibility. We consider employee awareness of security risks to be perhaps the weakest link in protecting taxpayer data and assets from disclosure or loss. For example, in a prior TIGTA review, 71 of 100 employees we contacted were willing to change their password to one provided by a caller pretending to work on the Help Desk.
Security Services has provided a wide variety of computer security awareness activities using various methods and techniques as recommended by the NIST and the General Accounting Office (GAO). However, it does not have assurance that its efforts are having a positive effect.
Security Services does not have a systematic method for regularly obtaining information or data on the impact of its computer security awareness activities. Such information could be used to evaluate the effectiveness of these activities, help measure trends in whether employee computer security awareness is improving or decreasing, and help redirect computer security awareness activities to the topics and audiences that need the most attention.
The NIST and the GAO recommend that computer security awareness activities include:
· Using test measures, such as true/false or multiple-choice questions, to ascertain what has been learned and retained.
· Using incident reports to monitor for noncompliance with computer security.
· Observing how well employees follow recommended security procedures.
· Conducting periodic tests by contacting employees directly to measure their security awareness.
Another potential source for analyzing trends in employee computer security awareness is the IRS’ Automated Labor and Employee Relations Tracking System (ALERTS). The ALERTS contains a database of employee relation cases that may result in disciplinary and adverse actions. The ALERTS coding system tracks cases involving unauthorized access to tax return or return information and misuse of the Internet and e-mail systems.
Security Services does not use any of these methods to evaluate the effectiveness of its computer security awareness activities. Security Services officials advised that the IRS generally does not test employees to determine what they have learned or retained from training. They advised that their responsibility ends with providing the awareness, with the only testing accomplished during the periodic compliance reviews conducted by Security Policy Support and Oversight.
By not tracking and evaluating its security awareness efforts, the IRS cannot determine whether employees understand their security responsibilities. Employees could commit security breaches knowingly or unknowingly that result in loss or unauthorized disclosure of taxpayer data. Also, awareness activities may not be targeted to the appropriate audience, which could result in unnecessary costs.
To better assess the effectiveness of computer security awareness activities, the Deputy Commissioner for Modernization & CIO should:
5. Consider testing security awareness by surveying selected employees as part of the annual computer security awareness week activities, performing direct contact tests to assess employees’ awareness of computer security, reviewing data available in the ALERTS and incident reports to identify trends, and targeting awareness activities to those trends.
Management’s Response: Management will explore various assessment methods and techniques for evaluating the effectiveness of their computer security awareness activities. The Security Awareness Program Office will continue to develop and improve tools for obtaining feedback on computer security awareness activities and responding with targeted awareness activities. The School of Information Technology (SIT) is improving its ability to identify trends, and the Security Awareness Program Office will work closely with security officers to develop annual security awareness training that employees receive. Management anticipates addressing these issues over the next 18 months.
The NIST and the GAO recommend that:
· Computer security training should be role-based. Role-based learning focuses on the job functions employees perform rather than on their job titles. It provides security training that satisfies the specific requirements of an employee’s role.
· A system for effectively tracking each employee’s training should be in place.
· Methods should be employed for determining whether employees have learned and retained what they have been taught and whether their performance has improved. Some of the better methods that can be used to help measure this are various types of testing that take place before and at the end of courses and feedback from supervisors on whether employee performance has improved.
IRS employees with key security responsibilities are dispersed in many locations throughout the organization. Many report to the Deputy Commissioner for Modernization & CIO, but others report to functional managers. Ensuring that each of these employees receives the appropriate training for his or her role is a difficult challenge. Currently, IRS computer security training does not follow any of the NIST and GAO recommendations.
Curricula for key security roles have not been developed. The SIT operated by the Midstates Area had begun developing employee skill sets based on the job functions employees perform and with the intent of identifying specific training that will provide employees the needed skills. These initiatives have no formal or approved plans that set forth the tasks to be performed, the persons assigned to these tasks, time frames for completing them, and expected deliverables. Without the expertise and vision of employees in Security Services, we believe it a high risk that the training will not be on target.
In addition, a reliable system is not in place to track employees’ training. The IRS uses a national database for storing training data on employees; however, the data are not kept current. As a result, the IRS cannot determine the number of employees given security training, the types of training provided, and the costs of the training. Plans are not in place to replace this system.
Also, testing and other follow-up techniques are not used to determine whether training was successful. The IRS cannot determine whether employees have learned and retained what they have been taught and whether their performance has improved.
As a result, Security Services has no assurance that employees are adequately skilled to perform computer security duties, which could place systems at unnecessary risk.
Security Services had not sufficiently overseen, directed, and guided these initiatives. Instead, it had deferred to the SIT for the development of the security training program. Functional managers submitted their training requests directly to the SIT.
Security Services believed that functional managers were in the best position to decide their staffs’ training needs and assumed that these managers provided it. Security Services placed the responsibility on the managers for being aware of their staffs’ current assignments and ensuring that the training received was commensurate with the employees’ assignment and put into practice immediately. Security Services also believed that correcting the training database was not its responsibility.
Near the end of our review, Security Services committed to defining those skills necessary for employees with security responsibilities and assisting in devising curricula for acquiring needed skills. We still believe that Security Services is in the best position to also oversee and track training to ensure a consistent skill level is maintained for these key employees.
The Deputy Commissioner for Modernization & CIO should:
6. Take overall responsibility for providing security training. Curricula should be developed for each key security role. Consideration should be given to requiring annual minimum continuing professional education credits. Training given to employees with key security responsibilities should be tracked, and methods for determining whether employees learn and retain what they have been taught need to be developed and used.
Management’s Response: Management has activities underway to identify, define, and track competency-based security training. These activities will identify security-related training needs of defined security roles, validate and update courses, communicate training opportunities and guidance to key personnel, complete development of e-learning tools, and begin quarterly monitoring of course participation. Management anticipates addressing these activities over the next 18 months. The SIT is improving its ability to identify participation and trends through the service-wide training system it maintains. Additional employee security training assessment tools and methods will require coordination with the National Treasury Employees Union.
Security Services developed a framework that identifies the key security responsibilities of Federal agencies. It is linked to the 15 security areas provided by the NIST. The framework, if used effectively, enables management to quickly identify the current status, barriers to improvement, responsible official, and expected completion date for corrective actions. The IRS has identified actions to reduce security vulnerabilities in each of the 15 areas and is tracking its progress during quarterly business performance reviews. The Department of the Treasury adopted the IRS’ framework for use in all bureaus.
The overall objective of this audit was to evaluate the effectiveness of selected activities performed by the Security Services organization. We undertook this review to assist us in making our annual evaluation of the Internal Revenue Service’s (IRS) security program and practices, as required by the Government Information Security Reform Act (GISRA). We expect many of the questions posed by the Office of Management and Budget (OMB) for the 2002 GISRA process to be centered on the activities of Security Services.
To accomplish our overall objective, we performed work on the following five sub-objectives:
I. Determined if Security Services provided the policies and procedures necessary to protect IRS data, personnel, and equipment.
A. Obtained the MITRE Corporation’s security policy and procedure gap analysis.
B. Obtained the IRS’ response to MITRE’s findings in the analysis and reviewed corrective actions proposed by the IRS. Determined if the response contained specific assignment of actions needed along with expected completion dates.
C. Based on other audit work, the Chief Information Officer (CIO) Council’s Federal Information Technology Security Assessment Framework, and guidance issued by the National Institute of Standards and Technology (NIST), determined if there were any policies and procedures not identified by MITRE’s policy and procedures gap analysis.
II. Determined if Security Services provided sufficient direction to functional executives in carrying out its required annual reviews and had adequate controls to monitor such reviews.
A. Identified applicable OMB requirements for the annual reviews.
B. Contacted the OMB and ascertained its intent regarding who is to perform the reviews and the review scope.
C. Determined Security Services’ understanding of OMB requirements regarding the annual reviews.
D. Documented the extent to which the annual reviews had been conducted by functional executives.
E. Documented the system that Security Services has in place to ensure that the reviews are performed.
F. Identified instructions and requirements that Security Services had provided to functional executives in carrying out their annual required reviews. Determined if the basis for these instructions and requirements was the CIO Council framework consisting of five questions for each sensitive system. Determined if:
1. The instructions required functional executives in coordination with Information Technology Services staff to annually review their risk assessments and security plans and system configuration settings for the systems they own.
2. The instructions were consistent with GISRA requirements for assigning responsibilities for accomplishing the required annual reviews.
III. Determined if Security Services provided sufficient direction on the types of training needed for specific security functions, and determined if it adequately monitored the delivery to ensure all security employees received the necessary training.
A. Obtained back-up documentation supporting the assessment and rationale for the training performance criteria assertions.
B. Obtained the tactical plan for the training assertions.
C. Compared the plan to NIST and Office of Personnel Management guidance on computer security training.
D. Interviewed key personnel for the training tactical plan.
E. Selected a sample of 20 employees with security responsibilities and obtained documentation to determine if they have had the required training.
IV. Determined if Security Services had taken sufficient actions to increase IRS employees’ awareness of their security responsibilities. Determined if:
A. Security Services had a designated organizational component responsible for carrying out computer security awareness activities.
B. There were standardized consequences for security violations.
C. The awareness training program included communicating to users the consequences of committing security violations.
D. Security Services was aware of violations that had occurred, and if so, determined what disciplinary actions were taken in these cases.
E. Listed all security awareness actions and compared them to NIST guidelines on implementing a good security awareness program.
V. Determined if Security Services had performed sufficient tests to ensure that security policies and procedures were implemented as prescribed.
A. Identified Security Evaluation and Oversight’s responsibilities for conducting periodic security control reviews at IRS facilities. Researched the Internal Revenue Manual and other applicable guidance.
B. Obtained a schedule of reviews planned and completed by type of facility for the last 2 fiscal years.
C. Compared the scope of its reviews with guidance provided by the CIO Council framework and NIST guidance.
D. Determined if it documented weaknesses identified in these reviews in its database and if it followed up to ensure the weaknesses were corrected.
Scott E. Wilson, Assistant Inspector General for Audit (Information Systems Programs)
Stephen Mullins, Director
Gerald H. Horn, Audit Manager
Richard T. Borst, Senior Auditor
Bret D. Hunter, Senior Auditor
David C. Hodge, Auditor
Joan Raniolo, Auditor
Deputy Commissioner N:DC
Chief, Security Services M:S
Chief Counsel CC
National Taxpayer Advocate TA
Director, Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis N:ADC:R:O
Office of Management Controls N:CFO:F:M
Deputy Commissioner for Modernization & Chief Information Officer M
Office of Security Services M:S
The response was removed due to its size. To see the complete response, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.