Reference
Number: 2003-20-026
This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.
December 4,
2002
MEMORANDUM
FOR ACTING COMMISSIONER WENZEL
FROM: Gordon C. Milbourn III /s/ Gordon C. Milbourn III
Acting Deputy Inspector General for Audit
SUBJECT: Final Audit Report - The Internal Revenue Service Has Made
Substantial Progress in Its Business Continuity Program, but Continued Efforts
Are Needed (Audit # 200220041)
This report presents the
results of our review of the Internal
Revenue Service’s (IRS) Business Continuity Program. The
overall objective of this audit was to review the IRS’ policies and strategies
for business continuity and to determine the status of the IRS’ efforts in developing,
implementing, testing, and maintaining its Business Continuity Program.
In summary, the IRS has made
substantial progress in developing and implementing its Business Continuity
Program that includes disaster recovery, business resumption, and other related
efforts to ensure that IRS operations continue.
The IRS has
disaster recovery plans in place for the
computing centers, and business resumption and disaster recovery plans for the
IRS campuses. These plans have been
periodically tested and updated. The
IRS has also developed a continuity of operations
plan that will be used in restoring essential National Headquarters functions
during an emergency. In addition, the
IRS has improved physical security at its offices, taken steps to identify
critical assets, and increased the visibility of business continuity issues by
reporting them as material weaknesses under government financial reporting
requirements. See Appendix IV for
additional information on actions taken by the IRS.
The
IRS has placed organizational responsibility for coordinating its business
continuity efforts with the Security Services organization. Coordinating and controlling the IRS’
Business Continuity Program is
clearly a challenge in an organization with over 100,000 employees and over 750
buildings dispersed throughout the nation.
The
Security Executive Steering Committee (ESC) was established to provide
executive level oversight of the security program, including business
continuity. Other ESCs are also
involved in the oversight of business continuity issues. These include the Financial Management
Controls ESC and the Campus Business Resumption Steering Committee.
The IRS has recognized the overlapping responsibilities of the various ESCs in business continuity issues and the difficulties in managing issues involving all IRS Business Units. To improve the processes for reporting on and monitoring the Business Continuity Program, the IRS has started to develop a formal governance process. Because of the inherent difficulties in providing oversight for the numerous activities among the IRS Business Units, finalizing the governance process is necessary to enhance and assure organizational responsibility, accountability, and integration of the IRS’ Business Continuity Program.
Additionally,
the IRS has yet to clearly define functional duties, responsibilities, and
reporting relationships of the Business Continuity Program in sufficient
detail. While the Internal Revenue
Manual (IRM) assigns responsibilities for business continuity to “Heads of
Offices,” the IRS has not fully determined the executives to
whom this applies. For example, each of
the four IRS Business Units has executives in charge of its programs. However, in large IRS offices where more
than one Business Unit is present, it is not clear whether each executive is
responsible for developing individual business continuity plans or whether one
executive is responsible for developing these plans in each geographic
location. IRS management advised us
that the Senior Commissioner Representatives should have these
responsibilities.
To
improve the Business Continuity Program, we recommended that the Deputy
Commissioner clarify the business continuity responsibilities of the various
IRS organizations, offices, and executives, including defining organizational
expectations and roles and updating the IRM, and ensure that the business
continuity governance process documentation is completed and implemented.
Management’s Response: The Chief,
Security Services, concurred with our recommendations and indicated that
actions are underway for coordinating with the various organizational
components and executives managing the Business Continuity Program to clearly
define the roles, responsibilities, and expectations for each area. Management’s complete response to the draft
report is included as Appendix V.
Copies of this report are
also being sent to the IRS managers who are affected by the report
recommendations. Please contact me at
(202) 622-6510 if you have questions, or your staff may call Scott E. Wilson,
Assistant Inspector General for Audit (Information Systems Programs), at (202)
622-8510.
Appendix I – Detailed Objective, Scope, and Methodology
Appendix II – Major Contributors to This Report
Appendix III – Report Distribution List
Appendix V – Management’s Response to the Draft
Report
This report presents the results
of the Treasury Inspector General for Tax Administration’s review of the
Internal Revenue Service’s (IRS) efforts in the areas of business continuity
planning and management. The IRS uses
the phrases “disaster recovery” for the restoration of computing services and
“business resumption” for the restoration of operations at IRS sites. For the purposes of this report, the phrase
“business continuity” is used as an umbrella term to cover a family of
interrelated disciplines that includes disaster recovery, business resumption,
and all other services necessary to ensure the IRS’ essential functions are
returned to an operational status following a disaster.
Business continuity requirements are defined
in various government-wide documents including:
·
Presidential Decision Directive (PDD) 63, Critical
Infrastructure Protection, which requires agencies to identify and protect
critical infrastructures (physical and cyber-based systems) that are essential
to the minimum operations of the economy and government.
·
Federal Preparedness Circular 65, Federal Executive Branch Continuity of
Operations (COOP), which requires agencies to develop continuity of
operations plans and provides guidance for the plans’ contents.
·
Office of Management and
Budget (OMB) Circular A‑130, Management
of Federal Information Resources, which requires agencies to provide for
continuity of support and contingency planning for their general support
systems and major applications, respectively.
The IRS has placed organizational responsibility for coordinating its business continuity efforts in the Security Services organization within the Chief Information Officer’s Modernization Information Technology and Security Services (MITS) organization. However, various Executive Steering Committees (ESC) are also involved in these business continuity efforts. For example, the Security ESC, the Financial Management Controls ESC, and the Campus Business Resumption Steering Committee all provide some form of oversight in these efforts.
The audit was performed at the IRS National Headquarters and Martinsburg Computing Center from April to August 2002. This audit was conducted in accordance with Government Auditing Standards. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.
Managing and coordinating business continuity efforts in an organization with over 100,000 employees dispersed in over 750 buildings throughout the nation that are supported by 16 mainframe and 900 mid-range computer systems is clearly a challenge. The IRS is addressing this challenge and has already made considerable progress in improving its Business Continuity Program. For example, the IRS has:
·
Established the Security ESC chaired by the Deputy
Commissioner to provide executive level oversight to the security program,
including the Business Continuity Program.
·
Developed disaster recovery plans for the computing
centers and business resumption and disaster recovery plans for the IRS
campuses. These plans are periodically
tested and updated.
·
Obtained emergency funding from the OMB after the
September 11, 2001, disaster.
·
Initiated plans to improve the recovery capability of
its mainframe computers located at the computing centers. The IRS estimated it would take approximately
4 weeks to restore critical systems and 3 months to fully integrate and return
supporting systems to operational levels that existed prior to a disaster.
·
Developed a continuity of
operations plan for the IRS National Headquarters, established offsite
Situation Awareness and Management Centers (SAMC) for management’s use during
an emergency, and conducted a test of the continuity
of operations plan using one of the SAMCs.
·
Improved physical security at its offices by hiring
additional guards, and implemented new mail handling procedures.
·
Identified 19 critical assets, 18 critical business
processes (e.g., processing refunds, processing tax returns), and 6 critical
administrative processes (e.g., providing computing and communications
resources, providing procurement services) as required by federal
guidelines.
·
Recognized the
need to identify vital records in support of the 18 critical business processes
and to coordinate with the IRS’ Records Officer who is responsible for the IRS’
overall Vital Records Program.
·
Increased the visibility and management oversight of
business continuity issues by indicating, for example, Master File recovery as
a material weakness under government financial reporting requirements.
·
Updated the Internal Revenue Manual (IRM) business
continuity procedures.
We believe that the IRS’ collective activities, if properly
implemented, should significantly reduce the business continuity risks facing
the IRS.
Additional information on actions taken by
the IRS is included in Appendix IV.
OMB Circular A-123, Management Accountability and Control, requires the IRS to ensure that appropriate authority, responsibility, and accountability are defined and delegated to accomplish the mission of the organization and that an appropriate organizational structure is established to effectively carry out the program responsibilities.
The IRS’ Business Continuity Program is defined in the January 2002 IRM revision, which states that “the senior executive responsible for an IRS business function shall initiate and ensure that the Business Continuity Planning Program policy established by the Commissioner is followed and delegate implementation of the Business Continuity Program to Heads of Offices.”
The Security ESC, the Financial Management
Controls ESC, and the Campus Business Resumption Steering Committee provide
executive support of the IRS’ Business Continuity Program. The IRS has recognized the overlapping
responsibilities of the various ESCs and the difficulties in managing issues
involving all IRS Business Units. To
improve the processes for reporting on and monitoring the Business Continuity
Program, the IRS has begun developing a formal governance process. This will include documentation of the
oversight process for all security activities, including the Business Continuity
Program, and show the interrelationships among the various ESCs to improve
accountability and integration of program activities.
Because of the inherent difficulties in
providing oversight for numerous activities among the IRS Business Units,
finalizing the governance process is necessary to enhance and assure
organizational responsibility, accountability, and integration of the Business
Continuity Program. Finalizing this
process should also help ensure timely completion and adequate funding of
ongoing business continuity activities.
Use of the governance process will help enhance the IRS’ business
continuity capability.
Functional
responsibility for the Business Continuity Program involves all organizational
components of the IRS, including the Security Services organization that is
responsible for coordinating the IRS’ business continuity efforts. The Security Services organization is
supported by each of the IRS Business Units, the MITS organization that is
responsible for restoration of computer operations, and the Agency‑Wide
Shared Services organization that is responsible for addressing building
security issues and assuring the availability of vital paper and electronic
records. Due to the number of ongoing business
continuity activities involving representatives from each of the IRS Business
Units and several contractors, the Security Services organization has developed
a master list (called the IRS Mission Assurance Big Board) to assist in
monitoring the activities.
The IRS has
not clearly defined the functional duties, responsibilities,
and reporting relationships of the Business Continuity Program in sufficient
detail. While the IRM assigns
responsibilities for business continuity to “Heads of Offices,” the IRS has not
fully determined the executives to whom this applies. For example, each of the four IRS Business Units has executives
in charge of its programs. However, in
large IRS offices where more than one Business Unit is present, it is not clear
whether each executive is responsible for developing individual business continuity
plans, or whether one executive is responsible for developing these plans in
each geographic location. IRS
management advised us that the Senior Commissioner Representatives should have
these responsibilities.
Without fully defining and assigning the business continuity duties, responsibilities, and job titles involved, the IRS may not be able to restore mission essential functions (e.g., collecting and depositing taxes) within a reasonable period of time. The inability to restore IRS operations could have a direct impact on government revenues. For example, the IRS has estimated that lost interest revenue could total approximately $264.1 million if the Electronic Federal Tax Payment System was unable to collect taxes for 3 months. IRS officials indicated this amount could be significantly reduced if manual deposit procedures were used.
The Deputy Commissioner should:
1. Clarify the business continuity responsibilities of the various IRS organizations, offices, and executives, including defining organizational expectations and roles and updating the IRM.
Management’s Response: Management advised that actions are underway
for coordinating with the various IRS organizational components and executives
managing the Business Continuity Program to clearly define the roles,
responsibilities, and expectations for each area and for updating the IRM as
appropriate.
2. Ensure that the business continuity governance process documentation is completed and implemented. This process should include requirements for executive level monitoring of the numerous business continuity activities to assure they are integrated, timely, effectively completed, and adequately funded.
Management’s Response: Management advised that actions have been completed for ensuring that status reporting on outstanding business continuity activities is a standing agenda item on both the Operations Security Committee and the Security ESC. Actions are underway for drafting a business continuity action plan that uses a governance process for gaining enterprise-wide approval and commitment; this plan will be submitted to the Operations Security Committee and the Security ESC for approval.
Appendix I
Detailed Objective, Scope, and
Methodology
The overall
objective of this audit was to review the Internal Revenue Service’s (IRS)
policies and strategies for business continuity and to determine the status of
the IRS’ efforts in developing, implementing, testing, and maintaining its
business continuity efforts. This
review included an assessment of the status of the IRS’ business continuity
planning and management processes, based on interviews with Department of the
Treasury and IRS executive management responsible for these efforts, and the
review of documentation supporting the business continuity effort. Specifically, we:
|
I. |
Interviewed key executives and managers to obtain their assessment of the IRS’ business continuity planning and management processes, including the: |
|
|
|
|
- Chief, Security Services, and appropriate staff. - Director of Enterprise Operations. -
Critical Infrastructure Assurance Officer. -
Director of one IRS Computer Campus (formerly
called Service Centers). |
|
II. |
Determined the IRS’ status in its efforts to develop the necessary processes to protect its critical infrastructure systems. We reviewed IRS documentation prepared in response to requirements found in Presidential Decision Directives, Federal Emergency Management Agency guidelines, and Department of the Treasury regulations. The IRS documentation reviewed included: - Critical Infrastructure Protection Plan. - Business Continuity Plans. - Continuity of Operations Plans for mission critical systems. - Disaster Recovery Plans for mission critical systems. - System Security Plans for mission critical systems. A. For systems with completed planning documentation, assessed the processes used for monitoring, testing, and updating the plans. B. For systems with planning documentation still in development, determined time periods for completion and implementation. |
|
Appendix II
Major Contributors to This Report
Scott E. Wilson,
Assistant Inspector General for Audit (Information Systems Programs)
Gary Hinkle,
Director
Ted Grolimund,
Audit Manager
Leon Niemczak,
Audit Manager
Kevin Burke, Senior Auditor
Myron Gulley,
Senior Auditor
Timothy F. Greiner,
Auditor
Kim McManis,
Auditor
Appendix III
Deputy Commissioner for Modernization & Chief Information Officer M
Commissioner, Large and Mid-Size Business Division LM
Commissioner, Small Business/Self-Employed Division S
Commissioner, Tax Exempt and Government Entities Division T
Commissioner, Wage and Investment Division W
Chief, Agency-Wide Shared Services A
Chief, Information Technology Services M:I
Chief, Security Services M:S
Director, Mission Assurance M:S:A
Chief Counsel CC
National Taxpayer Advocate TA
Director, Legislative Affairs CL:LA
Director, Office of Program
Evaluation and Risk Analysis N:ADC:R:O
Office of Management Controls N:CFO:F:M
Audit Liaison:
Director, Security Policy Support and Oversight M:S:S
Appendix IV
|
Activities |
Description |
Status |
Responsible
Organization |
|
Established the Security Executive Steering Committee (ESC) |
Monitors business continuity activities and coordinates the Internal Revenue Service’s (IRS) business continuity activities. |
· Governance documents are in draft. |
Administered by the Modernization Information Technology and Security Services (MITS) organization and chaired by the Deputy Commissioner. |
|
Established the Financial Management Controls ESC |
Monitors actions taken to correct material control weaknesses in the IRS’ processes. |
· On going. |
The Deputy Commissioner chairs the Financial Management Controls ESC. |
|
Established Campus Business Resumption Steering Committee |
Provides guidance and program oversight to the campuses (formerly called Service Centers) and monitors their business resumption planning activities. |
· Established in 1998. · Provides on-going direction and includes documenting, testing, and updating resumption plans at IRS campuses. |
Chaired by the Director of the Andover Campus. |
|
Produced a National Headquarters Continuity of Operations (COOP) Plan |
The IRS produced and updated a National Headquarters COOP plan. This Plan is used to ensure National Headquarters business continuity and is based on the guidance contained in Federal Preparedness Circular 65. |
· A test was conducted in August 2002. |
MITS |
|
Implemented the Situation Awareness and Management Centers (SAMC) |
Designed
to bring decision makers together in an environment to obtain ongoing
incident information and to provide managed responses. |
· A SAMC has been developed. · Alternate sites have been determined for the SAMC. · Processes are being refined. · Tests are being developed and planned. |
MITS |
|
Provided Data to the National Critical Infrastructure Assurance Office (NCIAO) |
The government-wide process to identify Critical Infrastructure Protection Assets in support of Presidential Decision Directive (PDD) 63. |
· Identified six IRS assets as being among the Department of the Treasury’s most relevant PDD 63 assets. · Identifying business processes associated with these six assets. · Identifying significant public and private sector interdependencies. |
MITS |
|
Established Mission Assurance Function |
The MITS organization has designated an organization
within the Security Services organization to be responsible for coordinating
the IRS’ business continuity activities.
|
· Organization is not fully staffed. · Obtained funding for contractor support. |
MITS |
|
Created Business Continuity Case for Action |
Provides a strategy for implementing the |
· Drafted business case for comment. |
MITS |
|
Activities |
Description |
Status |
Responsible Organization |
|
Developed
a Disaster Recovery Triplex Strategy |
The IRS has approved a plan to provide the capability to restore operations of critical systems within required time periods. |
· Initial funds have been allocated. · Full implementation of this capability is not expected before the 2nd quarter of Fiscal Year (FY) 2003. |
MITS |
|
Recognized the Need to Produce a Business
Continuity Project Management Plan |
To provide an overall management plan to guide in the development, coordination, direction, and implementation of the IRS’ business continuity efforts. |
· The
IRS has assigned contractors to develop an overall plan by |
MITS |
|
Initiated Business
Continuity Critical Process Mapping |
Compilation of critical data needed to assist IRS officials in the event of a crisis affecting any IRS facility, including vital records. |
· Identified
· Identified six administrative processes. · In the process of mapping processes to locations, vital records, essential personnel, outage times, and supporting information technology systems. |
MITS |
|
Updated
and Issued Internal Revenue Manual (IRM) |
Section 2510 of the IRM defines the IRS’ Business Continuity Program. |
·
Issued in |
MITS |
|
Developing Governance Document |
Provides mission statements and other documents for defining responsibilities, oversight, and reporting requirements. |
· Mission statements have been drafted. · Governance documents have been produced and circulated for comment. |
MITS |
|
Performed Facility Risk Assessments |
Physical security risk assessments of IRS facilities. The IRS has over 750 facilities. |
· Completed
· An
additional |
Agency-Wide Shared Services (AWSS) |
|
Determined Whether Occupant Emergency Plans (OEP) Existed
at IRS Offices |
The OEP is a document containing instructions to employees on what to do during an emergency, such as a fire, a power outage, a bomb threat, etc. Every IRS location is required to have an updated OEP. |
· The AWSS function has requested that regional facilities managers verify that all OEPs exist and are current. |
AWSS |
|
Revised
Mail
Handling Procedures |
Procedures
were developed and implemented to protect employees and to isolate and
contain dangerous substances while processing mail. |
· Implemented. |
Coordinated by the Security ESC chaired by the Deputy Commissioner. |
Source:
Compiled by the Treasury Inspector General for Tax Administration from
various IRS sources.
Appendix V
The response was removed due to its size. To see the complete response, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.