TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION
DISASTER RECOVERY ISSUES HAVE NOT BEEN EFFECTIVELY RESOLVED, BUT PROGRESS IS BEING MADE
Issued on February 29, 2008
Highlights
Highlights of Report Number: 2008-20-061 to the Internal Revenue Service Chief Information Officer.
IMPACT ON TAXPAYERS
The Internal Revenue Service (IRS) declared the Disaster Recovery Program a material weakness in March 2005 and is taking several actions to improve the Program. However, Disaster Recovery Program weaknesses have not been effectively resolved. As a result, the IRS cannot ensure minimal disruption to tax administration activities, which include the collection of approximately $2.7 trillion in revenue for the Federal Government and processing of more than 228 million tax returns.
WHY TIGTA DID THE AUDIT
This audit was initiated to determine the effectiveness of the corrective actions taken to resolve the previously reported disaster recovery material weaknesses.
Disaster recovery is an organization’s ability to respond to an interruption in services by implementing a plan to restore critical business functions. The Federal Information Security Management Act requires Federal Government agencies to identify and provide information security protections commensurate with the risk and magnitude of the harm resulting from the disruption or destruction of information.
WHAT TIGTA FOUND
On October 1, 2006, the IRS incorporated disaster recovery into the overall Computer Security Material Weakness Plan, identifying five corrective action components. Also, in October 2007 the IRS formed a new Disaster Recovery Program Office to provide oversight, accountability, and responsibility for developing and maintaining the IRS Enterprise Disaster Recovery Strategy.
In addition, our review determined that some corrective actions taken by the IRS in addressing prior audit recommendations have not been effectively implemented. For example, copies of the Disaster Recovery Plans were not stored at the recovery sites’ offsite storage facilities or centralized in designated electronic file locations. In one disaster recovery exercise, participants used a combination of the Disaster Recovery Exercise Plan (because a Disaster Recovery Plan was not available) and individual reference material they had brought to the exercise to recover the system(s). Evidence supporting tests of the offsite storage vendors’ ability to timely deliver all backup files and documentation to the disaster recovery site was not available. Finally, documentation was not provided to support the disaster recovery training strategy.
Our review of the disaster recovery-related Computer Security Material Weakness Plan corrective actions determined the actions have not been effectively implemented. The gap analysis (originally due October 1, 2005) of the current Modernization and Information Technology Services organization business resumption capabilities against business unit requirements for all major systems has not been completed. Items notated as critical in disaster recovery exercise summary reports were not always addressed in subsequent year testing. Disaster Recovery Plan documentation is not standardized, complete, or accurate. Finally, the IRS is not currently collecting and reporting metrics to assess progress and track improvements within the Disaster Recovery Program.
WHAT TIGTA RECOMMENDED
TIGTA recommended that the Chief Information Officer ensure all Disaster Recovery Plan documentation is standardized, complete, accurate, readily accessible in the event of disaster, detailed enough to be used verbatim to react to a worst-case scenario, and reviewed quarterly; ensure effective completion of tasks as required in disaster recovery guidance incorporated in the Internal Revenue Manual; ensure offsite storage vendors’ ability to timely deliver all disaster recovery backup files and documentation to the disaster recovery site using tests; ensure appropriate disaster recovery site personnel are identified and provided with annual training; ensure disaster recovery exercise lessons learned or action items deemed as critical are included in subsequent exercises; and ensure a permanent file is established for keeping documentation supporting closure of prior recommended corrective actions and completion of material weakness corrective action plan components.
In their response to the report, IRS officials agreed with the recommendations and plan to take appropriate corrective actions.
READ THE FULL REPORT
To view the report, including the scope, methodology, and full IRS response, go to: http://www.treas.gov/tigta/auditreports/2008reports/200820061fr.html.
Email Address: inquiries@tigta.treas.gov
Phone Number: 202-622-6500
Web Site: http://www.tigta.gov