TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION
Improvements Are Needed to the Information Security Program Governance Process
Issued on March 11, 2008
Highlights
Highlights of Report Number: 2008-20-076 to the Internal Revenue Service Chief Information Officer.
IMPACT ON TAXPAYERS
The Internal Revenue Service (IRS) is responsible for developing an effective information security governance process that complies with Federal Government standards. The IRS could make improvements in monitoring compliance with security policies and procedures and in issuing security guidance for all employees to follow.
Until improvements are made, security weaknesses are more likely to occur, and the IRS cannot provide assurance that systems containing sensitive taxpayer data are adequately protected from security breaches.
WHY TIGTA DID THE AUDIT
This audit was initiated to determine whether the IRS monitored compliance with security policies and procedures and developed sufficient information security guidance. This review was included in the TIGTA Fiscal Year 2008 Annual Audit Plan and was part of the Information Systems Programs unit's statutory requirements to annually review the adequacy and security of IRS technology.
WHAT TIGTA FOUND
The IRS has taken insufficient actions to monitor and enforce compliance with security policies and procedures, resulting in weaknesses that put the security and privacy of tax information at risk.
Actions taken to correct security weaknesses were not validated, testing to verify compliance with security configurations was not adequate, security incidents were not adequately analyzed for underlying causes, compliance with continuous monitoring requirements was not enforced, and metrics to measure the effectiveness of security measures were not developed.
While the Cybersecurity organization is primarily responsible for monitoring compliance with security guidance, the Modernization and Information Technology Services organization and each of the business functions are responsible for implementing the guidance. In a bureau as large and diverse as the IRS, it is difficult for one office to enforce implementation across organizational lines.
The Cybersecurity organization has developed security guidance that meets standards for 9 of 12 security areas. Guidance for the system development life cycle, capital planning, and acquisition of security services and products did not include all necessary considerations to meet requirements and made references to obsolete standards and controls.
WHAT TIGTA RECOMMENDED
The Chief Information Officer, through the Security Services and Privacy Executive Steering Committee, should require system owners to report on progress in addressing actions to correct security weaknesses. The Cybersecurity organization should improve the verification of compliance with standard configurations; analyze security incidents to identify common or systemic underlying weaknesses; ensure system owners prepare continuous monitoring plans; develop quantifiable security metrics based on IRS information security goals and objectives; coordinate with IRS executives to complete security guidance regarding the system development life cycle, capital planning, and acquisition of services; improve the Cybersecurity organization Intranet web site to facilitate easy access to security guidance; and develop a system to notify employees and contractors of changes in security guidance.
In their response to the report, IRS officials agreed with all of the recommendations. The Cybersecurity organization plans to address the issues noted in the report and implement all recommendations as stated. The Security Services and Privacy Executive Steering Committee plans to take an active role in overseeing these actions and use the results to improve security in the IRS.
READ THE FULL REPORT
To view the report, including the scope, methodology, and full IRS response, go to:
http://www.treas.gov/tigta/auditreports/2008reports/200820076fr.html
Email Address: inquiries@tigta.treas.gov
Phone Number: 202-622-6500
Web Site: http://www.tigta.gov