Computer System Access Controls Over Contractors Need to Be Improved
July 24, 2009
Reference Number: 2009-20-108
This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.
Redaction Legend:
3(d) = Identifying Information - Other Identifying Information of an Individual or Individuals
Phone Number: 202-622-6500
Email Address: inquiries@tigta.treas.gov
Web Site: http://www.tigta.gov
July 24, 2009
MEMORANDUM FOR CHIEF TECHNOLOGY OFFICER
FROM: Michael R. Phillips /s/ Michael R. Phillips
Deputy Inspector General for Audit
SUBJECT: Final Audit Report – Computer System Access Controls Over Contractors Need to Be Improved (Audit # 200820015)
This report presents the results of our review to determine whether the Internal Revenue Service (IRS) established and implemented effective computer access controls over contractors that have been hired to develop, operate, and maintain IRS computer systems. This review was included in the Treasury Inspector General for Tax Administration Fiscal Year 2008 Annual Audit Plan as part of the statutory requirements to annually review the adequacy and security of IRS information technology.
Impact on the Taxpayer
The IRS uses contractors to perform a variety of information technology functions, such as developing applications for IRS business operations and maintaining computer operations. To perform these functions, contractors are granted access to IRS computer systems. However, some contractors who no longer had a business need to have access had active user accounts on IRS systems. When contractors are allowed to have unnecessary access to computer systems, the IRS is increasing the risks of exposing taxpayer data to unauthorized disclosure and disruption of system operations.
Synopsis
We have previously reported[1] problems with contractors’ access to IRS computer systems. The underlying theme of the problems is the IRS’ inability to effectively control contractor access to its computer systems. One of the fundamental principles for effective computer security is restricting system access to only those systems for which individuals, including contractors, have a business need. The IRS has specific security policies and procedures governing access by employees and contractors to computer systems and taxpayer data.
Despite the IRS’ policies and procedures and our previous reports of inadequate oversight of contractor access to IRS computer systems, we identified system access control issues for contractors. From a sample of 7 IRS systems, we found that 53 of 376 contractors had active user accounts but did not have a business need for access to that system. These 53 contractors consisted of contractors whose job duties or access privileges had changed and no longer needed system access, contractors who had separated from the contract with the IRS, and contractors who had never logged onto the system or had not logged onto the system within 45 calendar days. We also identified 15 contractors whose system access was not deleted in a timely manner upon separation from the contract with the IRS. These contractors’ accesses were not removed from systems in a timely manner because responsible officials were not following security procedures and relied on systemic solutions to disable and delete user access to systems based on inactivity. Also, managers and Contracting Officer’s Technical Representatives[2] did not provide the necessary oversight of reviewing access privileges and notifying system owners when contractors no longer needed access.
We also identified 12 system development contractors who had access to the production environment of the system on which they worked and 39 system administration contractors who had database administrator privileges. ****(3d)**** Lastly, we found system accesses were not always authorized, documented, or recertified in a timely manner, and system accesses were granted prior to a background investigation being completed. We believe managers and security officers did not carry out their security roles and responsibilities over system access.
Recommendations
We recommended that the Chief Technology Officer 1) provide appropriate communications to all Contracting Officer’s Technical Representatives and managers reinforcing the need to ensure that system accesses are revoked when contractors leave the IRS and that separation of duties is followed, 2) enforce current procedures on all systems by configuring systems to automatically disable and/or delete user accounts when they are not accessed for the appropriate number of days, 3) provide appropriate communications to all Contracting Officer’s Technical Representatives and managers to remind them that they have the primary responsibility for providing prompt notification to the responsible organization of any contractor status changes, 4) provide appropriate communications to Contracting Officer’s Technical Representatives and managers that the Online 5081 system is the primary system used for authorizing and approving requests for any system access and that system access should not be granted until a contractor or employee has successfully completed a background investigation, and 5) improve accountability over employee and manager adherence with security policies and procedures over contractor system access.
Response
IRS management agreed with the recommendations. The Modernization and Information Technology Services Cybersecurity organization will coordinate with the Agency-Wide Shared Services Contractor Oversight Group to develop and deliver appropriate communications content to Contracting Officer’s Technical Representatives and managers that will 1) remind them of the notification responsibility, including annually reviewing access privileges to verify the continued need for access and, in accordance with existing IRS policy, suspending, cancelling, and/or adjusting contractor system access privileges; 2) address that after 45 calendar days have passed and the user is not recertified, procedures will be implemented to disable and remove or securely incapacitate the user account and access privileges; and 3) remind them of their obligation, in accordance with existing IRS policy, to separate contractors who do not adhere to security policies and procedures governing system access within 45 calendar days. Also, the Modernization and Information Technology Services organization will enforce system configuration settings to automatically disable contractors’ accounts after 45 calendar days of inactivity and will ensure accounts that are inactive for more than 90 calendar days are deleted or securely incapacitated based on the technical capabilities and requirements of each system and platform. Management’s complete response to the draft report is included as Appendix IV.
Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Margaret E. Begg, Acting Assistant Inspector General for Audit (Security and Information Technology Services), at (202) 622-8510.
Contractors Had Unnecessary Access to Computer Systems

Appendices
Appendix I – Detailed Objective, Scope, and Methodology
Appendix II – Major Contributors to This Report
Appendix III – Report Distribution List
Appendix IV – Management’s Response to the Draft Report
Abbreviations
COTR – Contracting Officer’s Technical Representative
IRS – Internal Revenue Service
MITS – Modernization and Information Technology Services
OL5081 – Online 5081
The Internal Revenue Service (IRS) relies extensively on contractors to provide information technology services and systems. These contractors perform a variety of information technology functions for the IRS, such as developing applications for business operations and maintaining computer operations. To perform these functions, contractors are granted access to IRS computer systems.
We have previously reported problems with contractors’ access to IRS computer systems. In March 2004, we reported[3] that contractors were not complying with IRS security procedures and IRS Procurement function officials were not aware of the security regulations pertaining to the contractors they were assigned to oversee. In September 2005, we conducted a followup review[4] and identified that Procurement function officials were still not fulfilling their responsibilities related to granting contractors access to IRS systems. We identified more than 1,000 contractors who were no longer working for the IRS but who could still sign on to IRS systems.
The underlying theme of these problems is the IRS’ inability to effectively control contractor access to its computer systems. One of the fundamental principles for effective computer security is restricting system access to only those systems and applications for which individuals, including contractors, have a business need. This concept of need-to-know and least privilege includes having appropriate persons authorize system access, having program managers and systems owners monitor system access to ensure access is still needed based on job responsibilities, and removing system access when the need no longer exists.
This review was performed at the IRS National Headquarters in New Carrollton, Maryland, and in Modernization and Information Technology Services (MITS) organization field offices located in
Contractors Had Unnecessary Access to Computer Systems
The IRS has specific security policies and procedures governing access by employees and contractors to computer systems and taxpayer data. However, our review identified two areas where contractors had unnecessary access to IRS computer systems and taxpayer data.
Contractors had active user accounts, but did not have a business need
The IRS has access control procedures and requirements that pertain to both IRS employees and contractors. These procedures include granting system access when the business need exists, applying the principles of need-to-know and least privilege, and taking away system access when the business need no longer exists. As a further control, the IRS requires disabling system access when no access has occurred within 45 calendar days and removing system access when no access has occurred within 90 calendar days.
Contractors are also subjected to further scrutiny from the Contracting Officer’s Technical Representative (COTR),[5] who is responsible for the contract under which the contractor was hired to work. The COTR’s duties include initiating access privileges for contractors, reviewing access privileges annually to verify the continued need for access, and notifying system owners in a timely manner when contractors no longer need access.
Despite these procedures, we identified contractors with active user accounts on IRS systems who no longer had a business need for that access. For a sample of 7 IRS systems, we identified that 53 (14 percent) of 376 contractors had active user accounts but did not have a business need for access to that system. We also identified five duplicate active user accounts for contractors on the systems we reviewed. The 53 contractors with active user accounts fell into the following exception categories:[6]
In addition to contractors who had active system access with no business need, we identified 15 contractors whose system access was not deleted in a timely manner upon their separation from the IRS. The delays in removing system access ranged from 4 to 53 calendar days.
These contractors’ accesses were not removed from systems in a timely manner because responsible officials were not following security procedures and relied on systemic solutions to disable and delete user access to systems based on inactivity. However, the automated programs to identify user accounts with inactivity were either not being run regularly or did not work as intended. Also, managers and COTRs did not provide the necessary oversight of reviewing access privileges and notifying system owners when contractors no longer needed access.
Contractors had excess privileges that violated separation of duties rules
Separation of duties is an organizational principle that provides process integrity while maintaining proper security and quality controls. IRS security policy states that system and application software development, testing, and debugging must be performed on information systems dedicated for these purposes and not on production information systems. To ensure proper separation of duties, system developers should not have access to the system’s production environment. This separation ensures that system developers cannot make changes on production systems that have gone through rigorous testing and authorization to operate. Developers who have access to the production system could bypass strict configuration management requirements and make unapproved and untested changes. In addition, system administrators should not have database administrator privileges. While system administrators are responsible for the configuration and day-to-day operations of the system, the database administrators are responsible for the security, maintenance, and backup of the database repositories. This separation ensures the integrity of the data and that any unauthorized changes to the data can be detected.
We identified 12 system development contractors who had access to the production environment of the system on which they worked and 39 system administration contractors who had database administrator privileges. We were unable to determine how long these contractors had unnecessary access to IRS production systems because we could not determine when these accounts were created, when contractors were given system access, or when user access privileges were granted or changed.
For the production environment access issue, ****(3d)****. For the database administrator access issue, ****(3d)****.
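The two findings above (contractors with no remaining business need who still hold active accounts, and developers and system administrators holding privileges that violate separation of duties) are checks that can be run mechanically against an account extract rather than left to manual review. The following is an added example, not code from this report or from any IRS system: it encodes the 45-day disable and 90-day removal thresholds and the two separation-of-duties rules the report describes, and runs them over a constructed contractor roster and account list. The record layout, the `person_id` linkage between accounts and contractors, the role names, the fictitious `system_a`, and the sample dates are all assumptions made for illustration.

```python
"""Access review over contractor accounts. Added example, not code from the TIGTA
report or any IRS system: record layout, field names and sample data are
constructed. The 45/90-day thresholds and the two separation-of-duties rules
are the controls the report describes."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

DISABLE_AFTER_DAYS = 45   # IRS policy: disable when no access within 45 calendar days
DELETE_AFTER_DAYS = 90    # IRS policy: remove when no access within 90 calendar days

@dataclass(frozen=True)
class Account:
    system: str
    user_id: str
    person_id: str              # links the account to the contractor roster (assumed field)
    environment: str            # "development" or "production"
    roles: frozenset            # e.g. {"developer"}, {"sysadmin", "dba"}
    created: date
    last_login: Optional[date]  # None if the account has never been used
    active: bool = True

@dataclass(frozen=True)
class Contractor:
    person_id: str
    separated_on: Optional[date]   # None while still on contract

def review(accounts, roster, as_of):
    """Return (system, subject, finding) tuples. `subject` is the user_id for
    per-account findings and the person_id for separation-of-duties findings."""
    findings = []
    people = {c.person_id: c for c in roster}
    first_seen = {}              # (system, environment, person) -> first active user_id
    grants = defaultdict(set)    # (system, person) -> {(environment, role)}
    for a in accounts:
        if not a.active:
            continue             # already disabled: nothing to flag
        flag = lambda msg: findings.append((a.system, a.user_id, msg))
        # 1. Business need: the person must be on the roster and not separated.
        person = people.get(a.person_id)
        if person is None:
            flag("no roster entry: business need cannot be established")
        elif person.separated_on is not None:
            flag(f"separated {(as_of - person.separated_on).days} days ago, account still active")
        # 2. Inactivity. A never-used account is measured from its creation date.
        idle = (as_of - (a.last_login or a.created)).days
        label = f"idle {idle} days" if a.last_login else "never logged in"
        if idle > DELETE_AFTER_DAYS:
            flag(f"{label}: should have been removed (>{DELETE_AFTER_DAYS} days)")
        elif idle > DISABLE_AFTER_DAYS:
            flag(f"{label}: should be disabled (>{DISABLE_AFTER_DAYS} days)")
        # 3. Duplicate active accounts for one person in one environment.
        dup_key = (a.system, a.environment, a.person_id)
        if dup_key in first_seen:
            flag(f"duplicate of active account {first_seen[dup_key]}")
        else:
            first_seen[dup_key] = a.user_id
        for role in a.roles:
            grants[(a.system, a.person_id)].add((a.environment, role))
    # 4. Separation of duties, judged per person per system across all of that
    #    person's accounts: production access is often a second account, not a
    #    role on the development account.
    for (system, person_id), held in grants.items():
        roles = {role for _, role in held}
        environments = {env for env, _ in held}
        if "developer" in roles and "production" in environments:
            findings.append((system, person_id, "developer with production access"))
        if "sysadmin" in roles and "dba" in roles:
            findings.append((system, person_id, "system administrator holding DBA privileges"))
    return findings

def sample_data():
    """Constructed records for one fictitious system; not data from the report."""
    def acct(uid, pid, env, roles, created, last_login, active=True):
        return Account("system_a", uid, pid, env, frozenset(roles), created, last_login, active)
    as_of = date(2009, 3, 31)
    roster = [Contractor("P1", None), Contractor("P2", date(2009, 2, 10)),  # P2 left 49 days ago
              Contractor("P3", None), Contractor("P4", None)]
    accounts = [
        acct("u1", "P1", "production", {"sysadmin"}, date(2008, 1, 15), date(2009, 3, 30)),
        acct("u2", "P2", "production", {"analyst"}, date(2008, 6, 1), date(2009, 2, 9)),   # separated, idle 50d
        acct("u3", "P3", "development", {"developer"}, date(2008, 9, 1), date(2009, 3, 29)),
        acct("u3p", "P3", "production", {"developer"}, date(2008, 9, 1), date(2009, 3, 29)),  # dev on prod
        acct("u4", "P4", "production", {"sysadmin", "dba"}, date(2008, 11, 20), None),   # never used, 131d
        acct("u4b", "P4", "production", {"sysadmin"}, date(2009, 1, 5), date(2009, 1, 6)),  # duplicate, idle 84d
        acct("u5", "P9", "production", {"analyst"}, date(2007, 5, 5), date(2007, 6, 1), active=False),
    ]
    return accounts, roster, as_of

if __name__ == "__main__":
    for system, subject, finding in review(*sample_data()):
        print(f"{system:10} {subject:5} {finding}")
```

Per-account findings carry the user ID; the two separation-of-duties findings carry the person ID, because the conflict usually spans two accounts (a development login and a production login) rather than one. A never-used account is aged from its creation date, so an unused account older than 45 days is reported like a dormant one, matching the report's treatment of "never logged onto the system" as an exception. Pointed at an OL5081 extract and the personnel system instead of the constructed lists, the same pass is the kind of reconciliation Appendix I, step I.B, describes.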
1. While we did not identify any questionable activity or wrongdoing by contractors who no longer had a business need for system access, our attempts to evaluate their activities were hampered by the lack of reviewable audit trail[7] data for the systems we reviewed. We referred this issue to an ongoing Treasury Inspector General for Tax Administration review over audit trails. Without the ability to monitor contractor system activities, the IRS is placed in the precarious position of relying on access controls as the sole means to ensure that contractors are accessing only the systems and data they require to do their jobs.
2. The IRS does not have an effective centralized system or method of identifying all contractors working within the IRS. This lack of accountability has hampered the IRS’ ability to monitor contractors and control their computer system access. While the IRS has formed a committee to implement a central tracking process for contractors, the process is not in place and implementation efforts have encountered difficulties.
When contractors are allowed to have unnecessary access to IRS systems and taxpayer data, the IRS is increasing the risks of exposing taxpayer data to unauthorized disclosure and disruption of system operations. All seven computer systems in our review contain taxpayer data, including taxpayer correspondence; current, past, and questionable tax returns; delinquent taxpayer accounts; and fuel transaction information on billing and vehicle registration.
To illustrate these risks, several news outlets published a January 2009 news story relating to a former Federal National Mortgage Association (Fannie Mae) information technology contractor who was indicted for installing a malicious computer program that would have caused millions of dollars of damage and reduced, if not shut down, operations at the mortgage giant. The malicious program would have disabled monitoring alerts and logins, deleted root passwords to 4,000 servers, and erased all data and backup data on those servers by overwriting them with zeros. However, the malicious program was discovered by an employee 5 days after it was installed, and no actual harm occurred. The contractor was able to install the malicious program because his system access privileges were not revoked as soon as he was terminated from his position. An equally disturbing possible outcome, as noted in comments from a reader to one of the online news articles, was that the contractor could have stolen critical customer data for the purpose of monetary gain instead of attempting to disrupt computer operations.
Recommendations
The Chief Technology Officer should:

Recommendation 1: Provide appropriate communications to all COTRs and managers reinforcing the need to ensure appropriate system accesses are revoked when contractors leave the IRS and contractors’ duties no longer require system access, and that separation of duties is followed to ensure that contractors do not have access to both development and production system environments and do not have both system and database administrator privileges.
Management’s Response: The IRS agreed with this recommendation. The MITS Cybersecurity organization will coordinate with the Agency-Wide Shared Services Contractor Oversight Group to develop and deliver appropriate communications content to COTRs.
Recommendation 2: Enforce current procedures on all systems by configuring systems to automatically disable contractors’ accounts after 45 calendar days of inactivity and to delete the accounts after 90 calendar days of inactivity.
Management’s Response: The IRS agreed with this recommendation. The MITS organization will enforce system configuration settings to automatically disable contractors’ accounts after 45 calendar days of inactivity and will ensure that accounts that are inactive for more than 90 calendar days are deleted or securely incapacitated based on the technical capabilities and requirements of each system and platform. Securely incapacitating accounts will effectively delete all access capability while retaining account background information. Current procedures will be reviewed and updated to ensure that the associated technical configurations are appropriately documented.
Recommendation 3: Provide appropriate communications to all COTRs and managers to remind them that they have the primary responsibility for providing prompt notification to the responsible organization of any contractor status changes, including annually reviewing access privileges to verify the continued need for access. The responsible organization should immediately suspend, cancel, and/or adjust all access privileges associated with changes in a contractor’s status.
Management’s Response: The IRS agreed with this recommendation. The MITS Cybersecurity organization will coordinate with the Agency-Wide Shared Services Contractor Oversight Group to provide appropriate communications to COTRs and managers reminding them of this notification responsibility, including annually reviewing access privileges to verify the continued need for access and, in accordance with existing IRS policy, suspend, cancel, and/or adjust contractor system access privileges.
Compliance With Security Requirements Could Be Improved for Contractors Who Have a Business Need for System Access
The IRS has specific procedures and requirements for authorizing system access for employees and contractors. Our review identified two areas where access authorization controls over contractors can be improved.
System accesses were not always authorized, documented, or recertified in a timely manner
Providing contractors access to IRS computer systems starts with the system access authorization process. The IRS established the Information System User Registration/Change Request (Form 5081) for managers to request and authorize employee and contractor access for all IRS systems, including development and production systems. System administrators are responsible for adding and removing authorized system users and maintaining an up-to-date list of authorized users. In October 2002, the IRS automated the system authorization process with the Online 5081 (OL5081) system. The OL5081 system also provides documentation information on a contractor’s certification that he or she understands the IRS security rules over computer usage and on the manager’s annual recertification of the contractor’s continued system access and need-to-know.
The IRS also established other complementary security controls. Managers are required to annually review users’ accounts and profiles, including a review of the access level, conformance with the principle of least privilege, and current management authorizations.
Even though clear security policies and procedures have been established, we identified that 46 (12 percent) of 376 contractor accounts did not have proper authorization for system access on the OL5081 system. We were also unable to find paper copies of approved authorizations from the contractors’ current managers or COTRs. Twenty-four of the 46 contractor accounts are associated with a development system, which operated with live taxpayer data and had not received an approved waiver to operate in this condition.
For one development system, the IRS manager over the system informed us that, because it was a development system, access was granted using email instead of using the OL5081 system. For the other systems without the Form 5081 information, we were unable to determine how these contractors obtained access to the systems. We believe that managers either did not carry out their responsibilities to follow approved system access authorization processes or system administrators may have added contractors to systems without a manager’s authorization. The IRS confirmed that those contractors needing access to IRS systems were in the process of completing system access authorization.
We also identified 39 (21 percent) of 187[8] contractor accounts that were not recertified in a timely manner by a manager to indicate that the contractors had a continued need for system access. We were informed that contractor system accesses were not recertified in a timely manner because:
System accesses were granted prior to a background investigation being completed
IRS policy requires that a background investigation must be conducted on employees and contractors at the risk level appropriate to the sensitivity of the position before system access is granted. At a minimum, contractors should not be given access to sensitive IRS systems until they have a completed background investigation or have received interim access approval. The background investigation provides a level of assurance that the employee or contractor is of good character and can be trusted with access to sensitive data.
Despite this requirement, we found that 7 (2 percent) of 376 contractors were given system access prior to a background investigation being completed or their receiving interim access approval.

We believe managers and security officers did not carry out their responsibilities of verifying whether a background investigation was completed or that the contractor had received interim access approval before granting the contractor system access. All seven contractors eventually had a completed background investigation.

When contractors are allowed to have access to IRS systems before the completion of system access authorization tasks, the IRS increases its risk of unauthorized access to taxpayer data as well as personally identifiable information.
Recommendations
The Chief Technology Officer should:

Recommendation 4: Provide appropriate communications to all COTRs and managers that the OL5081 system is the primary system used for authorizing and approving requests for any system access. System access should not be granted until the contractor or employee has successfully completed a background investigation and been approved for access through the OL5081 system. Managers and COTRs have the primary responsibility to ensure that contractors and employees complete their annual certification requirements within 45 calendar days of notification. If after 45 days have passed and a user has not recertified, the System Administrator should disable and remove the user account and access privileges from the system.
Management’s Response: The IRS agreed with this recommendation. The MITS Cybersecurity organization will coordinate with the Agency-Wide Shared Services Contractor Oversight Group to develop and deliver appropriate communications content to COTRs. In addition, the communication will also address that after 45 calendar days have passed and the user is not recertified, procedures will be implemented to disable and remove or securely incapacitate the user account and access privileges.
Recommendation 5: Ensure that COTRs understand their obligation to separate contractors who do not adhere to security policies and procedures governing system access within 45 calendar days. In cases where a COTR does not separate a noncompliant contractor, notification should be provided to the COTR’s manager that the manager needs to direct the COTR to separate the contractor. If the COTR still fails to separate the contractor, the manager should take appropriate action.
Management’s Response: The IRS agreed with this recommendation. The MITS Cybersecurity organization will coordinate with the Agency-Wide Shared Services Contractor Oversight Group to provide appropriate communications to COTRs reminding them of their obligation, in accordance with existing IRS policy, to separate contractors who do not adhere to security policies and procedures governing system access within 45 calendar days. This notification will also reinforce taking the appropriate actions when this obligation is not fulfilled.
Appendix I
Detailed Objective, Scope, and Methodology
The overall objective of this review was to determine whether the IRS established and implemented effective computer access controls over contractors that have been hired to develop, operate, and maintain IRS computer systems. To accomplish this objective, we:
I. Determined whether the IRS is effectively controlling contractor access.
A. Identified systems with contractor user accounts and judgmentally selected 7 of 65 systems, totaling 376 contractor user accounts, for review based on the number of contractor user accounts and the sensitivity and location of the systems. The seven systems selected for review were: the Excise Files Information Retrieval System in
B. Determined whether contractors’ access rights were authorized for each system selected for review. We obtained a download from the OL5081 system of contractor accounts for the systems selected. We verified this information by requesting a download from each system selected and reconciled this information to the Treasury Integration Management Information System[9] database for current and separated employees. Those accounts not matched were identified as contractor accounts and reconciled with the OL5081 data.
C. Determined whether contractors’ managers recertified annually their continued need-to-know for system access. Only 187 of 376 contractor accounts were accounts where system access had been granted more than 1 year earlier and which were therefore subject to recertification requirements.
D. Determined whether contractors received the proper level of background investigation prior to system access.
E. Reviewed contractor account information to identify periods of inactivity.
F. Determined whether contractors have a continued need-to-know for system access.
G. Determined whether developers have access to live data and production systems.
H. Determined the causes for any conditions identified above.
I. Reviewed audit trails[10] for fraud indicators and trends.
II. Determined whether contractors are complying with IRS security policies and procedures.
A. Identified applicable security policies and procedures.
B. Determined whether contractors violated security policies and procedures.
C. Determined the causes for contractors not complying with IRS policies and procedures for handling sensitive IRS data.
D. Assessed the effect of the inadequate security controls identified above.
Appendix II
Major Contributors to This Report
Margaret E. Begg, Acting Assistant Inspector General for Audit (Security and Information Technology Services)
Kent Sagara, Acting Director
Jody Kitazono, Acting Audit Manager
Louis Lee, Lead Auditor
Alan Beber, Senior Auditor
Myron Gulley, Senior Auditor
Abraham Millado, Senior Auditor
Larry Reimer, Senior Auditor
Stasha Smith, Senior Auditor
Appendix III
Report Distribution List
Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Director, Stakeholder Management Division OS:CTO:SM
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaison: Chief Technology Officer OS:CTO
Appendix IV
Management’s Response to the Draft Report
The response was removed due to its size. To see the response, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.
[1] Insufficient Contractor Oversight Put Data and Equipment at Risk (Reference Number 2004-20-063, dated March 22, 2004) and Monitoring of PRIME Contractor Access to Networks and Data Needs to Be Improved (Reference Number 2005-20-185, dated September 29, 2005).
[2] Contracting Officer’s Technical Representatives furnish technical direction, monitor contract performance, and maintain an arm’s-length relationship with the contractor.
[3] Insufficient Contractor Oversight Put Data and Equipment at Risk (Reference Number 2004-20-063, dated March 22, 2004).
[4] Monitoring of PRIME Contractor Access to Networks and Data Needs to Be Improved (Reference Number 2005‑20-185, dated September 29, 2005).
[5] COTRs furnish technical direction, monitor contract performance, and maintain an arm’s-length relationship with the contractor.
[6] The total number of exceptions is more than 53 because 4 contractors fell into more than 1 category.
[7] An audit trail is a chronological record of activities that allow for the reconstruction, review, and examination of a transaction from inception to final results. Audit trails can be used to detect unauthorized accesses to computer networks.
[8] The 187 contractor accounts represent those user accounts in our sample where system access had been granted more than 1 year earlier and which were, therefore, subject to annual recertification requirements.
[9] An official automated personnel and payroll system for storing and tracking all employee personnel and payroll data. It is outsourced to the United States Department of Agriculture National Finance Center and managed by the Department of the Treasury.
[10] An audit trail is a chronological record of activities that allow for the reconstruction, review, and examination of a transaction from inception to final results. Audit trails can be used to detect unauthorized accesses to computer networks.