Treasury Inspector General for Tax Administration
Office of Audit
TAXPAYER DATA USED AT CONTRACTOR FACILITIES MAY BE AT RISK FOR UNAUTHORIZED ACCESS OR DISCLOSURE
Issued on May 18, 2010
Highlights of Report Number: 2010-20-051 to the Internal Revenue Service Chief Technology Officer and the Chief, Agency-Wide Shared Services
IMPACT ON TAXPAYERS
The Internal Revenue Service (IRS) provides its taxpayer data to contractors who store and process the data at their own facilities in support of the IRS’ mission of tax administration. These data can contain personally identifiable information, such as tax return data and Social Security Numbers. The IRS did not have effective processes to identify all contractors with IRS taxpayer data that require annual security reviews by the IRS and did not ensure computer security weaknesses identified at contractor facilities during security reviews have been corrected. As a result, taxpayer data may be at risk for unauthorized access or disclosure.
WHY TIGTA DID THE AUDIT
This audit was initiated as part of our statutory requirements to annually review the adequacy and security of IRS information technology. The overall objective of this review was to determine whether the IRS had effective controls in place to ensure IRS taxpayer data are protected at contractor facilities.
WHAT TIGTA FOUND
Current processes were not effective at identifying all contractors who receive IRS taxpayer data and may be subject to required security reviews. The Infrastructure Security and Reviews (ISR) office of the IRS Modernization and Information Technology Services organization Cybersecurity function identified contractors that require reviews by submitting a data call request asking the IRS business organizations to identify their contractors that process, store, or house IRS taxpayer data. However, this process did not identify all contractors who have been provided such data. Without an effective process for identifying the contractors receiving IRS taxpayer data, the IRS cannot ensure that all contractors who receive such data are being reviewed for computer security control weaknesses. As a result, the IRS cannot ensure that taxpayer data are protected at contractor facilities.
TIGTA also found that current processes were not followed to ensure weaknesses identified by the ISR teams at contractor facilities were timely corrected. O
WHAT TIGTA RECOMMENDED
TIGTA recommended that the Chief, Agency-Wide Shared Services, and the Chief Technology Officer, identify the information system that can serve as the primary source for identifying contractors requiring reviews. The Director, Procurement, and the Director, Office of Privacy and Information Protection, should ensure appropriate indicators are captured on each existing contract with a disclosure and privacy impact, validate whether the IRS business organization provided any IRS taxpayer data to these contractors, and provide the appropriate notification and guidance to the responsible IRS business organizations to execute annual security reviews of contractors when required.
In addition, the Associate Chief Information Officer, Cybersecurity, should validate correction of ISR office reported security weaknesses and recommend a process for reporting weaknesses that remain unmitigated to increase the accountability of the responsible parties for remediation of security weaknesses. In their response to the report, IRS management agreed with our recommendations and plans to take appropriate corrective actions.
READ THE FULL REPORT
To view the report, including the scope, methodology, and full IRS response, go to: http://www.treas.gov/tigta/auditreports/2010reports/201020051fr.html.
Email Address: inquiries@tigta.treas.gov
Phone Number: 202-622-6500
Web Site: http://www.tigta.gov