Treasury Inspector General for Tax Administration, Office of Audit
MORE ACTIONS ARE NEEDED TO CORRECT THE SECURITY ROLES AND RESPONSIBILITIES PORTION OF THE COMPUTER SECURITY MATERIAL WEAKNESS
Issued on August 26, 2010
Highlights
Highlights of Report Number 2010-20-084 to the Internal Revenue Service Chief Technology Officer.
IMPACT ON TAXPAYERS
The Federal Managers' Financial Integrity Act of 1982 requires that each agency conduct annual evaluations of its systems of internal accounting and administrative controls and submit an annual statement on the status of the agency's system of management controls, including identifying areas that can be considered material weaknesses.

The Internal Revenue Service (IRS) prematurely closed the security roles and responsibilities component of its computer security material weakness. As a result, the IRS cannot ensure that all IRS and contract employees will carry out their responsibilities to protect the confidentiality, integrity, and availability of taxpayer data.
WHY TIGTA DID THE AUDIT
TIGTA initiated this audit at the request of the IRS to provide an independent validation assessment of the effectiveness of the IRS's actions to correct the roles and responsibilities component of the computer security material weakness. This audit was included in TIGTA's Fiscal Year 2010 Annual Audit Plan.
WHAT TIGTA FOUND
While the IRS has made strides in addressing each set of corrective actions, our analysis found that the IRS did not effectively complete four of its six corrective action objectives. Specifically, the IRS did not 1) document all information technology (IT) security roles and responsibilities in the Internal Revenue Manual, 2) develop and document day-to-day IT security procedures and guidelines, 3) properly conduct compliance assessments to test IT procedures, and 4) establish effective metrics for measuring compliance.

The IRS uses two documents, IRS Roles Requiring an IT Security Training Curriculum and Internal Revenue Manual IT Security Roles and Responsibilities, to document security roles and responsibilities. While each document serves a different purpose, the Internal Revenue Manual is the official policy governing security roles and responsibilities. TIGTA found that, for 10 of the 18 roles that appear in both documents, the manual did not include all of the responsibilities established in the training curriculum. The IRS also did not document in the Internal Revenue Manual an additional five IT security roles that exist at the IRS. Further, the IRS did not properly conduct compliance assessments to verify and validate that IRS and contract employees were executing their security responsibilities. Lastly, because the compliance assessment did not yield significant information, the IRS has yet to establish or collect meaningful performance metrics for this weakness area.
WHAT TIGTA RECOMMENDED
TIGTA recommended that the Associate Chief Information Officer, Cybersecurity, update the Internal Revenue Manual to include all IT security roles in existence at the IRS, establish recurring processes and communications to ensure security roles and responsibilities are periodically reviewed and updated, and develop procedures to validate compliance that incorporate supporting evidence of proper execution of assigned responsibilities. In addition, the Co-Chairpersons of the Security Services and Privacy Executive Steering Committee should reopen the roles and responsibilities component of the computer security material weakness.

In their response to the report, IRS officials agreed with three of the four recommendations. The IRS plans to update the Internal Revenue Manual to include all IT security roles and related responsibilities, perform a crosswalk of the Internal Revenue Manual with its training program annually and align any differences, and improve existing procedures to validate compliance through assessments that incorporate supporting evidence of proper execution of assigned responsibilities. However, the IRS disagreed that the roles and responsibilities component should be reopened as a material weakness and believes that this component is in a state of "Significant Deficiency" as defined by the Government Accountability Office. The IRS plans to maintain its focus, with governance oversight, on maturing these processes and procedures.

TIGTA disagrees with the IRS's assessment that the roles and responsibilities component is in a state of "Significant Deficiency" and believes that repeatable processes are not in place. As such, TIGTA does not agree with the downgrade.
READ THE FULL REPORT
To view the report, including the scope, methodology, and full IRS response, go to:
http://www.treas.gov/tigta/auditreports/2010reports/201020084fr.html
Email Address: inquiries@tigta.treas.gov
Phone Number: 202-622-6500
Web Site: http://www.tigta.gov