Treasury Inspector General for Tax Administration
Office of Audit
TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION’S FEDERAL INFORMATION SECURITY MANAGEMENT ACT (NON-INTELLIGENCE NATIONAL SECURITY SYSTEMS) REPORT FOR FISCAL YEAR 2010
Issued on September 9, 2010
Highlights of Report Number: 2010-20-101 to the Department of the Treasury Chief Information Officer.
IMPACT ON TAXPAYERS
The Federal Information Security Management Act (FISMA) requires the Office of Inspector General to perform an annual independent evaluation of information security policies, procedures, and practices of the Internal Revenue Service (IRS). This report reflects our independent evaluation of the status of information technology security for Non-Intelligence National Security Systems at the IRS for Fiscal Year 2010.
WHY TIGTA DID THE AUDIT
The review was initiated to evaluate the IRS’s two Non-Intelligence National Security Systems to determine whether information security policies, procedures, and practices complied with FISMA requirements. TIGTA based our evaluation on the Office of Management and Budget’s Fiscal Year 2010 Reporting Guidelines.
WHAT TIGTA FOUND
Our evaluation showed that the IRS is adequately securing its Non-Intelligence National Security Systems and data. However, TIGTA noted one security control area for management’s attention. The FISMA requires that Federal agencies track and monitor known information security weaknesses in Plans of Action and Milestones (POA&M). The IRS did not include the weaknesses identified during the Fiscal Year 2010 annual testing of controls for the IRS National Security Systems in POA&Ms for tracking and remediation. In addition, previously identified weaknesses that had been tracked in the system POA&Ms and subsequently remediated were not timely closed out in the POA&Ms. The POA&M process is particularly important because the IRS decided not to perform a new certification and accreditation in Fiscal Year 2010 and to rely instead on its annual testing to ensure a subset of security controls have been implemented and are working as intended.
WHAT TIGTA RECOMMENDED
TIGTA does not include recommendations as part of our annual FISMA evaluation and reports only on the level of performance achieved by the IRS using the guidelines issued by the Office of Management and Budget for the Fiscal Year 2010 FISMA period.
READ THE FULL REPORT
To view the report, go to: http://www.treas.gov/tigta/auditreports/2010reports/201020101fr.html.
Email Address: inquiries@tigta.treas.gov
Phone Number: 202-622-6500
Web Site: http://www.tigta.gov