Treasury Inspector General for Tax Administration

Office of Audit

SECURITY OVER DATABASES COULD BE ENHANCED TO ENSURE TAXPAYER DATA ARE PROTECTED

Issued on May 4, 2011

Highlights

Highlights of Report Number:  2011-20-044 to the Internal Revenue Service Chief Technology Officer.

IMPACT ON TAXPAYERS

The Internal Revenue Service (IRS) uses more than 2,200 databases to manage and process its taxpayer data.  Databases are increasingly being targeted by attackers.  When the right degree of security diligence is not applied to databases, disgruntled insiders or malicious outsiders can exploit security weaknesses over databases and may gain unauthorized access to taxpayer data, resulting in identity theft or fraud.

WHY TIGTA DID THE AUDIT

This review was included in TIGTA’s Fiscal Year 2010 Annual Audit Plan and is part of our statutory requirements to annually review the adequacy and security of IRS information technology.  This audit also addresses the major management challenge of Security of the IRS.  The overall objective of this review was to determine whether the IRS adequately configured databases operating in its non-mainframe production environment to properly secure taxpayer data.

WHAT TIGTA FOUND

TIGTA found that non-mainframe databases containing taxpayer data were not always configured in a secure manner and that databases were running out-of-date software that no longer received security patches and other vendor support.

In addition, the IRS had not fully implemented its plans to complete vulnerability scans of databases within its enterprise.  Also, the IRS purchased a database vulnerability scanning and compliance assessment tool without the completion of adequate product evaluation and testing.  As a result, the IRS spent more than $1.1 million in software licenses and support costs for a tool that was not fully implemented.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the Chief Technology Officer ensure:  1) the security vulnerabilities identified on databases are remediated; 2) explicit management approvals are included in the database configuration building process; 3) a strategic plan is developed to address outdated database versions; 4) outdated databases are upgraded, planned to be migrated to newer versions, or properly approved to deviate from existing standards; 5) database vulnerability scans are conducted as required by policies; 6) database vulnerability scans test all high- and medium-risk configuration settings; and 7) a thorough technical product evaluation is consistently conducted and documented for the purchase of future software products.

In its response to the report, the IRS agreed with TIGTA’s recommendations.  The IRS plans to:  1) develop a strategy to ensure vulnerabilities are documented; 2) identify appropriate organizations to develop a management approval process to be used in the database build and configuration change processes; 3) develop a strategic plan for obsolescence of technology, including database version control; 4) develop a migration plan to upgrade database software to supported versions; 5) establish a process for conducting monthly scans of databases; 6) establish a Memorandum of Understanding to ensure database vulnerability scans are conducted with the privileges necessary to test all high- and medium-risk database configuration settings; and 7) create\designate a location to ensure all Product Evaluation and Selection and testing documentation is accessible from a centralized location.

The IRS disagreed with TIGTA’s $1.1 million outcome measure related to the licensing of the IRS vulnerability scanning tool.  TIGTA maintains the appropriateness of the measure.

READ THE FULL REPORT

To view the report, including the scope, methodology, and full IRS response, go to:

http://www.treas.gov/tigta/auditreports/2011reports/201120044fr.html

Email Address:   TIGTACommunications@tigta.treas.gov

Phone Number:   202-622-6500

Web Site:   http://www.tigta.gov