Treasury Inspector General for Tax Administration

Office of Audit

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION – FEDERAL INFORMATION SECURITY MANAGEMENT ACT REPORT FOR FISCAL YEAR 2012

Issued on September 28, 2012

Highlights

Highlights of Report Number:  2012-20-114 to the Department of the Treasury, Office of the Inspector General, Assistant Inspector General for Audit.

IMPACT ON TAXPAYERS

The IRS collects and maintains a significant amount of personal and financial information on each taxpayer.  The IRS also relies extensively on computerized systems to support its responsibilities in collecting taxes, processing tax returns, and enforcing the Federal tax laws.  As custodians of taxpayer information, the IRS has an obligation to protect the confidentiality of this sensitive information against unauthorized access or loss.  Otherwise, taxpayers could be exposed to invasion of privacy and financial loss or damage from identity theft or other financial crimes.

WHY TIGTA DID THE AUDIT

The Federal Information Security Management Act (FISMA) was enacted to strengthen the security of information and systems within Federal agencies.  As part of this legislation, the Offices of Inspectors General are required to perform an annual independent evaluation of each Federal agency’s information security programs and practices.  This report reflects TIGTA’s independent evaluation of the status of the IRS’s information security program for Fiscal Year 2012.

WHAT TIGTA FOUND

Based on our Fiscal Year 2012 FISMA evaluation, TIGTA found that the IRS’s information security program was generally compliant with the FISMA requirements.  Specifically, TIGTA determined that the following eight program areas met the level of performance specified by the Department of Homeland Security’s Fiscal Year 2012 Inspector General FISMA Reporting Metrics:

· Continuous monitoring management.
· Incident response and reporting.
· Risk management.
· Plan of action and milestones.
· Remote access management.
· Contingency planning.
· Contractor systems.
· Security capital planning.

However, TIGTA determined that the following program areas did not meet the level of performance specified by the Department of Homeland Security’s Fiscal Year 2012 Inspector General FISMA Reporting Metrics as a result of specific program attributes that were missing or other conditions identified that reduced program effectiveness:

· Configuration management.
· Identity and access management.
· Security training.

WHAT TIGTA RECOMMENDED

TIGTA does not include recommendations as part of its annual FISMA evaluation and reports only on the level of performance achieved by the IRS using the guidelines issued by the Department of Homeland Security for the applicable FISMA evaluation period.

READ THE FULL REPORT

To view the report, including the scope and methodology, go to:

http://www.treas.gov/tigta/auditreports/2012reports/201220114fr.html

E-mail Address: TIGTACommunications@tigta.treas.gov

Phone Number: 202-622-6500

Website: http://www.tigta.gov