Treasury Inspector General for Tax Administration
Office of Audit
USED INFORMATION TECHNOLOGY ASSETS ARE BEING PROPERLY DONATED; HOWEVER, DISPOSITION PROCEDURES NEED TO BE IMPROVED
Issued on April 25, 2014
Highlights of Report Number: 2014-20-021 to the Internal Revenue Service Chief Technology Officer and the Chief, Agency-Wide Shared Services.
IMPACT ON TAXPAYERS
The IRS Information Technology and Agency-Wide Shared Services organizations work together to dispose of the IRS's information technology equipment. If the IRS's processes associated with the disposition of its information technology equipment are not effective, the risk of loss, theft, or inadvertent release of sensitive information is increased, which can reduce the public's confidence in the IRS's ability to effectively monitor and use its resources.
WHY TIGTA DID THE AUDIT
This audit is included in TIGTA's Fiscal Year 2014 Annual Audit Plan and addresses the major management challenge of Security for Taxpayer Data and Employees. The overall objectives of this review were to validate the accuracy of the disposal asset inventory and determine the effectiveness of the IRS's actions taken or planned to fulfill the requirements set forth by the General Services Administration.
WHAT TIGTA FOUND
While the IRS is complying with the requirements to donate its previously used information technology equipment to non-Federal recipient organizations, there are several processes associated with asset disposal that need improvement. For example, improved documentation is needed to ensure compliance with media sanitization guidelines.
Controls over the processing of Federal electronic assets reported as missing, lost, or stolen can be strengthened. Information technology equipment that cannot be located is written off; however, these lost items are not reported to the Computer Security Incident Response Center as required.
Further, documentation of disposal actions can be improved, and the inventory system does not archive electronic asset disposal data.
WHAT TIGTA RECOMMENDED
TIGTA recommended that the Chief, Agency-Wide Shared Services, reemphasize the importance of completing new disposal forms when changes are identified and ensure that updated procedures reflect the policy change requiring the use of Standard Form-122, Transfer Order Excess Personal Property, when transferring Federal electronic assets. TIGTA recommended that the Chief Technology Officer ensure that offices complete and maintain documentation for each asset to provide an audit trail regarding the sanitizing and verifying of storage media, report lost or stolen information technology equipment within one hour after detection, and report assets written off as lost to the Computer Security Incident Response Center and TIGTA. Finally, the Chief Technology Officer should ensure that the Knowledge Incident/Problem Services Asset Management (KISAM) system's archiving mechanism is developed.
IRS management agreed with our recommendations. The IRS plans to update its standard operating procedures to ensure that disposal forms are free of all edits and markups. Contingent upon funding availability, the IRS plans to enhance the KISAM to include an electronic form to document storage media sanitization for each asset, update procedures to require that Computer Security Incident Response Center and TIGTA report numbers are documented prior to finalizing the asset record as lost, and ensure that the KISAM system's archiving mechanism is developed so that the information technology asset data can be effectively managed in accordance with the IRS's Records Control Schedule. Finally, the IRS plans to issue an employee communique reinforcing existing policy for reporting lost or stolen information technology equipment.
READ THE FULL REPORT
To view the report, including the scope, methodology, and full IRS response, go to:
E-mail Address: TIGTACommunications@tigta.treas.gov
Phone Number: 202-622-6500