The Internal Revenue Service’s (IRS) Unisys 2200 mainframe computers are an integral part of its tax processing system. Virtually all transactions affecting a taxpayer’s account are processed through these Unisys systems before being posted to the full taxpayer account on IRS’ Masterfile database. The Unisys systems process tax returns that are sent to IRS’ service centers by taxpayers. In addition, these systems house databases used by the Integrated Data Retrieval System for on-line retrieval of taxpayer information. The IRS will be migrating from a Unisys 2200 to a Unisys 4800 environment as part of the service center mainframe consolidation and will be operating under a more current version of the operating system.

The overall objective of the review was to determine whether general controls in place over the Unisys 2200 operating system are sufficient to protect sensitive data. The scope of this review encompassed system policies as they relate to security controls. We conducted our review in the IRS’ National Office and on-site at the Andover (ANSC) and Austin (AUSC) Service Centers and the Martinsburg Computing Center (MCC). In addition, we reviewed system reports from the Cincinnati, Fresno, and Philadelphia Service Centers.

The general controls over the operating system environment of the Unisys 2200 mainframe computers are adequately defined to protect sensitive data. Specifically, each user is uniquely recognized and verified by the operating system. In addition, discretionary access controls (e.g., file ownership and access control records) are enforced through the security software residing on the mainframe computer. Access to most sensitive taxpayer data files, as well as any security-related actions, are monitored by management.

We identified several areas in which controls could be adhered to more uniformly and where procedures should be established to provide improved system control, security, and standardization. Memoranda dealing with site-specific control weaknesses have been issued to the responsible local officials. This report addresses systemic issues that require corrective actions throughout the IRS.

Although the Unisys 2200 mainframe computers will become obsolete due to the IRS’ mainframe consolidation efforts, steps need to be taken now to better prepare the Unisys 2200 systems for consolidation. In addition, due to the similarities in the operating systems of both systems, control improvements identified on the Unisys 2200 systems should also be implemented on the Unisys 4800 systems to improve its control environment.

Over 6,200 files at the 5 service centers are established in a way that permits any system user to view their contents. From a judgmentally selected sample of 109 such files at the ANSC and AUSC, we identified 10 files that contained taxpayer data. Since these files are not properly recorded on the system, accesses to them are not recorded on weekly reports used by management to monitor access to taxpayer data by system users.

Over 10 percent of the files common to the Unisys production environment at 4 service centers contain inconsistencies in access control settings, such as file ownership and clearance (security) levels. The inconsistencies appear to be an unintentional side effect of actions taken to recover files or solve system problems. These inconsistencies may cause problems in the Unisys 4800 consolidated environment. The Office of Management and Budget (OMB) suggests that part of a consolidation strategy should be the development of a plan to optimize data center operations, which would be achieved in part through standardization of the operating system.

Over 1,200 files at 5 service centers were either recorded without an assigned owner or assigned to a user-identification (user-id) that was no longer active on the system. Files with incorrect ownership assignments can cause problems during the consolidation from the Unisys 2200 to the Unisys 4800 environment. MCC personnel informed us that problems arose in moving improperly owned files during the mock move between the Brookhaven Service Center and MCC. Although a temporary solution was found for the actual conversion, the solution left the IRS with the continued existence of improperly owned files. Internal Revenue Manual (IRM) guidelines do not address the need to reassign ownership for the files meeting these two conditions.

In the current Unisys 2200 environment, there is no mechanism available to account for individual use of the MASTER user-id for the system. The MASTER user-id on the Unisys 2200 is one of the most powerful user-ids on the system, enabling its user to access all areas of the system. Although the MASTER user-id was used primarily by the security analysts at ANSC and AUSC as their sole user-id, several other users also had access to the password in emergency situations. The IRM requires that the system security officer or systems administrator be able to selectively audit the actions of one or more users based on individual identity. These audits should include all actions of the MASTER user-id.

Our review of deviation forms used to request modifications to standard Unisys 2200 user profiles indicated that a number of profile changes made by the service center personnel had not been reviewed or signed by the responsible IRS National Office functions. These omissions were due in part to required IRS National Office functions not receiving the deviation forms for review. The IRS’ Unisys 2200 Access Standards require completion and approval of a deviation form when changes to the standard profiles are needed for system users to perform their duties. Since the security system of the Unisys 2200 system is very complex, modifications made without proper review and approval can have unforeseen serious consequences.

Department of Treasury directives require that all Treasury automated information systems transmitting sensitive but unclassified information meet a C2 level of protection (see Appendix V). The IRS’ Unisys 2200 systems are operating in a non-C2 compliant environment and without an approved waiver of compliance. In addition, we were unable to locate documentation for the testing of the system’s security features.

The OMB requires that controls over general support systems include a system security plan. The OMB also requires that Federal agencies determine the adequacy of their systems’ security, which may be conducted using a risk-based approach. We were unable to locate documentation of risk factors or a security plan for the Unisys 2200 systems.

• Summary of Recommendations
• All files with taxpayer information that are readable by the casual system user should be identified and immediately secured.
• Control settings for files common to the Unisys 2200 production mainframes should be standardized.
• Prior to migration to the consolidated environment, all improperly owned files should be identified and assigned to an active system user. For future user-id removals, a policy should be instituted requiring that all files owned by such users be deleted or assigned to an active system user.
• Information Systems should examine and implement, if feasible, the ability to track individual actions of users accessing the MASTER user-id on the Unisys 4800 system.
• The policy for submitting profile deviation forms to the IRS National Office should be formally re-issued and all unapproved deviation forms should be submitted to all required IRS National Office functions for review and approval.
• All required C2 documentation, security policies, and risk factor documentation should be prepared for the Unisys 4800 environment.

Management’s Response: IRS management agreed with the facts cited in the report and is taking appropriate corrective action. Management’s comments are included in the body of the report, where appropriate, and a complete text appears as Appendix VII.