TREASURY INSPECTOR GENERAL
FOR TAX ADMINISTRATION
THE INTERNAL REVENUE SERVICE CAN INCREASE STORAGE CAPACITY ON SEVERAL IBM MAINFRAME SYSTEMS THROUGH IMPROVED MAINTENANCE
Reference No. 2000-20-009
The Internal Revenue Service (IRS) uses IBMís Multiple Virtual Storage (MVS) operating system for many of its mission critical, tax processing systems. We examined the controls on two of these systems: the Masterfile system, which serves as the platform for the primary processing of all taxpayer accounts, and the Automated Collection System/Integrated Collection program development system (ACS/ICS), which is used to develop and test the IRSí computer system for collecting delinquent taxes. Because the MVS operating system is used on IRS computers that maintain over 206 million taxpayer accounts, its implementation must be closely controlled and monitored.
The objective of this review was to determine if selected general controls of the MVS operating system were implemented to provide system security, safeguard sensitive data, and ensure efficient use of system resources.
Generally, the controls of the two MVS operating systems we reviewed were adequate to provide system security and to safeguard sensitive data. We determined, however, that system resources could be better used if extraneous files were removed from the systems.
System Controls Were Adequate to Provide System Security and Protect Sensitive Data
System resources were adequately protected and controls over program files and libraries containing operating system files assured that only authorized personnel had access to these significant system resources. In addition, the MVS operating system was implemented in a manner that provided IRS with necessary management information. Specifically, we found:
∑Key System Management Facility (SMF)1 settings were properly implemented on both systems.
∑Exits (automated system interfaces) that can be used to suppress selected audit trail data were not in use.
∑"ZAP" programs2 were adequately protected, and access to these programs was restricted on both systems.
∑Systems security controls were employed to protect key system resources such as the Authorized Program Facility (APF) and the Time-Sharing Option (TSO) User Attribute Set3.
In some instances, IRS systems programmers took immediate action and made changes on-line based on our verbal recommendations for improving system control settings.
Storage Capacity Can Be Increased by Removing Unnecessary Files
Our review of the Masterfile and ACS/ICS systems identified a significant number of files that were uncataloged (not maintained or recognized by the MVS facility for organizing files) or miscataloged (contained in one disk unit and "labeled" as being in another). On the taxpayer account processing system, we found that over 8 percent of the over 10,600 files on the disk units containing important system set-up files were uncataloged or miscataloged. On the development system, 25 percent of the over 37,000 files on the system were uncataloged or miscataloged. Allowing extraneous files to remain on the system wastes valuable storage space. Furthermore, extraneous files present a system security risk since they may be altered to support unauthorized activities.
Summary of Recommendation
The Chief Information Officer should develop procedures to periodically examine system storage space to identify extraneous data files and programs, and to ensure that they are removed from the systems.
Managementís Response: IRS management has implemented the Hierarchical Storage Manager, which ages off and archives data files that have not been used. Also, batch jobs that eliminate uncataloged data files have been instituted as part of weekly housekeeping batch runs.
1SMF is an IBM product that serves as an event tracking mechanism and audit trail for system activities in MVS.
2ZAP programs can be used to alter or delete the Volume Table of Content (VTOC), which is the "card catalog" for the entire system. Without a reliable VTOC, files cannot be found in the system.
3APF programs can circumvent all standard MVS security mechanisms and gain access to secured data. The TSO User Attribute Set houses the powers granted to each user on the system.