The Internal Revenue Service Can Improve Information Systems Physical Security
February 2000
Reference
Number: 2000-20-039
This
report has cleared the Treasury Inspector General for Tax Administration
disclosure review process and information determined to be restricted from
public release has been redacted from this document.
February 15, 2000
MEMORANDUM
FOR COMMISSIONER ROSSOTTI
FROM: Pamela J. Gardiner
/s/ Pamela J. Gardiner
Deputy
Inspector General for Audit
SUBJECT: Final Audit Report – The Internal Revenue Service Can Improve Information Systems Physical Security
This
report presents the results of our reviews to assess the adequacy of the
Internal Revenue Service’s (IRS) physical security for its information
systems. This review was part of a
series of reviews initiated to assess the overall effectiveness of security
controls over the IRS’ information systems.
Related reviews covered operational/ telecommunications security and
logical access security, which will be reported on separately.
In
summary, the IRS has taken considerable steps to improve its security
program. However, assessing and reducing
risks at over 1,000 IRS facilities is a significant undertaking. In
implementing its security program, the IRS needs to consistently apply physical
security standards throughout its organizational components. Specifically, the IRS can improve physical
security controls over information systems in the following areas: access
controls, fire protection, environmental controls, and magnetic media
management.
To
address these conditions we recommended that the Chief Information Officer, in
conjunction with other IRS executives, take steps to address the specific
weaknesses identified in this report and to ensure that minimum physical
security standards are met in all offices.
These steps also include prioritizing the weaknesses and obtaining funds
to correct them.
Management’s
comments have been incorporated into the report where appropriate, and the full
text of their comments is included as an appendix.
Please
contact me at (202) 622-6510 if you have questions, or your staff may call Scott E. Wilson, Associate Inspector General
for Audit (Information Systems Programs), at (202) 622-8510.
Appendix I - Detailed Objective, Scope, and Methodology
Appendix II - Major Contributors to This Report
Appendix III - Report Distribution List
Appendix IV - Glossary of Terms
Appendix V - Security Exposures by Internal Revenue Service Facility Type and Function
Appendix VI - Management’s Response to the Draft Report
The purpose of
computer security is to protect an organization’s valuable resources, such as
information, hardware, and software.
Through the selection and application of appropriate safeguards,
security helps the organization’s mission by protecting its physical and
financial resources, reputation, legal position, employees, and other tangible
and intangible assets.
Physical security is the most fundamental form of information systems control. Physical security controls are implemented to protect sensitive areas housing information systems equipment or data. Sensitive areas requiring physical controls include computer rooms, communication wire closets, and areas housing essential support equipment, such as power control panels, air conditioning units, communication equipment, and magnetic media storage. Physical security controls protect information systems hardware, software, and data from theft, physical damage, unauthorized disclosure, and interruption of service.
The overall objective of this review was to assess the
adequacy of physical security controls over the Internal Revenue Service’s
(IRS) information systems and sensitive data.
This review was part of a series of reviews initiated to assess the
overall effectiveness of security controls over the IRS’ information systems. Related reviews covered
operational/telecommunications security and logical access security, which will
be reported separately.
The IRS has taken considerable steps to improve its security program. However, assessing and reducing risks at over 1,000 IRS facilities is a significant undertaking. We found that the IRS does not consistently apply physical security standards throughout all of its organizational components. By using prescribed controls, the IRS can reduce information systems physical security weaknesses in the following four areas:
· Access controls: Construction of computer rooms and related facilities did not always meet the IRS and United States Treasury requirements for minimum security. Controls restricting the entry and exit of personnel, equipment, and magnetic media were not always in place in areas such as computer rooms, tape libraries, or rooms containing local area network file servers.
· Fire protection: Adequate fire extinguishing and evacuation instructions were not always posted in strategic locations, computer room fire detection systems did not always include properly placed smoke and heat detection devices or fire alarm pull boxes, and all automatic fire extinguishing systems were not appropriate for computer rooms.
· Environmental controls: Preventive maintenance, cleaning, and inspection of computer equipment and facilities was not always performed; thermometers and humidity indicators to identify unsuitable temperature and humidity levels were not always turned on and monitored; and computer rooms and related facilities were not always protected from potential water damage.
· Magnetic media management: Management of the magnetic media inventory did not always ensure accountability and accessibility of disks and tapes to operate the IRS’ information systems.
Addressing these weaknesses will improve information systems security. Both the level of risk and the severity of the exposure should be considered in taking actions to improve information systems security.
The Chief Information Officer (CIO), in conjunction with other IRS executives, should identify physical security weaknesses and take steps to address them. These steps will require IRS management to assess the state of physical security and prioritize the need to address identified weaknesses. These steps include seeking and obtaining funds to correct the conditions that require attention. The CIO can use the Office of Security Standards and Evaluation to evaluate the progress the IRS has made in meeting plans to eliminate or reduce the identified weaknesses.
Management’s Response: The IRS’ Office of Security and Privacy Oversight has designated its Director of the Office of Security Evaluations and Oversight to work in conjunction with other IRS executives to establish minimum physical security requirements for information systems operations at all IRS facilities.
The Office of Security Evaluations and Oversight currently performs about 150 reviews at various facilities each year. This office is acquiring contractor support to help with its effort. These security efforts will not focus on visiting the over 1,000 IRS facilities in the short term. Instead, the IRS will continue to work issues in a facility-type approach. This approach intends to initiate facility-wide improvements.
As
part of these reviews, the Office of Security Evaluations and Oversight
conducts follow-up reviews to assess the progress that sites make to reduce
identified risks. It also conducts
problem-solving visits to work with local staff to develop corrective actions
for unresolved risks.
The
IRS is also making a large financial commitment to maintain its efforts. It continues to work with the Department of
the Treasury and its bureaus to obtain additional security funds for critical
infrastructure protection. To date,
however, the IRS has not identified any additional funding sources.
The overall objective of this review was to assess the adequacy of physical security controls over the Internal Revenue Service’s (IRS) information systems and sensitive data. The review considered whether:
1. Program goals are adequately defined, communicated, implemented, and maintained.
2. Program assets (including data) are adequately safeguarded.
We reviewed physical security in
different types of IRS facilities in 24 sites around the nation.
We visited 24 IRS sites between March and May 1999. The IRS facilities we visited had varying operations and geographical make-up. We performed these reviews in accordance with Government Auditing Standards in the following facilities: computing center, service center, service center posts of duty, software development center, district office headquarters, and district office posts of duty. Review steps included identifying and analyzing the IRS security control structure and existing physical security procedures. We also made assessments of the physical security measures in place at the sites visited.
Details of our audit objective, scope, and methodology are presented in Appendix I. Major contributors to this report are listed in Appendix II. Appendix IV presents a glossary defining technical terminology used in this report.
Adequate physical security can help
prevent:
Interruptions
in computer services.
Physical
damage.
Unauthorized
disclosure of information.
Loss of
control over system integrity.
Theft.
The purpose of computer information
systems security is to protect an organization’s valuable resources, such as
information, hardware, and software.
Through the selection and application of appropriate safeguards,
security helps the organization meet its mission by protecting its physical and
financial resources, reputation, legal position, employees, and other tangible
and intangible assets.
Physical security is the most fundamental form of
information systems control. Physical
security controls are implemented to protect sensitive areas housing
information systems equipment or data.
Sensitive areas requiring physical controls include computer rooms,
communication wire closets, and areas housing essential support equipment, such
as power control panels, air conditioning units, communication equipment, and
magnetic media storage.
The IRS has a very large and diverse network of computer
systems that it uses to process over 200 million tax returns and collect $1.7
trillion in taxes annually. It operates over 1,000 facilities (computing
centers, service centers, and regional, district, and outlying offices) that
support tax processing.
The IRS, as well as the Congress and the General Accounting Office (GAO), recognize the risks and vulnerabilities associated with the scope and magnitude of the IRS’ information systems security. Along with the IRS’ own self-assessments, the GAO recently issued reports about the IRS’ systems security. The GAO related in its report entitled, IRS Systems Security (GAO/AIMD-99-27, December 1998), that although the IRS has made significant progress to improve security at its facilities, serious weaknesses persist.
The Congress recognized the significance of maintaining adequate information systems security in the IRS Restructuring and Reform Act of 1998 (RRA 98).[1] This law directs the newly established Office of Treasury Inspector General for Tax Administration (TIGTA) to report to the Congress an assessment of the adequacy and security of the IRS’ information technology. This report is part of TIGTA’s effort to provide that assessment.
Federal law, Department of the Treasury directives, and the IRS’ own internal policies and procedures require the implementation of sound security practices. The IRS has taken considerable steps to improve its security program. These steps include the creation of the Office of Security Standards and Evaluation (SSE). In 1998, the SSE began performing security risk assessments at the IRS’ facilities nationwide. In addition to the risk assessments, the SSE is working with IRS management to correct weaknesses identified. However, assessing and reducing risks at over 1,000 IRS facilities cannot be completed in a few years. It is a progressive and continuous process.
Although the IRS has taken steps to further secure its information systems security, the IRS’ organizational components do not consistently apply physical security standards throughout all facilities. Specifically, the IRS can improve physical security over information systems in the following four areas:
Ÿ Access controls
Ÿ Fire protection
Ÿ Environmental controls
Ÿ
Magnetic media management
By addressing these weaknesses the IRS will reduce the
effects of exposures to its information systems security. Eliminating or reducing these exposures
involves assessing and managing available resources to address potential
security threats. The level of risk
associated with the severity of the exposure can direct the IRS in taking actions
to improve information systems security.
By Consistently Applying Security Standards, the
Internal Revenue Service Can Improve Physical Security
All IRS organizational components need to
follow IRM guidance to ensure information systems operations meet minimum
security requirements.
The Internal Revenue Manual (IRM) provides guidance on information systems security policies and procedures. Parts 1 and 2 of the IRM comprehensively cover minimum security standards. Although these IRM sections are available nationwide, all of the IRS’ organizational components did not consistently and comprehensively apply the minimum security standards in the facilities reviewed.
Several organizational components are responsible for security over the IRS’ information systems.
Ÿ Information Systems (IS) has responsibility for security over district telecommunications equipment and the Examination and Collection Divisions’ file servers and computer workstations.
Ÿ Criminal Investigation, Appeals, and the IRS Chief Counsel each control the security over their own file servers and computer workstations.
Ÿ Support Services manages physical security over existing building components, initial construction, and space occupation.
These functions applied varying emphasis on, and interpretation of, the minimum standards for information systems security. Differences in application of the security standards existed among functions as well as within functions in different locations.
Management decisions for meeting
security requirements varied by their understanding and interpretation of the
IRM guidance or their attempt to access funding.
In some instances, management at the facilities:
Ÿ Did not recognize the requirement to implement some of the minimum security measures.
Ÿ Recognized the requirement for security measures but chose not to implement them.
Ÿ Recognized the need for the security measures but did not seek the funds to meet the minimum security requirements.
In one instance, the IRS planned and constructed a new
district office facility. Support
Services designed the construction of the computer room using the IRS’
requirements for an “equipment room.”
This design did not meet the minimum requirements for computer room
operations as prescribed in the IRM. The
controls that are required for computer rooms but not equipment rooms include
slab-to-slab wall construction, a fire detection system, deadbolt locks, secure
hinges, and drainage. The equipment room
controls were not sufficient to protect the district’s information systems equipment
and data from theft, alteration, or damage from unauthorized access, fire, or
environmental problems.
IRS management’s reasons for the constructed design were
cost considerations and an absence of a complete understanding of the purpose
of the minimum physical security requirements for a computer room.
In another instance, a
district office was not aware of basic controls, such as restricted access to
the tape library and proper routing of water pipelines. Although these controls are detailed in the
IRM, neither the district IS function security analyst nor the Support Services
branch chief had knowledge of the current requirements.
Physical
security exposures exist in the IRS’ information systems as a result of
noncompliance with established guidelines.
Compliance with policies,
procedures, and guidelines by the IRS’ organizational components can help:
Ÿ Sustain operations.
Ÿ Account for, protect, and optimize the IRS’ use of available information systems hardware.
Ÿ Maintain current systems and plan and model future systems.
Ÿ Provide administrators and users an adequate understanding of security requirements to help ensure the integrity of the systems and data.
Appendix V presents a table of the specific security exposures identified during this review. The table presents the security weaknesses (exposures) by IRS facility type and responsible operating and/or support function.
Access Controls Issues
Physical access controls restrict the entry and exit of personnel, equipment, and magnetic media. These controls restrict access to areas such as computer rooms, tape libraries, or rooms containing local area network file servers.
Physical access security is the
ability to grant selective physical access to specific personnel at certain
times and deny access to all other personnel at all times.
The IRS needs to consistently implement the following physical access controls over information systems facilities:
Ÿ Proper construction of doors (including appropriate signs), locks, hinges, and walls will improve security over access to computer facilities. Information systems equipment, including file servers, should be located in areas where access is restricted.
Ÿ Computer room entrance logs should be used by all persons without card key access and should include dates and times of all persons entering the facility. If a questionable event requires identifying the potential participants involved, records of presence in the computer room allow for accountability of personnel.
Ÿ
Adequate
control and accounting of entrance cards, keys, and door combinations will help
ensure only appropriate personnel
access computer facilities. Also, only
personnel with a need to access the facility should have entrance cards, keys,
or combinations (keys should not be on the
facility-wide key access system, i.e., “master key system”). Unused equipment
should be removed from computer rooms to further reduce a need for access.
Consistent implementation of
controls over physical access to computer rooms and supporting facilities will allow the IRS to meet minimum
physical security requirements by restricting access to only authorized staff
with an official business need.
Fire
Protection Issues
It is important to evaluate the
fire safety of buildings that house information systems. Smoke, corrosive gases, and high humidity
from a localized fire can damage information systems throughout an entire
building.
Fire, along with the resultant damage caused by fire
extinguishing procedures, is one of the most common causes of damage to
information systems equipment and data.
The IRS needs to consistently implement the following fire protection
measures for information system facilities:
Ÿ
Clear
and adequate fire extinguishing and evacuation instructions should be posted in
strategic locations to assist personnel in the event of a fire.
Ÿ
Computer
room fire detection systems should include properly placed smoke and heat
detection devices. Fire alarm pull boxes
should be appropriately placed.
Ÿ
Computer
room automatic fire extinguishing systems should be modified to dry pipe
systems (sprinkler system water pipelines that do not hold standing water) and
should be tested periodically by the manufacturer or service representative.
Adhering to fire protection requirements will help ensure the safety of employees, information systems, and data. Following these requirements will also promote continuity of operations and service.
Failures of electric power, heating and air
conditioning systems, water, sewage, and other utilities will usually cause a
service interruption and may damage hardware.
Ÿ
Preventive
maintenance, cleaning, and inspection of computer equipment and facilities
should be performed routinely.
Documentation of these actions should also be maintained.
Ÿ
Thermometers
and humidity indicators should be installed and monitored to identify
unsuitable temperature and humidity levels.
A trained person should monitor these instruments on a routine
basis. Also, the temperature range of
communication wire closets (also called Intermediate Distribution Facilities)
should be the same as the adjacent office space at all times.
Ÿ
Computer
rooms should be constructed to prevent water damage. Overhead water and steam pipes should not be
present, waterproof protective covers for computer equipment should be readily
accessible, and computer room drainage should be sufficient to protect the
entire room.
Adhering to
environmental control requirements will help promote continuity of operations
and service.
Magnetic Media Management Issues
Information systems capture electronic data on magnetically charged disks and tape, commonly referred to as magnetic media. Effective media management ensures accountability and accessibility of disks and tapes to operate the IRS’ information systems. Back-up media are critical to continue operations in situations ranging from a minor loss of information to a disaster recovery predicament. The facility needs the back-up media from off-site storage to resume operations.
Following its own procedures would help the IRS ensure efficient and
effective magnetic media management.
Without proper media protection, critical information could be lost and recovery time would significantly increase. In addition, the back-up media may contain sensitive taxpayer data, which, if not controlled, could be compromised.
The IRM includes procedures for managing magnetic media through several Tape Management Systems and for conducting tape inventory validations. The inventory process includes reporting inventory results to the IRS National Office Field Systems and Support Branch. This process includes reconciling and resolving inventory discrepancies and performing vulnerability studies for missing tapes.
Management should follow prescribed
procedures for accounting for and storing magnetic media, including back-up
tapes.
To meet their prescribed procedures, management needs to ensure the following controls are consistently implemented.
Ÿ The magnetic media inventory should properly account for all tapes in libraries. Inventory systems varied from an absence of a system to ineffectively or improperly managed systems.
Ÿ Access to the tape libraries should be restricted to only those with a need for access. Access to the tape library was not always restricted; therefore, anyone with access to the area had access to the tapes. Access to the tape library should be restricted to prevent unauthorized access to taxpayer information.
Ÿ All back-up media should be accounted for and properly stored. Specifically, back-up tapes were not properly secured in all locations reviewed. Some locations did not send the back-up tapes to off-site storage. And, in one location, the off-site facilities’ environmental conditions did not ensure adequate tape protection.
Ÿ Back-up tapes should be created at planned times. At one location reviewed, IS management did not always ensure that they created back-up tapes for all systems. Also, back-up media should be scheduled for disposition and replacement to reduce the potential of data errors due to decay of the media. By not tracking the tapes’ age, offices cannot plan for disposition and replacement of the back-up tapes. As a result, offices may encounter data retrieval failure because the aged tape no longer works.
With the proper controls in place, magnetic media back-up information will be available when needed, and the information stored on the media will be safeguarded against unauthorized disclosure.
The Chief Information Officer, in conjunction with other IRS executives and field managers, should ensure that minimum physical security requirements for information systems operations are met in the IRS’ facilities.
1. The executives need to take steps to address the specific weaknesses identified in this report. They also should perform reviews in all IRS locations to assess the state of physical security and take steps to reduce similar exposures in those locations. This will require IRS management to prioritize the need to reduce these exposures, including seeking and obtaining funds to correct the weaknesses.
In performing these reviews and prioritizing the corrective actions necessary to address security weaknesses, IRS management needs to consider the risks and assume responsibility if they do not take corrective actions. To implement these activities, we suggest that:
- The IS, Support Services, and Compliance functions use existing guidelines and controls to review the state of physical security in their facilities and implement their respective requirements for physical access, fire protection, and environmental controls.
- The IRS’ organizational components follow existing procedures for properly storing magnetic media and for conducting tape inventory validations. (The inventory process includes reporting inventory results to the IRS National Office Field Systems and Support Branch. This process includes reconciling and resolving inventory discrepancies and performing vulnerability studies for missing tapes.)
Management’s Response: The IRS’ Office of Security and Privacy Oversight has designated its Director of the Office of Security Evaluations and Oversight to work in conjunction with other IRS executives to establish minimum physical security requirements for information systems operations at all IRS facilities.
The Office of Security Evaluations and Oversight currently performs about 150 reviews at various facilities each year. This office is acquiring contractor support to help with its effort. These security efforts will not focus on visiting the over 1,000 IRS facilities in the short term. Instead, the IRS will work issues in a facility-type approach. This approach intends to initiate facility-wide improvements.
The IRS is also making a large financial commitment to maintain its efforts. It is working with the Department of the Treasury and its bureaus to obtain additional security funds for critical infrastructure protection. To date, however, the IRS has not identified any additional funding sources.
2. The executives need to use the SSE to evaluate the progress the IRS has made in meeting plans to reduce or eliminate the identified exposures.
Management’s Response: The Office of Security Evaluations and Oversight currently performs about 150 reviews at various facilities each year. As part of these reviews, it conducts follow-up reviews to assess the progress that sites make to reduce identified risks. It also conducts problem-solving visits to work with local staff to develop corrective actions for unresolved risks.
Practical computer security is a
series of actions and counteractions of attacks and defenses.
The IRS should implement policies and controls to provide consistent security measures throughout its operations. Without adequate physical control safeguards, the IRS risks security breaches, such as:
Ÿ Loss or destruction of assets (hardware, software, and data).
Ÿ Theft or misuse of assets (hardware, software, and data).
Ÿ Introduction of undesirable software or programs.
Ÿ Interruptions in the continuity of operations and service.
Vigilance in implementing and maintaining this security program will help ensure the IRS meets its mission by protecting its physical and financial resources, reputation, legal position, employees, and other tangible and intangible assets.
Implementation of our recommendations could reduce: 1) delays in processing and collecting taxes; 2) opportunities to manipulate or destroy program data; 3) opportunities for theft; and 4) the risk of improper use or disclosure of sensitive taxpayer data.
Appendix I
Detailed Objective, Scope, and Methodology
The overall
objective of this review was to assess the adequacy of physical security safeguards
used to assure sufficient security for the Internal Revenue Service’s (IRS)
information systems and sensitive data.
To accomplish our objective, we:
Ÿ
Analyzed the development and communication of IRS policies and guidelines
related to physical security.
Ÿ
Reviewed the IRS’ information systems oversight of physical security,
including reviews performed by the Office of Security Standards and Evaluation.
Ÿ
Performed tests and observations of physical security controls in the IRS
facilities identified below.
We performed these reviews in the following types of
IRS facilities:
Ÿ Computing Center - 1
Ÿ
Ÿ
Ÿ
Ÿ District Office Headquarters - 3
Ÿ District Office Post of Duty (with computer room) - 3
Ÿ District Office Post of Duty (without computer room) - 13
IRS Facilities Reviewed:
Ÿ
Computing Center:
Ÿ
-
Lamar
site -
Mendenhall
site -
Ÿ
Ÿ District Office: Los Angeles District
-
District Office Headquarters:
- District Office Posts of Duty (without computer room):
Ÿ District Office: Manhattan District
-
District Office Headquarters: Downtown
- District Office Post of Duty (with computer room):
Midtown
- District Office Post of Duty (without computer room):
Bronx -
Ÿ District Office: Southwest District
-
District Office Headquarters:
- District Office Posts of Duty (with computer room):
Las Vegas,
Nevada
Albuquerque, New Mexico
- District Office Posts of Duty (without computer room):
Northwest Phoenix, Arizona Reno, Nevada
Tempe, Arizona Santa
Fe, New Mexico
Tucson, Arizona
I. To identify current guidelines and standards for federal government information systems, we reviewed and analyzed the following documents containing industry/government information systems security standards:
Ÿ Office of Management and Budget Circular A-130 - Management of Federal Information Resources.
Ÿ
National
Ÿ Department of Justice’s “Vulnerability Assessment of Federal Facilities”
Ÿ Institute of Internal Auditors’ “Systems Auditability and Control”
Ÿ Information Systems Security Procedural Guide (IRS Document 9627)
Ÿ IRS Windows NT Security Guidelines
Ÿ Consolidated Physical Security Standards for IRS Facilities
Ÿ The Internal Revenue Manual
II. To determine the effect of the absence of development or communication of computer security policies and guidelines, we evaluated the effectiveness of physical security controls in computer facilities. To accomplish this, we:
A. Evaluated controls in place to reduce the potential for the damage or theft of data and equipment and determined if existing physical security policies and procedures were adequate.
B. Reviewed local security procedures and interviewed responsible security managers to ascertain the adequacy of local physical security policies and procedures.
1. Ascertained whether the Information Systems function maintained a catalogue of current information systems policies and procedures (or equivalent) including whether there were documented written procedures in effect to prevent unauthorized persons from gaining access to computer facilities.
2. Obtained site maps, interviewed local security managers, and toured sites to locate and observe all computer-related facilities in the sites, including computer rooms, telecommunications closets, and utilities access points, and evaluated the adequacy of local physical security controls in use.
3. Interviewed security managers and reviewed local procedures to evaluate the adequacy of fire protection systems.
4. Determined whether environmental equipment was adequate to protect computer hardware from damage.
5.
Reviewed
back-up power supply documentation to determine if it had been tested and met
criteria to be of adequate size to power-up critical systems and resume
operations of: computer systems, emergency back-up lights, and any other
relevant equipment or facilities.
6. Interviewed local security managers, obtained and reviewed local procedures, and observed tape library area to evaluate security controls over managing tape libraries.
C.
Obtained and reviewed local data back-up
procedures, interviewed security managers, and observed data back-up storage
facilities. Evaluated the controls
implemented to ensure data file back-up
procedures effectively protected and prevented the loss of data.
D. Interviewed security managers, reviewed local application control procedures, and obtained local inventories/listings of both authorized and installed applications to evaluate application controls.
E. Obtained local security incident handling procedures and interviewed security managers to determine whether controls had been implemented to effectively identify and respond to security-related incidents.
Appendix II
Scott E. Wilson, Associate Inspector General for Audit (Information Systems Programs)
Scott A. Macfarlane, Director
Stephen Mullins, Director
Edward Neuwirth, Audit Manager
Eulala Davis, Senior Auditor
Glen Rhoades, Senior Auditor
Michael Garcia, Auditor
Beverly Tamanaha, Auditor
Louis Zullo, Auditor
Appendix III
Deputy Commissioner Operations C:DO
Chief Information Officer IS
Chief Management and Finance M
Chief Operations Officer OP
Assistant Commissioner (Criminal Investigation) OP:CI
Assistant Commissioner (Information Systems Field Operations) IS:FO
Assistant Commissioner (National Operations) IS:O
Assistant
Commissioner (
Security Standards and Evaluation Office IS:E
National Director for Legislative Affairs CL:LA
Appendix IV
Cipher
Lock - A combination door lock
used to restrict access.
Dry
Pipe System - A sprinkler system
employing automatic sprinklers attached to a piping system containing air or
nitrogen under pressure, the release of which (from the open sprinklers)
permits the water pressure to open a valve known as a dry pipe valve. The water then flows into the piping system
and out the opened sprinklers.
File Server - A high-speed computer in a network that stores the programs and data files shared by users. It acts like a remote disk drive. The difference between a file server and an application server is that the file server stores the programs and data, while the application server runs the programs and processes the data.
Intermediate Distribution Facility (IDF)
- A telecommunications closet set aside for
housing telecommunications equipment, cable and fiber terminations, and related
cross-connections.
Local Area Network (LAN) - A communications network that serves users
within a confined geographical area. It
is made up of servers, workstations, a network operating system, and a
communications link.
Logical Access Security - Logical security includes software-based security provisions and the supporting policies, organization, and procedures to protect computer-based data from unauthorized destruction, manipulation, or disclosure.
Magnetic Media - Magnetically charged disks and tapes on which information systems data is captured and stored.
Main Distribution Facility (MDF) - An equipment room in a centralized space which houses communications (voice and data) common equipment, serving the occupants of the space.
Network - A network is composed of communications media and all components attached
to them. These components may include
computers, routers, multiplexers, switches, transmission systems, and
management and support services.
Operational and
Physical Security - Operational
security and physical security include established control structures that
effectively manage and protect the integrity, confidentiality, and availability
of information systems data and resources.
Restricted Access - Access
is restricted to those persons who, due to their official duties and/or
responsibilities, have a need for such access.
Secure Hinges - A door
hinge modified with a pin to prevent removal.
Telecommunications
Security - Telecommunications security
includes not only the technology supporting the communication, but also the
people, policies, and procedures that are critical to the success of
telecommunications.
Users - People or
processes accessing an automated information system either by direct
connections (i.e., via terminals) or indirect connections.
Appendix V
The following table depicts the specific security exposures identified in the Internal Revenue Service (IRS) facilities visited. The table presents the:
·
Security
Exposure
·
Type
of Facility Which Had the Exposure
· The IRS Function Responsible for Managing the Risk Associated with the Exposure
· Reference to the Guideline/Criteria for Providing Adequate Measures to Provide Information Systems Security
The table includes the following abbreviations:
IRM - Internal Revenue Manual
TD - Treasury Directive
POD - Post of Duty
IDF - Intermediate Distribution Facility
NIST - National
MDF - Main Distribution Facility
IIA -
Doc 9399 - Information Systems Operations and Support Procedures
|
IRS FACILITY |
RESPONSIBLE FUNCTION |
REFERENCE |
|||||||||
|
|
Computing Center |
|
District Office |
Post of Duty |
Information Systems |
Support Services |
Examination |
Collection |
Appeals |
Criminal Investigation |
|
|
PHYSICAL SECURITY |
|
|
|
|
|
|
|
|
|
|
|
|
Access to
Facility: |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Deadbolts were not installed for use during non-duty
hours. |
|
|
X |
X |
X |
X |
|
|
|
|
TD P 71-10, VI-6.B.3 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Hinges were located on the outside of the entrance
and were not modified to preclude removal. |
|
|
X |
X |
X |
X |
|
|
|
|
TD P 71-10, VI-6.B.3 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The computer room or IDF
walls were not slab-to-slab. |
X |
|
X |
X |
X |
X |
|
|
|
|
TD P 71-10, VI-6.B.3 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The computer room entrance
log was not used regularly and properly controlled for personnel who did not
have card key access. |
|
|
X |
X |
X |
|
|
|
|
|
IRM 1.16.8.2.7.0 (2)a & |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Access to Facility: |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Entrances to IDFs were not
locked when they were not in use. |
|
|
|
X |
X |
X |
|
|
|
X |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Entrance cards/keys/combos
were not properly controlled and accounted for. Computer room/IDF locks were accessible by
master keys. |
X |
X |
X |
X |
X |
X |
|
|
|
|
IRM 1.16.8.4.9.4 (1), (9)a
& |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Entrance cards/keys/combos
were not restricted to only those with a need to access the facility. |
|
|
X |
X |
X |
X |
|
|
|
|
IRM 1.16.8.4.9.4 (1), (11)
& |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Access to Facility: |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Access to computer rooms was
not monitored to determine levels of usage and continuing need for access. |
|
|
X |
X |
X |
X |
|
|
|
|
TD P 71-10, VI-6.B.3 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Equipment not in use was
warehoused in the computer room or IDF. |
X |
|
X |
X |
X |
X |
X |
|
|
|
IRM 1.16.8.1.6.0 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The access card system does
not provide a listing of employees with a need for computer room/tape library
access; the manual list was not kept current. |
|
|
X |
|
X |
X |
|
|
|
|
TD P 71-10, VI-6.B.3 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Access to Facility: |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The cipher lock to the IDF
does not use at least four numbers. |
|
|
|
X |
|
X |
|
|
|
|
TD P 71-10, VI-6.B.3 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
POD IDF keys were not
restricted to only those with a need to access the facility. |
|
|
X |
|
X |
|
|
|
|
|
IRM 1.16.8.4.9.4 (1), (11)
& TD P 71-10, VI-6.B.3 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The file servers and
communications equipment were located in open workspace where access cannot
be restricted. |
|
|
X |
X |
X |
X |
|
X |
X |
X |
IRM 2.1.10. 4.6(12) |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Access to Facility: |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The entrances to communication
equipment rooms were labeled. |
|
|
X |
X |
X |
X |
|
|
|
|
Consolidated Physical
Standards for IRS Facilities pg. III - 37 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Fire Protection: |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Clear and adequate fire
instructions were not posted in strategic locations. |
X |
X |
X |
X |
X |
X |
|
|
|
|
IRM 1(16)23 Sub.622 (1)(a), (2) & (3) |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
There were no smoke or heat
detectors in the computer room. |
|
|
X |
|
|
X |
|
|
|
|
IRM 2.1.7.2.5.2 &
2.1.10.6.7.1; NIST 3.10 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Fire Protection: |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
There were no smoke
detectors above the suspended ceiling in the computer room. |
X |
X |
X |
X |
X |
X |
|
|
|
|
IRM 1.16.8.2.10.0 (3)k,
& 1(16)41 Sub. 252 (2)(k) |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Computer room/MDF did not
have pull boxes to activate fire alarms. |
X |
X |
|
|
|
X |
|
|
|
|
IRM 1(16)41 Sub. 252 (2)(b) |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The computer room fire
extinguishing system was not periodically tested. |
|
|
|
X |
|
X |
|
|
|
|
IIA 9-28 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Fire Protection: |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The sprinkler system in the
computer room was not a dry pipe system. |
|
|
X |
|
X |
X |
|
|
|
|
IRM 2.1.10. 4.6(10); Western
Region Voice & Data Com-munications 6/16/98 p.4; IIA 9-26 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Waterproof protective covers
for computer equipment were not available. |
X |
X |
X |
X |
X |
X |
|
|
|
|
IRM 1(16) 23 Sub. 622 (1)(b)
& 1.16.8. 2.10.0 (3)j |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Environmental Controls: |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The computer rooms and IDFs
were not kept clean. |
|
|
X |
X |
X |
X |
|
|
|
|
IRM 2.1.7.2.5.1 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The computer room and MDF
humidity alarms were not activated. |
X |
X |
|
|
X |
X |
|
|
|
|
IRM 2.1.7.2.5.2 & 1.16.8
Section 2.10.0 (3)o |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Thermometers and humidity
indicators were not monitored on a routine basis. |
|
|
|
X |
X |
X |
|
|
|
|
IRM 2.1.7.2.5.2(1); Western
Region Voice & Data Com- munications 6/16/98 p.3 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Environmental Controls: |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
There was no drainage system
in the computer room. |
|
|
X |
X |
X |
X |
|
|
|
|
IRM 1(16)41 Sub. 252(2)(k) |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The temperature range of
IDFs was not the same as the adjacent office space. |
|
|
X |
X |
X |
X |
|
|
|
|
Western Region Voice &
Data Com- munications 6/16/98 p.3 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The computer equipment was
not subject to preventive maintenance, cleaning, and inspection. |
|
|
|
X |
X |
|
|
|
|
|
IIA 4-36 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Hazardous utilities
(overhead water pipes) were present. |
|
|
|
X |
|
X |
|
|
|
|
IIA 9-26 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Magnetic Media Management: |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Managers did not ensure that
all media were properly stored. |
|
X |
X |
X |
X |
|
|
X |
X |
X |
IRM 2.1.10.6.8.2.2 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Access to the tape library
was not restricted. |
|
|
X |
X |
X |
|
|
|
|
|
IRM 1.16.8.2.10.5 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Managers did not ensure that
all magnetic media were accounted for. |
X |
|
X |
X |
X |
|
|
|
|
|
IRM 2.1.10.6.8.2.2 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Back-up tapes were not run
at planned times. |
|
|
|
X |
X |
|
|
|
|
|
IRM 2.1.10.6.8.2.2 (1) |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Magnetic Media Management: |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The magnetic media inventory
system does not properly account for tapes returned from back-up storage
facilities. |
X |
|
|
|
X |
|
|
|
|
|
IRM 2.1.8.4.2.1 (1); Doc.
9399 pg. 15 & 17 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Environmental controls at
the |
|
|
X |
|
|
X |
|
|
|
|
IRM 2.1.8.6.4 (4) & (5) |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Back-up media were not
scheduled for disposition and replacement to reduce the potential of data
errors due to degradation. |
|
|
X |
X |
X |
|
|
|
|
|
Doc. 9399 pg. 25 |
|
|
|
|
|
|
|
|
|
|
|
|
|
Appendix VI
The response was removed due to its size. To see the response, please go to the Adobe
PDF version of the report on the TIGTA Public Web Page.
[1] Internal Revenue Service Restructuring and Reform Act of 1998, Pub. L. No. 105-206, 112 Stat. 685 (1998)