TREASURY INSPECTOR GENERAL
FOR TAX ADMINISTRATION
COMPUTER SECURITY CONTROLS SHOULD BE STRENGTHENED IN THE HOUSTON DISTRICT
Reference No. 2000-20-106
Advances in information technology have caused the daily activities of the Internal Revenue Service (IRS) to become increasingly automated and inter-linked. These advances, while improving efficiency, have also increased the risk that hackers or dishonest employees could misuse taxpayer data. Recent events have demonstrated the risk of hackers gaining inappropriate access to other government agencies and private businesses. Malicious acts by employees present an even greater risk since they already have access to data via networks. The Houston District has over 800 employees connected to its Windows NT local area network (LAN), approximately 150 of whom have access to taxpayer information through the Examination Returns Control System (ERCS).
The overall objective of this review was to determine whether the Houston District has effective security controls over its computer systems to safeguard information against unauthorized access or use, disclosure, damage, modification, and loss. We reviewed controls over the Districtís LAN with emphasis on the ERCS to help define our scope and demonstrate the impact of security weaknesses. This review was part of a series of reviews initiated to assess the overall effectiveness of security controls over the IRSí information systems.
The District has various computer security controls in place which reduce the risk, to some degree, of unauthorized access and destruction of data. For example, logical access controls, such as user identification and passwords, were properly set up at the minicomputer and LAN level, and logical access to sensitive system areas, such as the ERCS, was correctly limited. In addition, physical access to the working area and computer facilities was properly restricted. However, additional steps in the following areas can further strengthen the computer security program.
Strengthening User Account Management, Security Surveillance, and Physical Security Controls Can Achieve a Higher Level of Security
Following prescribed controls can reduce information systems security weaknesses in the following three areas:
Acting managers were given ERCS approval authority for periods longer than needed, increasing the risk that they could approve inappropriate actions on their own work. In addition, three users who had access to the LAN, but not to the ERCS, were not removed promptly from the LAN after they had left the IRS. We did not identify any inappropriate activity by these three users.
Summary of Recommendations
The Chief Information Officer and IRS executives responsible for systems in the Houston District need to take steps to address the specific weaknesses identified in this report. Actions management should take include: allowing only appropriate system permissions and monitoring the use of the permissions; ensuring system access is promptly removed for departing employees; training and monitoring responsible employees on performing audit trail reviews; and reinforcing backup tape inventory controls.
Management's response was due on July 10, 2000. As of July 18, 2000, management has not responded to the draft report.