Executive Summary

Objective and Scope

Background

Results

Conclusion

Appendix I – Detailed Objective, Scope, and Methodology

Appendix II – Major Contributors to This Report

Appendix III – Report Distribution List

Appendix IV – Management’s Response to the Draft Report

Executive Summary

The Internal Revenue Service’s (IRS) Office of Research conducts analyses to identify tax noncompliance issues, root causes for the issues, and practical approaches to modify non-compliant behavior. To perform their jobs, Office of Research employees have access to millions of taxpayer records. Assuring the security of these records is important to avoid unauthorized disclosure, misuse or loss of taxpayer data. The objective of this review was to determine if the Office of Research adequately safeguarded taxpayer data used in research efforts.

We identified three security issues in the Office of Research where taxpayer data was not adequately secured against the risks of unauthorized disclosure, misuse, and loss. During our review, we became aware of potential inappropriate accesses to computer workstations at one Office of Research site that could have led to the theft or improper disclosure of taxpayer data. These access attempts are being investigated by the Treasury Inspector General for Tax Administration’s Office of Investigations.

Approvals ensure that research plans have adequately presented detailed project information, including data needs and security. Over half of the projects we reviewed did not have proper approvals from the responsible executive as required, yet employees working those projects obtained taxpayer data.

Access controls provide assurance that those without authorization are not allowed access to sensitive data. Office of Research sites had security weaknesses that hindered their ability to limit access to taxpayer data on a need-to-know basis.

The main detection control available on computer systems is the audit trail, which provides a track record of key accesses to taxpayer files. Office of Research sites were not consistently activating and reviewing audit trails, and, in some cases, did not maintain adequate separation of duties for adding, deleting or modifying data on the research systems.

To reduce the risk of unauthorized disclosure, misuse, and loss of taxpayer data, we recommend that all requests for taxpayer data be approved, as required. We also recommend that access to taxpayer data used in research be limited and monitored.

Management’s Response: IRS management generally agreed with our findings and recommendations. The modernization of the Office of Research and the centralization of the Information Systems Division affected the implementation of some of the corrective actions. In light of the modernized Research offices, the policies and procedures that address our findings will be carried over into the Operating Divisions, which will take over jurisdiction of the various District Office Research and Analysis sites throughout the country. In addition, a newly created council will provide oversight and coordination over the implementation of corrective actions.

Management’s complete response to the draft report is included in Appendix IV.

Office of Audit Comment: While we concur with all of the corrective actions, we do not agree that four of the seven corrective actions have been completed, as reported in management’s response. The corrective actions cited generally describe actions and events that will occur in the future versus actions that have already been implemented.

Objective and Scope

The objective of our review was to determine whether the Internal Revenue Service’s (IRS) Office of Research adequately safeguarded taxpayer data used in research efforts. Taxpayer data consisted of Taxpayer Identification Numbers (TIN), taxpayer names, taxpayer addresses, and tax practitioner TINs.

We conducted our review from October 1999 to May 2000 in the Office of Research headquarters in Washington, D.C., and District Office Research and Analysis (DORA) sites in Atlanta, Fort Lauderdale, Los Angeles, and St. Louis. This audit was performed in accordance with Government Auditing Standards.

Details of our audit objective, scope, and methodology are presented in Appendix I. Major contributors to this report are listed in Appendix II.

Background

At the time of our review, the IRS’ Office of Research employed over 370 employees located in its headquarters office and 33 supporting DORA sites. Its mission is to contribute to improving voluntary compliance by conducting data-driven research to identify tax noncompliance issues, root causes for those issues, and practical actions to modify non-compliant taxpayer behavior. To perform their jobs, Office of Research employees have access to millions of taxpayer records.

In 1998, the IRS began taking actions to modernize the way it does business so it can provide taxpayers top quality service. This required fundamental changes in almost all aspects of the IRS, including its research activities. One of the first changes made was to the name of the organization from Compliance Research to the Office of Research. This better reflected the expansion of focus from taxpayers’ compliance treatments to other forms of solutions (e.g., electronic tax administration and customer service). While all plans have yet to be finalized for the Office of Research, preliminary plans have the DORA sites being embedded into the four Operating Divisions and one National Headquarters site. The specific roles and responsibilities have yet to be determined. Because the IRS has not finalized the role of the Office of Research, our audit results were based on its current structure.

Results

Actions need to be taken to improve the security of taxpayer data used by the Office of Research. Employees obtained taxpayer data without proper approvals, access to the data was not always properly restricted, and controls to detect unauthorized accesses were not always followed.

By tightening the security controls surrounding the use of taxpayer data, the IRS will be able to provide more assurance to the public that taxpayer data used in research efforts are properly approved and sufficiently secured to minimize the risk of unauthorized disclosure, misuse, and loss.

Office of Research Employees Obtained Taxpayer Data Without Receiving Proper Approvals

The Office of Research requires approvals of research plans to ensure they address the objective, methodology, data needs, anticipated benefits, budgetary constraints, milestones, and privacy and security issues for each research project. Currently, projects that are national in scope require the approval of the Director, Office of Research, or Assistant Commissioner (Research and Statistics of Income), and projects that are local in scope require the District Director’s approval. The Director, Office of Research, issued a memorandum in March 1999 to DORA Chiefs on the approval process to reinforce the established procedures.

The 30 projects we selected used taxpayer data from 14.8 million taxpayers and consisted of 22 national and 8 local projects. For purposes of this test, we excluded 7 of the 22 national projects. One of the 7 was still in the development stage, and 6 of the projects were related and did not need separate approvals. Eight of the remaining 15 national projects had not been approved by the Director, Office of Research, or the Assistant Commissioner (Research and Statistics of Income), and 4 of the 8 local projects had not been approved by the District Director.

Even without the proper approvals for the 12 projects above, DORA employees obtained over 5.9 million taxpayer records from other divisions in their local offices and in the National Office to proceed with their work.

There are inherent risks in using taxpayer data, such as unauthorized disclosure, misuse, or loss of that data. By not following established guidelines, the vulnerability to these risks increases.

These conditions occurred because managers and employees did not give sufficient weight to obtaining proper authorization for using taxpayer data. Also, the Office of Research had no central control to ensure approvals were received. Local projects were not controlled on the national inventory of projects, which prevented headquarters management from being aware of what projects were ongoing and what kinds of data were being used.

1. The Assistant Commissioner (Research and Statistics of Income) should assign accountability to an official as the approving authority over all research projects. In light of the IRS modernization, the appropriate Director over the research function in each Operating Division should implement this recommendation.

Management’s Response: The guidance policy currently in place will likely be carried over into the modernized Research program. Within each Operating Division, field Research managers will report directly to senior Research management, ensuring these policies are observed. The modernized Research program includes both a Senior Management Council and a Research Data and Technology Council to oversee and coordinate these efforts.

Office of Audit Comment: While we agree with management’s corrective action on this recommendation, we do not agree that this corrective action has been completed, as cited in their response. Completion of this corrective action will occur when policies and procedures have been established for the four Operating Divisions’ Research functions and when a single point of authority has been assigned accountability over the approval process.

2. The Assistant Commissioner (Research and Statistics of Income) should ensure that DORA employees do not receive data with taxpayer identifiers from other IRS functions without the appropriate approval. Managers and employees obtaining data without appropriate approvals should be referred to the Treasury Inspector General for Tax Administration’s (TIGTA) Strategic Enforcement Division for investigation of potential violations of the statutory rules governing unauthorized access and inspection of taxpayer records by IRS employees (referred to as UNAX).

Management’s Response: Giving the Chief Information Officer (CIO) and the Information Systems (IS) Organization sole control over information technology resources will substantially remove the likelihood of "back-door" data acquisition. The Research Data and Technology Council will develop specific procedures for ensuring compliance with data acquisition policies.

Office of Audit Comment: While we agree with management’s corrective action on this recommendation, we do not agree that this corrective action has been completed, as cited in their response. Completion of this corrective action will occur when specific procedures for ensuring compliance with data acquisition policies have been developed and implemented in each Operating Division.

3. The Director, Office of Research, should ensure all local projects are added to the national inventory of projects. By adding local projects to the national inventory, headquarters management would be aware of what projects were ongoing and what kinds of data were being used. Another benefit would be to reduce the potential duplication of effort among projects. In light of the IRS modernization, the appropriate Director over the research function in each Operating Division should implement this recommendation.

Management’s Response: The modernized Research design will substantially reduce the volume of local projects, thus ensuring that all projects will be national in scope and included in each Operating Division’s national inventory of projects.

Office of Research Management Did Not Always Properly Restrict Access to Taxpayer Data

Access controls provide assurance that those without authorization are not allowed access to sensitive data. Guidance on IRS system security comes from the Internal Revenue Manual (IRM) section on Data Processing Services and the IRS’ Office of Security, Evaluation and Oversight.

Access to taxpayer data on Office of Research computer systems was not sufficiently limited to those who needed it. The importance of access controls was illustrated when, during our review, 1 DORA site identified approximately 21 failed attempts to access several computers. The attempts were made from other IRS offices and were suspicious enough that DORA referred the incidents to TIGTA’s Office of Investigations for further investigation. This indicates that unauthorized access attempts do occur and proper security settings can be critical in protecting taxpayer data. The conditions cited below increase the risk of unauthorized disclosure, misuse, and loss of taxpayer data.

• The Office of Research allowed employees in its headquarters office to use non-standard operating systems on workstations connected to its network. Operating systems provide key controls to authenticate and identify users. The IRS’ standard operating system is Microsoft Windows NT. The non-standard operating systems included operating systems for Apple (Apple OS) and Sun Microsystems (Solaris) computers. There were at least 10 Apple computers in operation. Neither operating system had been evaluated for conformity to the level of security required for systems that process taxpayer information. The Department of the Treasury and the IRM requires that connectivity to any IRS system must be certified and authorized in writing to ensure that the connecting system will not degrade the security present on the host system.
• The Office of Research headquarters allowed some users to load applications on its workstations. For example, some employees had loaded their preferred versions of Microsoft’s Internet Explorer. The IRM requires only authorized personnel to load approved software on IRS systems. The risks of computer virus outbreaks and security breaches increase significantly when users are allowed to load their own software.
• One DORA site maintained a laptop computer that contained two operating systems, Windows NT and Windows 95. Because a user can access either operating system, the security benefits from Windows NT can be bypassed. Windows 95 cannot effectively prevent any user from accessing information stored on the computer.
• DORA employees in one site were given permissions to view and delete files of projects that they were not assigned to work. In addition, DORA network servers at two sites were not properly configured to require a certain password length and the frequency on how often a password must be changed. This would prevent unlimited attempts to access the system by unauthorized users. The Department of the Treasury and the IRS require that access to sensitive data be given only to authenticated users on a need-to-know basis.
• Two separated employees still had access to the Office of Research network and data because their user accounts were not disabled or deleted from the network after they left the Office of Research. However, neither had used the passwords to access the network after leaving. One of the two separated employees also had physical access to Office of Research workspace, including the computer room. This employee’s building access card, which was coded for access to Office of Research floors and the computer room, was not deactivated upon separation. We could not determine whether the employee accessed the computer room because access records were maintained for only a limited time.
• Back-up tape storage of Office of Research data did not properly limit access. The back-up tapes from two key databases and the headquarters office file servers were stored in a small, moveable combination safe in an unrestricted area at the IRS headquarters office. This area could be entered at seven doors, one of which was unlocked and used by several employees from other divisions.

The conditions cited above occurred because the Office of Research sites did not comply with IRS security procedures and other local guidelines. There were also inconsistencies from site to site on whether IS or DORA employees were responsible for administering DORA’s computer systems.

1. Office of Research management should ensure all security deficiencies are corrected. Specifically, they should:

• Ensure standardized operating systems and applications are installed and running on all Office of Research computer resources.
• Restrict user rights and permissions to match employee assignments and apply standard password configurations to Office of Research resource servers.
• Verify that separated employees have had their user accounts disabled or deleted, and that their building access privileges have been taken away.
• Improve physical security over their back-up tapes to ensure the tapes and the information on the tapes are secured and only accessible by authorized personnel.

Management’s Response: The Office of Research sites addressed many of these issues as they were identified during the audit. Furthermore, giving the CIO/IS Organization sole control over information technology resources will substantially address all of these issues. This will permit a uniform set of information technology standards to be applied to all Research systems.

1. Responsibility for managing the Office of Research’s computer systems should be transferred to the CIO. This would ensure more compliance with IRS security standards. IS currently has responsibility for administering virtually every other computer system in the IRS. Systems administrators reporting to the CIO should be held accountable for ensuring access control standards are followed.

Management’s Response: The IRS expects that giving the CIO/IS Organization sole control over information technology resources will substantially address all of these issues. System administrator responsibilities previously in the Office of Research will be transferred to the IS Organization on October 1, 2000.

Office of Research Management Did Not Always Follow Controls to Detect Unauthorized Accesses

Controls to detect improper accesses to computer systems consist of the activation of the audit trail function and review of audit trail information. Audit trails are historical records of key access control occurrences, such as who made the access, what they did, and when it occurred. Audit trails should be reviewed and analyzed regularly by an employee who does not have the capability to add, delete, or modify data on the system. The two places within the Office of Research where audit trails should be activated and reviewed are at the resource server and the workstation.

We identified two issues in regards to the audit trail function within the Office of Research.

• Audit trails were not consistently activated and reviewed from site to site. Audit trail reviews were conducted for both servers and workstations in two of five sites. One site had both audit trails activated, but only conducted reviews on the server. Another site activated and reviewed the audit trails at the workstation level, but did not activate the audit trail function at the server level. The remaining site had the function activated, but did no reviews.
• Employees who conducted audit trail reviews also had the ability to access, disable, and/or alter the audit trail logs in two sites that conducted audit trail reviews. These individuals were provided administrator privileges to perform other duties within the office.

These detection issues existed because Office of Research sites did not comply with IRS security procedures and other local guidelines. The importance of correcting the above conditions can be demonstrated through incident reports turned in by Office of Research sites where audit trail reviews were conducted. Out of the five sites we visited, three sites filed six incident reports, two for each site, that involved computer access attempts in the last three years. All incidents involved attempts to access DORA workstations by users who were not known by the DORA reviewers.

The incidents are summarized as follows:

• Repeated successful logons by an "Anonymous User" from another IRS office. The user had administrator rights, which allows for the addition, modification, and deletion of records. Based on the available information, we could not determine the specific actions the user had taken.
• Twenty-one failed access attempts on eight different workstations, as mentioned earlier. The attempts were made by three different non-DORA users from other IRS offices. These attempts were referred to TIGTA’s Office of Investigations for further review. These attempted accesses were adequately resolved.
• Twenty-three failed login attempts by an administrator on two different computers.
• Ten failed access attempts by non-DORA users.
• Ten failed access attempts by an administrator to the Compliance Data Warehouse (CDW).
• Unspecified number of failed access attempts to the CDW by an employee.

Because the Office of Research did not consistently review audit trails and because duties were not adequately separated, management could not state with confidence who had tried to access their system, what they did, and when.

6. Office of Research management should ensure the audit trail function is activated at the server and workstation levels at each site.

Management’s Response: The IRS expects that giving the CIO/IS Organization sole control over information technology resources will substantially address this finding. The Office of Research will apply appropriate uniform standards on activating audit trail features on all Research systems.

Office of Audit Comment: While we agree with management’s corrective action on this recommendation, we do not agree that this corrective action has been completed, as cited in their response. Completion of this corrective action will occur when the CIO establishes the uniform standard on enabling the audit trail functions and Research offices activate the audit trail features on all Research systems.

7. Office of Research management should assign the audit trail review duties to someone who does not have system administrator duties. In light of the IRS modernization, the appropriate Director over the research function in each Operating Division should implement this recommendation.

Management’s Response: The Research Data and Technology Council will develop specific actions to address audit trail reviews by Research managers.

Office of Audit Comment: While we agree with management’s corrective action on this recommendation, we do not agree that this corrective action has been completed, as cited in their response. Completion of this corrective action will occur when specific actions to address audit trail reviews have been developed and implemented in each Operating Division.

Conclusion

The Office of Research needs to improve security over taxpayer data. The use of millions of taxpayers’ records for research efforts inherently creates the risk for possible disclosure and misuse issues. When controls to minimize these risks are not followed, the IRS is unnecessarily exposed to these risks.

Detailed Objective, Scope, and Methodology

The objective of our review was to determine whether the Internal Revenue Service’s (IRS) Office of Research adequately safeguarded taxpayer data used in research efforts.

1. We determined if the Office of Research sites were using live taxpayer data (i.e., data containing taxpayer identifiers, such as Taxpayer Identification Numbers, names or addresses) in accordance with laws, regulations and policies.
1. We identified congressional concerns and IRS policies and current practices regarding the use of live taxpayer data and the conditions for using such data, with emphasis on taxpayer disclosure and privacy. We also identified public records related to the Office of Research function and any available public comments to Privacy Act notices, and compared the information to its current policies, procedures, and controls.
2. We determined whether the Office of Research headquarters office maintained a management information system for monitoring and controlling projects using live taxpayer data.
3. We determined if Office of Research sites maintained operational controls over projects to ensure the projects and the use of project data were properly authorized.
1. We requested District Office Research and Analysis (DORA) management’s assistance to identify 190 open projects where taxpayer identifiers were included as part of the projects’ data files. We stratified the projects by location to identify and select the sites with the highest number of projects, with the exception of the headquarters site. We visited five sites and reviewed 54 projects: Atlanta, Georgia (17 projects), Ft. Lauderdale, Florida (9 projects), Los Angeles, California (13 projects), St. Louis, Missouri (12 projects) and the Office of Research in Washington, D.C. (3 projects). We eliminated 24 of the 54 projects that were not conducted during Fiscal Years 1998 and 1999, did not actually contain taxpayer identifiers, or had taxpayer identifiers removed prior to use.
2. We interviewed Office of Research team members and reviewed the project plans, project prospectuses, and data certifications for the remaining 30 projects in our review. Because the 30 projects included 6 duplicate projects from 3 national strategies and 1 project in its developmental stages, we reviewed the 23 applicable projects for each item below:

• Whether taxpayer identifiers requested were essential for their analyses and were consistent with the project’s objective.
• Whether the request contained the proper approvals prior to the data being requested and received for analysis.
• Whether the data requested are permitted under privacy and disclosure guidelines.
• Whether the sites retained taxpayer data on their networks or individual workstations.
• The number of taxpayers and taxpayer accounts used for projects.

1. We determined if Office of Research sites were adequately configuring their automated information systems to maximize logical security for restricting access to taxpayer information. We conducted our reviews in the headquarters office in Washington, D.C., and DORA sites in Atlanta, Fort Lauderdale, Los Angeles, and St. Louis.
1. We evaluated access controls over computer systems and data containing taxpayer identifiers to ensure personnel were authorized access to such systems and data on a need-to-know basis.
2. We identified three current/active and all former employees (departing in 1998 or 1999) who had Office of Research automated information system access and determined if they still had a valid reason for the access.
3. We selected three available employees in each office and determined if their individual workstation security settings met standards and policies.
4. We determined if automated information systems, user passwords, rights, permissions, and privileges were configured to meet IRS and/or industry standard security settings on Windows NT.
5. We determined if automated information system operating system security configurations met IRS and/or industry security standards, including appropriate system access restrictions, file and application installation restrictions and directory/file level access restriction controls.
6. We assessed the administration and configuration of telecommunications security including, use of encryption, use of modems, and the use of remote access systems capabilities, and physical protection of data lines.
7. We assessed the use of automated information system audit trails.
1. We determined if audit trails were being effectively reviewed, and that any suspicious incidents were properly reported.
2. We determined if adequate separation of duties existed between administrators and audit trail reviewers.
2. We determined if the Office of Research sites maintained adequate security over their automated information system facilities to protect access to taxpayer information. We conducted our tests in the same offices as in step II above.
1. We interviewed local security managers, DORA and security services personnel, and conducted on-sight inspections of Office of Research facilities where taxpayer data are stored, including computer rooms and off-premises back-up tape storage areas, to assess the security level.
2. We reviewed Office of Research self-assessments on physical security to identify any control weaknesses.
3. We interviewed functional security coordinators and identified and reviewed one incident report which involved missing or stolen computer equipment within DORA sites to ensure that controls had been implemented to effectively identify and respond to security-related incidents.
4. We interviewed Information Systems support personnel, and observed data back-up procedures and storage facilities to identify control weaknesses.
1. We evaluated the controls implemented to ensure data file back-up procedures effectively protected against the loss of data.
2. We verified available documentation and inventory listings of back-up tapes stored off premises for accuracy and reliability.
3. We interviewed pertinent management and office personnel to determine the cause for and recovery of any omitted tapes.
5. We identified Office of Research personnel who had separated or transferred and who still had access to Office of Research space.

Major Contributors to This Report

Scott Wilson, Associate Inspector General for Audit (Information System Programs)

Stephen Mullins, Director

Kent Sagara, Audit Manager

Louis Lee, Senior Auditor

Bill Lessa, Senior Auditor

Abe Millado, Senior Auditor

Billy Benge, Auditor

Christina Johnson, Auditor

Midori Ohno, Auditor

Beverly Tamanaha, Auditor

Report Distribution List

Deputy Commissioner Operations C:DO

Chief Information Officer IS

Chief Operations Officer OP

Assistant Commissioner (Research and Statistics of Income) OP:RS

Deputy Chief Information Officer (Operations) IS

Director, Office of Research OP:RS:R

Office of Security and Privacy Oversight IS:SPO

Director, Office of Program Evaluation and Risk Analysis M:O

The Office of the Chief Counsel CC

The Office of Management Controls CFO:A:M

National Taxpayer Advocate TA

Director, Legislative Affairs CL:LA

Audit Liaisons:

Management’s Response to the Draft Report

The response has been removed due to its size. To see the complete response, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.