TD P 15-71

 

 

The Information Technology Services Organization Needs to Complete Its Business Resumption Planning

 

September 2003

 

Reference Number: 2003-20-220

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

 

Phone Number   |  202-622-6500

Email Address   |  TIGTACommunications@tigta.treas.gov

Web Site           |  http://www.tigta.gov

 


September 30, 2003

 

 

MEMORANDUM FOR CHIEF INFORMATION OFFICER

 

FROM: Gordon C. Milbourn III /s/ Gordon C. Milbourn III

Assistant Inspector General for Audit (Small Business and Corporate Programs)

SUBJECT: Final Audit Report - The Information Technology Services Organization Needs to Complete Its Business Resumption Planning (Audit # 200320032)

 

This report presents the results of our review of the Information Technology Services (ITS) organization’s efforts to develop business resumption plans to ensure it can effectively support the Internal Revenue Service’s (IRS) critical business processes and information systems following a disaster. Business resumption is the process of re-opening an organization’s components or business processes following a disaster. Business resumption planning is undertaken by organizations to provide employees with a documented set of actions to perform in the event of a disaster, enabling business processing to be resumed within critical time periods. The ITS organization will play a critical role in helping to recover IRS information systems and business operations in the event of a disaster at one or more facilities, and should have a specific business resumption plan to timely resume its own operations so it can support the IRS’ operations. As such, the ITS organization must be able to recover itself before it can support the information systems needs of its customers.

In summary, business resumption plans have been completed or are in development throughout the ITS organization. At the Atlanta and Memphis Submission Processing Sites,[1] the ITS organization’s End-User Equipment & Services function[2] completed business resumption plans that included sufficient direction to support the resumption of the critical systems we selected for review. These plans included procedures to:

-        Resume operations at an offsite location.

-        Reassign ITS employees to replace injured employees.

-        Acquire office equipment and supplies.

-        Designate damage assessment teams.

-        Notify other essential ITS offices and contractors.

-        Update the employee contact information.

Similarly, at the Laguna Niguel Territory Office’s End-User Equipment & Services function,[3] the business continuity plan included general procedures to resume operations at an offsite location, acquire office equipment and supplies, and update the employee contact information.

While the ITS organization has made progress in business resumption planning, business resumption plans were not completed for all branches at the Tennessee and Martinsburg Computing Centers[4] and at the Laguna Niguel Territory Office. At the Tennessee Computing Center, the ITS functions did not have complete business resumption plans for recovering four of the six critical systems operations we selected for review. In the Martinsburg Computing Center, specific business resumption plans have not been prepared. The Laguna Niguel Territory Office did not include the recovery priorities and procedures necessary for the ITS organization’s End-User Equipment & Services function to resume its own business.

We also found that the ITS organization can improve the plans it has completed. The plans did not completely identify essential process priorities, designate clear process resumption time periods, document the plan change history, or document plan testing and results.

While the ITS’ Mission Assurance office is responsible for coordinating business resumption plans throughout the IRS, it has not provided clear guidance and direction to accomplish this throughout its own organization. Clear procedures to implement actions to resume the IRS’ own business operations and support its critical computing and communications systems do not exist. To address this absence of direction, the Mission Assurance office is developing templates for ITS organization personnel to use in developing its respective business resumption plans. These templates are in a draft status, and the governance process for the plan development, approval, and maintenance is in development, as well.

The absence of guidance within the ITS organization in developing its own business resumption plans for recovering after a major incident could jeopardize its ability to timely support the IRS’ critical computing and communications systems. As part of its mission, the IRS annually processes 230 million tax returns, collects $2 trillion in taxes, issues 90 million individual refunds, and provides assistance to 120 million taxpayers. Delays in restoring critical business processes would significantly affect the IRS’ ability to deliver these customer services and effectively administer the tax administration system.

To improve the recovery from an incident or disaster affecting the IRS, we recommended that the Chief Information Officer (CIO) ensure the Mission Assurance office develops and provides the direction and guidance for the completion and implementation of adequate business resumption plans within the ITS organization. Additionally, we recommended that the CIO ensure that the Mission Assurance office acquires the technical expertise for developing, implementing, and reviewing the adequacy of the ITS organization’s business resumption plans. This expertise will help ensure all applicable information and essential processes have been included in the business resumption plans and that the plans are appropriate for the ITS organization.

Management’s Response: Management’s response was due on September 26, 2003. As of September 26, 2003, management had not responded to the draft report.

The Treasury Inspector General for Tax Administration (TIGTA) has designated this report as Limited Official Use (LOU) pursuant to Treasury Directive TD P-71-10, Chapter III, Section 2, “Limited Official Use Information and Other Legends” of the Department of Treasury Security Manual. Because this document has been designated LOU, it may only be made available to those officials who have a need to know the information contained within this report in the performance of their official duties. This report must be safeguarded and protected from unauthorized disclosure; therefore, all requests for disclosure of this report must be referred to the Disclosure Section within the TIGTA’s Office of Chief Counsel.

Please contact me at (202) 622-6510 if you have questions or Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.

 


Table of Contents

Background

Business Resumption Plans Are in Development Throughout the Information Technology Services Organization

Guidance and Direction Are Needed to Complete Business Resumption Plans

Recommendation 1:

Completed Business Resumption Plans Can Be Improved

Recommendation 2:

Appendix I – Detailed Objective, Scope, and Methodology

Appendix II – Major Contributors to This Report

Appendix III – Report Distribution List

 

 



 

Background

Business resumption is the process of re-opening an organization’s components or business processes following a disaster. Business resumption planning is undertaken by organizations to provide employees with a documented set of actions to perform in the event of a disaster, enabling business processing to resume within critical time periods.

An effective business resumption plan is wholly dependent on a comprehensive disaster recovery plan, which should encompass issues such as failed hard drives and processors, data loss, data damage, viruses, external or internal attacks, and other effects upon the network and its entities. The disaster recovery plan generally outlines backup routines, offsite storage requirements, emergency boot disk preparation, etc. The business resumption plan deals with who will be responsible for restoring operations following a disaster, what they will do, and how, where, and when they will do it. Together, the business resumption and disaster recovery plans contribute to the business continuity program at the Internal Revenue Service (IRS).

The IRS has placed organizational responsibility for coordinating its business continuity efforts in the Mission Assurance office within the Information Technology Services (ITS) organization. We recently issued an audit report on business continuity in the IRS[5] and reported that there are disaster recovery and business resumption plans in place for the IRS submission processing sites,[6] and a plan was developed for use in restoring essential National Headquarters’ functions following an incident or disaster. We recommended that the Chief Information Officer (CIO) clarify the business continuity responsibilities of the various IRS organizations, offices, and executives, including defining organizational expectations and roles, and updating the Internal Revenue Manual.[7]

The IRS’ business continuity plan identifies the need to provide computing and communications resources to restore critical business functions. To accomplish this responsibility, the ITS organization should have a specific business resumption plan to timely resume its own operations following an emergency or disaster so it can support the IRS’ critical business processes.

To assess the adequacy of the ITS organization’s plans to resume its operations after an emergency or disaster, we reviewed the status of the plans for resumption of business activity to restore six critical IRS business system operations.[8] Our reviews included assessments of the ITS organization’s business resumption planning for these systems at the Martinsburg and Tennessee Computing Centers;[9] the Atlanta and Memphis Submission Processing Sites; and the Laguna Niguel Territory Office.[10] We also reviewed available documentation and interviewed IRS executives, managers, and analysts located at the IRS’ National Headquarters and the New Carrollton Federal Building. We performed this audit from April through July 2003 in accordance with Government Auditing Standards. Detailed information on our objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

Business Resumption Plans Are in Development Throughout the Information Technology Services Organization

The ITS organization is completing business resumption plans to designate responsibilities and resources to support and restore the IRS’ critical computing and communications systems. At the Atlanta and Memphis Submission Processing Sites, the ITS organization’s End-User Equipment & Services function[11] completed business resumption plans that included sufficient direction to support the resumption of the critical systems we selected for review. These plans included procedures to:

-        Resume operations at an offsite location.

-        Reassign ITS employees to replace injured employees.

-        Acquire office equipment and supplies.

-        Designate damage assessment teams.

-        Notify other essential ITS offices and contractors.

-        Update the employee contact information.

We also visited the End-User Equipment & Services function at the Laguna Niguel Territory Office and reviewed its business continuity plan. This office provides support for the resumption of the business operations at the IRS field offices within this territory to ensure uninterrupted access to the critical computing and communications systems. The Laguna Niguel Territory Office’s business continuity plan included general procedures to resume operations at an offsite location, acquire office equipment and supplies, and update the employee contact information.

At the Tennessee Computing Center, an ITS branch office’s draft business continuity plan included details for the business resumption activities of the Electronic Federal Tax Payment System. While this plan is still in draft, it detailed the various recovery tasks and priorities necessary to resume this critical system in the event of an incident. This plan further included the identification of teams to perform the various resumption tasks, and provided procedures to resume operations at an offsite location, reassign ITS employees to replace injured employees, acquire office equipment, designate a damage assessment team, and notify other essential ITS offices and contractors.

Guidance and Direction Are Needed to Complete Business Resumption Plans

While the ITS organization has made progress in business resumption planning, business resumption plans were not completed for all branches at the two computing centers and the territory office we reviewed.

At the Tennessee Computing Center, the ITS organization had initiated, but not completed, business resumption plans for recovering the critical business systems we selected for review. The Tennessee Computing Center management official responsible for the recovery of the critical systems cited several reasons for not completing business resumption plans for its own operations, including:

-        A reliance on another computing center as a back-up for the critical systems.

-        An approach that business resumption planning at the computing centers was only for resuming processing for the business functions, and not relevant for the ITS organization to be able to resume its own operations.

-        An implementation of the Enterprise Operations Services Triplex program that will allow for back-up processing at other computing centers with associated cross-training that could reduce the need for separate business resumption plans. However, the Enterprise Operations Services Director stated that this program is not ready for implementation in the short term and may not resolve business resumption planning needs. The Director also indicated that the Enterprise Operations Services has not provided the necessary emphasis for the business resumption planning process and must do more to encourage the development of business resumption plans for the computing centers.

At the Martinsburg Computing Center, the ITS organization had not prepared specific business resumption plans. The disaster recovery coordinator at the Martinsburg Computing Center stated that aspects of business resumption currently reside in the disaster recovery plans. Preparation of specific business resumption plans was awaiting approval of guidance from the Mission Assurance office.

At the Laguna Niguel Territory Office, the ITS business continuity plan did not include a separate business resumption plan section. Our review of the plan found that the recovery priorities (necessary for the ITS organization’s End-User Equipment & Services function to resume its own business) were not included in this plan. Additionally, the plan did not include procedures to reassign ITS employees to replace injured employees, notify other essential ITS offices and contractors, designate a damage assessment team, or provide specific details to resume operations at an offsite location. The End-User Equipment & Services function staff stated that they were not aware of any guidance or efforts to add the business resumption activities to their business continuity plan.

The Security Services function has been tasked to work with the ITS organization and the IRS business units to identify existing and planned business resumption capabilities, including establishing executable business resumption plans. The Mission Assurance office, part of Security Services, is responsible for coordinating the IRS’ business resumption efforts to ensure the IRS has the ability to quickly resume operations in the event of a disaster.

The Mission Assurance office has not provided clear guidance and direction to develop and implement business resumption plans in the ITS organization. Clear procedures to implement actions to resume its own business operations and support the IRS’ critical computing and communications systems do not exist. To address this absence, the Mission Assurance office is developing templates for the ITS organization to follow in developing its respective business resumption plans. These templates are in a draft status, and the governance process for the plan development, approval, and maintenance is in development, as well.

Without adequate business resumption guidance to develop effective plans enabling the ITS organization to first recover its essential operations after an incident or disaster, the ability to timely support the IRS’ critical computing and communications systems could be jeopardized. The ability of the IRS to meet its mission may be affected without complete business resumption plans throughout the ITS organization.

As part of its mission, the IRS annually processes 230 million tax returns, collects $2 trillion in taxes, issues 90 million individual refunds, and provides assistance to 120 million taxpayers. Delays in restoring critical business processes would significantly affect the IRS’ ability to deliver these customer services.

A November 2001 IRS study on Business Continuity[12] indicated that all levels of the IRS rely on the availability of the computing centers to support critical business functions. A disaster that disabled a computing center for an extended period could significantly affect the ability of the IRS to process and deposit tax remittances. For example, as shown in the following table, depending on the time of the year the outage occurred, the IRS projects that if a computing center was inoperable for 6 weeks, the potential lost interest revenue on undeposited remittances could range from $76 million to $179 million. If a computing center experienced a disaster causing complete inoperability for 12 weeks, the potential loss could be up to $718 million.

Potential Lost Interest Revenue With Computing Center Disaster (in Millions)

|          | January-March | April-June | July-September | October-December |
|----------|---------------|------------|----------------|------------------|
| 6 weeks  | $81           | $179       | $80            | $76              |
| 8 weeks  | $145          | $318       | $143           | $136             |
| 10 weeks | $227          | $498       | $225           | $213             |
| 12 weeks | $327          | $718       | $324           | $307             |

Source: IRS-Wide Business Continuity Planning Case For Action, dated November 30, 2001.

Recommendation

To enable the ITS organization to recover essential operations after an incident or disaster and timely support the IRS’ critical computing and communications systems, the CIO should:

1.      Ensure the Mission Assurance office develops and provides the direction and guidance for the completion and implementation of adequate business resumption plans throughout the ITS organization. This will provide ITS management and employees the necessary business resumption process priorities to effectively resume their own operations following an incident or disaster.

Management’s Response: Management’s response was due on September 26, 2003. As of September 26, 2003, management had not responded to the draft report.

 

Completed Business Resumption Plans Can Be Improved

Senior executives responsible for IRS business functions are required to work with the various business units to maintain and validate effective, comprehensive business resumption plans. The effectiveness of these plans is measured through testing. IRS guidelines require testing and maintenance for all essential computing and communications systems.

Our analysis of 11 completed ITS business resumption plans for the critical business systems we selected for review identified the following inconsistencies in meeting the above requirements:

-        Only two business resumption plans identified the specific essential process resumption priorities to follow after an incident or disaster. The remaining nine plans relied on the priorities established by the IRS’ business units for critical process resumption.

-        Of the two plans with specific ITS resumption process priorities listed, one did not have clear process time periods. Although it states the “Maximum Allowable Outage”[13] of each process priority, it did not indicate whether the given time period is in hours or days.

-        Only two plans included a useful change history section, noting the latest plan updates and nature of any changes.

-        Only one plan contained documentation of any testing.

The inadequacy of the business resumption plans can be partly attributed to an absence of detail in the Internal Revenue Manual. The ITS employees who prepared the business resumption plans stated that the IRS criteria for business resumption are inadequate, and they relied on other sources for developing their plans. The IRS criteria do not provide guidance for a business resumption plan much beyond indicating it is one of the major components of a site’s business continuity plan.

Direction for developing the End-User Equipment & Services function business resumption plans was based on a template provided by the business organizations at the submission processing sites. The use of the software to employ the template and the plan development was coordinated by different organizations at each submission processing site we reviewed.

While the ITS functions prepared business resumption plans based on the templates, the adequacy of these business resumption plans was not validated or certified with expertise from the ITS organization. Inadequate business resumption plans may result in the potential loss of revenue, service interruptions, and corresponding processing backlogs. Only after the ITS organization has recovered itself can it effectively recover the critical business systems and infrastructure the IRS needs to timely resume its critical business processes following an incident or disaster.

Recommendation

To help ensure all applicable information and essential processes have been included in the business resumption plans, and that the plans are appropriate for each ITS function, the CIO should ensure that:

2.      The Mission Assurance office acquires the technical expertise for developing, implementing, and reviewing the adequacy of the ITS organization’s business resumption plans. While testing exercises should identify plan weaknesses, reviews of business resumption plans by experts would make sure the correct business resumption plan template version is being used, similar ITS functional processes are addressed consistently, plans are being updated and tested timely, and lessons learned are identified.

 

Appendix I

 

 

Detailed Objective, Scope, and Methodology

 

The overall objective of this review was to evaluate the Information Technology Services (ITS) organization’s efforts to develop business resumption plans to ensure it can effectively support the Internal Revenue Service’s (IRS) critical business processes and information systems following a disaster. To accomplish this objective, we performed the following analyses and review activities:

I.       Selected six critical business systems operations supporting the IRS’ most critical business processes, which include processing tax returns, taxpayer payments, and taxpayer refunds. We selected these systems to identify the ITS organization resources necessary to support and restore these systems after a disaster.[14] The six critical business systems selected included the:

A.    Batch Block Tracking System.

B.     Electronic Federal Tax Payment System.

C.     Error Resolution System.

D.    Integrated Data Retrieval System.

E.     Internal Revenue Accounting and Control System.

F.      Integrated Submission and Remittance Processing.

II.    Performed assessments of business resumption planning and available plans for the ITS functions responsible for recovering the systems selected in Step I at the Martinsburg and Tennessee Computing Centers,[15] the Atlanta and Memphis Submission Processing Sites,[16] and the Laguna Niguel Territory Office.[17] We reviewed these plans to determine the ITS organization’s ability to recover after an incident or disaster.

A.    Interviewed the ITS Mission Assurance office Business Continuity Planning executives, as well as ITS representatives at the selected sites, to determine the ITS functions, the specific employees, and the ITS systems and processes that would be required to restore the selected critical business systems at each of our selected sites.

B.     Assessed the ITS business resumption planning at the selected sites that will guide restoration of the necessary ITS resources (people, processes, and systems) and resumption of the ITS operations needed to support the selected IRS critical business systems. The assessment included the:

1.      Status of efforts to develop the business resumption plans at each location.

2.      Criteria provided to develop and implement business resumption plans.

3.      Assistance or guidance received to prepare the business resumption plans.

4.      ITS management’s role in monitoring the business resumption planning process to ensure that all plans are completed, tested, and kept current.

Appendix II

 

 

Major Contributors to This Report

 

Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)

Scott A. Macfarlane, Director

Edward A. Neuwirth, Audit Manager

Michael A. Garcia, Senior Auditor

Louis V. Zullo, Senior Auditor

Perrin T. Gleaton, Auditor

 

 


Appendix III

 

 

Report Distribution List

 

Commissioner C

Deputy Commissioner for Operations Support OS

Chief, Information Technology Services OS:CIO:I

Chief, Security Services OS:CIO:S

Director, Enterprise Operations OS:CIO:I:EO

Director, End-User Equipment & Services OS:CIO:I:EU

Director, Mission Assurance OS:CIO:S:A

Acting Director, Portfolio Management Division OS:CIO:R:PM

Deputy Chief Financial Officer, Department of the Treasury

Audit Liaisons:

Chief, Information Technology Services OS:CIO:I

Chief, Security Services OS:CIO:S

 




[1] Submission processing sites are responsible for processing tax returns and payments.

[2] The End-User Equipment & Services function provides computer equipment and desktop support to IRS employees located at submission processing sites and field offices within its territory.

[3] Territory offices service taxpayers within a specified geographical area.

[4] IRS computing centers support tax processing and information management through a data processing and telecommunications infrastructure.

 

[5] The Internal Revenue Service Has Made Substantial Progress in Its Business Continuity Program, but Continued Efforts Are Needed (Reference Number 2003-20-026, dated December 2002).

[6] Submission processing sites are responsible for processing tax returns and payments.

[7] The Internal Revenue Manual is the single official IRS source of all policies, procedures, guidelines, and delegations of authority to administer the nation’s tax laws.

[8] See Appendix I for information on the six business systems operations we reviewed.

[9] IRS computing centers support tax processing and information management through a data processing and telecommunications infrastructure.

[10] Territory offices service taxpayers within a specified geographical area.

[11] The End-User Equipment & Services function provides computer equipment and desktop support to IRS employees located at submission processing sites and field offices within its territory.

[12] IRS-Wide Business Continuity Planning Case For Action, dated November 30, 2001.

[13] The duration that the loss of a business process could be tolerated before a significant negative impact is felt.

[14] IRS-Wide Business Continuity Planning Critical Process Mapping Report, dated June 5, 2002.

[15] IRS computing centers support tax processing and information management through a data processing and telecommunications infrastructure.

[16] Submission processing sites are responsible for processing tax returns and payments.

[17] The ITS organization’s presence at a territory office provides onsite desktop and telecommunications services to the IRS within a specified geographical area.