TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Highlights

MANAGEMENT OVERSIGHT OF THE TIER II ENVIRONMENT BACKUP AND
RESTORATION PROCESS NEEDS IMPROVEMENT

Report issued on February 11, 2016

Highlights of Reference Number:  2016-20-019 to the Internal Revenue Service Chief Technology Officer.

IMPACT ON TAXPAYERS

Inadequate backup and restoration of Tier II environment data could result in the loss of taxpayer or management information and unrecoverable data following a disaster.  Effective management of the Tier II backup and restoration environment is crucial to ensure that information technology fully supports business operations by efficiently providing services to taxpayers.

WHY TIGTA DID THE AUDIT

The IRS Chief Technology Officer requested that TIGTA evaluate the Tier II backup and restoration process following an incident in which the IRS discovered that a backup did not exist when needed to restore a significant database.  Our overall objective was to evaluate the effectiveness of the IRS’s Tier II backup and restoration process.

WHAT TIGTA FOUND

The IRS is not effectively managing its Tier II environment backup and restoration process.  For example, IRS management has not established goals and does not regularly collect sufficient performance metrics to monitor, measure, and report on the effectiveness of the process.  The dashboard created to report on the completion status of backups is not sufficient. 

TIGTA identified additional areas for improvement, including problem reporting and root cause analysis, standard operating procedures, and access control.  Also, the IRS did not properly analyze, document, or take effective corrective actions in response to the database incident.  As a result, management still does not have information to detect if a required backup is not created.  Similarly, management does not routinely test restore of backups to ensure the integrity and reliability of the data.  In addition, 28 (35 percent) of 81 Tier II backup software applications are at their end of life, which could result in a lack of vendor critical security and maintenance support.  Likewise, 104 (100 percent) of the hardware equipment used in the Tier II backup environment is beyond its useful life and has critical deficiencies that should be addressed.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the Chief Technology Officer establish goals and performance measures; implement a problem management process; create and implement a backup strategy that includes tests to restore databases; ensure that a root cause analysis is performed on known vulnerabilities and corrective actions are properly documented; develop standard operating procedures; and establish automated procedures to notify support personnel and system owners that backups have been completed.  To improve the Tier II backup and restoration environment, TIGTA recommended that the Chief Technology Officer upgrade the software and aged hardware infrastructure, and develop specific guidelines that should be taken when equipment reaches its end of useful life.

The IRS agreed with 10 recommendations and partially agreed with three recommendations.  The IRS agreed to establish goals and plans to implement performance measures and to use the measures to take appropriate corrective actions; implement the problem management process; revise standard operating processes and procedures; create and implement a backup strategy; review all privilege groups; establish automated notification procedures; upgrade hardware and software; and develop guidelines for when hardware reaches the end of its useful life.  The IRS disagreed with parts of three recommendations, including using performance metrics to determine staffing needs and adding software compatibility to the Infrastructure Currency policy.

READ THE FULL REPORT

To view the report, including the scope, methodology, and full IRS response, go to:

http://www.treasury.gov/tigta/auditreports/2016reports/201620019fr.pdf.

 

Phone Number   /  202-622-6500

E-mail Address  /  TIGTACommunications@tigta.treas.gov

Website             /  https://www.treasury.gov/tigta