Office of Audit
INFORMATION TECHNOLOGY: SHAREPOINT CONTROLS NEED IMPROVEMENT
RISKS AND TO ENSURE THAT POSSIBLE DUPLICATE COSTS ARE AVOIDED
Final Report issued on September 15, 2016
Highlights of Reference Number: 2016-20-075 to the Internal Revenue Service Chief Information Officer.
IMPACT ON TAXPAYERS
The IRS uses thousands of SharePoint® sites for collaboration, document management, records management, and enterprise content management. The implementation of operational and security controls for these sites is critical to the protection of sensitive IRS data.
WHY TIGTA DID THE AUDIT
The overall objective was to assess the IRS’s implementation of SharePoint operational and security controls, including the SharePoint governance structure, policies and procedures, user access controls, protection of sensitive data, and the Information Technology Contingency Plan.
WHAT TIGTA FOUND
Improved risk management across the IRS SharePoint environment is needed to ensure that adequate operational and security controls are in place and functioning as intended to protect sensitive SharePoint sites and data. Operational controls are needed to ensure that SharePoint sites containing sensitive data are identified and have an approved Privacy and Civil Liberties Impact Assessment. Security controls are needed to ensure that a security assessment of the SharePoint product, sites, and data is completed; SharePoint site collection audit trails are enabled; quarterly reviews of users’ accesses are performed; users’ accounts and permissions are efficiently managed; security and content management policies are consistently enforced; and the Information Technology Contingency Plan and Business Impact Analysis are finalized.
The IRS has not evaluated and justified its SharePoint approach as a long-term solution within the Department of the Treasury’s shared services strategy. As a result, the IRS may be incurring duplicate operational costs; operating in a less secure environment; and, in the event of a disruption, functioning in an environment in which SharePoint is not defined as a mission‑critical system. The SharePoint Program Management Office allocated $5 million for operations and maintenance of the Fiscal Year 2016 IRS SharePoint program. However, sufficient cost information for SharePoint expenses across the IRS enterprise was not available to verify possible duplicate expenditures or potential net savings related to transitioning to the Treasury Enterprise Content Management environment.
WHAT TIGTA RECOMMENDED
TIGTA recommended that the Chief Information Officer ensure that SharePoint sites are routinely scanned for sensitive data; privacy assessments are completed; a security assessment is completed for the SharePoint product, sites, and data; IRS business commissioners ensure that SharePoint site collection audit trails are enabled, quarterly security reviews are performed, access permissions are efficiently managed, and security policies are enforced; a contingency plan and a Business Impact Analysis are finalized; and a feasibility analysis of using the Treasury Enterprise Content Management environment is completed.
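Two of the controls named above, site collection audit trails and quarterly user access reviews, can be verified directly from a SharePoint Server farm. The following PowerShell is an added example for illustration; it is not code from the report, from TIGTA or from the IRS. It assumes the SharePoint Server management shell on a farm member with farm-administrator rights, and the baseline audit mask, the 90-day log retention and the web application URL are assumptions chosen for the example rather than IRS or Treasury requirements.

```powershell
# Added example, not part of the TIGTA report: inventory site collection audit settings and
# permission holders on a SharePoint Server farm, optionally enabling missing audit flags.
# Assumptions: run in the SharePoint Management Shell as a farm administrator; the baseline
# mask and retention below are illustrative choices, not an IRS or Treasury standard.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Baseline: events a quarterly review would expect to find in the site collection audit log.
$RequiredAuditMask = [int]([Microsoft.SharePoint.SPAuditMaskType]::View -bor
                           [Microsoft.SharePoint.SPAuditMaskType]::Update -bor
                           [Microsoft.SharePoint.SPAuditMaskType]::Delete -bor
                           [Microsoft.SharePoint.SPAuditMaskType]::SecurityChange -bor
                           [Microsoft.SharePoint.SPAuditMaskType]::Copy -bor
                           [Microsoft.SharePoint.SPAuditMaskType]::Move)

function Test-SPSiteAuditBaseline {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$WebApplication,  # assumed, e.g. https://collab.example.internal
        [switch]$Remediate,                             # enable missing flags instead of only reporting
        [int]$RetentionDays = 90                        # assumed retention for the trimmed audit log
    )
    foreach ($site in Get-SPSite -WebApplication $WebApplication -Limit All) {
        try {
            $flags   = [int]$site.Audit.AuditFlags
            $missing = $RequiredAuditMask -band (-bnot $flags)
            if ($missing -ne 0 -and $Remediate) {
                # Add only the missing events; leave anything already enabled untouched.
                $site.Audit.AuditFlags = [Microsoft.SharePoint.SPAuditMaskType]($flags -bor $RequiredAuditMask)
                $site.Audit.Update()
                $site.TrimAuditLog = $true
                $site.AuditLogTrimmingRetention = $RetentionDays
                $flags   = [int]$site.Audit.AuditFlags
                $missing = 0
            }
            [pscustomobject]@{
                Url           = $site.Url
                AuditFlags    = [Microsoft.SharePoint.SPAuditMaskType]$flags
                MissingFlags  = [Microsoft.SharePoint.SPAuditMaskType]$missing
                Compliant     = ($missing -eq 0)
                RetentionDays = $site.AuditLogTrimmingRetention
            }
        }
        finally { $site.Dispose() }
    }
}

# Permission inventory for the quarterly access review: every principal with a direct role
# assignment on the site collection's root web, plus whether it is a site collection admin.
function Get-SPSitePermissionInventory {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$WebApplication)
    foreach ($site in Get-SPSite -WebApplication $WebApplication -Limit All) {
        try {
            foreach ($ra in $site.RootWeb.RoleAssignments) {
                $member = $ra.Member
                [pscustomobject]@{
                    Url         = $site.Url
                    Principal   = $member.Name
                    IsGroup     = ($member -is [Microsoft.SharePoint.SPGroup])
                    Roles       = (($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ';')
                    IsSiteAdmin = (($member -is [Microsoft.SharePoint.SPUser]) -and $member.IsSiteAdmin)
                }
            }
        }
        finally { $site.Dispose() }
    }
}

# Usage (URL is an assumption): report non-compliant site collections, then export the
# access inventory for the business unit's quarterly review.
Test-SPSiteAuditBaseline -WebApplication 'https://collab.example.internal' |
    Where-Object { -not $_.Compliant } | Format-Table -AutoSize
Get-SPSitePermissionInventory -WebApplication 'https://collab.example.internal' |
    Export-Csv -NoTypeInformation -Path 'C:\Reviews\sharepoint-access-inventory.csv'
```

Run the first function without -Remediate first and review the report; enabling View auditing on a large farm grows the audit log quickly, which is why the example also turns on trimming with an explicit retention period. The inventory covers direct role assignments on each root web only; subsites and lists with broken inheritance would need the same walk over their own RoleAssignments.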
IRS management agreed with five of our 10 recommendations and partially agreed with the other five recommendations primarily because business unit commissioners have a shared responsibility for implementing SharePoint controls. The IRS has taken or plans to take corrective actions, including scanning sites for sensitive data, ensuring that privacy assessments are completed, ensuring that security controls are documented, issuing a memorandum to business unit commissioners on SharePoint responsibilities, and conducting a feasibility analysis.
READ THE FULL REPORT
To view the report, including the scope, methodology, and full IRS response, go to:
Phone Number / 202-622-6500
E-mail Address / TIGTACommunications@tigta.treas.gov
Website / https://www.treasury.gov/tigta