Office of Audit
CYBERSECURITY ACT OF 2015: REPORT ON
THE INFORMATION SECURITY MANAGEMENT
PRACTICES OF THE INTERNAL REVENUE SERVICE
Final Report issued on August 30, 2016
Highlights of Reference Number 2016-2R-079 to the Internal Revenue Service Chief Information Officer.
IMPACT ON TAXPAYERS
The IRS collects and maintains a significant amount of personal and financial information on each taxpayer. As custodian of taxpayer information, the IRS has an obligation to protect this sensitive information against unauthorized access or loss in accordance with Federal requirements.
WHY TIGTA DID THE AUDIT
This audit was initiated to address the Cybersecurity Act of 2015, which mandated that Inspectors General submit a report to the committees of jurisdiction in the Senate and the House of Representatives on specific information security management practices of their respective agencies, including logical access controls for unprivileged and privileged users, software license management, data exfiltration controls, and whether contractors have also implemented these controls.
WHAT TIGTA FOUND
The IRS has established policy and practices for implementing the use of Personal Identity Verification (PIV) cards for its employees and contractors, as mandated by the August 2004 Homeland Security Presidential Directive 12. The IRS met the Fiscal Year 2016 cross-agency priority goal by requiring 85 percent or more of people with unprivileged network accounts to log on with PIV cards, achieving 92 percent as of June 29, 2016. Also, 98 percent of the people with remote access were required to log on to the IRS's remote access solution using PIV cards as of June 29, 2016. In addition, the IRS reported that it met the cross-agency priority goal of 100 percent for people with privileged accounts required to log on with PIV cards, based on all privileged users being required to use PIV cards for general network access. Work is ongoing to require PIV cards for privileged access to individual systems: the IRS reported that eight of 140 systems are configured to support the use of PIV cards for access.
The IRS has established policies for conducting inventories of the software present on its systems and the licenses associated with that software, but it has not fully implemented these management practices. Although the IRS has various tools for managing its large inventory of hardware and software products, none are implemented enterprise-wide. Also, the IRS has not yet incorporated software license management into its software management program.
The IRS has implemented capabilities to monitor and detect exfiltration, with the exception of capabilities for digital rights management. The IRS has also implemented a data loss prevention solution to monitor outbound e-mail and web transmissions. The IRS's Computer Security Incident Response Center provides various capabilities that offer forensics and visibility. Also, following the Get Transcript application incident in Fiscal Year 2015, the IRS has taken steps to strengthen its network monitoring abilities.
The IRS requires contractors that provide services to the IRS using IRS-owned equipment to adhere to the level of controls specified for Federal agencies. For contractors that handle or manage IRS sensitive information using their own systems, the IRS issued Publication 4812, Contractor Security Controls, which contains a subset of Federal controls for moderate-impact systems. This subset includes comparable, but not always identical, controls for access, software and licensing inventories, and network monitoring. Federal guidance provides for agencies to consider such risk factors when determining baseline security controls for the external entities that handle Federal agency data.
WHAT TIGTA RECOMMENDED
TIGTA made no recommendations.
READ THE FULL REPORT
To view the report, including the scope, methodology, and full IRS response, go to:
Phone Number / 202-622-6500
E-mail Address / TIGTACommunications@tigta.treas.gov
Website / https://www.treasury.gov/tigta