Office of Audit
THE FIRST PHASE OF THE DATA LOSS PREVENTION SOLUTION IS WORKING AS INTENDED, BUT THE REMAINING PHASES CONTINUE TO EXPERIENCE DELAYS
Final Report issued on August 22, 2019
Highlights of Reference Number: 2019-20-049 to the Commissioner of Internal Revenue.
IMPACT ON TAXPAYERS
The IRS is entrusted with protecting information received from taxpayers, including Personally Identifiable Information and tax account data. Allowing this information to be removed or exfiltrated for unauthorized purposes could erode public trust in the IRS's ability to administer our Nation's tax system and in the voluntary compliance nature of tax filing.
WHY TIGTA DID THE AUDIT
This audit was initiated to determine whether the IRS properly implemented controls to prevent data loss, including data exfiltration of personal information. The IRS is implementing a Data Loss Prevention software solution to identify and prevent Personally Identifiable Information from leaving the IRS network, whether intentionally or unintentionally. The software has multiple components that are being implemented over several years, and this audit evaluated the progress of the implementation.
WHAT TIGTA FOUND
The Safeguarding Personally Identifiable Information Data Extracts Project, which is responsible for implementing the Data Loss Prevention solution, started in Calendar Year 2010 and is ongoing. The project team implemented and expanded the Data-in-Motion component of the solution that includes reviewing unencrypted e-mail and attachments, file transfers, and web traffic for the most common types of Personally Identifiable Information used by the IRS. Our testing indicated that the Data-in-Motion component generally identified and blocked common Personally Identifiable Information types from exfiltration by e-mail as designed, and that potential incidents identified by the solution were reviewed and resolved correctly. However, continued delays with implementing other components are preventing realization of the full benefits of the Data Loss Prevention solution.
The causes of the delays include technical, project management, and administrative issues. Because of the delays, two key components involving data in repositories and data in use are still not operational more than eight years after the project started. Without these components, Personally Identifiable Information continues to be at risk of loss. The delays have also resulted in the inefficient use of resources of approximately $1.2 million in software costs for the components that are not operational.
WHAT TIGTA RECOMMENDED
TIGTA recommended that the Chief Information Officer deploy the components of the Data Loss Prevention solution, ensure that project documents are prepared and maintained as required, and ensure that any issues requiring negotiations with the National Treasury Employees Union are identified and negotiations started promptly.
The IRS agreed with all three recommendations and plans to deploy the remaining components of the Data Loss Prevention solution and ensure that project documents are consistently prepared and maintained during the deployment of the remaining components. In addition, the IRS stated that the Memorandum of Understanding with the National Treasury Employees Union is currently in the process of concurrence signatures, and the IRS plans to notify the Union of any issues regarding the production implementation of the remaining components.
READ THE FULL REPORT
To view the report, including the scope, methodology, and full IRS response, go to:
Phone Number / 202-622-6500
E-mail Address / TIGTACommunications@tigta.treas.gov
Website / https://www.treasury.gov/tigta