Treasury Inspector General for Tax Administration
December 23, 2010
TIGTA - 2010-80
Contact: Karen Kraushaar
WASHINGTON – The information security program implemented by the Internal Revenue Service (IRS) was generally compliant with the Federal Information Security Management Act (FISMA) legislation, according to a report publicly released today by the Treasury Inspector General for Tax Administration (TIGTA).
However, the report identified seven areas where the IRS’s information security program was not fully effective.
FISMA was enacted to strengthen the security of information and systems within Federal agencies. As part of the legislation, the Offices of Inspector General must perform an annual independent evaluation of each Federal agency’s information security policies and procedures and evaluate its compliance with FISMA requirements. The audit report reflects TIGTA’s independent evaluation of the status of information technology security for unclassified systems at the IRS for Fiscal Year 2010.
TIGTA found three program areas where the IRS met the level of performance specified by the Office of Management and Budget’s Fiscal Year 2010 FISMA checklist. Those areas include the IRS’s certification and accreditation program, incident response and reporting program, and remote access management. However, TIGTA also found that the IRS’s information security program was not fully effective in the areas of configuration management, security training, plans of action and milestones, identity and access management, continuous monitoring management, contingency planning, and contractor systems oversight.
“The IRS collects and maintains a significant amount of personal and financial taxpayer information and relies heavily on computerized systems to support its responsibility in collecting taxes,” said J. Russell George, Treasury Inspector General for Tax Administration. “As custodians of taxpayer information, the IRS has an obligation to protect the confidentiality of this sensitive information against unauthorized access or loss. The failure to do so could expose taxpayers to invasion of privacy and financial loss or damage from identity theft and other financial crimes.”
TIGTA did not make any recommendations to the IRS in this audit report.
To review the report, including the scope and methodology, go to: http://www.treas.gov/tigta/auditreports/2011reports/201120003fr.pdf.