Treasury Inspector General for Tax Administration
April 3, 2012
TIGTA - 2012-10
Contact: David Barnes
WASHINGTON - The office responsible for monitoring the IRS network 24 hours a day year-round for cyberattacks and computer vulnerabilities is effectively performing most of its responsibilities for preventing, detecting, and responding to computer security incidents, according to a new report publicly released by the Treasury Inspector General for Tax Administration (TIGTA).
TIGTA's audit was conducted to evaluate the effectiveness of the Computer Security Incident Response Center (CSIRC) at preventing, detecting, reporting, and responding to computer security incidents targeting IRS computers and data.
"TIGTA found that the CSIRC is effectively performing most of its responsibilities for preventing, detecting, and responding to computer security incidents," said J. Russell George, the Treasury Inspector General for Tax Administration. "However, further improvements could be made," he added.
George noted that the CSIRC's host-based intrusion detection system is not monitoring 34 percent of IRS servers, which puts the IRS network and data at risk. In addition, the CSIRC is not reporting all computer security incidents to the Department of the Treasury, as required. Finally, incident response policies, plans, and procedures are either nonexistent or are inaccurate and incomplete.
TIGTA recommended that the Assistant Chief Information Officer, Cybersecurity, direct the CSIRC to 1) develop its Cybersecurity Data Warehouse capability to correlate and reconcile active servers connected to the IRS network with servers monitored by the host-based intrusion detection system; 2) revise and expand the Memorandum of Understanding with the TIGTA Office of Investigations to ensure all reportable and relevant security incidents are shared with the CSIRC; 3) collaborate with the TIGTA Office of Investigations to create common identifiers to help the CSIRC reconcile its incident tracking system with the TIGTA Office of Investigations' incident system; 4) develop a standalone incident response policy or update the policy in the IRS's Internal Revenue Manual with current and complete information; 5) develop an incident response plan; and 6) develop, update, and formalize all critical standard operating procedures.
The IRS agreed with the recommendations, and corrective actions are planned or in process for five of the six recommendations. Although the IRS agreed with the recommendation to correlate and reconcile active servers connected to the IRS network with servers monitored by the host-based intrusion detection system, its proposed corrective actions did not address TIGTA's recommendation. Specifically, the IRS did not commit to implementing the controls TIGTA recommended.
Read the report.
Note: The difference between the date TIGTA issues an audit report to the Internal Revenue Service and the date TIGTA publicly releases the report is due to TIGTA's internal review process to ensure that public release is in compliance with Federal confidentiality laws.