
Treasury Inspector General for Tax Administration

Press Release

November 1, 2012
TIGTA - 2012-62
Contact: David Barnes
(202) 622-3062

TIGTA Finds Risky Business in Patch Management for IRS Computers

WASHINGTON – The Internal Revenue Service (IRS) has made progress in automating installation and monitoring in a large segment of its computers, but it has not yet implemented key patch management policies and procedures needed to ensure that all IRS systems are patched timely and operating securely, according to a new report released publicly today by the Treasury Inspector General for Tax Administration (TIGTA).

Patch management is an important element in mitigating the security risks associated with known vulnerabilities to computer systems. The IRS has taken some actions to address patch management weaknesses, but an enterprise approach is needed to fully implement and enforce patch management policy. Any significant delays in patching software with critical vulnerabilities provide ample opportunity for persistent attackers to gain control over the vulnerable computers and get access to the sensitive data they may contain, including taxpayer data.

TIGTA initiated its audit to evaluate the effectiveness of the IRS security patch management process, which has been an ongoing challenge for the IRS.

TIGTA found that although progress has been made to automate installation and monitoring of patching in a large segment of its Windows environment, the IRS has not yet implemented key patch management policies and procedures. Specifically, the IRS has not completed implementation of an accurate and complete inventory of its information technology assets, which is critical for ensuring that patches are identified and applied timely for all types of operating systems and software used within its environment.

In addition, the IRS needs to improve its patch policy and monitoring processes to ensure that patches are applied timely, TIGTA found.

“Although the IRS has made some progress, we found that it has not implemented controls to secure unsupported operating systems,” said J. Russell George, Treasury Inspector General for Tax Administration. “The IRS needs enterprise-level oversight and leadership to complete the implementation of its standardized patch management program and to reduce associated risks.”

TIGTA recommended that the IRS implement enterprise-level responsibility to set and enforce IRS patch management policy, complete deployment of an automated asset discovery tool, build an accurate and complete inventory of information technology assets, take an enterprise-wide approach to buying tools to avoid redundancy and excessive cost, and complete implementation of controls to ensure that unsupported operating systems are not putting the IRS at risk.

The IRS agreed with TIGTA’s recommendations and planned appropriate corrective actions for seven of the eight recommendations. Although the IRS agreed with the intent of the recommendation to hold system owners accountable for patching computers within prescribed time frames, it stated that its existing procedures addressed this recommendation and planned no corrective actions.

Read the report.


Note: The difference between the date TIGTA issues an audit report to the Internal Revenue Service and the date TIGTA publicly releases the report is due to TIGTA's internal review process to ensure that public release is in compliance with Federal confidentiality laws.
