Treasury Inspector General for Tax Administration
November 5, 2015
TIGTA - 2015-35
Contact: Karen Kraushaar, Director of Communications
WASHINGTON Many computer system interconnections in use at the Internal Revenue Service (IRS) do not have proper authorization or security agreements, according to a report released publicly today by the Treasury Inspector General for Tax Administration (TIGTA).
TIGTA initiated its audit to determine whether controls are in place and operating effectively to protect IRS networks when connected to external information technology systems. Through such interconnections, the IRS shares Federal tax information and other records with many Federal, State, and local agencies, as well as private agencies and contractors. Because taxpayer and other sensitive data must be protected, the IRS is required to ensure that external system interconnections are authorized by written agreements that specify the technical and security requirements.
TIGTA found that although the IRS has established an office to provide oversight and guidance for the development of security agreements, that office is not responsible for managing or monitoring agreements for all external interconnections in use in the IRS environment. TIGTA also found that improvements are needed to ensure that existing agreements contain all required elements and are renewed timely.
"These system interconnections are critical and must be properly designed and managed to meet security requirements, said J. Russell George, Treasury Inspector General for Tax Administration. If not, failures could compromise the connected systems and the sensitive data that they store, process, or transmit," he added.
The IRS agreed with all of the six TIGTA audit recommendations and planned appropriate corrective actions. The IRS agreed to: 1) identify and document external interconnections; 2) establish a repeatable process for identifying external interconnections; 3) ensure that policies and procedures are developed and implemented for updating the interconnections inventory; 4) establish an escalation process to resolve agreement renewal issues; 5) ensure that interconnection agreements meet policies and are renewed timely; and 6) streamline and eliminate ineffective practices related to interconnection agreements.
Read the report.