IG cuffs IRS security staff for performance woes
- By Mary Mosquera
- Jan 20, 2004
IRS system administrators and security specialists continue to fumble and allow system vulnerabilities because accountability for carrying out security tasks and training is insufficient, a new inspector general's report contends.
Employees did not apply vendor patches to block known vulnerabilities or maintain configuration baselines to identify unauthorized changes, the Treasury Department's IG for tax administration noted in its report on IRS security.
The IG reviewed whether IRS security employees performed their roles and responsibilities consistently and whether training, education and experience were adequate.
According to the audit, the tax agency's staff failed to generate and review audit trails and event logs. And employees have access to systems although there's no record of managerial approval. The review team also found that IRS security officials did not delete user accounts when employees left the agency. Auditors reviewed local servers and workstations at five IRS locations.
A major underlying cause for the conditions is that accountability for carrying out security responsibilities is not maintained, said Gordon C. Milbourn III, acting deputy IG for audit. "Interviews of IRS employees identified widespread confusion in this area," he said.
A significant percentage of employees said they had not received sufficient training to adequately perform their security duties. Training was too general, not timely or not related to the employees' work. "Some employees had not received any security training in the past three years," Milbourn said.
The IRS agreed with the report and will have a plan in place in July to correct the issues raised by the IG, said Daniel Galik, chief of IRS mission assurance. The agency also will evaluate the performance of security employees.
Mary Mosquera is a reporter for Federal Computer Week.