IG cuffs IRS security staff for performance woes

IRS system administrators and security specialists continue to fumble and allow system vulnerabilities because accountability for carrying out security tasks and training is insufficient, a new inspector general's report contends.

Employees did not apply vendor patches to block known vulnerabilities nor maintain configuration baselines to identify unauthorized changes, the Treasury Department's IG for tax administration noted in its report on IRS security.

The IG reviewed whether IRS security employees performed their roles and responsibilities consistently and whether training, education and experience were adequate.

According to the audit, the tax agency's staff failed to generate and review audit trails and event logs. And employees have access to systems although there's no record of managerial approval. The review team also found that IRS security officials did not delete user accounts when employees left the agency. Auditors reviewed local servers and workstations at five IRS locations.

A major underlying cause for the conditions is that accountability for carrying out security responsibilities is not maintained, said Gordon C. Milbourn III, acting deputy IG for audit. 'Interviews of IRS employees identified widespread confusion in this area,' he said.

A significant percentage of employees said they had not received sufficient training to adequately perform their security duties. Training was too general, not timely or not related to the employees' work. "Some employees had not received any security training in the past three years,' Milbourn said.

The IRS agreed with the report and will have a plan in place in July to correct the issues raised by the IG, said Daniel Galik, chief of IRS mission assurance. The agency also will evaluate the performance of security employees.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.


  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/Shutterstock.com)

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected