IG cuffs IRS security staff for performance woes

IRS system administrators and security specialists continue to fumble and allow system vulnerabilities because accountability for carrying out security tasks and training is insufficient, a new inspector general's report contends.

Employees did not apply vendor patches to block known vulnerabilities or maintain configuration baselines to identify unauthorized changes, the Treasury Department's IG for tax administration noted in its report on IRS security.

The IG reviewed whether IRS security employees performed their roles and responsibilities consistently and whether training, education and experience were adequate.

According to the audit, the tax agency's staff failed to generate and review audit trails and event logs. And employees have access to systems although there's no record of managerial approval. The review team also found that IRS security officials did not delete user accounts when employees left the agency. Auditors reviewed local servers and workstations at five IRS locations.

A major underlying cause for the conditions is that accountability for carrying out security responsibilities is not maintained, said Gordon C. Milbourn III, acting deputy IG for audit. "Interviews of IRS employees identified widespread confusion in this area," he said.

A significant percentage of employees said they had not received sufficient training to adequately perform their security duties. Training was too general, not timely or not related to the employees' work. "Some employees had not received any security training in the past three years," Milbourn said.

The IRS agreed with the report and will have a plan in place in July to correct the issues raised by the IG, said Daniel Galik, chief of IRS mission assurance. The agency also will evaluate the performance of security employees.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.

