IG cuffs IRS security staff for performance woes

IRS system administrators and security specialists continue to fumble and allow system vulnerabilities because accountability for carrying out security tasks and training is insufficient, a new inspector general's report contends.

Employees did not apply vendor patches to block known vulnerabilities nor maintain configuration baselines to identify unauthorized changes, the Treasury Department's IG for tax administration noted in its report on IRS security.

The IG reviewed whether IRS security employees performed their roles and responsibilities consistently and whether training, education and experience were adequate.

According to the audit, the tax agency's staff failed to generate and review audit trails and event logs. And employees have access to systems although there's no record of managerial approval. The review team also found that IRS security officials did not delete user accounts when employees left the agency. Auditors reviewed local servers and workstations at five IRS locations.

A major underlying cause for the conditions is that accountability for carrying out security responsibilities is not maintained, said Gordon C. Milbourn III, acting deputy IG for audit. 'Interviews of IRS employees identified widespread confusion in this area,' he said.

A significant percentage of employees said they had not received sufficient training to adequately perform their security duties. Training was too general, not timely or not related to the employees' work. "Some employees had not received any security training in the past three years,' Milbourn said.

The IRS agreed with the report and will have a plan in place in July to correct the issues raised by the IG, said Daniel Galik, chief of IRS mission assurance. The agency also will evaluate the performance of security employees.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.

inside gcn

  • ARL seeks private cloud to modernize IT infrastructure

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group