Security challenges persist at IRS despite progress: TIGTA
- By Mary Mosquera
- Oct 11, 2006
The IRS has not installed patches on all its computers in the face of security flaws, leaving sensitive taxpayer information at risk to unauthorized disclosure. The Treasury Inspector General for Tax Administration released several recent reports citing the need for the tax agency to strengthen patch management and other aspects of IRS security.
Although IRS has made process changes, they have not yet had a positive effect on certification and accreditation and tracking the resolution of security vulnerabilities.
Risks to sensitive data on IRS systems are increasing due to more connectivity of computer systems and use of laptops and overall higher hacker activity, TIGTA said.
'Sufficient attention is not yet being given to the security of sensitive systems,' said J. Russell George, inspector general at TIGTA, in reference to IRS' challenges in managing security.
Even with improvements in patch management practices, for example, inadequate management of controls still allow for unpatched systems, TIGTA said in one report
The IRS plans to complete by February nationwide rollout of a self-install program that identifies and installs patches on workstations and laptops. The agency also has taken steps to better manage its Tivoli security software endpoints and is considering an approach that would not allow workstations onto the network until missing patches were updated.
In another report, TIGTA found that the IRS does not adequately collect, review and retain audit trails of activities to detect unauthorized access on its modernized systems and applications, such as the Customer Account Data Engine, its taxpayer database.
'Consequently, unauthorized access and theft of taxpayer records may be occurring without being detected, possibly resulting in theft of taxpayer identities,' said Michael Phillips, deputy inspector general for audit, in the report
The IRS provided plans to be implemented in 2007 to correct the situation to review and retain audit logs, said Daniel Galik, chief, IRS mission assurance and security services, in a letter last month.
Despite the vulnerabilities, the IRS has made progress on complying with requirements under the Federal Information Security Management Act, based on a sample of IRS systems that TIGTA tested, the auditor said in another report
In fiscal 2006, the IRS reassessed security risks of each of its systems so that auditors are confident that the inventory of IRS systems is substantially complete and the risk categorizations are accurate. The agency reported on its total inventory of 264 systems. The risk categorization is the basis for deciding which security controls to use to protect the confidentiality, integrity and availability of systems and data.
TIGTA, however, found problems with the process the IRS uses for thorough assessment of system risk and security. For example, the agency based tests of the account management controls for a moderate risk system from interviews only. The agency should have examined organizational records, user account and configuration settings.
The IRS reported that 95.5 percent of its systems had current certifications and accreditations. A working group, the IRS Security Program Management Officer Council, with representatives from across the agency, has improved the planning for complying with FISMA, such as certification and accreditation of systems.
The IRS also lags on annually testing certain of IT systems' security controls once systems are accredited and throughout the system lifecycle. The Treasury Department CIO recently issued draft guidance on the subject in response, TIGTA said.
The IRS needs to better evaluate its systems and applications, which collect personal information, to improve monitoring for privacy. Since the audit, the agency has taken steps to better comply with privacy regulations and developing an agencywide privacy-training program, TIGTA said.
Security, business systems modernization and financial management again top the list of management and performance challenges facing the IRS in the current fiscal 2007 year, TIGTA said in its annual report.
During the past year, the IRS began to restructure and redesign major areas with the BSM program. For example, IRS took over the role of systems integrator from Computer Sciences Corp., the lead PRIME contractor, and changed its approach from completely replacing current business systems to using a current, existing system to accomplish modernization.
Although the IRS has completed modernization projects that benefit taxpayers, it still needs to bolster key management processes, maintain direction with experienced leadership and effectively manage contractor performance and accountability.
Although it collected more than $2.3 trillion in taxes, or 95 percent of all federal revenue, in fiscal 2005, the IRS' financial-management systems have serious internal control and systems deficiencies because the agency lacks a comprehensive, integrated system. As a result, the IRS relies extensively on labor-intensive processes to extract financial and operating data to prepare its financial statement.
Mary Mosquera is a reporter for Federal Computer Week.