Security challenges persist at IRS despite progress: TIGTA

Featured eBooks
Whole-of-State Cybersecurity
The State of Trust in Government
Cybersecurity in State and Local Government
By Mary Mosquera
 

Connecting state and local government leaders

By Mary Mosquera

|

The Treasury Inspector General for Tax Administration released several recent reports citing the need for the IRS to strengthen patch management and other aspects of IRS security.

The IRS has not installed patches on all its computers in the face of security flaws, leaving sensitive taxpayer information at risk to unauthorized disclosure. The Treasury Inspector General for Tax Administration released several recent reports citing the need for the tax agency to strengthen patch management and other aspects of IRS security.

Although IRS has made process changes, they have not yet had a positive effect on certification and accreditation and tracking the resolution of security vulnerabilities.
Risks to sensitive data on IRS systems are increasing due to more connectivity of computer systems and use of laptops and overall higher hacker activity, TIGTA said.

'Sufficient attention is not yet being given to the security of sensitive systems,' said J. Russell George, inspector general at TIGTA, in reference to IRS' challenges in managing security.

Even with improvements in patch management practices, for example, inadequate management of controls still allow for unpatched systems, TIGTA said in one report.

The IRS plans to complete by February nationwide rollout of a self-install program that identifies and installs patches on workstations and laptops. The agency also has taken steps to better manage its Tivoli security software endpoints and is considering an approach that would not allow workstations onto the network until missing patches were updated.

In another report, TIGTA found that the IRS does not adequately collect, review and retain audit trails of activities to detect unauthorized access on its modernized systems and applications, such as the Customer Account Data Engine, its taxpayer database.

'Consequently, unauthorized access and theft of taxpayer records may be occurring without being detected, possibly resulting in theft of taxpayer identities,' said Michael Phillips, deputy inspector general for audit, in the report.

The IRS provided plans to be implemented in 2007 to correct the situation to review and retain audit logs, said Daniel Galik, chief, IRS mission assurance and security services, in a letter last month.

Despite the vulnerabilities, the IRS has made progress on complying with requirements under the Federal Information Security Management Act, based on a sample of IRS systems that TIGTA tested, the auditor said in another report.

In fiscal 2006, the IRS reassessed security risks of each of its systems so that auditors are confident that the inventory of IRS systems is substantially complete and the risk categorizations are accurate. The agency reported on its total inventory of 264 systems. The risk categorization is the basis for deciding which security controls to use to protect the confidentiality, integrity and availability of systems and data.

TIGTA, however, found problems with the process the IRS uses for thorough assessment of system risk and security. For example, the agency based tests of the account management controls for a moderate risk system from interviews only. The agency should have examined organizational records, user account and configuration settings.

The IRS reported that 95.5 percent of its systems had current certifications and accreditations. A working group, the IRS Security Program Management Officer Council, with representatives from across the agency, has improved the planning for complying with FISMA, such as certification and accreditation of systems.

The IRS also lags on annually testing certain of IT systems' security controls once systems are accredited and throughout the system lifecycle. The Treasury Department CIO recently issued draft guidance on the subject in response, TIGTA said.

The IRS needs to better evaluate its systems and applications, which collect personal information, to improve monitoring for privacy. Since the audit, the agency has taken steps to better comply with privacy regulations and developing an agencywide privacy-training program, TIGTA said.

Security, business systems modernization and financial management again top the list of management and performance challenges facing the IRS in the current fiscal 2007 year, TIGTA said in its annual report.

During the past year, the IRS began to restructure and redesign major areas with the BSM program. For example, IRS took over the role of systems integrator from Computer Sciences Corp., the lead PRIME contractor, and changed its approach from completely replacing current business systems to using a current, existing system to accomplish modernization.

Although the IRS has completed modernization projects that benefit taxpayers, it still needs to bolster key management processes, maintain direction with experienced leadership and effectively manage contractor performance and accountability.

Although it collected more than $2.3 trillion in taxes, or 95 percent of all federal revenue, in fiscal 2005, the IRS' financial-management systems have serious internal control and systems deficiencies because the agency lacks a comprehensive, integrated system. As a result, the IRS relies extensively on labor-intensive processes to extract financial and operating data to prepare its financial statement.

NEXT STORY: White House fact sheet tries to address PMA criticisms

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.