For the sixth year in a row, security for taxpayer information and employees is the top challenge facing the Internal Revenue Service, according to the agency’s watchdog.
In its yearly review of the IRS’ information technology program, the Treasury Inspector General for Tax Administration advised the agency to ensure its computer systems are up to date and secure, to both protect taxpayer information and provide the latest services to meet taxpayer needs.
“Overall, the IRS needs to ensure that it leverages viable technological advances as it modernizes its major business systems and improves its overall operational and security environments,” the report states. “Otherwise, the IRS’s computer operations could become compromised, disrupted, or outdated, which could adversely affect the IRS’s ability to meet its mission of providing America’s taxpayers with top-quality service by helping them understand and meet their tax responsibilities and enforcing the law with integrity and fairness to all.”
The report was issued Sept. 30 and posted online Oct. 27. The review is based on assessments of audit reports made during fiscal 2016, so while no recommendations are made, TIGTA in its review does offer suggestions on ways to strengthen security and thus improve service.
TIGTA based some of its assessment on Homeland Security Department-issued Federal Information Security Modernization Act Inspector General reporting metrics.
Based on DHS’ scoring methods, the IRS met all of the attributes for:
Identifying contractor systems.
Security and privacy training.
TIGTA’s report states three areas of IRS cybersecurity need significant improvement: information security continuous monitoring, configuration management, and identity and access management.
Other areas that also need some work include electronic authentication process controls, physical security controls, data backup and restoration, and SharePoint controls.
The IRS’ Information Security Continuous Monitoring (ISCM) only had a maturity level of two, on DHS’ scale of one to five. In 2014 the Treasury Department chose to adopt a uniform approach to ISCM and a toolset chosen by DHS, to meet program requirements, the report states.
“The DHS is in the process of procuring a standard set of cybersecurity tools and services for use by federal agencies,” TIGTA says. “This toolset will include sensors that perform automated searches for known cyber flaws and send the results to dashboards that inform system managers in real time of cyber risks that need remediation.”
TIGTA also reported that IRS’ configuration management program “did not meet the majority of the attributes specified by the DHS.”
While IRS has standard baseline configurations, “deficiencies continue to exist in ensuring baseline configurations are maintained and reported vulnerabilities are corrected timely.”
The agency is also still working on the expansion of a standard automated process for sending out system patches.
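The two configuration-management gaps named above, baselines that drift from the standard and reported vulnerabilities that are not corrected on time, can both be checked mechanically. The following is an added example, not code from the report, TIGTA or the IRS: it compares each host's observed settings against a constructed baseline and flags unfixed findings that have exceeded a per-severity remediation deadline. The baseline keys, host names, finding ids and the SLA_DAYS policy are all constructed placeholders, not IRS or DHS values.

```python
"""Baseline-drift and remediation-timeliness checks (added example with constructed data)."""
from datetime import date

# Constructed baseline: the hardening settings every server is expected to carry.
BASELINE = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "no",
    "audit.enabled": "yes",
    "ntp.server": "time.example.internal",
}

# Constructed observed configurations, as an inventory scanner might report them.
OBSERVED = {
    "srv-01": {"ssh.PermitRootLogin": "no", "ssh.PasswordAuthentication": "no",
               "audit.enabled": "yes", "ntp.server": "time.example.internal"},
    "srv-02": {"ssh.PermitRootLogin": "yes", "ssh.PasswordAuthentication": "no",
               "audit.enabled": "yes", "ntp.server": "time.example.internal"},
    "srv-03": {"ssh.PermitRootLogin": "no", "ssh.PasswordAuthentication": "no",
               "ntp.server": "time.example.internal"},  # audit.enabled is absent entirely
}

# Constructed vulnerability findings: when each was reported and whether it has been fixed.
FINDINGS = [
    {"host": "srv-01", "id": "FINDING-0001", "severity": "high",
     "reported": date(2016, 8, 1), "fixed": date(2016, 8, 20)},
    {"host": "srv-02", "id": "FINDING-0002", "severity": "critical",
     "reported": date(2016, 9, 1), "fixed": None},
    {"host": "srv-03", "id": "FINDING-0003", "severity": "low",
     "reported": date(2016, 9, 25), "fixed": None},
]

# Assumed remediation deadlines in days by severity (placeholder policy, not an IRS or DHS figure).
SLA_DAYS = {"critical": 15, "high": 30, "medium": 60, "low": 90}


def find_drift(baseline, observed):
    """Return (host, setting, expected, actual) for every setting that departs from the baseline.
    A setting missing from a host is reported with actual=None rather than silently passing."""
    drift = []
    for host, settings in sorted(observed.items()):
        for key, expected in baseline.items():
            actual = settings.get(key)
            if actual != expected:
                drift.append((host, key, expected, actual))
    return drift


def overdue_findings(findings, as_of, sla_days):
    """Return (id, host, days_overdue) for unfixed findings past their severity deadline on
    `as_of`, most overdue first. Fixed findings are excluded however late the fix landed."""
    overdue = []
    for f in findings:
        if f["fixed"] is not None:
            continue
        age = (as_of - f["reported"]).days
        limit = sla_days[f["severity"]]
        if age > limit:
            overdue.append((f["id"], f["host"], age - limit))
    return sorted(overdue, key=lambda item: -item[2])


def audit_report(as_of=date(2016, 9, 30)):
    """Run both checks against the constructed data and return them as one report."""
    return {
        "drift": find_drift(BASELINE, OBSERVED),
        "overdue": overdue_findings(FINDINGS, as_of, SLA_DAYS),
    }


if __name__ == "__main__":
    report = audit_report()
    for host, key, expected, actual in report["drift"]:
        print(f"DRIFT   {host}: {key} expected {expected!r}, found {actual!r}")
    for fid, host, late in report["overdue"]:
        print(f"OVERDUE {fid} on {host}: {late} day(s) past deadline")
```

Treating a missing setting as drift, rather than skipping it, is deliberate: a host that never received the audit setting is exactly the case a maintained-baseline check has to catch.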
TIGTA said in its report that the IRS has made progress on using personal identity verification (PIV) cards, but the IRS needs to work on ensuring users are not granted more access than they need, controlling shared accounts, and better monitoring of account closures.
Another mention in the assessment is the IRS’ electronic authentication.
TIGTA warns that while the agency understands the growing challenge, it has no service-wide approach to managing authentication, so there is room to strengthen that security feature.
“The risk of unauthorized access to tax accounts will continue to grow as the IRS focuses its efforts on delivering online tools to taxpayers,” the report states. “The consequences of unauthorized accesses include expanding the taxpayers’ preexisting identity theft issues and potential delays in tax return processing while identity theft issues are resolved.”
Recovery, records and reviews
Other areas reviewed by TIGTA included data storage security. TIGTA recommended more detailed agreements between the IRS and the Enterprise Storage Services Program contractors, to help “ensure adequate preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity.”
Another area of assessment was access to government facilities and returning work computers once an IRS employee leaves the agency.
While IRS has a series of steps in place to ensure departing employees turn in their computers and are no longer granted access to buildings, TIGTA’s sampling of fiscal 2014 employee separations found that IRS couldn’t verify all security items were recovered for more than 2,700 separations, while more than 850 employee separations had potential problems with laptop recovery.
IRS also needs to work on its handling of contractor laptop computers — which often have access to IRS networks — because TIGTA found during its review that records of these computers were “often incomplete, inaccurate, or not provided for review.”
Physical access to computer rooms and tape libraries was also flagged by TIGTA. The watchdog said the security for these areas needs to be updated, and that temporary badges used as a form of identification were a security issue because they carry no specific information about the wearer.
“We determined that automating access monitoring to the computer rooms and tape libraries will increase efficiency, oversight, and security,” the report said. “Currently, a manual process performed by one person is used to authorize and remove access for over 500 individuals.”
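The account-closure monitoring gap, the unverified employee separations and the manual computer-room access list described above are all instances of the same control: reconciling who has left against what they still hold. The following is an added example, not the IRS's or TIGTA's process, using constructed separation records, a constructed room-access roster (with a temporary badge that has no recorded holder), a constructed set of enabled accounts and a constructed laptop inventory; every id in it is a placeholder.

```python
"""Separation reconciliation (added example with constructed data): list departed staff who still
hold room access, an enabled account or an unreturned laptop, and badges with no recorded holder."""
from datetime import date

# Constructed separation records: who left and when.
SEPARATIONS = [
    {"emp": "E1001", "separated": date(2016, 6, 30)},
    {"emp": "E1002", "separated": date(2016, 7, 15)},
    {"emp": "E1003", "separated": date(2016, 8, 1)},
]

# Constructed computer-room access roster: badge -> holder. None marks a temporary badge
# with no recorded wearer, the gap the report describes.
ROOM_ACCESS = {
    "BADGE-01": "E1001",  # still active after the holder separated
    "BADGE-02": "E2001",
    "BADGE-03": None,     # temporary badge, no holder recorded
    "BADGE-04": "E1003",
}

# Constructed directory of enabled network accounts.
ACTIVE_ACCOUNTS = {"E1002", "E2001", "E2002", "E1003"}

# Constructed laptop inventory: asset -> (assignee, date returned or None if still out).
ASSETS = {
    "LT-501": ("E1001", date(2016, 7, 1)),
    "LT-502": ("E1002", None),
    "LT-503": ("E2001", None),  # current employee, nothing to recover
    "LT-504": ("E1003", date(2016, 8, 2)),
}


def unverified_separations(separations, room_access, active_accounts, assets):
    """Map each separated employee to the items still outstanding: "room access",
    "network account" and "laptop <asset>". Employees with nothing outstanding are
    omitted, so the result is the exception list an auditor would review."""
    badge_holders = {holder for holder in room_access.values() if holder is not None}
    result = {}
    for rec in separations:
        emp = rec["emp"]
        outstanding = []
        if emp in badge_holders:
            outstanding.append("room access")
        if emp in active_accounts:
            outstanding.append("network account")
        for asset, (assignee, returned) in sorted(assets.items()):
            if assignee == emp and returned is None:
                outstanding.append(f"laptop {asset}")
        if outstanding:
            result[emp] = outstanding
    return result


def untraceable_badges(room_access):
    """Badges that grant access but have no recorded holder, such as temporary badges.
    These cannot be reconciled against separations at all and need a named owner."""
    return sorted(badge for badge, holder in room_access.items() if holder is None)


if __name__ == "__main__":
    for emp, items in unverified_separations(SEPARATIONS, ROOM_ACCESS,
                                             ACTIVE_ACCOUNTS, ASSETS).items():
        print(f"{emp}: still holds {', '.join(items)}")
    for badge in untraceable_badges(ROOM_ACCESS):
        print(f"{badge}: access granted with no recorded holder")
```

Run on a schedule against the real rosters, the first function replaces the one-person manual list with a report that is empty when the separation process has worked, and the second makes the unnamed-temporary-badge problem visible instead of invisible.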
The watchdog also assessed the IRS’ Return Review Program (RRP).
“During our review of the RRP in December 2015, we found that the RRP pilot successfully identified tax returns involving identity theft that were not identified by other fraud detection systems,” TIGTA states. “However, our analysis also showed that 54,175 confirmed identity theft tax returns with refunds totaling more than $313 million were identified by other existing fraud detection systems but were not selected by the RRP. As the IRS continues to develop the RRP, it needs to ensure that the RRP will detect identity theft cases being identified by existing systems as well as other identity theft cases.”
Other issues flagged by TIGTA include the need for better management of the agency’s Tier II backup servers, and better risk management for the IRS SharePoint environment.
TIGTA also weighed in on legislative issues that impact the IRS, such as the Affordable Care Act and Foreign Account Tax Compliance Act.