IG Questions Effectiveness of IRS Monitoring
Third of Agency Servers Aren't Screened, Placing Data at Risk
Performing a job effectively most of the time doesn't cut it in IT security, as the Internal Revenue Service has been reminded by Treasury Department auditors.
Treasury's inspector general for tax administration became the second auditing organization this spring to point out flaws in IT security at the IRS that put its data at risk.
The IG zeroed in on the IRS Computer Security Incident Response Center, which monitors IRS networks around the clock for cyberattacks and vulnerabilities and responds to various computer security incidents, such as the theft of a laptop computer.
The response center, the IG said, performs most of its responsibilities to prevent, detect and respond to computer security incidents. Still, the auditors say, more must be done.
"The CSIRC's host-based intrusion detection system is not monitoring 34 percent of IRS servers, which puts the IRS network and data at risk," Michael Phillips, deputy inspector general for audits, wrote in the 33-page audit report. "The CSIRC is not reporting all computer security incidents to the Department of the Treasury as required. Incident response policies, plans and procedures are either nonexistent or are inaccurate and incomplete."
The IG issued its findings last month, about the same time the Government Accountability Office issued an audit that said the IRS's failure to implement proper security controls exposes its financial and tax-processing systems to potential insider threat, putting taxpayer information at risk [see GAO: Lack of Controls Puts IRS Data at Risk].
The IG recommended that IRS's chief information security officer:
- Develop a cybersecurity data warehouse capable of correlating and reconciling active servers connected to the IRS network with servers monitored by a host-based intrusion detection system.
- Revise and expand a memorandum of understanding with the IG to ensure all reportable and relevant security incidents are shared with the response center.
- Collaborate with the IG to create common identifiers to help the response center reconcile its incident tracking systems with auditors.
- Develop or update a standalone incident response policy.
- Develop an incident response plan.
- Develop, update and formalize all critical standard operating procedures.
IRS Chief Technology Officer Terence Milholland, in a written response, said the taxing agency agrees with the recommendations and submitted corrective-action plans. But Phillips said the IRS's proposed corrective action to correlate and reconcile active servers connected to its network with servers monitored by the host-based intrusion detection system failed to address the auditor's concerns about implementing recommended controls.