Endpoint Security , Governance & Risk Management , Next-Generation Technologies & Secure Development

Inspector General: IRS's Aging IT Puts Taxpayer Data at Risk

IRS Pegs Replacement Costs at $430 Million
Inspector General: IRS's Aging IT Puts Taxpayer Data at Risk
Internal Revenue Service headquarters in Washington

The use of aging computer hardware at the Internal Revenue Service is introducing unnecessary risks to sensitive taxpayer information, a new report reveals.

See Also: Strengthening Defenses with ISO/IEC 27001 Standards: The Frontier of Canadian Cybersecurity

An audit from the Treasury Department's inspector general for tax administration, made public this week, reviewed an IRS's Sustaining Infrastructure Program that's aimed to address the operational challenge of replacing its aging hardware infrastructure. The IG reports the IRS isn't faring well.

The IG says the IRS has yet to achieve its stated objective of reducing its aging hardware to an acceptable level, deemed at 20 percent to 25 percent of all IT hardware. Instead, the percentage of older machines in use increased to 64 percent at the start of fiscal 2017 last Oct. 1 from 40 percent at the beginning of FY 2013.

Workweek of Time to Address Each Incident

Auditors analyzed 107 incident tickets most likely to involve old hardware failures in FY 2016 and found that the aggregate length of time to resolve the issues was approximately 4,541 hours, or 42 hours per incident.

"Aged information technology hardware still in use introduces unnecessary risks," Deputy Inspector General for Audit Michael McKenney writes in the report. "These aged hardware failures may have also had a negative effect on IRS employee productivity, security of taxpayer information and customer service."

The IRS estimates that the replacement cost for its old hardware is about $430 million.

IRS CIO S. Gina Garza characterizes replacement of aging infrastructure as a high priority for the agency. "However," she says in a written response, "providing sufficient funding to reduce the aged percentage of infrastructure to industry standards has been challenging. The IRS has faced the challenge of accomplishing its mission with decreased funding levels over several years and it did so while absorbing $1.3 billion in costs for unfunded or partially funded mandates."

IRS Questions IG's Assumptions

Garza challenges the auditors' underlying premise that the agency is using resources inefficiently by not spending all of its appropriated funds each fiscal year. She says transferring more than $5 million from one program to another requires congressional approval, but tight deadlines required in the budgeting process are hard to meet. "Given the time of the annual request and how long it takes to receive congressional approval, we would not be able to utilize surpluses identified late in the fiscal year," Garza says.

The IG recommended that the IRS CIO develop comprehensive guidance that describes the agency's enterprisewide processes, policies and procedures as well as the roles and responsibilities of IRS IT personnel to efficiently manage the its aged hardware. Auditors also recommended that the IRS implement systemic controls to prevent erroneous incident ticket time entries to an asset management system where the incident stop time is earlier than the incident start time.

The IRS accepted both of those recommendations, saying they'll be implemented by Oct. 31 and Dec. 15, respectively.

About the Author

Eric Chabrow

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.