The Internal Revenue Service needs to take more action to monitor and enforce compliance with security policies and procedures, and provide more effective guidance, the Treasury Inspector General for Tax Administration said in a new report.
Although IRS has made progress in its information security, it needs to be more comprehensive, the IG said. For example, the agency did not validate actions taken to correct security weaknesses, and testing to verify compliance with security configurations was inadequate.
IRS also did not adequately analyze security incidents for underlying causes. The agency did not always identify the causes of the 1,172 incidents reported in a one-year period and did not always follow up to ensure that the weaknesses were corrected, TIGTA said in the report, released today. In another audit, TIGTA said it found 15 of 20 systems did not meet basic annual testing requirements.
Although IRS’ cybersecurity organization is primarily responsible for monitoring compliance with security guidance, the Modernization and Information Technology Services organization and each of the business functions are responsible for implementing the guidance. It is difficult for one office to enforce implementation across organizational lines in an agency as large and diverse as the IRS, TIGTA said.
IRS did not enforce compliance with continuous-monitoring requirements and did not develop the metrics to measure the effectiveness of security measures, the audit found.
“Until improvements are made, security weaknesses are more likely to occur, and the IRS cannot provide assurance that systems containing sensitive taxpayer data are adequately protected from security breaches,” said Michael Phillips, deputy inspector general for audit, in the report.
IRS’ cybersecurity organization developed guidance that incorporates nine of the 12 key techniques recommended by the National Institute of Standards and Technology, including:
• System owners are required to ensure that corrective actions are taken to resolve security weaknesses.
• All devices connected to the IRS network are to be scanned quarterly for configuration compliance.
• The IRS is required to semiannually analyze reported incidents, identify common weaknesses and follow up to ensure that the weaknesses are corrected.
• Security controls should be tested at least annually to ensure that they are accomplishing their intended purposes.
• Analysis of metrics should be a part of the IRS’ monitoring efforts.