IRS Needs Better IT Security Plan, Inspector General Says - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Business & Finance

IRS Needs Better IT Security Plan, Inspector General Says

The process for identifying weaknesses and reporting progress is flawed and ineffective, according to the report.

The Internal Revenue Service isn't doing enough to assure the security of its IT systems, according to a Treasury Department Inspector General's report made public last week.

The report, written by assistant inspector general for audit Gordon Milbourn, says the IRS has prepared action plans and milestones to track program-level and system-level weaknesses, as required by the White House Office of Management and Budget.

But the process the IRS employs to identify weaknesses and report progress is flawed and ineffective, Milbourn writes. That means the information the IRS provides Treasury and has been inaccurate and misleading. Without effective action and milestone plans, Milbourn says, the IRS can't identify and monitor security weaknesses to ensure that the most significant weaknesses are addressed in a timely fashion.

Among the other observations the inspector general made:

  • The IRS failed to provide sufficient emphasis and instill the discipline needed to assure it has a system in place to monitor security weaknesses. As a result, the IRS has reported only general weaknesses for its systems and overstated the actions it has taken to improve its security program. For the most recent plans submitted to Treasury in September, the IRS reported 319 system-level weaknesses for its 80 major IT systems. This number is understated because it represents only management-control limitations such as lack of a certification and accreditation, security plan, or tested contingency plan. Generally, operational and technical control weaknesses weren't reported.
  • The agency prepared almost identical plans of action and milestones for each system, noting only broad control topics rather than specific weaknesses.
  • Specific actions aimed at correcting the weaknesses weren't detailed, and responsible individuals weren't identified. "Essentially," Milbourn writes, "the [plans] were so vague they couldn't be used in managing and overseeing the security program."
  • The IRS overstated progress in addressing the weaknesses. The IRS assumed if a system had been certified and accredited, then nearly all weaknesses noted about the system's plans of action and milestones could be closed. "This assumption isn't valid since certified and accredited systems can still have security weaknesses," Milbourn says. "We know of no testing that was done to identify security weaknesses or to ensure weaknesses were corrected."
  • To ensure an effective system is established to monitor security weaknesses, the Inspector General's office recommends that the IRS chief of mission assurance and security services coordinate with the department's CIO and business-unit owners to develop plans that specifically identify all known security weaknesses.

    The IRS chief of mission assurance and security services agrees with the inspector general's recommendations, and has initiated a number of corrective actions. Among them, according to the inspector general's report, is establishing a working group of executives and senior staffers from business units and the agency's modernization and technology services unit to develop and implement an approach to managing the plans. In coordination with the CIO and business unit owners, the chief of mission assurance and security services will develop a plan to allow the reconciliation and validation of corrective actions through the testing process.

    We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
    Comment  | 
    Print  | 
    More Insights
    State of the Cloud
    State of the Cloud
    Cloud has drastically changed how IT organizations consume and deploy services in the digital age. This research report will delve into public, private and hybrid cloud adoption trends, with a special focus on infrastructure as a service and its role in the enterprise. Find out the challenges organizations are experiencing, and the technologies and strategies they are using to manage and mitigate those challenges today.
    What Digital Transformation Is (And Isn't)
    Cynthia Harvey, Freelance Journalist, InformationWeek,  12/4/2019
    Watch Out for New Barriers to Faster Software Development
    Lisa Morgan, Freelance Writer,  12/3/2019
    If DevOps Is So Awesome, Why Is Your Initiative Failing?
    Guest Commentary, Guest Commentary,  12/2/2019
    Register for InformationWeek Newsletters
    Current Issue
    Getting Started With Emerging Technologies
    Looking to help your enterprise IT team ease the stress of putting new/emerging technologies such as AI, machine learning and IoT to work for their organizations? There are a few ways to get off on the right foot. In this report we share some expert advice on how to approach some of these seemingly daunting tech challenges.
    White Papers
    Twitter Feed
    Sponsored Live Streaming Video
    Everything You've Been Told About Mobility Is Wrong
    Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
    Sponsored Video
    Flash Poll