It may come as no surprise that an agency that accidentally destroys a computer hard drive and two years of archived emails along with it -- in seeming contravention of federal record-keeping laws -- struggles with making risk-based decisions regarding technology.
We’re talking, of course, about the Internal Revenue Service. And it turns out, the agency also struggles with risk-based decision-making when it comes to IT security.
A new report from the Treasury Inspector General for Tax Administration -- dated Sept. 22, but not made publicly available until last week -- set out to examine whether the agency’s mostly ad hoc process for assessing IT security risks “provides an effective platform of identifying, assessing and addressing risks related to information technology projects and systems.”
Short answer: not really.
Risk-based decision-making describes the tradeoffs an agency makes -- or doesn’t make -- when confronted with a potential cyber vulnerability.
“When a security risk is discovered and it cannot be easily mitigated, for instance, through a configuration change or software upgrade, either a plan must be developed to address the risk or a determination is made to accept the risk,” the IG said.
The problem, according to the IG, is that the IRS isn’t properly documenting where and when it decides to deviate from its IT security policies and live with the risk.
With “insufficient oversight” of risk-based decision-making and “limited information about why decisions are being made, IRS systems and data are at risk of breach by insider threats and could potentially result in wasted resources through fraud or collusion with contractors and software vendors,” auditors wrote in the report.
Auditors said the IRS’s record-keeping of risk-based decisions is spotty.
“The IRS collects and tracks minimal information about risk-based decisions and does not require supporting documentation about why decisions were made,” the report stated.
For example, the agency uses only a basic 10-column spreadsheet to document deviations from standard security practices.
According to IRS policy, all risk-based decisions are required to be tracked and stored in a special “library,” but auditors determined many such decisions “were neither supported nor adequately tracked in the spreadsheet cybersecurity function officials refer to as their library.”
In addition, some IT officials may be accepting and approving risk unbeknownst to the agency’s cybersecurity shop, auditors found.
The IG recommended the IRS chief technology officer, Terence V. Milholland, direct the agency’s cybersecurity team to rewrite policies regarding risk-based decision-making, retrain officials on how to document them and conduct quarterly record-keeping reviews.
The agency agreed with the recommendations.