IRS Needs to Physically Secure Its Computer Rooms

An IG report finds IRS needs to update physical access procedures to restricted rooms.

The Internal Revenue Service has had cyber problems before, but now the physical security of its facilities is under scrutiny.

IRS' computer rooms and tape libraries, which store critical systems on mainframes, servers and other equipment, aren't well enough protected from potential intruders, a new watchdog report concluded.

In some cases, anyone with general access can enter restricted computer rooms, and surveillance equipment is either outdated or nonexistent, an audit from the Treasury Inspector General for Tax Administration said.

Such "unauthorized access" could lead to the "theft of equipment and taxpayer information and disruption of service," the report said.

One of IRS' data center locations didn't have two-factor authentication, and IRS wasn't performing door-testing after some changes to its Physical Access Control System, called ePACs. 

For instance, at one site, doors from a dock into a computer room allowed "any person with general access capability to enter the computer room," the report said. A door to a tape library was in the same group as the main computer room door, which allowed any person who could get into a computer room to also get into a tape library.

In some cases, doors were "labeled incorrectly for entry and exit situations."

Some employees were issued temporary badges, which could be used for identification but didn't actually include information specific to the employee, the audit found. IRS' process for identifying visitors was "manual and visual," which could increase the chances of unauthorized entry.

Using a Personal Identity Verification card could solve this problem because "the card authenticates the individual entering the room," the report said.

TIGTA recommended IRS automate the monitoring of its tape libraries and computer rooms, and that the agency's chief information officer be involved in that decision.

IRS agreed with many of the recommendations, but disagreed with recommendations about "updating policies for cameras and monitoring physical intrusion alarms, temporary badges, controlling of access into computer rooms, the need to remove levels of access, and business need for access."

For automating the monitoring and access, "our current processes are meeting mandated standards and have been quite effective," S. Gina Garza, CIO, and Kevin McIver, chief of agencywide shared services, wrote in a response.

"While we truly appreciate the value of exceeding standards with more automation in this area, it does not rise to the level of other more pressing priorities," they said.