IRS slow on security settings, IG says

The tax agency was also late to establish a project management team for FDCC, and that team did not follow best practices, auditors said.

The Internal Revenue Service has been slow to implement the required security settings on its 98,000 desktop and laptop computers, the Treasury Inspector General for Tax Administration said. The IRS implemented 102 of the 254 required security settings on its computers in October 2008, nine months after the deadline set by the Office of Management and Budget, TIGTA said in a report released today.

OMB required agencies that use Microsoft’s Windows XP or Vista operating systems to adopt the Federal Desktop Core Configuration (FDCC), a standard set of configuration settings, by Feb. 1, 2008, to improve security and reduce operating costs. As of December 2008, the IRS had implemented 81 percent of the settings, the auditor said.

The service has faced difficulties in establishing the security settings because the tax agency’s 98,000 computers are in 670 locations, and the IRS operates 1,900 software applications, 300 of which were internally developed for specific IRS business processes, the report states. As part of the implementation effort, the IRS must test each application to ensure it operates properly with the FDCC settings, TIGTA said.

The creation of a project team to manage the security effort in January 2008, one week before the deadline, slowed implementation of the settings, TIGTA said. The team was formed late because some IRS officials mistakenly assumed the IRS’ existing common operating environment already met the FDCC requirements, according to the report.

Once created, the team did not follow basic project-management practices while testing the applications for FDCC compatibility, the auditor said. For example, the master control list used by the project leaders did not account for many applications that needed to be tested, TIGTA said.

The IRS also has not implemented an automated monitoring application to detect changes to the settings after they are installed, so a desktop that drifts from the baseline would not be noticed, said J. Russell George, the Treasury inspector general for tax administration. And the tax agency has not modified its software contracts to require that new software operate properly with the settings, he said.
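The monitoring gap described above is a configuration-drift problem: once the required settings are deployed, something has to re-check each host against the baseline and flag settings that have been changed or removed, and report the kind of "percent implemented" figure the audit cites. The following script is an added illustration, not code from the TIGTA report, the IRS or any FDCC tool. The registry-style setting paths and values are constructed for the example and are not the actual FDCC content; on a real Windows host the `current` snapshot would be read from the registry (for instance with `winreg`) or produced by a SCAP-validated scanner rather than built from an inline dict.

```python
"""Baseline drift check for desktop security settings (added example).

Constructed setting paths/values; not the real FDCC baseline. A production
version would read the current snapshot from the registry or a SCAP scanner.
"""
from dataclasses import dataclass, field
from typing import Any, Dict, List, Tuple

Snapshot = Dict[str, Any]  # registry-style path -> observed value

# Constructed, FDCC-like settings used throughout the example.
AUTORUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun"
FIREWALL = r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall"
RDP_DENY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDenyTSConnections"
SAVER_TIMEOUT = r"HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveTimeOut"
SAVER_SECURE = r"HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaverIsSecure"

# Baseline: the value each setting must hold after deployment (constructed).
BASELINE: Snapshot = {
    AUTORUN: 255,        # autorun disabled on all drive types
    FIREWALL: 1,         # host firewall on
    RDP_DENY: 1,         # inbound Remote Desktop denied
    SAVER_TIMEOUT: "900",  # lock after 15 minutes idle
    SAVER_SECURE: "1",   # password required on resume
}

# Constructed scans of one workstation: right after deployment, and a week later
# after someone re-enabled autorun and deleted the screen-saver timeout policy.
SCAN_DAY0: Snapshot = dict(BASELINE)
SCAN_DAY7: Snapshot = {
    AUTORUN: 145,  # 0x91: autorun allowed again on some drive types
    FIREWALL: 1,
    RDP_DENY: 1,
    SAVER_SECURE: "1",
}


@dataclass
class DriftReport:
    compliant: List[str] = field(default_factory=list)
    drifted: List[Tuple[str, Any, Any]] = field(default_factory=list)  # (path, expected, actual)
    missing: List[str] = field(default_factory=list)

    def percent_implemented(self) -> float:
        """Share of baseline settings that hold on the host, as the audit reports it."""
        total = len(self.compliant) + len(self.drifted) + len(self.missing)
        return 100.0 * len(self.compliant) / total if total else 0.0


def check_drift(baseline: Snapshot, current: Snapshot) -> DriftReport:
    """Compare one host snapshot against the baseline, setting by setting."""
    report = DriftReport()
    for path, expected in baseline.items():
        if path not in current:
            report.missing.append(path)            # never applied, or key deleted
        elif current[path] != expected:
            report.drifted.append((path, expected, current[path]))
        else:
            report.compliant.append(path)
    return report


def changes_between(previous: Snapshot, current: Snapshot) -> Dict[str, Tuple[Any, Any]]:
    """Settings whose value differs between two successive scans, independent of
    the baseline: this is the 'detect changes after installation' piece."""
    changed: Dict[str, Tuple[Any, Any]] = {}
    for path in sorted(set(previous) | set(current)):
        before, after = previous.get(path), current.get(path)
        if before != after:
            changed[path] = (before, after)
    return changed


if __name__ == "__main__":
    report = check_drift(BASELINE, SCAN_DAY7)
    print(f"implemented: {report.percent_implemented():.0f}%")
    for path, expected, actual in report.drifted:
        print(f"DRIFT   {path.rsplit(chr(92), 1)[-1]}: expected {expected!r}, found {actual!r}")
    for path in report.missing:
        print(f"MISSING {path.rsplit(chr(92), 1)[-1]}")
    for path, (before, after) in changes_between(SCAN_DAY0, SCAN_DAY7).items():
        print(f"CHANGED {path.rsplit(chr(92), 1)[-1]}: {before!r} -> {after!r}")
```

Run periodically against every managed host, the two checks answer different questions: `check_drift` says whether the host still meets the baseline (and yields the percentage an auditor asks for), while `changes_between` catches any change since the last scan, including changes to settings outside the baseline that may still matter. Treat the baseline as a signed, read-only artifact; a drift checker that reads its expected values from the same host it is checking can be defeated by the same change it is meant to detect.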

“Taxpayers have every right to expect that the IRS protects their privacy and personal information to the highest possible degree. Without a complete set of security settings on employees' computers, the IRS is at risk of business disruption and unauthorized access to taxpayer data,” George said.

The IRS has improved its testing after consulting with Microsoft and has updated its internal procedures to include the FDCC settings, TIGTA said.

The service said it would follow TIGTA recommendations that it improve its technology project-management practices, consider acquiring an automated monitoring tool and prioritize the updating of software contracts.

The TIGTA report is available here.