IRS fails to assign employees security roles and responsibilities, audit finds

The Internal Revenue Service has not informed information technology employees what their responsibilities are for securing taxpayer data, according to a report a Treasury Department inspector general released on Tuesday.

The audit reviewed steps the IRS established to address a lack of defined security roles and tasks and found the agency failed to implement most of the corrective actions.

Agency officials believed they had executed their plan properly, but the inspector general called that conclusion premature and said the IRS has yet to correct material weaknesses. The deficiencies included a lack of day-to-day IT security procedures and metrics for evaluating compliance with IT security requirements.

"Until the IRS has documented and reviewed security role-related, day-to-day procedures and guidelines in existence within its business units, it cannot ensure all employees performing in security roles are complying with their security-related responsibilities consistent with IRS policy," wrote Michael R. Phillips, deputy inspector general for audit in the Office of the Treasury Inspector General for Tax Administration. He sent the report to the IRS chief technology officer on Aug. 26.

The IRS is not required to train contract employees in cybersecurity because their companies are responsible for ensuring they have the necessary expertise. But the agency still should track contractor personnel's security duties and test them on compliance, the audit stated. In addition, the IRS has no method for determining which contractors are in security roles, the report found.

"We identified more than 1,350 contract employees with system access that held titles related to security roles, such as system administrators, database administrators, programmers, developers, security specialists, system architects, system engineers and Web developers," Phillips wrote. "These job titles may or may not align with IRS security roles."

IRS officials said they plan to establish a way to document the contract employees who have access to computer systems and then test the individuals appropriately, according to the report.

The IRS has made strides in communicating security policies, the report noted. For example, the agency has used electronic newsletters to promote security awareness among workers, has conducted security surveys and has made staff available to answer employees' questions.

In responding to a draft of the audit, IRS officials agreed with the inspector general's judgment that the agency has yet to address the noted problem areas but disagreed the problems represent "material weaknesses," according to the report.

IRS officials on Tuesday stood by their response in the report.