TIGTA: IRS needs to better monitor security compliance

The Internal Revenue Service needs to take more action to monitor and enforce compliance with security policies and procedures, and provide more effective guidance, the Treasury Inspector General for Tax Administration said in a new report. Although IRS has made progress in its information security, it needs to be more comprehensive, the IG said. For example, the agency did not validate actions taken to correct security weaknesses, and testing to verify compliance with security configurations was inadequate. IRS also did not adequately analyze security incidents for underlying causes. The agency did not always identify the causes of the 1,172 incidents reported in a one-year period and did not always follow up to ensure that the weaknesses were corrected, TIGTA said in the report, released today. In another audit, TIGTA said it found 15 of 20 systems did not meet basic annual testing requirements. Although IRS’ cybersecurity organization is primarily responsible for monitoring compliance with security guidance, the Modernization and Information Technology Services organization and each of the business functions are responsible for implementing the guidance. It is difficult for one office to enforce implementation across organizational lines in an agency as large and diverse as the IRS, TIGTA said. IRS did not enforce compliance with continuous-monitoring requirements and did not develop the metrics to measure the effectiveness of security measures, the audit found. “Until improvements are made, security weaknesses are more likely to occur, and the IRS cannot provide assurance that systems containing sensitive taxpayer data are adequately protected from security breaches,” said Michael Phillips, deputy inspector general for audit, in the report. IRS’ cybersecurity organization developed guidance that incorporates nine of the 12 key techniques from the National Institute for Standards and Technology, including: • System owners are required to ensure that corrective actions are taken to resolve security weaknesses. • All devices connected to the IRS network are to be scanned quarterly for configuration compliance. • The IRS is required to semiannually analyze incidents reported, identify common weaknesses and follow up to ensure that the weaknesses are corrected. • Security controls should be tested at least annually to ensure that they are accomplishing their intended purposes. • Analysis of metrics should be a part of the IRS’ monitoring efforts. Guidance for the remaining three elements -- system development life cycle, capital planning, and security services and products acquisition -- did not meet all necessary NIST requirements and made references to obsolete standards and controls. For guidance to be effective, it must be communicated to those who need it. IRS’ cybersecurity organization should make it easier for users to locate security policy guidance on its Web site, which is the primary source for communicating security requirements, TIGTA said. “Confusion caused by difficulty in locating guidance increases the likelihood that employees could unknowingly create weaknesses that result in security breaches,” Phillips said in the report. IRS is implementing TIGTA’s recommendations. Among them, the chief information officer, through the Security Services and Privacy Executive Steering Committee, should require system owners to regularly report to the committee on progress in addressing plans of action and milestones items; require the cybersecurity organization to improve the verification of compliance with standard configurations; analyze incidents reported to the Computer Security Incident Response Center to identify common or systemic underlying weaknesses that contributed to these incidents and track corrective actions in the appropriate plan of action and milestones. The system owners should prepare continuous-monitoring plans that implement annual testing of system controls compliant with NIST guidance, the report said, and develop quantifiable security metrics based on IRS information security goals. The cybersecurity organization should analyze anomalies for root causes and report its results regularly to the steering committee. To improve security guidance, TIGTA recommended, the associate CIO for cybersecurity should coordinate with other IRS executives to include complete NIST-compliant security guidance for the three areas that need to be updated, and improve the cybersecurity organization’s Web site by maintaining all security procedures in one location and providing direct links to other federal guidance. IRS should also develop a system to notify employees and contractors of changes to security guidance.