There’s Even More Bad News About IRS Information Security

The board charged with overseeing the Internal Revenue Service’s sprawling agglomeration of computer network directories doesn’t know basic facts about the directories it’s charged with overseeing and frequently isn’t informed about upgrades it’s supposed to be authorizing, a recent audit report found.

Network directory services include verifying that only authorized computers and other devices are operating on a network and ensuring that all users on the network are who they say they are.

The IRS created the directory oversight board—officially, the Active Directory Technical Advisory Board, or ADTAB—in 2013 after a 2011 audit found that the agency had allowed its collection of Microsoft Windows active directory networks to grow far too complex.

At that point, IRS was managing 20 active directory “forests.” Forests are the largest meaningful boundary encompassing an active directory and separating it from other directories—basically the kingdom of the active directory world, which encompasses, phyla, classes, etc.

“Ideally, there should be only one forest in an organization for maximum administration, cost, and security efficiencies,” the audit from Treasury Inspector General for Tax Administration notes.

Five years later, however, the IRS has only whittled down to 19 forests and members of the ADTAB—which is supposed to be ensuring those forests are properly designed and secured—didn’t even know there were 19 forests until auditors told them.  

The ADTAB members also couldn’t provide documentation that described what those various forests looked like and were unaware of major past upgrades that they were supposed to have approved, the auditors found. Those include forest-wide upgrades to newer generations of Windows operating systems.

“Based on the results of our review, the ADTAB did not meet the basic requirements of its charter,” the auditors said.

The auditors recommended reviewing and modifying the ADTAB’s scope of responsibilities, changing its charter if necessary and making sure all forest owners are represented on the board. The IRS agreed with those recommendations.

The active directory audit follows a string of negative audit findings related to IRS information security. Most recently, auditors found in late June that the IRS wasn’t properly securing personal information about roughly 350,000 taxpayers that was previously compromised.

As part of the active directory audit, the inspector general’s office also reviewed physical and digital security protections on the computer rooms that house domain controllers in 11 locations—all of them controlled by IRS’ criminal investigations unit.

That review turned up 88 “physical security weaknesses,” including not limiting which employees could access the computer rooms and not setting up humidity controls and emergency power shut offs.

None of the 11 locations required two-factor authentication for employees to access the computer rooms, auditors found. All of the criminal unit’s domain controllers also failed a test that checks whether computers on the domain are adhering to current policies for the Windows operating system, the report found.