TREASURY
INSPECTOR GENERAL FOR TAX ADMINISTRATION
Improvements Are Needed to
Ensure the Use of Modernization Applications Is Effectively Audited
September 29, 2006
Reference Number: 2006-20-177
This
report has cleared the Treasury Inspector General for Tax Administration
disclosure review process and information determined to be restricted from
public release has been redacted from this document.
Phone Number |
202-927-7037
Email Address | Bonnie.Heald@tigta.treas.gov
Web Site |
http://www.tigta.gov
September 29, 2006
MEMORANDUM
FOR
CHIEF INFORMATION OFFICER
CHIEF,
FROM: Michael R. Phillips /s/ Michael R. Phillips
Deputy Inspector General for Audit
SUBJECT: Final Audit Report – Improvements Are Needed to Ensure the Use of Modernization Applications Is Effectively Audited (Audit # 200620003)
This report presents the results of our review to determine whether the Internal Revenue Service’s (IRS) modernized systems generate audit logs that are saved and analyzed to detect unauthorized accesses to modernization applications.
Impact on the Taxpayer
Audit trails[1] for the IRS’ modernized systems are not being adequately collected, reviewed, or retained. Consequently, unauthorized access and theft of taxpayer records may be occurring without being detected, possibly resulting in theft of taxpayer identities. In addition, fraudulent transactions and intrusions on IRS systems used to administer tax laws could go undetected.
Synopsis
The IRS has two approaches for collecting audit trails for the computers supporting its Business Systems Modernization effort. Audit trails for the Customer Account Data Engine (CADE)[2] are stored internally. Audit trails for all other modernized systems are stored centrally and reviewed in the Security Audit and Analysis System (SAAS). Neither approach is working effectively.
The IRS is not monitoring audit trails on the CADE. While the CADE currently stores and processes only a small fraction of all taxpayer returns, its workload is expected to greatly increase in the next few years. This will place added importance on the IRS’ ability to monitor accesses to the sensitive taxpayer records stored in the CADE. We believe CADE transactions are not reviewed because only a limited number of users have permission to access the system. However, these users have powerful access privileges, which could enable them to steal taxpayer information and take action to disrupt computer operations with little chance of detection.
The SAAS audit trails of user and system activities on modernized systems are not being adequately monitored. User activity audit trails on modernized systems are not being reviewed by the IRS business units and the Treasury Inspector General for Tax Administration (TIGTA) for two reasons. First, while audit trail data are being collected by the SAAS, the data are not accurate, reliable, and complete. We reviewed over 3 million audit trail records and found 48 percent of the places for data required by IRS policy were missing data or contained inaccurate information. Second, even if the SAAS audit trails were usable, reports and functions for reviewing them are not yet available, making it unlikely SAAS users could identify inappropriate activity on modernized systems.
System activity audit trails are not being adequately
reviewed by the
The underlying reason why audit trails on the SAAS are not adequately reviewed is the inadequacy of SAAS system requirements, which are used to identify the System’s features and capabilities. Although the IRS accepted the SAAS in Fiscal Year 2002, the system requirements are still inadequate because much of the SAAS development effort to date has been focused on replacement of the Audit Trail Lead Analysis System.[4] This replacement has been a TIGTA and IRS priority because the System is aging. However, until all SAAS users emphasize the need to review audit trail data on modernized systems, sufficient priority will not be given to the development of SAAS audit trails.
Our results indicate the problems with the SAAS we reported[5] in August 2004 have not been adequately addressed, despite claims by the IRS that the SAAS has been functioning. In April 2005, the IRS responded to questions from the Senate Appropriations Committee that the “SAAS is effectively managing audit trail data for modernization systems.” We again reported[6] problems with the SAAS in August 2005. In its response to that report, the IRS disagreed with our conclusion that audit trails for IRS modernized systems were not functioning. IRS management explained the SAAS receives and processes audit trail transactions daily from several modernization applications and the data could be accessed through queries or reports.
Recommendations
We recommended the Chief, Mission Assurance and Security
Services (MA&SS), establish a review process for CADE audit trails and
ensure they are retained. For the SAAS,
the Chief Information Officer should modify modernized system audit trails to
comply with SAAS standards and capture information needed by user
organizations. In addition, the Chief, MA&SS,
should reassess the user and system requirements for the SAAS, including the
control weaknesses identified in this report, and ensure the requirements are
assigned a completion date. Once this is
complete, SAAS procedures and processes
should be reevaluated to ensure the new SAAS requirements are incorporated.
Response
The IRS agreed with our findings and recommendations. The MA&SS organization will establish an
enterprise process for reviewing the audit trails of all IRS legacy (current) and
modernized applications and systems, including CADE audit trails. In addition, it will establish, in
conjunction with the Chief Information Officer, a viable retention policy for
CADE audit trails that is consistent with established IRS policies. For the SAAS, the MA&SS organization will
reassess the requirements for SAAS audit trails, including identifying all user
requirements and the resulting SAAS system requirements needed to achieve
them. The IRS will provide a Project Plan
that includes development of change requests for modification of modernized applications
to provide audit trail data to, and in the correct format for, the SAAS based
on the reassessed SAAS requirements. The
Plan will include expected implementation dates for each modernization application
and will be based on funding and resource availability. Once SAAS requirements are reassessed, the MA&SS
organization will establish procedures to ensure audit trails are properly
reviewed and will assign staff to monitor failed audit trail records. Management’s
complete response to the draft report is included as Appendix V.
Office of Audit Comment
The IRS provided an implementation date of October 2008 for its corrective action addressing our recommendation to modify modernized system audit trails to comply with SAAS standards and capture information needed by user organizations. We recognize the difficult task the IRS faces in modifying modernized system audit trails to provide usable information, given their current state. However, this implementation date will leave the IRS without usable audit trails for more than 2 years. With this response, the IRS is accepting the risk that unauthorized access to taxpayer information on modernized systems may occur and not be detected.
Copies of
this report are also being sent to the IRS managers affected by the report
recommendations. Please contact me at (202)
622-6510 if you have questions or Margaret E. Begg, Assistant Inspector General
for Audit (Information Systems Programs), at (202) 622-8510.
Customer Account Data
Engine Audit Trails Are Not Being Adequately Monitored
Security Audit and
Analysis System Audit Trails Are Not Being Adequately Monitored
Appendices
Appendix
I – Detailed Objective, Scope, and Methodology
Appendix
II – Major Contributors to This Report
Appendix
III – Report Distribution List
Appendix
IV – Additional Information on the Security Audit and Analysis System Audit
Trail
Appendix V
– Management’s Response to the Draft Report
Abbreviations
|
CADE |
Customer Account Data
Engine |
|
CSIRC |
Computer Security Incident
Response Center |
|
IDRS |
Integrated Data Retrieval
System |
|
I-EIN |
Internet Employer
Identification Number |
|
IFS |
Integrated Financial System |
|
IRFOF |
Internet Refund/Fact of
Filing |
|
IRS |
Internal Revenue Service |
|
MA&SS |
Mission Assurance and
Security Services |
|
MeF |
Modernized e-File |
|
SAAS |
Security Audit and Analysis
System |
|
TIGTA |
Treasury Inspector General
for Tax Administration |
|
UNAX |
Unauthorized accesses and
inspections of taxpayer records |
An audit
trail is a chronological record of system activities that allows for the
reconstruction, review, and examination of a transaction.
Internal
Revenue Service (IRS) procedures state that each of the IRS’ computer
systems is required to collect and maintain adequate audit trail information
and that this information is to be timely reviewed. An audit trail is defined as a chronological record of system activities
that allows for the reconstruction, review, and examination of a transaction
from inception to final results. Audit
trails can also be used to diagnose computer problems because they capture all user and system activities
associated with a transaction and provide documentation that identifies what
has been done.
The National
Institute of Standards and Technology[7] states that audit trails can provide a means
to help accomplish several security-related objectives, including:
·
Individual
accountability – Enables managers to identify and provide information about
users suspected of improper modification of data (e.g., introducing errors into
a database).
·
Reconstruction
of events – Assesses damage to a system by pinpointing how, when, and why
normal operations ceased.
·
Intrusion
detection – Identifies attempts to penetrate a system and gain unauthorized
access.
·
Problem
analysis – Provides online tools to help identify problems other than
intrusions as they occur.[8]
For the IRS, audit trails on modernized systems are also needed to detect unauthorized access attempts, successful accesses of its most critical information, and attacks on its systems. In particular, audit trails are used to identify willful unauthorized accesses and inspections of taxpayer records (UNAX). Identifying UNAX violations became more important with the passage of the Taxpayer Browsing Protection Act of 1997,[9] which states the willful unauthorized access or inspection of taxpayer records is a crime punishable upon conviction by fines, prison terms, and termination of employment.
In addition to identifying UNAX violations, audit trails can be used to identify whether IRS financial information and transactions have been compromised. Such compromise could result in corruption of financial data and limit the IRS’ ability to conduct business. Compromise of financial information could also result in fraudulent transactions, such as unauthorized payments.
However, none of these events can be detected
if audit trails have not been designed to capture key information and are not
retained for a sufficient period of time.
Also, management must have a formal process for reviewing audit trail
reports to effectively respond to system events.
The IRS has two approaches for collecting audit
trails for the computers supporting its Business Systems Modernization
effort. For the Customer
Account Data Engine (CADE), audit trails are stored internally in
the system’s database. The CADE is the
foundation for managing taxpayer accounts in the IRS’ Business Systems
Modernization effort and will eventually house taxpayer accounts and tax return
data for more than 135 million individual and business taxpayers. The CADE will incrementally replace the existing
IRS Master File.[10] The current release of the CADE processes
selected data for over 1.4 million single filers with no dependents who filed
an Income Tax Return for Single Filers and Joint Filers With No Dependents
(Form 1040EZ) in Calendar Year 2005.
Audit trails for all other modernized systems are centralized in the Security Audit and Analysis System (SAAS). See Appendix IV for a list of these systems. The SAAS was initially built by the IRS’ PRIME contractor as part of the Business Systems Modernization effort and was accepted by the IRS in 2002. The SAAS is designed to gather user and system audit trail information from these systems and store this information in a central database that should be accessed and used by the following customers:
This review was performed in the Mission Assurance and Security Services (MA&SS)
organization and the Modernization and Information Technology Services
organization, at the
The IRS is not adequately collecting, reviewing, or retaining audit trail data from its modernized systems. Without adequate processes in these areas, unauthorized accesses or security intrusions could be occurring without being detected.
Customer Account Data Engine Audit Trails Are Not Being Adequately Monitored
The IRS is properly monitoring audit trails to identify attempts by unauthorized persons to access the CADE, and any security violations noted are sent to appropriate management officials for review and certification. However, once a user is authorized to access the CADE, his or her actions are not monitored. The lack of monitoring provides no assurance that an authorized user is accessing CADE data for official business purposes only.
While the CADE currently stores and processes only a small fraction of all taxpayer returns, its workload is expected to greatly increase in the next few years, as shown in Table 1. This growth places added importance on the IRS’ ability to monitor accesses to the sensitive taxpayer records stored in the CADE. If the IRS cannot review audit trail information for the current volume of returns, its ability to adequately and effectively review audit trails will diminish when the volume increases in future years.
Table 1: Estimated Number of Returns to Be Processed by
the CADE
|
Year |
Estimated Number of Returns |
Year |
Estimated Number of Returns |
|
2005 |
1,423,417 (Actual) |
2009 |
70 million |
|
2006 |
4 million |
2010 |
90 million |
|
2007 |
33 million |
2011 |
100 million |
|
2008 |
50 million |
2012 |
135 million |
Source: Customer Relationship
Management Executive Steering Committee, approved
October 18, 2005.
The IRS has not emphasized the need to monitor audit trails on the CADE because it is updated primarily through input of data from other IRS systems. Consequently, only a limited number of users have direct access to the CADE application. The CADE is currently accessible by only 39 persons including IRS computer personnel, contractors, and TIGTA personnel. However, these users have powerful access privileges that could enable them to steal taxpayer information with little chance of detection. By not reviewing user transactions in the CADE’s audit trails, the IRS cannot be assured that security violations are not occurring.
Also, CADE audit trails are not being sufficiently retained. Currently, audit trails are retained for 30 calendar days, a retention period based on available storage space. In comparison, SAAS audit trail data are required to be retained for 6 years.
We previously identified the CADE audit trail review and retention issues in our August 2005 report,[13] but at that time, CADE audit trails were retained for only 1 to 2 calendar days and were not being reviewed. We recommended CADE audit trail data be retained and reviewed to detect unauthorized accesses. The IRS disagreed with this recommendation, stating that log and audit files used by CADE system programmers are established for recovery and diagnostic purposes and do not capture data related to unauthorized access. In response, we commented that we continue to believe audit trail information for the CADE should be retained and reviewed. The CADE contains tax information for over 1.4 million returns that could be accessed by some IRS employees for unauthorized purposes, potentially resulting in identity thefts. Therefore, audit trail information must be maintained to comply with Department of the Treasury requirements.
Recommendations
Recommendation 1: To ensure CADE audit trails are reviewed, the Chief, MA&SS, should establish a review process for CADE audit trails. Such a process will aid in current reviews and position the IRS to perform future reviews when the amount of taxpayer information residing in the CADE is significantly larger.
Management’s Response: IRS management agreed with this recommendation. The MA&SS organization will establish an enterprise process for reviewing the audit trails of all IRS legacy (current) and modernized applications and systems, including CADE audit trails.
Recommendation 2: To ensure CADE audit trails are sufficiently retained, the Chief, MA&SS, and the Chief Information Officer should establish a viable retention policy for CADE audit trails, mirroring, where possible, that of other systems with taxpayer information.
Management’s
Response: IRS management agreed with this
recommendation. The
MA&SS organization, in conjunction with the Chief Information Officer, will
establish a viable retention policy for CADE audit trails that is consistent
with established IRS policies governing records management and retention
standards for systems with taxpayer information.
Security Audit and Analysis System Audit Trails Are Not Being Adequately Monitored
The three primary users of the SAAS (the IRS business units, TIGTA, and CSIRC) are performing either no reviews or limited reviews of user and system activity on modernized systems, as recorded in the systems’ audit trails. As a result, possible UNAX violations, other inappropriate accesses, or security intrusions may be occurring without being identified.
An underlying reason for the lack of reviews is inadequate requirements for the SAAS, which are used to identify features and capabilities for the System. SAAS requirements have not been adequately identified because much of the SAAS development effort to date has been focused on replacement of the Audit Trail Lead Analysis System, which is currently used by the TIGTA to identify potential UNAX violations on the Integrated Data Retrieval System (IDRS).[14] The replacement of the Audit Trail Lead Analysis System has been a TIGTA and IRS priority because the System is aging. Until all SAAS users emphasize the need to review modernized system audit trails, sufficient priority will not be given to the development of SAAS audit trails.
Our results indicate the problems with the SAAS we reported[15] in August 2004 have not been adequately addressed despite claims by the IRS that the SAAS has been functioning. In April 2005, the IRS responded to questions from the Senate Appropriations Committee that the “SAAS is effectively managing audit trail data for modernization systems.” In August 2005, we again reported[16] problems with the SAAS. In their response to that report, IRS management disagreed with our conclusion that audit trails for IRS modernized systems were not functioning. IRS management explained the SAAS receives and processes audit trail transactions daily from several modernization applications and the data could be accessed through queries or reports.
IRS business units and the TIGTA are not reviewing user activity on modernized systems
The IRS business units and the TIGTA are not reviewing SAAS user audit trails, which document a user’s actions on modernized systems. Specifically:
At present, the only audit trails available for IRS business unit managers and the TIGTA to review are those for IRS employee transactions. In October 2005, the IRS ceased adding transactions by nonemployees to the SAAS, such as those for tax filers and users of the IRS.gov web site, to address an immediate problem of insufficient data storage and to improve the performance of the System. These transactions are now stored in separate files in the SAAS. MA&SS organization personnel informed us this was justified because the TIGTA and IRS business units had not provided any requirements to review these data. In addition, these transactions can be made available to the business units and the TIGTA once requirements are identified to review the transactions.
Reviews of user activity are not occurring because a large amount of audit trail data in the SAAS is not usable. In addition, reporting features that would aid users in reviewing these data are not adequate.
User activity data are not reliable, complete, and accurate
The audit trails collected by the SAAS do not comply with the IRS’ audit trail requirements. The data collected have significant integrity issues, rendering much of the data unreliable, inaccurate, incomplete, and, therefore, unusable. For a record in an audit trail to be useful, certain data must be complete and valid. These data include who initiated the transaction, when the transaction occurred, where it occurred, and whether the transaction succeeded or failed.
We reviewed over 3 million SAAS audit trail records of modernized systems for November 2005 and identified over 24 million possible entries[17] for data required by IRS policies. Of these, we determined that 48 percent were missing data or contained inaccurate information. In particular, we found blank entries, incomplete entries with partial numbers or text, and unexpected data such as numbers where text is expected. In addition to the required entries, the SAAS audit trail can store descriptive information about a transaction, which is useful in the search for UNAX violations. We determined that, while the SAAS audit trail record has 15 places for these descriptive entries, only 1 of the available places contained useful information. In addition to inadequate data entries, we identified over 80,200 potentially missing audit trail records and over 3,400 corrupted audit trail records. Appendix IV presents additional details on this issue.
Due to these data integrity issues, the MA&SS organization has not engaged IRS business units to review employee activity on modernized systems. The data integrity issues are a result of inaccurate and incomplete data being sent to the SAAS by modernized systems and insufficient controls in place to ensure the audit trail data brought into the SAAS are complete and valid. Modernized systems send audit trail data to the SAAS, which then processes and tests the data for existence of selected information. However, the following problems with this process exist:
During our audit, the MA&SS organization submitted a change request for the modernized system audit trails to be revised to properly recognize user actions as well as comply with standard formats and content. The primary focus of the request was to address inconsistencies in how modernized systems record transaction events and the payload, or transaction content, portion of the audit trail record. These changes were requested to be completed by June 2006.
In August 2005, we reported[18] the IRS did not adequately consider security controls in the development phase of modernized systems. Several inadequate security controls were identified, many of which could have been addressed in the development phase of the systems. Given the lack of robust integrity tests and the inadequacy of audit trail data being sent to the SAAS, it is apparent sufficient emphasis was not placed on audit trails during the development and in certification testing of modernized systems.
Report features are not adequate for the business units and the TIGTA
Even if the modernized audit trails were reliable, it is unlikely that users of the SAAS would be able to review them because SAAS features needed to review these data are not yet available. The SAAS is designed to be both the replacement for the Audit Trail Lead Analysis System and the central repository for modernized IRS systems’ audit trails. The SAAS is intended to enable IRS business unit, TIGTA, and CSIRC users to generate reports and search audit trail records to detect unauthorized activities and security intrusions on modernized systems. In addition, IRS managers will be able to certify they have reviewed modernized audit trail reports for their employees, to identify accesses and violations. These reports and functions are specified in the SAAS requirements used to develop the System. Similar features are also available on the IDRS On-Line Reports Services application, which aids IRS managers in identifying UNAX and other violations on the IDRS.
However, SAAS reports and certification features have not yet been implemented. Currently, users can search audit trail records only through user-created queries. While report features are included in the current System requirements, they have not been implemented and do not have completion dates assigned. This occurred in part because IRS business units have historically placed little emphasis on reviewing audit trail data. For example, a recent TIGTA report[19] found that business unit managers were not reviewing audit trail data to detect inappropriate activity of their employees on the IDRS.
The CSIRC does not have sufficient data with which to identify intrusions on modernized systems
We also determined the CSIRC is performing limited reviews of system audit trails to identify security intrusions on modernized systems. System audit trails document the system activities, including those taken during an attack or intrusion into the system. The CSIRC is performing some reviews of modernized system audit trails. However, these reviews are limited because audit trail files needed by the CSIRC are not being sent or sent timely to the SAAS. Procedures require that these files be sent daily from all modernized systems, excluding mainframe computers, to a central server (the Log File Collector) for forwarding to the SAAS. In addition, the files sent are not required to be retained for a sufficient period of time. These deficiencies are a result of insufficient SAAS requirements. Specifically:
· Consolidated audit trail files are not sent. For Solaris-based computers, two sets of audit trail files can be created. One set contains eight individual files that record different system events. The other set records all events in one consolidated file and can potentially record more system event information. While CSIRC users would like to review information contained in the consolidated audit trail files, these audit trails are not forwarded from the Log File Collector to the SAAS for inclusion in the SAAS audit trail. We reviewed the Log File Collector on December 5, 2005, and identified approximately 214 gigabytes of consolidated audit trails covering a 2-week period. These files are not sent to the SAAS because CSIRC personnel and SAAS contractors are not considered security personnel by the IRS and, therefore, are not permitted access to the necessary command to convert the files to a format readable by the SAAS. In addition, SAAS requirements do not specify that the consolidated audit trail files need to be available for inclusion in the SAAS.
· Audit trail files are not sufficiently retained. After audit trail files sent from modernized systems are received by the SAAS, they are kept for 1 year. Because only selected data from these files are incorporated into the SAAS, it is important for the IRS to retain the files in the event additional research on system activity needs to be performed. The CSIRC requires the SAAS to retain data sent from modernization systems for 6 years, but the requirement does not specify what type of data should be retained. The requirements used to develop the SAAS include only the data stored in the SAAS and not the audit trail files providing the data. During our review, the IRS established an informal policy to store audit trail files for 6 years, but no documentation formalizing this policy was available.
Recommendations
To ensure the SAAS
can better meet the needs of its customers and audit trail data reported are
reliable, accurate, and complete, the Chief, MA&SS, should:
Recommendation 3: Reassess the requirements for SAAS audit
trails, including identifying all user requirements and the resulting SAAS
system requirements needed to achieve them.
Once the reassessment is complete, requirements should be assigned
completion dates. The reassessment
process must include the following requirements:
·
Additional
validity tests to ensure audit trail data received are reliable and accurate.
·
Controls
to ensure all audit trail records are uniquely identifiable, and completeness
tests to ensure all audit records are accounted for.
·
Reports
and queries to aid in the analysis of audit trail records that failed validity
tests.
·
Functionality
for review and certification of employee access to taxpayer information,
similar to the functions available through the IDRS On-Line Reports Services application.
·
Consolidated
Solaris audit files that are available for inclusion in the SAAS audit trail. To do this, technical issues preventing these
files from being incorporated into the SAAS need to be resolved. Until the issues are resolved, these files
should be retained.
·
Retention
period for source audit trail files sent from modernized systems to ensure
files are kept for a necessary length of time.
Management’s
Response:
IRS management agreed with this
recommendation. The MA&SS
organization will reassess the requirements for SAAS audit trails, including
identifying all user requirements and the resulting SAAS system requirements
needed to achieve them.
To ensure modernized
systems send reliable, accurate, and complete audit trail information to the
SAAS, the Chief Information Officer should:
Recommendation 4:
Modify modernized system
audit trails to comply with SAAS standards, ensuring data collected are valid and
arranged in the proper format. This
process should include the solicitation of input from user organizations, such
as the IRS business units, TIGTA, and CSIRC, to identify their audit trail data
needs.
Management’s Response: IRS management agreed with this recommendation. The IRS will provide a Project Plan that includes development of change requests for modification of modernization applications to provide audit trail data to, and in the correct format for, the SAAS based on requirements identified in the corrective action for Recommendation 3. The Plan will include expected implementation dates for each modernization application and will be based on funding and resource availability. The IRS plans to make incremental changes as requirements are developed.
Office
of Audit Comment: The IRS provided an implementation date of October
2008 for its corrective action to this recommendation. We recognize the difficult task the IRS faces
in modifying modernized system audit trails to provide usable information,
given their current state. However, this
implementation date will leave the IRS without usable audit trails for more
than 2 years. With this response, the
IRS is accepting the risk that unauthorized access to taxpayer information on
modernized systems may occur and not be detected.
To ensure new SAAS requirements are included
in IRS procedures, the Chief, MA&SS, should:
Recommendation 5: After completion of the requirements reassessment,
reevaluate SAAS procedures and processes to ensure the new SAAS requirements are
incorporated and responsibilities for reviewing modernization audit trails are
adequately defined. These procedures
should include reviews for audit trail records that failed validity tests and
transactions by tax filers and registered users.
Management’s
Response: IRS management agreed with this
recommendation. Once SAAS requirements are reassessed, the MA&SS
organization will establish procedures to ensure audit trails are properly
reviewed and assign staff to monitor failed audit trail records.
Appendix I
Detailed Objective, Scope, and Methodology
The overall objective of this review was to determine whether the IRS’ modernized systems generate audit logs that are saved and analyzed to detect unauthorized accesses to modernization applications. To accomplish this objective, we:
I. Determined whether adequate information was being captured in modernization application audit trails.
A. Reviewed policies and procedures specifying system information required to be captured for audit trail purposes.
B. Identified the modernization application audit trails that were processed through the SAAS.
C. Determined whether modernization applications were generating required audit trail records by obtaining from the SAAS an extract of audit trail records for November 2005, which totaled over 3.6 million records, and reviewing audit trail settings for the CADE. Our analysis of these records identified that 48 percent of the required entries were not usable. We also determined that the CADE audit trail settings were appropriate.
D. Assessed the impact of missing audit trail elements on the IRS’ ability to detect, identify, and substantiate unauthorized accesses of modernization applications.
E. Determined why modernization application audit trails do not capture required data elements.
II. Determined whether audit trails were being retained for required time periods.
A. Reviewed policies and procedures regarding audit trails to identify storage requirements for audit trail data, including required retention periods.
B. Determined whether modernization applications were retaining audit trail records for required time periods by analyzing audit trail settings and interviewing SAAS and CADE system and database administrators.
C. Assessed the impact of absent audit trail records on the IRS’ ability to detect, identify, and substantiate unauthorized accesses of modernization applications.
D. Determined why modernization application audit trails are not retained for required time periods.
III. Determined whether audit trails were being analyzed to detect unauthorized access and other violations.
A. Reviewed policies and procedures regarding audit trails to identify monitoring and reporting requirements for audit trail data.
B. Determined whether user activity on modernization applications was being adequately monitored by reviewing current reports generated from the SAAS.
C. Assessed the impact of inadequate monitoring of audit trails on the IRS’ ability to detect, identify, and substantiate unauthorized accesses of modernization applications.
D. Determined why modernization application audit trail monitoring was not occurring. This step included analysis of computer records from SAAS servers for November and December 2005 to determine whether audit trail files were being sent timely to the SAAS. This step included reviewing the records for all modernized systems sending data to the SAAS, in particular those running the Microsoft Windows or Sun Solaris operating systems. Our analysis identified that Microsoft Windows-based modernized system servers generally sent data as required. However, of the 26 Solaris-based modernized system servers, 5 sent their files daily, 18 sent their files weekly, and 3 did not send their files at all.
Appendix II
Major Contributors to This Report
Margaret
E. Begg, Assistant Inspector General for Audit (Information Systems Programs)
Stephen
Mullins, Director
Kent
Sagara, Acting Director
Gerald
Horn, Audit Manager
Marybeth
Schumann, Audit Manager
Michael
Howard, Lead Auditor
David
Brown, Senior Auditor
Myron
Gulley, Senior Auditor
Appendix III
Commissioner C
Office of the
Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Deputy Chief Information Officer OS:CIO
Deputy Chief, Mission Assurance and Security Services OS:MA
Associate Chief Information Officer, Enterprise Operations OS:CIO:EO
Associate Chief Information Officer, Enterprise Services OS:CIO:ES
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of
Program Evaluation and Risk Analysis
RAS:O
Office of Internal
Control OS:CFO:CPIC:IC
Audit Liaisons:
Deputy Commissioner for Operations
Support OS
Chief, Mission Assurance and
Security Services OS:MA
Director, Program Oversight Office OS:CIO:SM:PO
Appendix IV
Additional Information on the Security Audit and Analysis
System Audit Trail
This appendix provides additional information on audit trail integrity issues for specific modernization applications. The SAAS collects audit trail information from most modernization applications, including:
The data presented are based on reviewed SAAS data from November 2005, specifically from the SAAS audit trail table (MODTRANS) and two additional SAAS audit trail files for users registered through the IRS.gov web site (REGUSER) and tax filers (TAXFIL). We identified issues with required and descriptive audit trail records as well as missing audit records.
Required audit trail entries
We reviewed over 3 million SAAS audit trail records of modernized systems for November 2005 and determined 48 percent of the data entries required by IRS policy contained missing or inaccurate information. For each modernization application we reviewed, Table 1 lists the audit trail requirements specified in the Internal Revenue Manual and the percentage of the entries in the SAAS fields meeting these requirements that were unusable.
Table 1: Percentage of Unusable Required Entries in
the SAAS Audit Trail
|
Audit Trail Requirement |
Field Name |
MeF |
e-Services |
IFS |
IRFOF |
I-EIN |
Other |
SAAS Totals |
|
Date and time of the event |
TIMESTAMP |
0.0% |
0.5% |
0.0% |
0.0% |
0.0% |
0.0% |
0.3% |
|
The unique identifier initiating an action |
USERID |
0.0% |
8.4% |
0.0% |
100.0% |
100.0% |
0.0% |
28.0% |
|
Type of event |
EVENTID |
7.0% |
48.0% |
0.0% |
100.0% |
0.0% |
0.0% |
46.6% |
|
Origin of the request for
identification/authentication events |
SRCADDR |
6.2% |
34.0% |
83.1% |
100.0% |
0.0% |
0.0% |
50.8% |
|
Subject of event, action taken |
VARDATA |
29.9% |
49.4% |
100.0% |
0.0% |
100.0% |
0.0% |
51.5% |
|
Identity of user creating the event |
USERID |
0.0% |
8.4% |
0.0% |
100.0% |
100.0% |
0.0% |
28.0% |
|
Role of user, when creating the event |
None |
100.0% |
100.0% |
100.0% |
100.0% |
100.0% |
100.0% |
100.0% |
|
Success or failure of the event |
ERRORMSG |
100.0% |
100.0% |
0.0% |
100.0% |
0.0% |
100.0% |
78.9% |
|
Totals |
30.4% |
43.6% |
35.4% |
75.0% |
50.0% |
25.0% |
48.0% |
|
Source:
TIGTA analysis of SAAS audit trail data for November 2005.
Although we reviewed three SAAS audit trail files, the MODTRANS table is the primary audit trail table in the SAAS. Table 2 presents the results of our assessment of the data integrity for the MODTRANS table and displays only those records collected from that table. Currently, the MODTRANS table includes audit trail records of IRS employees; therefore, Table 2 lists only those modernized systems accessed by IRS employees.
Table 2: Percentage of Unusable Required Entries in
the MODTRANS Table
|
Audit Trail Requirement |
Field Name |
MeF |
e-Services |
IFS |
Other |
Totals |
|
Date and time of the event |
TIMESTAMP |
0.0% |
0.0% |
0.0% |
0.0% |
0.0% |
|
The unique identifier initiating an action |
USERID |
0.0% |
0.0% |
0.0% |
0.0% |
0.0% |
|
Type of event |
EVENTID |
7.1% |
41.3% |
0.0% |
0.0% |
28.7% |
|
Origin of the request for
identification/authentication events |
SRCADDR |
6.3% |
37.6% |
83.1% |
0.0% |
50.9% |
|
Subject of event, action taken |
VARDATA |
30.6% |
44.7% |
100.0% |
0.0% |
61.1% |
|
Identity of user creating the event |
USERID |
0.0% |
0.0% |
0.0% |
0.0% |
0.0% |
|
Role of user, when creating the event |
None |
100.0% |
100.0% |
100.0% |
100.0% |
100.0% |
|
Success or failure of the event |
ERRORMSG |
100.0% |
100.0% |
0.0% |
100.0% |
70.0% |
|
Totals |
30.5% |
40.5% |
35.4% |
25.0% |
38.9% |
|
Source:
TIGTA analysis of SAAS audit trail data for November 2005.
Because audit trail records from the other two tables, TAXFIL and REGUSER, are also important, Table 3 displays percentages of unusable audit trail records collected from these two tables. Table 3 lists only those modernized systems accessed by tax filers and registered users.
Table 3: Percentage of Unusable Required Entries in
the
TAXFIL and REGUSER Tables
|
Audit Trail Requirement |
Field Name |
MeF |
e-Services |
IRFOF |
I-EIN |
Totals |
|
Date and time of the event |
TIMESTAMP |
0.0% |
1.1% |
0.0% |
0.0% |
0.6% |
|
The unique identifier initiating an action |
USERID |
0.0% |
20.0% |
100.0% |
100.0% |
57.5% |
|
Type of event |
EVENTID |
0.0% |
57.3% |
100.0% |
0.0% |
65.6% |
|
Origin of the request for
identification/authentication events |
SRCADDR |
0.0% |
29.2% |
100.0% |
0.0% |
50.6% |
|
Subject of event, action taken |
VARDATA |
0.0% |
55.9% |
0.0% |
100.0% |
41.4% |
|
Identity of user creating the event |
USERID |
0.0% |
20.0% |
100.0% |
100.0% |
57.5% |
|
Role of user, when creating the event |
None |
100.0% |
100.0% |
100.0% |
100.0% |
100.0% |
|
Success or failure of the event |
ERRORMSG |
100.0% |
100.0% |
100.0% |
0.0% |
88.3% |
|
Totals |
25.0% |
47.9% |
75.0% |
50.0% |
57.6% |
|
Source:
TIGTA analysis of SAAS audit trail data for November 2005.
Descriptive audit trail entries
In addition to the required entries, the SAAS audit trail can store descriptive information about a transaction, which is useful in the search for UNAX violations. The SAAS audit trail record has 15 places for these descriptive entries, which are listed in Table 4.
Table 4: MODTRANS Fields Providing Additional Details
on User Transactions
|
Fields Detailing User Transactions |
|
|
DOLLARAMT TAXFILERTIN TAXPERIOD TAXFILFILESRC TAXFILERINTYPE REASONCODE PLANNUMBER OUTPUTCODE |
NAMECTRL MFTCODE FILESRCCD CASESTATCD CAMPUSCODE CAMPUSACCESS DLN |
Source: TIGTA analysis of SAAS audit trail data for November 2005.
Of these 15 fields, only the following include any information:
· DOLLARAMT: This field should include the dollar amount of a transaction. However, this field contains no actual dollar amounts.
· TAXFILERTIN: This field includes the Taxpayer Identification Number used in a transaction.
Table 5 lists the percentage of unusable TAXFILERTIN entries in the SAAS audit trail for those modernized systems using the TAXFILERTIN field. Those systems not included in audit trail records of one or more SAAS tables are labeled as not applicable (N/A).
Table 5: Percentage of Unusable TAXFILERTIN Entries in
the SAAS Audit Trail
|
SAAS Audit Trail Table |
MeF |
e-Services |
IRFOF |
I-EIN |
SAAS Totals |
|
MODTRANS |
100.0% |
0.6% |
N/A |
N/A |
1.5% |
|
REGUSER |
100.0% |
6.0% |
N/A |
N/A |
6.0% |
|
TAXFIL |
N/A |
4.0% |
2.0% |
0.0% |
2.0% |
|
SAAS Totals |
100.0% |
8.3% |
2.0% |
0.0% |
2.8% |
Source: TIGTA analysis of SAAS audit trail data for November 2005.
Missing audit trail entries
Our analysis of SAAS audit trail records also identified thousands of missing audit trail records. Each SAAS audit trail record contains a unique, sequential identification number, which can be used to ensure all records are accounted for. We identified over 80,200 missing identification numbers, indicating the records associated with these numbers may be missing or are not identifiable from the SAAS. We identified over 3,400 corrupted audit records for which the identification number was overwritten or not in its proper place. Therefore, approximately 3,400 of the over 80,200 missing records may be in the SAAS but not identifiable due to the record corruption. However, there may be more missing records because not all audit trail records contained a unique identification number. Table 6 presents the applications for which these identification numbers were unusable.
Table 6: Percentage of Unusable
Audit Trail
Identification Numbers in the SAAS Audit Trail
|
Application |
Percentage of Unusable or Missing |
|
MeF |
32.2% |
|
e-Services |
42.1% |
|
IFS |
0.0% |
|
IRFOF |
100.0% |
|
I-EIN |
0.0% |
|
Other |
0.0% |
|
SAAS Total |
43.0% |
Source: TIGTA analysis of SAAS audit trail data for November 2005.
Appendix V
Management’s Response to the Draft
Report
The response was removed due to its
size. To see the response, please go to
the Adobe PDF version of the report on the TIGTA Public Web Page.
[1] An audit trail is a chronological log of activities on a computer system.
[2] The CADE is the foundation for managing taxpayer accounts in the IRS’ modernization effort.
[3] This Center was designed to ensure the IRS has a team of capable “first responders” who are organized, trained, and equipped to identify, contain, and eradicate cyber threats targeting IRS computers and data.
[4] This is an IRS system that aids the TIGTA in researching unauthorized access of taxpayer data by IRS employees.
[5] The Audit Trail System for Detecting Improper Activities on Modernized Systems Is Not Functioning (Reference Number 2004-20-135, dated August 2004).
[6] Security Controls Were Not Adequately Considered in the Development and Integration Phases of Modernized Systems (Reference Number 2005-20-128, dated August 2005).
[7] The National Institute of Standards and Technology, under the Department of Commerce, is responsible for developing standards and guidelines, including minimum requirements, for providing adequate information security for all Federal Government agency operations and assets.
[8] The National Institute of Standards and Technology Information Technology Laboratory Computer Security Bulletin published in March 1997.
[9] 26 U.S.C.A. §§ 7213, 7213A, 7431 (West Supp. 2003).
[10] The IRS database that stores various types of taxpayer account information. This database includes individual, business, and employee plans and exempt organizations data.
[11] The CSIRC was designed to ensure the IRS has a team of capable “first responders” who are organized, trained, and equipped to identify, contain, and eradicate cyber threats targeting IRS computers and data.
[12] IRS Computing Centers support tax processing and information management through a data processing and telecommunications infrastructure.
[13] Security Controls Were Not Adequately Considered in the Development and Integration Phases of Modernized Systems (Reference Number 2005-20-128, dated August 2005).
[14] The IDRS is the IRS computer system capable of retrieving or updating stored information; it works in conjunction with a taxpayer’s account records.
[15] The Audit Trail System for Detecting Improper Activities on Modernized Systems Is Not Functioning (Reference Number 2004-20-135, dated August 2004).
[16] Security Controls Were Not Adequately Considered in the Development and Integration Phases of Modernized Systems (Reference Number 2005-20-128, dated August 2005).
[17] Each audit trail record has eight entries, or places, for data required by IRS policies.
[18] Security Controls Were Not Adequately Considered in the Development and Integration Phases of Modernized Systems (Reference Number 2005-20-128, dated August 2005).
[19] Increased Managerial Attention Is Needed to Ensure Taxpayer Accounts Are Monitored to Detect Unauthorized Employee Accesses (Reference Number 2006-20-111, dated July 2006).