TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION
Treasury Inspector General for Tax Administration – Federal Information Security Management Act Report for Fiscal Year 2006
September 19, 2006
Reference Number: 2006-20-179
This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.
Phone Number: 202-927-7037
Email Address: Bonnie.Heald@tigta.treas.gov
Web Site: http://www.tigta.gov
Background
The Federal Information Security Management Act (FISMA)[1] requires each Federal Government agency to report annually to the Office of Management and Budget (OMB) on the effectiveness of its security programs. In addition, the FISMA requires each agency to have an annual independent evaluation performed of its information security program and practices. In compliance with the FISMA requirements, the Treasury Inspector General for Tax Administration (TIGTA) performs the annual independent evaluation of the security program and practices of the Internal Revenue Service.
The OMB provides information security performance measures against which each agency is evaluated in the FISMA review. The OMB uses the information from the agencies and the independent evaluations to help assess agency-specific and Federal Government-wide security performance, develop its annual security report to Congress, assist in improving and maintaining adequate agency security performance, and assist in the development of the E-Government Scorecard under the President’s Management Agenda.
Attached is the TIGTA’s Fiscal Year 2006 FISMA report. The report was forwarded to the Treasury Inspector General for consolidation into a report issued to the Department of the Treasury’s Chief Information Officer.
September 19, 2006
MEMORANDUM FOR DEPUTY INSPECTOR GENERAL FOR AUDIT
OFFICE OF THE TREASURY INSPECTOR GENERAL
FROM: Michael R. Phillips /s/ Michael R. Phillips
Deputy Inspector General for Audit
SUBJECT: Treasury Inspector General for Tax Administration – Federal Information Security Management Act Report for Fiscal Year 2006
We are pleased to submit the Treasury Inspector General for Tax Administration’s (TIGTA) Federal Information Security Management Act (FISMA)[2] report for Fiscal Year 2006. Attachment I presents our independent evaluation of the status of information technology security at the Internal Revenue Service (IRS). We based our evaluation on the Office of Management and Budget (OMB) reporting guidelines.
During the 2006 evaluation period,[3] we also conducted 14 audits to evaluate the adequacy of information security in the IRS. We considered results from these audits when making our assessment. Attachment II is a list of these specific audits.
The IRS has made steady progress in complying with FISMA requirements since the enactment of the FISMA in 2002. During 2006, the IRS reassessed the security risks of each of its systems. We are now confident that the inventory of IRS systems is substantially complete and the risk categorizations are accurate. The IRS also made significant improvements in the security certification and accreditation process. A working group,[4] with participation from all the IRS business units, continued its weekly meetings to plan and refine processes for FISMA compliance.
The IRS also continued to work closely with the TIGTA and the Department of the Treasury Chief Information Officer, seeking guidance and concurrence on FISMA issues, to improve compliance with the National Institute of Standards and Technology (NIST)[5] and FISMA requirements.
To complete our review, we evaluated a representative sample of 15 IRS information systems to determine whether they had been certified and accredited and whether security controls had been tested within the last year. We reviewed 10 IRS information systems to evaluate the adequacy of the certification and accreditation process and conducted separate tests to evaluate processes for Plans of Action and Milestones (POA&M), configuration management, incident reporting, awareness training, training for employees with significant security responsibilities, and ensuring privacy of sensitive information. Our evaluation of the IRS’ 2006 performance against specific OMB security measures, as well as our audit work performed during the 2006 evaluation period, shows that the IRS still needs to do more to adequately secure its systems and data. This document describes security performance improvements as well as areas that require additional attention.
Systems Inventory
An accurate systems inventory is one of the cornerstones of an effective security program. The IRS updates its inventory on an ongoing basis and reviews the system inventory monthly and annually for accuracy and completeness. In this year’s FISMA evaluation, the IRS reported on its total inventory of 264 systems. In addition, during the 2006 review period, the Office of Mission Assurance and Security Services, in coordination with each of the business units, reevaluated the risk of all 264 systems. The risk categorization forms the basis for selecting an appropriate set of security controls to protect the confidentiality, integrity, and availability of systems and data. We are confident that the systems inventory is substantially complete and the risk categorizations for IRS systems are accurate.
Certification and Accreditation
OMB guidelines for minimum security controls in Federal Government information systems require that all systems be certified and accredited every 3 years or when major system changes occur. In the IRS, the Chief, Mission Assurance and Security Services, is the certifying authority for all systems. The Chief, Mission Assurance and Security Services, must test[6] the security controls in the information system and provide the results to the business unit owners. Business unit owners must then evaluate the information and determine whether to accredit the system, thereby giving it an authority to operate. By accrediting the system, the business unit owner accepts responsibility for the security of the system and is fully accountable for any adverse impacts if security breaches occur.
The IRS reported that 95.5 percent of its systems had current certifications and accreditations in Fiscal Year 2006. From our review of a sample (15 systems), we reported 100 percent had current certifications and accreditations. We attribute the difference to the limited number of systems we reviewed in our sample.
In 2006, the IRS developed a repeatable, NIST-compliant process designed to ensure a thorough assessment of system risk and security from which the system owner can make an appropriate accreditation decision. The IRS used this approach to evaluate its systems inventory. However, during our review, we noted problems with the execution of this process. For example, we found that application-specific controls were sometimes erroneously described as common controls and, as a result, they were not tested.
We also found examples of controls that were accepted without adequate testing. For example, tests of the account management controls for a moderate risk system were based on interviews only. Appropriate testing procedures should have included examinations of organizational records, user accounts, and configuration settings. Additionally, the business units did not always track weaknesses identified during the certification process for remediation.
Continuous Monitoring
The NIST Special Publication 800-37, Guidelines for the Security Certification and Accreditation of Federal Information Systems, states that a critical aspect of the security certification and accreditation process is the post-accreditation period involving the oversight and monitoring of the information system’s security controls. The NIST requires the testing of an appropriate set of security controls every year throughout the system life cycle but not necessarily to the same extent required for a certification.
In 2006, the IRS did not make progress in implementing annual testing requirements. From our sample of 15 systems, we determined that the IRS met annual testing requirements on only 7 of 15 (46.6 percent) systems we reviewed because they were tested during the certification process. On those systems that were not certified during the year, self-assessments were conducted but were generally based on tests of the operating systems only. We recognize these tests are useful; however, by not testing application-specific controls, business units cannot be confident that the privacy of sensitive taxpayer information is adequately protected.
The Department of the Treasury’s Chief Information Officer recognizes that all bureaus need to improve compliance with the NIST annual testing requirements and recently issued draft guidance on the subject. The IRS agrees that this is an area for improvement and plans to have an improved process in place in Fiscal Year 2007.
Tracking Corrective Actions
All Federal Government agencies are required to use the POA&M process to prioritize, track, and resolve security weaknesses. The IRS has developed, implemented, and is currently managing a POA&M process; however, the process needs improvement to ensure that all weaknesses from audit reports and vulnerability scans are tracked in POA&Ms.
From 9 TIGTA security reports issued during the 2006 FISMA reporting period, we could locate POA&Ms addressing only 11 of 41 (26.8 percent) recommendations and 11 of 47 (23.4 percent) proposed corrective actions. Also, in September 2005, the TIGTA issued an audit report[7] in which we noted that problems identified during vulnerability scans and penetration tests were not formally provided to the business units, and corrective actions were not documented in POA&Ms.
Security Configuration Policies
The OMB requires that agencies have configuration guides in place for software to ensure consistent implementation across the agency. During 2006, the IRS provided configuration guides for all eight types of operating system, database, and router software running on IRS systems.
The IRS provided test results that demonstrated implementation of configuration policies for 6 of the 8 software types on between 81 and 95 percent of the systems running the software. However, it could not provide documentation of testing done to demonstrate the extent to which security configuration guides were implemented for the other two software products. These software products, if improperly configured, could make the IRS’ network vulnerable to disruptions of service and thefts of sensitive information by hackers, employees, and contractors.
Incident Reporting Procedures
The IRS Computer Security Incident Response Center (CSIRC) in the Mission Assurance and Security Services organization provides IRS-wide assistance and guidance for incident handling. The CSIRC defines a security incident as “. . . any adverse event whereby some aspect of computer security could be threatened.”
The loss or theft of an information technology asset, including laptop computers and other portable devices, is a type of incident that could result in unauthorized access to systems and information. The IRS’ incident reporting procedures require reporting this type of incident to an employee’s first-line manager immediately upon detection, who should then notify the CSIRC and the TIGTA.
For 2006, we believe the IRS has not complied with CSIRC incident reporting policies and procedures. Employees’ managers did not follow procedures for reporting the loss or theft of laptops and other portable devices to the IRS and the TIGTA. In a separate, ongoing audit,[8] we found the CSIRC and the TIGTA were not notified of incidents involving lost or stolen computer devices (e.g., laptops, Blackberries).
We recognize that incidents regarding lost or stolen portable devices are not the only type of incidents that require reporting to the CSIRC and the TIGTA. However, due to the significance of this type of incident and the risk of loss and misuse of personal information that these incidents pose, it appears the IRS is not in compliance with incident reporting policies and procedures.
Awareness Training
The NIST Special Publication 800-50, Building an Information Technology Security Awareness and Training Program, states that an awareness training program is crucial for all users since it is the vehicle for disseminating information that users need to do their jobs. The IRS provided security awareness training to all of its employees but did not ensure all of its contractors received security awareness training. The IRS records showed that 998 contractors received security awareness training. Based on the 2,323 contractors reported by the IRS for 2006, we determined that 1,325 (57 percent) did not receive security awareness training. To ensure that all contractors receive security awareness training, further improvements are needed.
Training Employees With Key Security Responsibilities
The OMB requires that all employees with key security responsibilities be given security-related training at least annually. The IRS has improved its performance in this area in 2006 and now has a process in place for identifying employees with significant security responsibilities. The IRS has also implemented the Electronic Learning Management System to centrally track specialized security training provided. However, further improvements are needed to ensure that employees with significant security responsibilities receive sufficient security training.
The IRS reported that 2,447 of 2,476 (99 percent) employees with significant security responsibilities received specialized security training during the reporting period. Since the OMB and NIST have not provided minimum training requirements for employees with key security responsibilities, the IRS considered an employee trained if he or she received any training during the reporting period. We determined, however, that only 1,712 (69 percent) employees received 8 hours or more of training (an amount we arbitrarily selected) during the entire reporting period. The Department of the Treasury has indicated it will provide more specific training requirements for the 2007 reporting period.
Training employees with key security responsibilities requires more emphasis. We have attributed several weaknesses in past audit reports to the lack of training provided to these employees. Without sufficient training, these weaknesses will continue.
Privacy Requirements
In March 2006, the TIGTA completed fieldwork on an audit[9] to determine whether the Office of Privacy has effective controls and procedures to ensure IRS computer systems and employees adhere to privacy regulations. We determined that the IRS did not comply with Section 208 of the E-Government Act[10] on privacy requirements. Specifically, the IRS needs to take further actions to conduct evaluations for all systems and applications which collect personal information and to enhance its processes to better monitor compliance with privacy policy and procedures. Since we completed the fieldwork on this audit, the IRS has made several improvements to better comply with privacy regulations by conducting privacy impact assessments for most of its systems and applications and developing an agency-wide privacy training program. Corrective actions are in process to complete assessments for the remainder of its applications, provide job-specific privacy training, and improve continuous monitoring capabilities.
Attachment I
Details of the Treasury Inspector General for Tax Administration Federal Information Security Management Act Analysis
The Excel spreadsheet was removed due to its size. To see the Excel spreadsheet, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.
Attachment II
Treasury Inspector General for Tax Administration Information Technology Security Reports Issued During the 2006 Evaluation Period
1. Security Controls for the Taxpayer Advocate Management Information System Could Be Improved (Reference Number 2005-20-100, dated July 2005)
2. Managers and System Administrators Need to Limit Employees’ Access to Computer Systems (Reference Number 2005-20-097, dated July 2005)
3. More Management Attention Is Needed to Protect Critical Assets (Reference Number 2005-20-108, dated July 2005)
4. Security Controls Were Not Adequately Considered in the Development and Integration Phases of Modernized Systems (Reference Number 2005-20-128, dated August 2005)
5. Monitoring Prime Contractor Access to Networks and Data Needs to Be Improved (Reference Number 2005-20-185, dated September 2005)
6. Increased Internal Revenue Service Oversight of State Agencies Is Needed to Ensure Federal Tax Information Is Protected (Reference Number 2005-20-184, dated September 2005)
7. Internal Penetration Test of the Internal Revenue Service’s Networked Computer Systems (Reference Number 2005-20-144, dated September 2005)
8. The
9. Contracting for Information Technology Goods and Services Generally Provided Intended Benefits; However, Maintenance Contracts Were Not Always Supported (Reference Number 2005-20-187, dated September 2005)
10. Federal Information Security Management Act Report for Fiscal Year 2005 (Reference Number 2006-20-071, dated October 2005)
11. Progress Has Been Made in Using the
12. Secure Configurations Are Initially Established on Employees’ Computers, but Enhancements Could Ensure Security Is Strengthened After Implementation (Reference Number 2006-20-031, dated February 2006)
13. The Internal Revenue Service Successfully Accounted for Employees and Restored Computer Operations After Hurricanes Katrina and Rita (Reference Number 2006-20-068, dated March 2006)
14. The Enterprise-Wide Implementation of Active Directory Needs Increased Oversight (Reference Number 2006-20-080, dated May 2006)
[1] The FISMA is part of the E-Government Act of 2002, Pub. L. No. 107-347, Title III, Section 301 (2002).
[2] Pub. L. No. 107-347, Title III, 116 Stat. 2946 (2002).
[3] The FISMA reporting period for the Department of the Treasury is July 2005 through June 2006.
[4] IRS Security Program Management Office Council.
[5] The NIST, under the Department of Commerce, is responsible for developing standards and guidelines, including minimum requirements, for providing adequate information security for all Federal Government agency operations and assets.
[6] In testing the security controls, the certification agent determines the extent to which the security controls in the information system are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements of the information system.
[7] The
[8] Protection of Sensitive Data on Electronic Media (Audit Number 200620001, report due in November 2006).
[9] The Monitoring of Privacy Over Taxpayer Data Is Improving Although Enhancements Can Be Made to Ensure Compliance with Privacy Requirements (Reference Number 2006-20-166, dated September 2006).
[10] E-Government Act of 2002, Pub. L. No. 107-347, Sec. 208 (2002).