TIGTA recommends improvements to IRS cybersecurity system


The Treasury Inspector General for Tax Administration (TIGTA) reports that the IRS’s computer security response center is performing effectively, but further improvement is needed (TIGTA Rep’t No. 2012-20-019 (3/12/12)).

Part of TIGTA’s mandate is to review the adequacy and security of IRS technology. From March through September 2011, TIGTA performed an audit to evaluate the effectiveness of the IRS’s Computer Security Incident Response Center (CSIRC) at preventing, detecting, reporting, and responding to computer security incidents targeting IRS computers and data.

The CSIRC is responsible for monitoring the IRS’s computer network 24 hours a day, 365 days a year, for cyberattacks and computer vulnerabilities and for responding to various computer security incidents such as the theft of laptop computers. Its mission is to ensure the IRS has a team of capable “first responders” who are organized, trained, and equipped to identify and eradicate cyberthreats. The CSIRC maintains a network-based intrusion detection system that includes 27 sensors stationed throughout the IRS. Multiple sensors are placed in the IRS’s three computing centers, and at least one server is located at each of the IRS’s 10 campuses.

In 2010, the CSIRC detected 2,768 computer security incidents and threats against the IRS. The Government Accountability Office testified to Congress that same year that “pervasive and sustained cyber attacks pose a potentially devastating threat to the systems and operations of the federal government” (Government Accountability Office, Continued Attention Is Needed to Protect Federal Information Systems From Evolving Threats (GAO-10-834T), p. 1 (June 16, 2010)).

TIGTA’s audit found that the CSIRC is effectively performing most of its responsibilities for preventing, detecting, and responding to computer security incidents.

However, TIGTA did find some issues. The CSIRC’s host-based intrusion detection system is not monitoring 34% of IRS servers, which puts the IRS network and data at risk. In addition, the CSIRC is not reporting all computer security incidents to the Treasury Department, as required. During the period audited, TIGTA found 84 computer security incidents that were not reported to Treasury, including five incidents involving sabotage or intrusion. Finally, TIGTA found that incident response policies, plans, and procedures are either nonexistent or are inaccurate and incomplete.

TIGTA recommended that the IRS:

  1. Develop its cybersecurity data warehouse capability to correlate and reconcile active servers connected to the IRS network with servers monitored by the host-based intrusion detection system;
  2. Revise and expand the memorandum of understanding with the TIGTA Office of Investigations to ensure all reportable and relevant security incidents are shared with the CSIRC;
  3. Collaborate with the TIGTA Office of Investigations to create common identifiers to help the CSIRC reconcile its incident tracking system with the TIGTA Office of Investigations’ tracking system;
  4. Develop a stand-alone incident response policy or update the policy in the IRS’s Internal Revenue Manual with current and complete information;
  5. Develop an incident response plan; and
  6. Develop, update, and formalize all critical standard operating procedures.

The IRS agreed with the recommendations, and corrective actions are planned or in process for five of the six recommendations. Although the IRS agreed with the first recommendation, TIGTA says the IRS’s proposed corrective actions do not address the recommendation because the IRS did not commit to implementing the recommended controls.

Alistair M. Nevius (anevius@aicpa.org) is the JofA’s editor-in-chief, tax.
