IRS nearly resolves one security threat, makes incomplete progress on others

Encryption installed on most laptops, but vulnerabilities exist in the system used to manage income tax returns, the agency's inspector general finds.

The Internal Revenue Service showed mixed results in its effort to reduce security risks associated with laptops and a system that processes individual income tax returns, according to the Treasury inspector general for tax administration.

The inspector general released two audits this week that evaluated the agency's progress in correcting security issues identified in previous reports.

In one report released on Tuesday, the auditor found that the IRS installed an encryption program on 99 percent of its laptops to protect data stored on the computer's hard drive from unauthorized users.

"Only after a successful log on to the encryption software will the computer start the log-on process to access other system files," the inspector general reported. "Consequently, any sensitive data on the computer remains encrypted until a user has successfully logged on and deactivated the encryption."

The IRS installed the program in response to a March 2007 audit that reported sensitive data on laptops and other electronic media was not properly protected.

The agency also installed a program that encrypts data transferred to a computer disk or removable storage device, such as a flash drive.

Additional encryption measures are necessary, the inspector general concluded. Nearly a quarter of the 100 laptops the IG inspected held unencrypted sensitive files, many of which contained taxpayer data and personally identifiable information about employees, that could be read by anyone who logged on after the hard disk encryption had been unlocked. The IRS requires employees to encrypt sensitive files with the Encrypting File System (EFS) built into Microsoft Windows, but the IG recommended that the agency remind employees, during annual security training and in periodic notices, to use it.
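The check a practitioner would want here is the one the auditors ran by hand: walk a laptop's file system, flag files that look like they hold taxpayer or employee data, and report those that EFS is not protecting. The script below is an added example, not IRS or TIGTA code. It relies on the fact that on Windows `os.stat()` exposes the NTFS attribute bits and `stat.FILE_ATTRIBUTE_ENCRYPTED` marks an EFS-encrypted file; on other platforms the attribute is absent, so every file is reported as unencrypted. The SSN-shaped regular expression is an illustrative classifier, not the IRS definition of sensitive data, and the sample directory tree it builds is constructed for the demonstration. One caveat worth keeping in mind: EFS keys are bound to the user's Windows profile, and a file copied to a FAT-formatted flash drive is written out decrypted, which is why the separate removable-media encryption the article mentions matters.

```python
"""Find sensitive files that are not EFS-encrypted on a laptop.

Added example, not IRS or TIGTA code. On Windows, os.stat() exposes the
NTFS attribute bits and stat.FILE_ATTRIBUTE_ENCRYPTED marks files the
Encrypting File System protects; on other platforms the attribute is
absent, so every file is reported as unencrypted. The SSN-shaped regex is
an illustrative classifier, not the IRS definition of sensitive data.
"""
import os
import re
import stat
import tempfile
from dataclasses import dataclass

# Loose pattern for a US Social Security number such as 123-45-6789.
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")
MAX_SCAN_BYTES = 1 << 20  # inspect at most the first 1 MiB of each file


@dataclass
class Finding:
    relpath: str      # path relative to the scan root, '/' separated
    sensitive: bool   # matched the SSN pattern
    encrypted: bool   # NTFS 'encrypted' attribute set


def is_efs_encrypted(st: os.stat_result) -> bool:
    """True when the NTFS 'encrypted' attribute is set (Windows only)."""
    attrs = getattr(st, "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_ENCRYPTED)


def looks_sensitive(path: str) -> bool:
    """Heuristic: the file contains at least one SSN-shaped token."""
    try:
        with open(path, "rb") as fh:
            return SSN_RE.search(fh.read(MAX_SCAN_BYTES)) is not None
    except OSError:
        return False


def scan(root: str) -> list[Finding]:
    """Walk root and return one Finding per regular file."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            findings.append(Finding(rel, looks_sensitive(path), is_efs_encrypted(st)))
    return findings


def unprotected(findings: list[Finding]) -> list[str]:
    """Sensitive files readable by any local logon once FDE is unlocked."""
    return sorted(f.relpath for f in findings if f.sensitive and not f.encrypted)


def build_sample_tree() -> str:
    """Constructed sample data: two files with SSN-shaped content, one benign file."""
    root = tempfile.mkdtemp(prefix="efs-audit-")
    samples = {
        "returns/client_1040.txt": b"Taxpayer SSN 123-45-6789, refund 1,240.00\n",
        "hr/roster.csv": b"name,ssn\nJ. Doe,987-65-4321\n",
        "notes/readme.txt": b"Nothing sensitive here; see the style guide.\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for rel in unprotected(scan(target)):
        print("UNENCRYPTED SENSITIVE FILE:", rel)
```

Run it against a user's profile directory on a Windows laptop to reproduce the auditors' sample; on a machine where the two sample files were EFS-encrypted, `unprotected()` would return an empty list. The classifier is deliberately simple; a real deployment would add the agency's own data patterns and exclude known-benign paths.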

IRS employees reported 866 incidents of lost or stolen laptops between June 14, 2006, and Sept. 17, 2008. Of those, 152, about 18 percent, involved employee negligence and could have been prevented if employees had followed IRS security policies.

The IG also said the process for tracking security incidents, which is managed jointly by the IRS Computer Security Incident Response Center and the IG's Office of Investigations, could be improved. From Jan. 1, 2007, to Sept. 17, 2008, 535 security incidents occurred that should have been reported to both organizations, but the Office of Investigations was unaware of 21 incidents recorded in the center's tracking system, and the center was unaware of 20 incidents recorded in the Office of Investigations' system.

The IRS agreed to revise the memorandum of understanding between the two organizations to clarify the responsibilities for incident reporting and sharing.
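The discrepancy the IG found is the kind that a periodic reconciliation of the two trackers would surface automatically. The script below is an added example, not IRS or TIGTA code: it loads an export from each tracker, restricts both to the audit window, normalises the incident identifiers so that case and stray whitespace do not cause false mismatches, and reports what each side is missing. The two CSV exports, their column names and the identifier format are constructed for illustration and are not the agencies' actual schemas.

```python
"""Reconcile two incident trackers and report what each side is missing.

Added example, not IRS or TIGTA code. The two CSV exports are constructed
for illustration; the column names, ID format and audit window are
assumptions, not the agencies' actual schemas.
"""
import csv
import io
from datetime import date

# Constructed export from the incident response center's tracker.
CSIRC_EXPORT = """id,opened,summary
IRS-2008-0101,2008-03-02,Laptop stolen from vehicle
irs-2008-0102 ,2008-03-05,Flash drive lost in transit
IRS-2008-0103,2008-04-11,Taxpayer data emailed unencrypted
IRS-2006-0007,2006-11-30,Old case outside the audit window
"""

# Constructed export from the investigations office's tracker.
OI_EXPORT = """case_number,received,description
IRS-2008-0101,2008-03-03,Laptop stolen from vehicle
IRS-2008-0103,2008-04-11,Taxpayer data emailed unencrypted
IRS-2008-0104,2008-05-20,Laptop left in taxi
"""


def normalize_id(raw: str) -> str:
    """Case- and whitespace-insensitive match key for an incident ID."""
    return raw.strip().upper()


def load_ids(export: str, id_col: str, date_col: str, start: date, end: date) -> set[str]:
    """IDs of incidents opened within [start, end] in one tracker export."""
    ids = set()
    for row in csv.DictReader(io.StringIO(export)):
        opened = date.fromisoformat(row[date_col].strip())
        if start <= opened <= end:
            ids.add(normalize_id(row[id_col]))
    return ids


def reconcile(csirc_export: str, oi_export: str, start: str, end: str) -> dict[str, list[str]]:
    """Incidents known to both trackers, and those absent from either one."""
    window = (date.fromisoformat(start), date.fromisoformat(end))
    csirc = load_ids(csirc_export, "id", "opened", *window)
    oi = load_ids(oi_export, "case_number", "received", *window)
    return {
        "both": sorted(csirc & oi),
        "unknown_to_oi": sorted(csirc - oi),
        "unknown_to_csirc": sorted(oi - csirc),
    }


if __name__ == "__main__":
    # The window matches the audit period quoted in the article.
    for bucket, ids in reconcile(CSIRC_EXPORT, OI_EXPORT, "2007-01-01", "2008-09-17").items():
        print(f"{bucket}: {', '.join(ids) or '-'}")
```

Matching on a shared identifier assumes both organisations record the same case number; where they do not, the same structure works on a secondary key such as the report date plus the reporting employee, at the cost of some manual review of near-matches.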

In another report released on Monday, the IG said the IRS resolved 10 of 16 security vulnerabilities the auditor had previously identified in the agency's customer account data engine. CADE is the central database application the IRS is deploying in phases to replace existing repositories of taxpayer information.

For example, the IRS tested CADE's disaster recovery plan and information technology contingency plan to ensure operations could continue in case of a disaster, and tested the encryption of data saved on backup tapes and shared with external agencies.

The IG said the IRS had prematurely reported the remaining six flaws as resolved before effective corrective action was taken; three of them remained unresolved at the time of the report.

For example, in the previous audit the IG had reported that security events, including unauthorized access to taxpayer accounts by privileged CADE users, were not being logged. The IRS said the issue was resolved in October 2007, yet a new audit logging tool was not installed until March 2009.

In addition, although the IRS reported in January 2008 that contractors could no longer change configuration settings without notice, approval and a security review, the privileges of two contractors were not revoked until March 2008. The agency also claimed to have implemented a vulnerability scanning tool for its applications in March 2008, but the first scan was not run until almost a year later, and a process is still not in place to ensure that vulnerabilities reported by such scans are reviewed, mitigated or monitored.

"Inadequate monitoring of vulnerabilities and prematurely reporting vulnerabilities as resolved may decrease managerial attention to unresolved problems, prevent allocation of resources required to fix problems and lead to delays in correcting vulnerabilities," the IG said. The office recommended that the chief technology officer, Terence Milholland, take action to ensure that system operators track system vulnerabilities and verify that corrective actions have been implemented before a vulnerability is considered and reported as resolved.

Milholland agreed with the recommendation.
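The recommendation amounts to a rule a tracking system can enforce: a finding may move from "fix claimed" to "resolved" only when someone records verification evidence dated on or after the claimed fix, and claims that sit unverified for too long are flagged for management. The script below is an added example, not IRS or TIGTA code. The three states, the closure rule, the 90-day staleness threshold and the sample findings are this example's own assumptions; the sample dates mirror the audit's pattern of a fix claimed long before the tooling existed.

```python
"""Track vulnerabilities so that 'resolved' requires verified evidence.

Added example, not IRS or TIGTA code. The three states, the rule that
closure needs a verification dated on or after the claimed fix, and the
sample findings with their dates are this example's own; the dates mirror
the audit's pattern of a fix claimed long before the tooling existed.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

OPEN, FIX_CLAIMED, RESOLVED = "open", "fix_claimed", "resolved"


class VerificationError(Exception):
    """Raised when a finding cannot be closed on the evidence offered."""


@dataclass
class Finding:
    ident: str
    title: str
    state: str = OPEN
    fix_claimed_on: Optional[date] = None
    verified_on: Optional[date] = None
    history: list[str] = field(default_factory=list)

    def claim_fix(self, when: str, note: str) -> None:
        """Operator asserts a fix; this does NOT make the finding resolved."""
        self.fix_claimed_on = date.fromisoformat(when)
        self.state = FIX_CLAIMED
        self.history.append(f"{when} fix claimed: {note}")

    def verify(self, when: str, evidence: str) -> None:
        """Independent check (rescan, config review) that closes the finding."""
        checked = date.fromisoformat(when)
        if self.state != FIX_CLAIMED or self.fix_claimed_on is None:
            raise VerificationError(f"{self.ident}: nothing claimed fixed to verify")
        if checked < self.fix_claimed_on:
            raise VerificationError(f"{self.ident}: evidence predates the claimed fix")
        self.verified_on = checked
        self.state = RESOLVED
        self.history.append(f"{when} verified: {evidence}")


def try_verify(f: Finding, when: str, evidence: str) -> bool:
    """Wrapper returning False instead of raising, for reports and tests."""
    try:
        f.verify(when, evidence)
        return True
    except VerificationError:
        return False


def stale_claims(findings: list[Finding], as_of: str, max_days: int = 90) -> list[str]:
    """IDs claimed fixed more than max_days ago with no verification yet."""
    today = date.fromisoformat(as_of)
    return sorted(
        f.ident for f in findings
        if f.state == FIX_CLAIMED and (today - f.fix_claimed_on).days > max_days
    )


def status_report(findings: list[Finding]) -> dict[str, list[str]]:
    """Findings grouped by state; only 'resolved' may be reported as closed."""
    report = {OPEN: [], FIX_CLAIMED: [], RESOLVED: []}
    for f in findings:
        report[f.state].append(f.ident)
    return report


def sample_findings() -> list[Finding]:
    """Constructed findings whose timelines follow the audit's three examples."""
    audit_log = Finding("V-1", "privileged CADE activity not logged")
    audit_log.claim_fix("2007-10-01", "logging procedure issued")
    audit_log.verify("2009-03-15", "audit logging tool installed and sampled")

    contractor = Finding("V-2", "contractors change configs without approval")
    contractor.claim_fix("2008-01-15", "change-control policy updated")
    contractor.verify("2008-03-10", "two contractor accounts stripped of change rights")

    scanner = Finding("V-3", "no application vulnerability scanning")
    scanner.claim_fix("2008-03-01", "scanning tool procured")
    # No verification recorded: the first scan has not yet been run.
    return [audit_log, contractor, scanner]


if __name__ == "__main__":
    fs = sample_findings()
    print(status_report(fs))
    print("stale claims as of 2009-03-01:", stale_claims(fs, "2009-03-01"))
```

Under this model the logging finding would have shown as "fix_claimed" rather than "resolved" for the seventeen months between the October 2007 claim and the March 2009 tool installation, and `stale_claims()` would have flagged it to management from early 2008 onward, which is the managerial attention the IG said premature closure tends to remove.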
