The Internal Revenue Service’s Computer Security Incident Response Center (CSIRC), set up by General Dynamics in 2006 to monitor IRS networks, is failing to monitor 34% of the agency’s servers, concluded a Treasury audit.
In the audit released last month, the Treasury Inspector General for Tax Administration (TIGTA) found that, in addition to not monitoring all of the IRS servers, the CSIRC is not reporting all computer security incidents to the Treasury, as required. Also, IRS computer incident response policies, plans, and procedures “are either nonexistent or are inaccurate and incomplete.”
To remedy the center’s shortcomings, the TIGTA recommended that the IRS’s assistant chief information officer for cybersecurity direct the CSIRC to develop its cybersecurity data warehouse capabilities to correlate and reconcile active servers connected to the IRS network with servers monitored by the host-based intrusion detection system; revise and expand the agreement with the TIGTA to ensure all reportable and relevant security incidents are shared with the CSIRC; collaborate with the TIGTA to create common identifiers to help the CSIRC reconcile its incident tracking system with TIGTA; develop a stand-alone incident response policy or update the policy in the IRS’s manual with current and complete information; develop an incident response plan; and develop, update, and formalize all critical standard operating procedures.
IRS Chief Technology Officer Terence Milholland concurred with the recommendations. The IRS is “committed to continuously improving its security posture,” he added.
The IRS was not as accommodating with the GAO audit, which found the agency dragging its feet on fixing ongoing information security problems. In his response to the GAO audit, IRS Commissioner Douglas Shulman said that the “integrity of our financial systems continues to be sound…. The IRS has fully implemented a comprehensive information security program.”