The office at the Internal Revenue Service that is responsible for monitoring the IRS network for cyberattacks and computer vulnerabilities is generally doing a good job, but still has room for improvement, according to a new government report.

J. Russell George

The report, by the Treasury Inspector General for Tax Administration, evaluated the effectiveness of the Computer Security Incident Response Center at preventing, detecting, reporting and responding to computer security incidents targeting IRS computers and data.

"TIGTA found that the CSIRC is effectively performing most of its responsibilities for preventing, detecting, and responding to computer security incidents," said TIGTA Inspector General J. Russell George in a statement.  "However, further improvements could be made.”

George noted that the CSIRC's host-based intrusion detection system is not monitoring 34 percent of IRS servers, which puts the IRS network and data at risk. In addition, the CSIRC is not reporting all computer security incidents to the Department of the Treasury, as required. Finally, incident response policies, plans, and procedures are either nonexistent or are inaccurate and incomplete.

TIGTA recommended that the assistant chief information officer of cybersecurity at the IRS direct the CSIRC to develop its Cybersecurity Data Warehouse capability to correlate and reconcile active servers connected to the IRS network with servers monitored by the host-based intrusion detection system. The report also recommended that the IRS revise and expand its memorandum of understanding with the TIGTA Office of Investigations to ensure that all reportable and relevant security incidents are shared with the CSIRC.

In addition, the cybersecurity chief should collaborate with the TIGTA Office of Investigations to create common identifiers to help the CSIRC reconcile its incident tracking system with the TIGTA Office of Investigations' incident system, the report recommended. The IRS also needs to develop a standalone incident response policy or update the policy in the IRS's Internal Revenue Manual with current and complete information. The report noted that the cybersecurity chief also needs to develop an incident response plan; and develop, update, and formalize all the critical standard operating procedures.

The IRS agreed with the recommendations and corrective actions are planned or in process for five of the six recommendations.  While he IRS agreed with the recommendation to correlate and reconcile active servers connected to the IRS network with servers monitored by the host-based intrusion detection system, its proposed corrective actions did not address TIGTA's recommendation.  Specifically, the IRS did not commit to implementing the controls TIGTA recommended.