The Internal Revenue Service’s information security program is not fully effective, according to a new government report, even though it generally complies with the Federal Information Security Management Act.

J. Russell George

The report, by the Treasury Inspector General for Tax Administration, identified seven areas where the IRS’s information security program was not fully effective. TIGTA found that the program fell short in the areas of configuration management, security training, plans of actions and milestones, identity and access management, continuous monitoring management, contingency planning, and contractor systems oversight.

“The IRS collects and maintains a significant amount of personal and financial taxpayer information and relies heavily on computerized systems to support its responsibility in collecting taxes,” said TIGTA Inspector General J. Russell George in a statement. “As custodians of taxpayer information, the IRS has an obligation to protect the confidentiality of this sensitive information against unauthorized access or loss. The failure to do so could expose taxpayers to invasion of privacy and financial loss or damage from identity theft and other financial crimes.”

The Federal Information Security Management Act was enacted to strengthen the security of information and systems within federal agencies. As part of the legislation, the Offices of Inspector General must perform an annual independent evaluation of each federal agency’s information security policies and procedures and evaluate its compliance with FISMA requirements.

The audit report reflects TIGTA’s independent evaluation of the status of information technology security for unclassified systems at the IRS for fiscal year 2010. TIGTA found three program areas where the IRS met the level of performance specified by the Office of Management and Budget’s fiscal year 2010 FISMA checklist. Those include the IRS’s certification and accreditation program, incident response and reporting program, and remote access management. TIGTA did not make any recommendations to the IRS in this audit report.