Delays in implementing a computer security tool resulted in the lack of continuous monitoring for security issues on employee workstations at the Internal Revenue Service, according to a new report.

J. Russell George

The report, released Tuesday by the Treasury Inspector General for Tax Administration, found that the IRS’s Treasury Enhanced Security Initiatives project, which includes the continuous monitoring tool for workstation security, has experienced several delays. In addition, the project’s oversight board did not take required actions to manage the delays or associated costs.

“Effective continuous monitoring allows security weaknesses to be promptly identified and mitigated, reducing the likelihood of a security breach,” said TIGTA Inspector General J. Russell George in a statement. “Any interruption in such monitoring can jeopardize the security of computers and data and leave taxpayer information vulnerable to unauthorized disclosure and theft.”

TIGTA initiated the audit to determine whether the IRS is effectively and efficiently implementing its continuous monitoring tool to monitor security settings on employee workstations and laptop computers.

TIGTA recommended that the IRS review the total actual life cycle costs for projects at least quarterly and review variances between actual costs and the originally proposed estimated costs. The report also suggested the IRS manage costs by considering the postponement of projects with long-term delays, and escalate ongoing project delays to the higher level Security Services and Privacy Executive Steering Committee.

The IRS agreed with TIGTA’s recommendations and plans to take corrective actions.

“The security and privacy of taxpayer information is of utmost importance to us, and your report recommendations will further assist us in continuing to improve our information technology security posture,” wrote IRS chief technology officer Terence V. Milholland in response to the report.