The Internal Revenue Service has made progress in automating installation and monitoring in a large segment of its computers, but it hasn't yet implemented key patch management policies and procedures, according to a new report by the Treasury Inspector General for Tax Administration.

J. Russell George

Properly installing software patches to address vulnerabilities is an important element in mitigating security risks, and requires strong policies to ensure patches are installed quickly to avoid giving attackers opportunities to exploit weaknesses in software, and to deny them potential access to sensitive data.

TIGTA initiated an audit to evaluate the IRS's security patch management process, and found some ground-level progress in automating the installation and monitoring of patching, it still had work to do on other levels, such as completing a complete and accurate inventory of all its technology assets (so it knows which systems need patching), and to improve systems to make sure patches are installed on a timely basis.

"Although the IRS has made some progress, we found that it has not implemented controls to secure unsupported operating systems," said Inspector General J. Russell George. "The IRS needs enterprise-level oversight and leadership to complete the implementation of its standardized patch management program and to reduce associated risks."

TIGTA also recommended the complete deployment of an automated asset discovery tool, the construction of an accurate and complete inventory of information technology assets, an enterprise-wide approach to buying tools to avoid redundancy and excessive cost, and complete implementation of controls to ensure that unsupported operating systems are not putting the IRS at risk.

The IRS agreed with TIGTA's recommendations and planned appropriate corrective actions for seven of the eight recommendations. Although the IRS agreed with the intent of the recommendation to hold system owners accountable for patching computers within prescribed time frames, it stated that its existing procedures addressed this recommendation and planned no corrective actions.