IRS Computer Security Incident Response Center needs improvement
The Internal Revenue Service’s Computer Security Incident Response Center is preventing some cybersecurity violations, but could use some improvements, according to a new report.
The report, from the Treasury Inspector General for Tax Administration, noted that the CSIRC is responsible for preventing, detecting, reporting, and responding to cybersecurity incidents, such as computer-related threats and attacks targeting the IRS’s technology assets. Because the IRS holds tax information on all taxpayers, the agency presents an attractive target for hackers, and weaknesses in the CSIRC program could hinder the timely detection, prevention, or reporting of unauthorized access to and disclosure of taxpayer data.
In general, according to the report, the CSIRC prevented, detected, reported and responded to a number of cybersecurity incidents. TIGTA took a sampling of 100 incidents out of a total population of 368 incidents during fiscal years 2015 and 2016, through April 30, 2016. It found the CSIRC properly identified and documented the type, nature and scope of all 100 incidents, including the systems and applications affected, the source of the incident, and the specific kind of lost equipment. However, TIGTA found several areas in which the CSIRC could improve its operations.
For example, the report noted the CSIRC could improve some aspects of its incident case work. TIGTA found that not all cybersecurity incidents were properly reported. Some of the supporting documentation in the incident case files was deemed insufficient, incident costs weren’t captured, and reporting procedures were inconsistently applied. Sixty-four of the 100 incidents were required to be reported to the Treasury Department’s CSIRC because the incidents were confirmed to have compromised the confidentiality, integrity or availability of a federal government information system. Of the 64 incidents, 22 were not reported as required. On Feb. 15, 2017, after TIGTA brought the noncompliance to the IRS’s attention, the 22 incidents were reported to the Treasury Department’s CSIRC.
The IRS has suffered a number of high-profile data breaches in recent years that led to shutting down several of its online applications for the public, including its Get Transcript app, its Identity Protection Personal Identification Number service and its data retrieval tool for the Free Application for Federal Student Aid.
CSIRC employees and contractors didn’t always meet training guidelines, and skill assessments indicated a need for more training. Not all CSIRC employees complied with the Federal Information Security Modernization Act and internal specialized security training requirements for fiscal years 2015 and 2016. The employees took courses the IRS considered specialized; however, TIGTA disagreed with that designation after a closer review of the courses’ objectives. In addition, there was no documentation that contractors met the same requirements for the same periods.
Finally, the Incident Response Plan, which provides the organization with a roadmap for implementing its incident response capability, was developed, but was not updated to fully comply with federal guidelines.
The IRS corrected several of the issues before TIGTA completed the report, but TIGTA made five recommendations to the IRS’s chief information officer. The recommendations included correcting reporting inconsistencies of incidents and ensuring the costs of handling and responding to incidents are captured. The IRS should also ensure CSIRC employees and contractors comply with specialized security training requirements, TIGTA recommended, and it should remove contractor access privileges to IRS systems when contractors don’t comply with training requirements. The IRS should also ensure employees receive the necessary training to move toward high proficiency levels.
The IRS agreed to correct reporting inconsistencies and to ensure that CSIRC employees and contractors comply with specialized security training requirements. The IRS partially agreed to the recommendations to remove system access (by removing network access) and to ensure its employees receive training to achieve high and intermediate proficiency levels.
But the IRS disagreed with TIGTA’s recommendation that it capture the costs of handling and responding to an incident, because doing so is not required by federal standards. TIGTA agreed that capturing costs is not explicitly required, but pointed out that doing so can help determine whether additional funding is needed for the incident response team and can be used to measure the team’s success and the effect of changes in capabilities on performance.
“The IRS is committed to continuous improvement to ensure the IRS CSIRC operates at the highest level of effectiveness,” wrote IRS chief information officer S. Gina Garza in response to the report. “To achieve this objective, we have enhanced the documentation and reporting of incidents involving lost/stolen cell phones. We have also implemented new technology, policies and processes to provide, gather, track and monitor all security training for both contractors and employees.”