The Internal Revenue Service is making steady progress toward complying with an initiative from the federal government to improve the security of external computer network connections, according to a new government report, but further improvements could still be made.
A new
The Obama administration expects federal agencies to achieve 100 percent compliance with TIC requirements by fiscal year 2014. But although the IRS has made good progress implementing the TIC requirements, TIGTA’s review revealed areas where improvements could strengthen the security posture of the TICs. For example, the report found that the IRS was not logging its administrative activity on TIC equipment. The IRS also had not completed actions to fully implement TIC requirements for a data loss prevention program, and was not regularly scanning TIC equipment to ensure timely discovery and mitigation of vulnerabilities or misconfigurations.
TIGTA made six recommendations to the IRS’s chief technology officer, including capturing and reviewing administrator activity on TIC devices, implementing a data loss prevention solution and implementing vulnerability scans on TIC equipment.
The IRS agreed with all of TIGTA’s recommendations and intends to correct the issues. The IRS plans to implement audit logging and review administrator activity on TIC devices. It also plans to fully implement TIC requirements related to data loss prevention, obtain security clearances for operational employees, and complete implementation of proper locations for handling classified information at TIC locations. In addition, the agency plans to implement vulnerability scanning on TIC equipment and update all TIC equipment to the most current operating systems.
“The Service has already taken steps to strengthen TIC security, and additional activities are underway to further improve security,” wrote IRS chief technology officer Terence V. Milholland in response to the report. “As the IRS moves toward full compliance with TIC requirements we remain committed to improving information systems security.”