IRS Systems Faulted for Identity and Access Management Security

Taxpayer data is vulnerable to inappropriate use, modification or disclosure, perhaps without being detected, according to a new government report that found problems with the Internal Revenue Service’s technology for configuration management and identity and access management.

The report, from the Treasury Inspector General for Tax Administration, reviewed the IRS’s compliance with the Federal Information Security Management Act, or FISMA, and found the agency to be compliant in most areas. However, it cautioned that until the IRS takes steps to fully implement all 11 security program areas covered by FISMA, taxpayer data will remain vulnerable.

Under the FISMA legislation, the Offices of Inspectors General are required to perform an annual independent evaluation of each federal agency’s information security programs and practices. The report released Monday by TIGTA presents the results of its FISMA evaluation of the IRS’s information security program for fiscal year 2013.

Based on the evaluation, TIGTA found that nine out of 11 security program areas were generally compliant with the FISMA requirements. In addition, six of the nine security program areas included all of the program attributes specified by the Department of Homeland Security’s fiscal year 2013 Inspector General Federal Information Security Management Act Reporting Metrics, including continuous monitoring management, risk management, a plan of action and milestones, contingency planning, contractor systems and security capital planning.

Three of the nine security program areas, while generally compliant, were not fully effective due to one program attribute that was missing or not working as intended. These areas were incident response and reporting, security training, and remote access management.

However, two of the 11 security program areas were not compliant with FISMA requirements and did not meet the level of performance specified by the DHS’s FY 2013 Inspector General Federal Information Security Management Act Reporting Metrics, because the majority of the DHS-specified attributes were missing or not working as intended. These two areas were configuration management and identity and access management.

TIGTA did not include recommendations in the report, and no response from the IRS was included either.
