Tag Archive for Privacy

Inadequate Controls on IRS Contractors Place Taxpayer Data At Risk for Unauthorized Access or Disclosure

According to a Treasury Inspector General for Tax Administration (TIGTA) report issued on May 18th 2010, Internal Revenue Service (IRS) procedures do not identify all contractors who process, store, or house confidential taxpayer information at their facilities, thereby placing such data at risk for unauthorized access or disclosure.

The IRS regularly provides taxpayer data to contractors who store and process the data at contractor facilities outside of IRS offices. While sharing this information is necessary for contractors to support the IRS’s mission of tax administration, contractors must comply with security control requirements including annual security reviews. The IRS, which is ultimately responsible for identifying and regulating all contractors who have data access, does not always ensure that contractors are complying with IRS security policies and procedures and protecting taxpayer information, according to the report.

In its review, TIGTA also found that security weaknesses identified by the IRS at contractor facilities were not corrected in a timely manner. TIGTA’s review of eight contractor site visits by the IRS officials found security weaknesses in all eight facilities, and the IRS was unable to provide monitoring documents for seven of these facilities.

“The IRS needs to improve its current processes and controls to identify all contractors who process, manage, or store IRS taxpayer data at contractor facilities and to ensure timely corrective actions are taken to correct security weaknesses,” said J. Russell George, the Treasury Inspector General for Tax Administration. “It is imperative that taxpayer data be protected from unauthorized access or disclosure at all times.”

TIGTA recommended that the IRS implement a better system to identify contractors receiving and using IRS taxpayer data at contractor facilities and that the IRS improve its system for monitoring and identifying security weaknesses at such facilities, to ensure the weaknesses’ timely correction.

In their response to the report, IRS management agreed with TIGTA’s recommendations and stated that they plan to take appropriate corrective actions.

To view the report, including the scope, methodology, and full IRS response, go to: http://www.treas.gov/tigta/auditreports/2010reports/201020051fr.pdf.

More Security needed to protect IRS Automated Collection

The Treasury Inspector General for Tax Administration (TIGTA) issued the following report

IMPACT ON TAXPAYERS

The Automated Collection System (ACS) is a telephone contact system used by Internal Revenue Service (IRS) employees to perform critical IRS processes such as collecting tax revenues and helping taxpayers resolve their tax issues. The IRS needs to implement additional security controls to protect the ACS and sensitive taxpayer data. The lack of complete security controls increases the risks that taxpayer data could be stolen or computer operations could be disrupted.

WHY TIGTA DID THE AUDIT

The ACS plays a vital role in the IRS collection program. In Fiscal Year 2008, the ACS contributed to the collection of $4.8 billion (17 percent) of the $27.5 billion collected by the IRS Small Business/Self-Employed and Wage and Investment Divisions. The overall objective of this audit was to determine whether the IRS has implemented access, audit trail, and configuration management controls to secure the ACS.

WHAT TIGTA FOUND

The IRS configured several access controls for the ACS. For example, the IRS configured the ACS to automatically disable or delete user accounts that are inactive and separated key duties among ACS personnel to limit conflicts of interest. In addition, the IRS configured the ACS to automatically lock out users after three unsuccessful logon attempts and implemented a session lockout control on employee workstations to prevent unauthorized users from gaining access to the ACS when the workstations are left unattended.

However, managers were not reviewing their employees’ access privileges and did not always promptly remove an employee’s user account when the employee transferred to another IRS function. In addition, 6 of our sampled 109 employees’ system privileges were not restricted to only those privileges needed to perform assigned duties, and managers did not always document their approval of their employees’ access privileges.
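The two findings above (accounts left in place after a transfer, and privileges exceeding assigned duties) are exactly what a periodic access review is meant to catch. The following is an added example, not code from the TIGTA report or from the IRS: it runs a simple review over a constructed roster of ACS-style accounts against a constructed role-to-privilege map, flagging transferred users, over-privileged users, inactive accounts, and accounts whose approval was never documented. The user ids, roles, privilege names and 90-day inactivity threshold are all assumptions for illustration.

```python
"""Access-review checks modelled on the ACS access-control findings.

Added example, not code from the TIGTA report or the IRS. The roster,
role map and thresholds are constructed sample data, not real ACS data.
"""
from datetime import date, timedelta

# Constructed sample: the privileges each ACS duty actually needs (least privilege).
ROLE_PRIVILEGES = {
    "collector": {"case_view", "case_update"},
    "manager": {"case_view", "case_update", "approve_adjustment"},
}

# Constructed sample roster: one record per ACS user account.
ROSTER = [
    # normal collector account, recently used, approval on file
    {"user": "u1001", "function": "ACS", "role": "collector",
     "privileges": {"case_view", "case_update"},
     "last_logon": date(2010, 4, 30), "approval_documented": True},
    # transferred out of ACS, but the account was never removed
    {"user": "u1002", "function": "Examination", "role": "collector",
     "privileges": {"case_view", "case_update"},
     "last_logon": date(2010, 2, 1), "approval_documented": True},
    # privileges exceed those needed for assigned duties; no documented approval
    {"user": "u1003", "function": "ACS", "role": "collector",
     "privileges": {"case_view", "case_update", "approve_adjustment"},
     "last_logon": date(2010, 5, 10), "approval_documented": False},
    # manager account inactive well beyond the threshold
    {"user": "u1004", "function": "ACS", "role": "manager",
     "privileges": {"case_view", "case_update", "approve_adjustment"},
     "last_logon": date(2009, 11, 1), "approval_documented": True},
]

# Assumed review date (the report's issue date is used only as a sample value).
AS_OF = date(2010, 5, 18)


def excess_privileges(rec, role_privileges):
    """Privileges a user holds beyond what their role requires."""
    return sorted(rec["privileges"] - role_privileges.get(rec["role"], set()))


def review_access(roster, role_privileges, as_of, inactive_days=90):
    """Run the four review checks and return finding type -> sorted user ids."""
    findings = {"transferred": [], "excess_privilege": [],
                "inactive": [], "undocumented_approval": []}
    cutoff = as_of - timedelta(days=inactive_days)
    for rec in roster:
        # Account still exists although the user no longer works in ACS.
        if rec["function"] != "ACS":
            findings["transferred"].append(rec["user"])
        # Granted privileges go beyond the role's least-privilege set.
        if excess_privileges(rec, role_privileges):
            findings["excess_privilege"].append(rec["user"])
        # No logon within the inactivity window: candidate for disabling.
        if rec["last_logon"] < cutoff:
            findings["inactive"].append(rec["user"])
        # Manager approval of the access level was never recorded.
        if not rec["approval_documented"]:
            findings["undocumented_approval"].append(rec["user"])
    return {kind: sorted(users) for kind, users in findings.items()}


if __name__ == "__main__":
    result = review_access(ROSTER, ROLE_PRIVILEGES, AS_OF)
    for kind, users in result.items():
        print(f"{kind}: {', '.join(users) or 'none'}")
```

The review is deliberately data-driven: the role map is the single place where "privileges needed to perform assigned duties" is defined, so a manager's annual review reduces to regenerating the roster export and re-running the checks, and every finding ties back to a specific user id that can be disabled, re-scoped, or documented.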

The IRS is not capturing all of the required auditable events in ACS audit trails. In addition, the IRS had not developed an overall configuration management plan for the ACS; had not documented and maintained a complete, accurate inventory of the ACS hardware, software, and document configuration items; had not properly documented, tested, and authorized changes to ACS software configuration items; and had not timely corrected high- and medium-risk system vulnerabilities.

WHAT TIGTA RECOMMENDED

TIGTA recommended the Chief Technology Officer:

1) make the IRS’ current efforts to enhance or replace its online user access control system a top priority;
2) instruct the Modernization and Information Technology Services organization to create call site procedures to clarify the capabilities of ACS users’ profiles;
3) set completion dates and prioritize the work needed to complete the high level and ACS configuration management plans;
4) appoint an ACS configuration manager to oversee ACS configuration management activities and protect critical ACS documentation by storing the documents in the required electronic document management system;
5) identify key software configuration items and maintain the items in a secure system to allow efficient monitoring;
6) ensure the IRS’ required change management procedures are followed for all changes to the ACS servers; and
7) establish criteria and completion dates for addressing vulnerabilities found on servers.

TIGTA also recommended the Commissioners, Small Business/Self-Employed and Wage and Investment Divisions, instruct ACS managers to review their employees’ access privileges annually and remove users’ accounts from the ACS when the users transfer to non-ACS functions. Lastly, TIGTA recommended the IRS reinstate the ACS Security Maintenance Report that identifies changes to employees’ access levels.

In their response to the report, IRS officials agreed with most recommendations and stated that some procedures have already been revised. The IRS disagreed with the recommendation to appoint an ACS configuration manager and stated that it is currently aligning with configuration management procedures to implement corrective actions. TIGTA continues to believe an ACS configuration manager should be appointed and that the weaknesses identified in the report could persist without appointment of this responsible official.

READ THE FULL REPORT

To view the report, including the scope, methodology, and full IRS response, go to:

http://www.treas.gov/tigta/auditreports/2010reports/201020028fr.pdf.

John R. Dundon, EA – 720-234-1177

IRS Mandated New Security, Privacy, and Business Standards

The IRS has mandated six (6) new security, privacy, and business standards to better serve taxpayers and protect their information collected, processed and stored by Online Providers of individual income tax returns.

Individual income tax returns generally refer to the 1040 family of returns. Refer to IRS Publication 3112, IRS e-file Application and Participation, for the definition of Online Provider.

These new standards are intended to supplement the Gramm-Leach-Bliley Act and the implementing rules and regulations promulgated by the Federal Trade Commission.

The security and privacy objectives of these standards are: setting minimum encryption standards for transmission of taxpayer information over the internet and authentication of the Web site owner/operator’s identity beyond that offered by standard version SSL certificates; periodic external vulnerability scans of the taxpayer data environment; protection against bulk-filing of fraudulent income tax returns; and the ability to timely isolate and investigate potentially compromised taxpayer information.

These standards also address certain business and customer service objectives such as instant access to Web site owner/operator’s contact information, and Online Provider’s written commitment to maintaining physical, electronic, and procedural safeguards of taxpayer information that comply with applicable law and federal standards.