TIGTA Raises IRS Cybersecurity Concerns

Last month, TIGTA released two reports entitled, “The Cybersecurity Data Warehouse Needs Improved Security Controls” and “Active Directory Oversight Needs Improvement and Criminal Investigation Computer Rooms Lack Minimum Security Controls.” TIGTA performed these two audits to determine whether “IRS implemented adequate and effective logical and physical access controls over the CSDW” and to review the implementation and effectiveness of the IRS Active Directory Technical Advisory Board.

In May 2015, IRS discovered that its Get Transcript application left the tax returns of over 600,000 taxpayers vulnerable to identity thieves. After this security breach, the agency made the decision to transfer audit logs containing taxpayer Personally Identifiable Information (PII) to the CSDW application. The CSDW collects and stores security logs from dedicated devices used to protect the IRS network and retains the information for seven years in accordance with records retention rules from the National Archives Records Administration. The main reason IRS cyber executives made the decision to transfer the PII to CSDW was to more easily facilitate fraud analysis by the Cybersecurity Fraud Analytics and Management (CFAM) team within the Computer Security Incident Response Center.

TIGTA found that the IRS “implemented physical security controls over the CSDW consistent with federal and agency requirements, encrypted all transmitted data to the CSDW from source systems, and effectively implemented user access, identification, and authentication controls.” However, IRS did not follow federal security change management processes. In particular, appropriate change request processes were not carried out prior to the transfer of audit logs, necessary officials were not notified that CSDW would contain PII, and a risk assessment was not completed. Additionally, IRS could not provide TIGTA auditors with a complete inventory of systems and applications that transfer taxpayer data to CSDW.

TIGTA recommended that in the future the CIO should ensure that change management policies are followed, employees are held accountable, CSDW risk assessments and security plans be completed and updated, activities of IRS personnel with access to CSDW be automatically monitored, and an inventory of systems that transfer taxpayer data to CSDW be maintained.  

With respect to IRS Active Directory governance, TIGTA found that the agency-wide Active Directory Technical Advisory Board was not providing adequate oversight and that computer rooms in Criminal Investigation (CI) field offices need more physical security controls.

IRS uses Microsoft Active Directory (AD) domain service which provides “authentication, authorization, and directory technologies to create enterprise security boundaries that are highly scalable. AD also enables administrators to assign agency-wide policies, deploy programs to many computers, and apply critical updates to an entire organization’s systems simultaneously from a central, organized, accessible database.”

The IRS Active Directory Technical Advisory Board was established to finalize and enforce forest design criteria, develop standards, oversee trusts, and ensure that unauthorized forests or domains are not implemented. However, the board is not providing these agency-wide oversight functions.

Additionally, during TIGTA’s review of CI field office computer rooms, auditors found 88 physical security control weaknesses related to “limited areas, two-factor authentication, control and safeguarding lock combinations, fire extinguishers, temperature and humidity controls, emergency power shutoff switches, and backup power sources.”

TIGTA recommended that the charter for the Active Directory Technical Advisory Board be updated and that they begin providing adequate oversight. TIGTA also recommended that a cost analysis be performed to determine the most cost-effective solution to securing CI field office computer rooms, either relocating assets to IRS computer rooms or upgrading individual CI computer rooms.