http://www.fcw.com/online/news/151988-1.html
By Mary Mosquera
FCW.com
March 20, 2008
The Internal Revenue Service needs to take more action to monitor and
enforce compliance with security policies and procedures, and provide
more effective guidance, the Treasury Inspector General for Tax
Administration said in a new report.
Although IRS has made progress in its information security, it needs to
be more comprehensive, the IG said. For example, the agency did not
validate actions taken to correct security weaknesses, and testing to
verify compliance with security configurations was inadequate.
IRS also did not adequately analyze security incidents for underlying
causes. The agency did not always identify the causes of the 1,172
incidents reported in a one-year period and did not always follow up to
ensure that the weaknesses were corrected, TIGTA said in the report,
released today. In another audit, TIGTA said it found 15 of 20 systems
did not meet basic annual testing requirements.
Although IRS’ cybersecurity organization is primarily responsible for
monitoring compliance with security guidance, the Modernization and
Information Technology Services organization and each of the business
functions are responsible for implementing the guidance. It is difficult
for one office to enforce implementation across organizational lines in
an agency as large and diverse as the IRS, TIGTA said.
IRS did not enforce compliance with continuous-monitoring requirements
and did not develop the metrics to measure the effectiveness of security
measures, the audit found.
“Until improvements are made, security weaknesses are more likely to
occur, and the IRS cannot provide assurance that systems containing
sensitive taxpayer data are adequately protected from security
breaches,” said Michael Phillips, deputy inspector general for audit, in
the report.
IRS’ cybersecurity organization developed guidance that incorporates
nine of the 12 key techniques from the National Institute of Standards
and Technology, including:
* System owners are required to ensure that corrective actions are taken
to resolve security weaknesses.
* All devices connected to the IRS network are to be scanned quarterly
for configuration compliance.
* The IRS is required to semiannually analyze incidents reported,
identify common weaknesses and follow up to ensure that the weaknesses
are corrected.
* Security controls should be tested at least annually to ensure that
they are accomplishing their intended purposes.
* Analysis of metrics should be a part of the IRS’ monitoring efforts.
Guidance for the remaining three elements -- system development life
cycle, capital planning, and security services and products acquisition
-- did not meet all necessary NIST requirements and made references to
obsolete standards and controls.
For guidance to be effective, it must be communicated to those who need
it. IRS’ cybersecurity organization should make it easier for users to
locate security policy guidance on its Web site, which is the primary
source for communicating security requirements, TIGTA said.
“Confusion caused by difficulty in locating guidance increases the
likelihood that employees could unknowingly create weaknesses that
result in security breaches,” Phillips said in the report.
IRS is implementing TIGTA’s recommendations. Among them, the chief
information officer, through the Security Services and Privacy Executive
Steering Committee, should require system owners to report regularly to
the committee on progress in closing plan of action and milestones
(POA&M) items; require the cybersecurity organization to improve its
verification of compliance with standard configurations; and analyze
incidents reported to the Computer Security Incident Response Center to
identify common or systemic underlying weaknesses that contributed to
them, tracking the corrective actions in the appropriate POA&M.
The system owners should prepare continuous-monitoring plans that
implement annual testing of system controls compliant with NIST
guidance, the report said, and develop quantifiable security metrics
based on IRS information security goals. The cybersecurity organization
should analyze anomalies for root causes and report its results
regularly to the steering committee.
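The monitoring practices the report describes, both in the NIST-derived guidance listed above (quarterly configuration scans, semiannual incident analysis, annual control testing, metrics) and in the recommendations here (validated POA&M closure, root-cause analysis, quantifiable metrics), are concrete enough to show as code. The following is an added example written for this page, not IRS or TIGTA tooling; the configuration baseline, device records, POA&M items and incident records are constructed for illustration. It scans each device against the baseline, flags devices with no scan inside a quarter, refuses to treat a POA&M item as "corrected" unless the latest scan no longer shows the weakness (the validation gap the IG found), aggregates reported incidents by underlying cause, and produces a compliance-rate metric.

```python
"""Continuous-monitoring checks of the kind the TIGTA report calls for.
Added example; the baseline and all records below are constructed and
hypothetical, not IRS data or IRS tooling."""
from collections import Counter
from datetime import date, timedelta

# Hypothetical configuration baseline: setting -> predicate on the observed value.
BASELINE = {
    "ssh_root_login": lambda v: v == "no",
    "password_min_length": lambda v: isinstance(v, int) and v >= 12,
    "audit_logging": lambda v: v is True,
    # ISO year-month strings compare correctly as plain strings.
    "patch_level": lambda v: isinstance(v, str) and v >= "2008-02",
}

QUARTER = timedelta(days=91)  # "scanned quarterly" threshold


def scan_compliance(devices, baseline=BASELINE, today=date(2008, 3, 20)):
    """Return ({device: [failed settings]}, [devices with no scan in a quarter]).
    A missing setting is treated as non-compliant, not as unknown."""
    findings, stale = {}, []
    for dev in devices:
        if today - dev["last_scan"] > QUARTER:
            stale.append(dev["name"])
        failed = [k for k, ok in baseline.items() if not ok(dev["config"].get(k))]
        if failed:
            findings[dev["name"]] = failed
    return findings, stale


def validate_poam(poam_items, findings):
    """A POA&M item closed as 'corrected' is only accepted if the weakness no
    longer appears in the latest scan; return the items that were closed
    without that evidence (the IG's 'did not validate actions taken')."""
    return [item for item in poam_items
            if item["status"] == "corrected"
            and item["setting"] in findings.get(item["device"], [])]


def common_root_causes(incidents, min_count=2):
    """Group reported incidents by underlying cause. Causes seen at least
    `min_count` times are systemic weaknesses that deserve a POA&M item;
    also count incidents that were never analysed for a cause at all."""
    counts = Counter(i["root_cause"] for i in incidents if i["root_cause"])
    unanalysed = sum(1 for i in incidents if not i["root_cause"])
    systemic = {cause: n for cause, n in counts.items() if n >= min_count}
    return systemic, unanalysed


def compliance_rate(devices, findings):
    """Quantifiable metric: fraction of devices with no baseline failures."""
    return (len(devices) - len(findings)) / len(devices)


# Constructed sample data (hypothetical hosts, items and incidents).
DEVICES = [
    {"name": "web01", "last_scan": date(2008, 3, 1), "config": {
        "ssh_root_login": "no", "password_min_length": 14,
        "audit_logging": True, "patch_level": "2008-03"}},
    {"name": "db01", "last_scan": date(2008, 2, 15), "config": {
        "ssh_root_login": "yes", "password_min_length": 8,
        "audit_logging": True, "patch_level": "2008-02"}},
    {"name": "app07", "last_scan": date(2007, 11, 1), "config": {   # stale scan
        "ssh_root_login": "no", "password_min_length": 12,
        "audit_logging": False, "patch_level": "2007-12"}},
]
POAM = [
    {"device": "db01", "setting": "ssh_root_login", "status": "corrected"},  # closed, but scan disagrees
    {"device": "app07", "setting": "audit_logging", "status": "open"},
]
INCIDENTS = [
    {"id": 1, "root_cause": "unpatched host"},
    {"id": 2, "root_cause": "weak password"},
    {"id": 3, "root_cause": "unpatched host"},
    {"id": 4, "root_cause": None},            # reported but never analysed
    {"id": 5, "root_cause": "weak password"},
]


def monitoring_report(devices=DEVICES, poam=POAM, incidents=INCIDENTS):
    """Run all checks and return one dict a steering committee could be shown."""
    findings, stale = scan_compliance(devices)
    systemic, unanalysed = common_root_causes(incidents)
    return {
        "findings": findings,
        "stale_devices": stale,
        "poam_closed_without_validation": validate_poam(poam, findings),
        "systemic_causes": systemic,
        "incidents_without_root_cause": unanalysed,
        "compliance_rate": compliance_rate(devices, findings),
    }


if __name__ == "__main__":
    for key, value in monitoring_report().items():
        print(f"{key}: {value}")
```

The point of `validate_poam` is that closure of a corrective action is evidence-driven: the item stays open until a scan shows the setting compliant, which is what "validate actions taken to correct security weaknesses" means in practice. The `systemic_causes` output is the semiannual analysis the guidance requires, and the unanalysed count exposes incidents that were filed but never root-caused.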
To improve security guidance, TIGTA recommended, the associate CIO for
cybersecurity should coordinate with other IRS executives to include
complete NIST-compliant security guidance for the three areas that need
to be updated, and improve the cybersecurity organization’s Web site by
maintaining all security procedures in one location and providing direct
links to other federal guidance. IRS should also develop a system to
notify employees and contractors of changes to security guidance.
___________________________________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn