[ISN] TIGTA: IRS needs to better monitor security compliance

From: InfoSec News (alerts@private)
Date: Mon Mar 24 2008 - 10:53:50 PST


http://www.fcw.com/online/news/151988-1.html

By Mary Mosquera
FCW.com
March 20, 2008

The Internal Revenue Service needs to take more action to monitor and 
enforce compliance with security policies and procedures, and provide 
more effective guidance, the Treasury Inspector General for Tax 
Administration said in a new report.

Although IRS has made progress in its information security, it needs to 
be more comprehensive, the IG said. For example, the agency did not 
validate actions taken to correct security weaknesses, and testing to 
verify compliance with security configurations was inadequate.

IRS also did not adequately analyze security incidents for underlying 
causes. The agency did not always identify the causes of the 1,172 
incidents reported in a one-year period and did not always follow up to 
ensure that the weaknesses were corrected, TIGTA said in the report, 
released today. In another audit, TIGTA said it found 15 of 20 systems 
did not meet basic annual testing requirements.

Although IRS’ cybersecurity organization is primarily responsible for 
monitoring compliance with security guidance, the Modernization and 
Information Technology Services organization and each of the business 
functions are responsible for implementing the guidance. It is difficult 
for one office to enforce implementation across organizational lines in 
an agency as large and diverse as the IRS, TIGTA said.

IRS did not enforce compliance with continuous-monitoring requirements 
and did not develop the metrics to measure the effectiveness of security 
measures, the audit found.

“Until improvements are made, security weaknesses are more likely to 
occur, and the IRS cannot provide assurance that systems containing 
sensitive taxpayer data are adequately protected from security 
breaches,” said Michael Phillips, deputy inspector general for audit, in 
the report.

IRS’ cybersecurity organization developed guidance that incorporates 
nine of the 12 key techniques from the National Institute of Standards 
and Technology (NIST), including:

* System owners are required to ensure that corrective actions are taken 
  to resolve security weaknesses.

* All devices connected to the IRS network are to be scanned quarterly 
  for configuration compliance.

* The IRS is required to semiannually analyze incidents reported, 
  identify common weaknesses and follow up to ensure that the weaknesses 
  are corrected.

* Security controls should be tested at least annually to ensure that 
  they are accomplishing their intended purposes.

* Analysis of metrics should be a part of the IRS’ monitoring efforts.

Guidance for the remaining three elements -- system development life 
cycle, capital planning, and security services and products acquisition 
-- did not meet all necessary NIST requirements and made references to 
obsolete standards and controls.

For guidance to be effective, it must be communicated to those who need 
it. IRS’ cybersecurity organization should make it easier for users to 
locate security policy guidance on its Web site, which is the primary 
source for communicating security requirements, TIGTA said.

“Confusion caused by difficulty in locating guidance increases the 
likelihood that employees could unknowingly create weaknesses that 
result in security breaches,” Phillips said in the report.

IRS is implementing TIGTA’s recommendations. Among them, the chief 
information officer, through the Security Services and Privacy Executive 
Steering Committee, should require system owners to regularly report to 
the committee on progress in addressing plan of action and milestones 
items; require the cybersecurity organization to improve the 
verification of compliance with standard configurations; and analyze 
incidents reported to the Computer Security Incident Response Center to 
identify common or systemic underlying weaknesses that contributed to 
these incidents and track corrective actions in the appropriate plan of 
action and milestones.

The system owners should prepare continuous-monitoring plans that 
implement annual testing of system controls compliant with NIST 
guidance, the report said, and develop quantifiable security metrics 
based on IRS information security goals. The cybersecurity organization 
should analyze anomalies for root causes and report its results 
regularly to the steering committee.

To improve security guidance, TIGTA recommended, the associate CIO for 
cybersecurity should coordinate with other IRS executives to include 
complete NIST-compliant security guidance for the three areas that need 
to be updated, and improve the cybersecurity organization’s Web site by 
maintaining all security procedures in one location and providing direct 
links to other federal guidance. IRS should also develop a system to 
notify employees and contractors of changes to security guidance.
