GCN, 10/11/06
Security challenges persist at IRS despite progress: TIGTA
By Mary Mosquera, GCN Staff
The IRS has not installed patches on all its computers in the face of security flaws, leaving sensitive taxpayer information at risk of unauthorized disclosure. The Treasury Inspector General for Tax Administration released several recent reports citing the need for the tax agency to strengthen patch management and other aspects of IRS security.

Although the IRS has made process changes, they have not yet had a positive effect on certification and accreditation and tracking the resolution of security vulnerabilities.
Risks to sensitive data on IRS systems are increasing due to more connectivity of computer systems, use of laptops and overall higher hacker activity, TIGTA said.

Sufficient attention is not yet being given to the security of sensitive systems, said J. Russell George, inspector general at TIGTA, in reference to IRS challenges in managing security.

Even with improvements in patch management practices, for example, inadequate management of controls still allows for unpatched systems, TIGTA said in one report.

The IRS plans to complete by February the nationwide rollout of a self-install program that identifies and installs patches on workstations and laptops. The agency also has taken steps to better manage its Tivoli security software endpoints and is considering an approach that would not allow workstations onto the network until missing patches were updated.

In another report, TIGTA found that the IRS does not adequately collect, review and retain audit trails of activities to detect unauthorized access on its modernized systems and applications, such as the Customer Account Data Engine, its taxpayer database.

Consequently, unauthorized access and theft of taxpayer records may be occurring without being detected, possibly resulting in theft of taxpayer identities, said Michael Phillips, deputy inspector general for audit, in the report.

The IRS provided plans, to be implemented in 2007, to correct the situation by reviewing and retaining audit logs, said Daniel Galik, chief, IRS mission assurance and security services, in a letter last month.

Despite the vulnerabilities, the IRS has made progress on complying with requirements under the Federal Information Security Management Act, based on a sample of IRS systems that TIGTA tested, the auditor said in another report.

In fiscal 2006, the IRS reassessed security risks of each of its systems so that auditors are confident that the inventory of IRS systems is substantially complete and the risk categorizations are accurate. The agency reported on its total inventory of 264 systems. The risk categorization is the basis for deciding which security controls to use to protect the confidentiality, integrity and availability of systems and data.
