Auditor IRS must review network audit logs

The Internal Revenue Service should bolster network and information security by improving how it manages audit logs, the Treasury Inspector General for Tax Administration said.

TIGTA made the recommendation while acknowledging that the agency has effectively deployed systems to detect network intrusions at Internet gateways.

Audit logs record who accessed a computer system, what operations they performed and when, TIGTA said in a report released today. The auditor redacted portions of the report.

The IRS did not properly save and review its audit logs, which increased the likelihood that intruders could use the Internet to gain access to sensitive taxpayer data without detection, the report states.

Auditing system logs is essential for detecting potential security events, such as hacking attempts and other threats, said Michael Phillips, TIGTA’s deputy inspector general for audit. Proper management of audit logs ensures that operations performed on a system can be traced back to an individual at a specific time, he added.

To minimize the risk to taxpayer data, the IRS has consolidated about 95 percent of its Internet traffic into a limited number of gateways, the report states, although TIGTA redacted the number of external connections. The Office of Management and Budget has directed all agencies to reduce the number of gateways they have under the Trusted Internet Connections initiative.

The IRS uses firewalls, routers and intrusion-detection systems for each of its Internet gateways to make sure that only authorized traffic passes through, the report states.

Although the agency effectively operated the access controls, TIGTA recommended that the IRS Enterprise Networks organization establish and regularly test security configurations on firewalls and routers.

“Its systems administrators should configure the firewalls and routers to prevent unauthorized traffic from gaining access to the IRS internal network,” Phillips said.

Based on TIGTA’s recommendations, Arthur Gonzalez, IRS’ chief information officer, said he would:

• Make sure the IRS conducts an independent review of the audit logs for routers and firewalls.

• Implement a redundant audit log collection system for firewall and router events.

• Use an automated security application to conduct biweekly tests of routers and firewalls.

The IRS has already configured audit logs to use Coordinated Universal Time for time stamps and correlate security events across devices regardless of their physical location, Gonzalez said.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.

The Fed 100

Save the date for 28th annual Federal 100 Awards Gala.


  • computer network

    How Einstein changes the way government does business

    The Department of Commerce is revising its confidentiality agreement for statistical data survey respondents to reflect the fact that the Department of Homeland Security could see some of that data if it is captured by the Einstein system.

  • Defense Secretary Jim Mattis. Army photo by Monica King. Jan. 26, 2017.

    Mattis mulls consolidation in IT, cyber

    In a Feb. 17 memo, Defense Secretary Jim Mattis told senior leadership to establish teams to look for duplication across the armed services in business operations, including in IT and cybersecurity.

  • Image from

    DHS vague on rules for election aid, say states

    State election officials had more questions than answers after a Department of Homeland Security presentation on the designation of election systems as critical U.S. infrastructure.

  • Org Chart Stock Art - Shutterstock

    How the hiring freeze targets millennials

    The government desperately needs younger talent to replace an aging workforce, and experts say that a freeze on hiring doesn't help.

  • Shutterstock image: healthcare digital interface.

    VA moves ahead with homegrown scheduling IT

    The Department of Veterans Affairs will test an internally developed scheduling module at primary care sites nationwide to see if it's ready to service the entire agency.

  • Shutterstock images (honglouwawa & 0beron): Bitcoin image overlay replaced with a dollar sign on a hardware circuit.

    MGT Act poised for a comeback

    After missing in the last Congress, drafters of a bill to encourage cloud adoption are looking for a new plan.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group