IRS slow on security settings, IG says

The Internal Revenue Service has been slow to implement the required security settings on its 98,000 desktop and laptop computers, the Treasury Inspector General for Tax Administration said. The IRS implemented 102 of the 254 required security settings on its computers in October 2008, nine months after the deadline set by the Office of Management and Budget, TIGTA said in a report released today.

OMB required agencies that use Microsoft’s Windows XP or VISTA operating systems to adopt the Federal Desktop Core Configuration (FDCC), a standard set of configuration settings, by Feb. 1, 2008, to improve security and reduce operating costs. As of December 2008, the IRS had implemented 81 percent of the settings, the auditor said.

The service has faced difficulties in establishing the security settings because the tax agency’s 98,000 computers are in 670 locations, and the IRS operates 1,900 software applications, 300 of which were internally developed for specific IRS business processes, the report states. As part of the implementation effort, the IRS must test each application to ensure it operates properly with the FDCC settings, TIGTA said.

The creation of a project team to manage the security effort in January 2008, one week before the deadline, slowed implementation of the settings, TIGTA said. The untimely creation of the project team occurred because some IRS officials mistakenly assumed the IRS’ current common operating environment met the FDCC requirements, according to the report.

Once created, the team did not follow basic project-management practices while testing the applications for FDCC compatibility, the auditor said. For example, the master control list used by the project leaders did not account for many applications that needed to be tested, TIGTA said.

The IRS also has not implemented an automated monitoring application to detect and monitor changes to the settings after installation, said J. Russell George, the Treasury inspector general for tax administration. And the tax agency has not modified its software contracts to make sure that new software operates properly with the settings, he said.

“Taxpayers have every right to expect that the IRS protects their privacy and personal information to the highest possible degree. Without a complete set of security settings on employees' computers, the IRS is at risk of business disruption and unauthorized access to taxpayer data,” George said.

The IRS has improved its testing after consulting with Microsoft and had updated its internal procedures to include the FDCC settings, TIGTA said.

The service said it would follow TIGTA recommendations that it improve its technology project-management practices, consider acquiring an automated monitoring tool and prioritize the updating of software contracts.

The TIGTA report is available here.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.

Rising Stars

Meet 21 early-career leaders who are doing great things in federal IT.

Featured

  • SEC Chairman Jay Clayton

    SEC owns up to 2016 breach

    A key database of financial information was breached in 2016, possibly in support of insider trading, said the Securities and Exchange Commission.

  • Image from Shutterstock.com

    DOD looks to get aggressive about cloud adoption

    Defense leaders and Congress are looking to encourage more aggressive cloud policies and prod reluctant agencies to embrace experimentation and risk-taking.

  • Shutterstock / Pictofigo

    The next big thing in IT procurement

    Steve Kelman talks to the agencies that have embraced tech demos in their acquisition efforts -- and urges others in government to give it a try.

  • broken lock

    DHS bans Kaspersky from federal systems

    The Department of Homeland Security banned the Russian cybersecurity company Kaspersky Lab’s products from federal agencies in a new binding operational directive.

  • man planning layoffs

    USDA looks to cut CIOs as part of reorg

    The Department of Agriculture is looking to cut down on the number of agency CIOs in the name of efficiency and better communication across mission areas.

  • What's next for agency cyber efforts?

    Ninety days after the Trump administration's executive order, FCW sat down with agency cyber leaders to discuss what’s changing.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group