Auditors find IRS security holes

IRS managers are not following security procedures for workers who leave but still have access to its systems.

"Managers and System Administrators Need to Limit Employees’ Access to Computer Systems"

An audit of Internal Revenue Service computer systems shows that unauthorized access to tax information systems remains a danger.

Individuals who leave or employees whose duties have changed continue to have access to confidential information because IRS managers have not followed existing IT security procedures, according to a Treasury Inspector General for Tax Administration (TIGTA) audit released last month.

TIGTA auditors looked at five IRS systems for six months ending in January 2005 and found that 21 percent of registered users “no longer had a business need to have systems access,” the report states.

Auditors found five instances of system access by former employees. They also found that of the 513 employees who did have a business need for access, proper documentation for that access existed in only a quarter of the cases.

That lack of documentation might be merely an administrative oversight, the result of paper records not being entered digitally when the IRS fully automated the access request process in 2004. Another explanation is that “system administrators may have granted employees access to systems without proper authorization,” the report states.

These problems would be largely rectified by automatically disabling, then deleting user accounts after periods of inactivity, auditors state.

In a written response, IRS Chief Information Officer W. Todd Grams said he will institute by Sept. 1 a policy that disables user accounts after 45 days and deletes them after 90 days, for most systems.

User accounts on some systems, such as travel or training, often remain inactive beyond those periods because employees access them only on an as-needed basis, Grams wrote in his response.

The CIO shop will also prepare a report by Dec. 31 evaluating whether the disablement and deletion process could be automated. Already, e-mail notifications are being sent to system administrators directing them to disable accounts following an employee's departure.

In addition, IRS employees are required to recertify annually their adherence to security procedures, and system administrators will now cut off the user accounts of those who do not do so within 45 days.
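One way to apply the rules described in this story (disable at 45 days of inactivity, delete at 90, exempt as-needed systems, disable departed employees and anyone more than 45 days overdue on recertification) to an exported access list. This is an added Python example, not IRS code; the record layout, system names and sample accounts are constructed assumptions.

```python
from datetime import date, timedelta
DISABLE_AFTER_DAYS = 45  # inactive this long: disable the account
DELETE_AFTER_DAYS = 90   # inactive this long: delete the account
RECERT_GRACE_DAYS = 45   # recertification overdue this long: disable
# Systems used only as needed, so inactivity alone is expected (constructed names).
AS_NEEDED_SYSTEMS = {"travel", "training"}
TODAY = date(2005, 9, 1)  # review date; matches the policy's start date in the article

def review_account(acct, today):
    """Return 'keep', 'disable' or 'delete' for one account record."""
    if acct["separated"]:             # departed employee: disable regardless of activity
        return "disable"
    due = acct["recert_due"]          # annual recertification more than 45 days overdue
    if due is not None and (today - due).days > RECERT_GRACE_DAYS:
        return "disable"
    if acct["system"] in AS_NEEDED_SYSTEMS:  # exempt from the inactivity thresholds
        return "keep"
    idle = (today - acct["last_login"]).days
    if idle >= DELETE_AFTER_DAYS:
        return "delete"
    if idle >= DISABLE_AFTER_DAYS:
        return "disable"
    return "keep"

def review_accounts(accounts, today):
    """Group user names by recommended action."""
    result = {"keep": [], "disable": [], "delete": []}
    for a in accounts:
        result[review_account(a, today)].append(a["user"])
    return result

def make_account(user, system, idle_days, separated=False, recert_overdue=None):
    """Build a constructed account record from days since last login."""
    due = None if recert_overdue is None else TODAY - timedelta(days=recert_overdue)
    return {"user": user, "system": system, "separated": separated,
            "last_login": TODAY - timedelta(days=idle_days), "recert_due": due}

# Constructed sample access list, not real IRS data.
SAMPLE_ACCOUNTS = [
    make_account("a.active", "casefile", 10),
    make_account("b.idle50", "casefile", 50),
    make_account("c.idle120", "casefile", 120),
    make_account("d.travel", "travel", 200),
    make_account("e.former", "casefile", 3, separated=True),
    make_account("f.norecert", "casefile", 1, recert_overdue=60),
]
if __name__ == "__main__":
    for action, users in review_accounts(SAMPLE_ACCOUNTS, TODAY).items():
        print(f"{action}: {users}")
```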
