TIGTA: IRS Generally Responsive on Cybersecurity But Could Use Some Improvement

Chris Gaetano
Published Date: Sep 1, 2017

The Treasury Inspector General for Tax Administration (TIGTA), in a recent report, said that the IRS's Computer Security Incident Response Center (CSIRC) generally does a good job of detecting, preventing, reporting and responding to cyber attacks, but could use some improvement in case work, staff training and implementation of its Incident Response Plan. TIGTA noted that cybersecurity is becoming more and more important to tax authorities like the IRS, which are increasingly the target of attacks designed to access sensitive data, adding that for FY2016 the IRS reported 364 incidents. After sampling 100 of these incidents, TIGTA concluded that the CSIRC properly identified and documented the type, nature and scope of all 100 incidents, with information such as the systems and applications affected, the source of the incident, and the specific kind of lost equipment.

However, TIGTA found that not all incidents were properly reported, some supporting incident documentation was insufficient, incident costs were not captured, and reporting procedures were inconsistently applied. For example, the CSIRC failed to report 22 incidents to the Department of the Treasury, as it is required to do for incidents that compromise the confidentiality, integrity or availability of the federal government's information systems.

TIGTA also said that staff and contractors did not always meet training guidelines, and that skill assessments have demonstrated they need more training. It also said that not all employees comply with the specialized security training mandated by the Federal Information Security Modernization Act. While the IRS did have these employees take courses, TIGTA disagreed that the courses met the standards. Also, TIGTA noted that while the IRS had developed an Incident Response Plan as required, the plan had not been updated to fully comply with federal guidelines.

The IRS agreed to correct the reporting inconsistencies and to ensure that CSIRC employees and contractors comply with specialized security training requirements. The IRS partially agreed with the recommendations to remove system access (by removing network access) and to ensure that employees receive the training needed to reach high as well as intermediate proficiency levels. The IRS disagreed with capturing the costs of handling and responding to an incident, because doing so is not required by federal standards. TIGTA agreed that capturing costs is not explicitly required; however, it can help determine whether additional funding is needed for the incident response team, and it can be used to measure the team's success and the effect of changes in capabilities on performance.
