[ISN] Report: IRS can't access security data

InfoSec News isn at c4i.org
Tue Aug 31 01:24:27 EDT 2004


By David Perera 
Aug. 30, 2004

An Internal Revenue Service database that collects information but
cannot deliver it to users raises questions about the tax agency's
modernization plans, according to a recent audit by the Treasury
Inspector General for Tax Administration.

As the IRS finally brings modern systems online - including the
Customer Account Data Engine, the Integrated Financial System and the
Custodial Accounting Project - the lack of an effective audit trail
review would "be a significant security weakness that should weigh
significantly on whether to accredit future modernization
applications," the report states.

The Security Audit and Analysis System (SAAS) is intended to replace
the current system that keeps track of when IRS financial data is
accessed - a necessary tool for fending off hacker attacks or
detecting unauthorized internal access.

But even though the audit database can collect records, bad software
performance and functionality problems prevent users from querying the
information and generating reports, according to the inspector
general. As a result, IRS business units can't use the system to
identify possibly malicious actions aimed at updated applications,
according to auditors.

Since its delivery in November 2002 by Computer Sciences Corp., the
security analysis system has collected audit trail information for the
IRS' e-Services and Internet Refund Fact of Filing applications. Both
initiatives are part of the agency's $10 billion upgrade of its
tax-processing technology.

Auditors charge that agency officials knowingly accepted a defective
product - an allegation that Daniel Galik, the IRS' chief of mission
assurance, disputes in the agency's official response. "The SAAS met
all defined requirements and passed all tests," he wrote.

Citing security concerns, CSC officials declined to comment on the

Treasury Department officials also state that problems with the audit
system went undetected for almost a year because the IRS' Computer
Security Incident Response Center never wrote a help-desk ticket
describing the database's defects. The center is responsible for
thwarting hacker intrusions into IRS networks, but "apparently, the
[center] has not been using the SAAS since the November 2002 system
delivery date," the report states.

The IRS will spend $776,000 through the next fiscal year on labor and
maintenance for the audit system, according to the report. However,
IRS officials said steps are under way to correct the database's

Testing of audit trails from updated applications was set to begin
this month, and functioning logs will be online by October, according
to agency officials.

"Early tests look as if they're on track for completion," said Peggy
Begg, assistant inspector general for audit.

Officials said they are establishing internal ownership over the audit
trails to ensure that data is reviewed. Periodic compliance reviews
will start in March 2005, they said.

IRS officials rejected the auditors' recommendation that the agency
develop full-fledged alternatives to the security audit system in case
delays continue with the database. Agency officials are committed "to
ensuring that SAAS supports the business and security requirements for
sensitive systems," the agency's written response states.
