[ISN] IRS underestimates IT security weaknesses
isn at c4i.org
Mon Jan 24 04:40:04 EST 2005
By Mary Mosquera
The process the IRS has used to track IT program and system security
weaknesses is flawed and ineffective, the Treasury Inspector General
for Tax Administration's office said in a report released this week.
As a result, the IRS provided the Treasury Department and the Office
of Management and Budget with inaccurate and misleading information
related to the Federal Information Security Management Act.
"The system-level (Plans of Action and Milestones) did not accurately
and completely describe the security weaknesses and milestones,
understated the number of weaknesses, and overstated progress in
addressing the weaknesses," said Gordon Milbourn III, Treasury.s
assistant inspector general for audit, in the report.
The review took place in April and May but auditors took into account
IRS progress in its next FISMA report dated September.
IRS prepared near-identical plans for each system, noting broad
categories of weaknesses instead of specific weak points. The agency
did not provide detailed actions to correct the problems nor the names
of the managers responsible for them, according to the report.
In its most recent action report, IRS listed 319 weaknesses for its 80
major systems. But those weaknesses only represent management control
problems, such as lack of certification and accreditation, security
and tested contingency plans. They do not include operational and
technical control weaknesses, the report said.
IRS assumed that if a system had been certified and accredited, most
noted weaknesses could be closed. .This assumption is not valid since
certified and accredited systems can still have security weaknesses,.
the IG said.
IRS has since established a working group of IT modernization and
business unit executives to figure out how best to manage the process
for correcting security problems, said Daniel Galik, chief of IRS
mission assurance and security services. IRS will provide detailed
corrective actions by line item instead of grouping the actions "to
ensure there is not a perception of underreporting of corrective
actions," he said in a written response earlier this month.
IRS will also team with Treasury to acquire an automated application
that will standardize and streamline all action plan reporting and
tracking across the department, he said. Treasury is adapting its
process for reporting and tracking financial management weaknesses
through its Joint Audit Management Enterprise System in order to
synchronize its security reporting. This will create one source for
tracking corrective actions related to audits by TIGTA and the
Government Accountability Office, Galik said.
More information about the ISN