[ISN] IRS underestimates IT security weaknesses
InfoSec News
isn at c4i.org
Mon Jan 24 04:40:04 EST 2005
http://www.gcn.com/vol1_no1/daily-updates/34887-1.html
By Mary Mosquera
GCN Staff
01/21/05
The process the IRS has used to track IT program and system security
weaknesses is flawed and ineffective, the Treasury Inspector General
for Tax Administration's office said in a report released this week.
As a result, the IRS provided the Treasury Department and the Office
of Management and Budget with inaccurate and misleading information
related to the Federal Information Security Management Act.
"The system-level (Plans of Action and Milestones) did not accurately
and completely describe the security weaknesses and milestones,
understated the number of weaknesses, and overstated progress in
addressing the weaknesses," said Gordon Milbourn III, Treasury's
assistant inspector general for audit, in the report.
The review took place in April and May but auditors took into account
IRS progress in its next FISMA report dated September.
IRS prepared near-identical plans for each system, noting broad
categories of weaknesses instead of specific weak points. The agency
did not provide detailed actions to correct the problems nor the names
of the managers responsible for them, according to the report.
In its most recent action report, IRS listed 319 weaknesses for its 80
major systems. But those weaknesses represent only management control
problems, such as the lack of certification and accreditation, of
security plans and of tested contingency plans. They do not include
operational and technical control weaknesses, the report said.
IRS assumed that if a system had been certified and accredited, most
noted weaknesses could be closed. "This assumption is not valid since
certified and accredited systems can still have security weaknesses,"
the IG said.
IRS has since established a working group of IT modernization and
business unit executives to figure out how best to manage the process
for correcting security problems, said Daniel Galik, chief of IRS
mission assurance and security services. IRS will provide detailed
corrective actions by line item instead of grouping the actions "to
ensure there is not a perception of underreporting of corrective
actions," he said in a written response earlier this month.
IRS will also team with Treasury to acquire an automated application
that will standardize and streamline all action plan reporting and
tracking across the department, he said. Treasury is adapting its
process for reporting and tracking financial management weaknesses
through its Joint Audit Management Enterprise System in order to
synchronize its security reporting. This will create one source for
tracking corrective actions related to audits by TIGTA and the
Government Accountability Office, Galik said.