The Internal Revenue Service is making progress on improving its authentication processes after a string of data breaches on some of its e-Services and online apps, but some of the improvements haven’t been completely implemented, according to a new report.
The
The Treasury Inspector General for Tax Administration (TIGTA) found the IRS has made progress in improving its electronic authentication controls. It deployed a more rigorous electronic authentication process that provides two-factor authentication via a security code sent to text-enabled mobile phones (a factor NIST SP 800-63B classes as "restricted," because an SMS code can be intercepted or redirected at the carrier, so it raises assurance without matching a hardware or app-based authenticator). It completed or updated electronic authentication risk assessments for 28 of its online applications to determine the appropriate level of authentication assurance for each, and enhanced its network monitoring and audit log analysis capabilities.
However, TIGTA auditors also found the network monitoring tools that the IRS bought to improve the prevention and detection of automated attacks weren’t fully implemented because of issues related to resources, incompatibility and higher priorities. On top of that, the controls that are supposed to prevent a fraudulent user from improperly creating profiles weren’t fully implemented. Further, the IRS isn’t fulfilling requirements for monitoring audit logs for suspicious activity due to inadequate processes for generating and reviewing audit log reports, nor is it ensuring that reports are useful for investigating and responding to suspicious activities.
TIGTA made four recommendations in the report. It recommended that the IRS's chief information officer prepare a plan of action and milestones to ensure the remaining issues preventing full implementation of the two network monitoring tools are addressed; establish a process to adequately test, and then keep monitoring, enhancements made to application controls until the controls are confirmed to be effective; ensure that electronic authentication audit logs capture enough data to allow tracking and analysis of user activity; and ensure that IRS policy on audit log report generation and review is met, and that the reports are useful for investigating and responding to suspicious activity.
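To make the two audit-log findings concrete, here is an added example (not IRS tooling and not from the TIGTA report) of the kind of review a log report should support: it checks that each authentication event carries the fields an investigator needs, and then looks for the two automated-attack patterns the report describes, a burst of failed logins from one address across many accounts and a burst of profile creations from one address. The log format, field names, and thresholds are assumptions for the illustration, and the sample records are constructed.

```python
"""Audit-log review for an electronic-authentication service.

Added example, not IRS code. Assumed (not from the report): one JSON object per
line with the fields in REQUIRED_FIELDS; the burst thresholds in RULES are
illustrative and would be tuned to the real application's traffic.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

REQUIRED_FIELDS = ("ts", "event", "src_ip", "user", "user_agent")
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# event -> (minimum count, window in seconds, label for the finding)
RULES = {
    "login_failure": (10, 60, "possible automated credential guessing"),
    "profile_created": (5, 300, "possible automated profile creation"),
}


def constructed_sample():
    """Constructed sample log (not real data): one address hammering logins,
    one address creating profiles, a benign login, and a record missing a field."""
    base = datetime(2018, 5, 1, 9, 0, 0)
    recs = []
    for i in range(12):  # 12 failures in 55 seconds, each against a different account
        recs.append({"ts": (base + timedelta(seconds=5 * i)).strftime(TS_FORMAT),
                     "event": "login_failure", "src_ip": "203.0.113.7",
                     "user": "u%d" % (1000 + i), "user_agent": "python-requests/2.18"})
    for i in range(6):  # 6 new profiles in 150 seconds from one address
        recs.append({"ts": (base + timedelta(seconds=30 * i)).strftime(TS_FORMAT),
                     "event": "profile_created", "src_ip": "198.51.100.9",
                     "user": "new%d" % i, "user_agent": "Mozilla/5.0"})
    recs.append({"ts": base.strftime(TS_FORMAT), "event": "login_success",
                 "src_ip": "192.0.2.5", "user": "u42", "user_agent": "Mozilla/5.0"})
    recs.append({"ts": base.strftime(TS_FORMAT), "event": "login_success",
                 "src_ip": "192.0.2.6", "user": "u43"})  # no user_agent: unusable
    return "\n".join(json.dumps(r) for r in recs)


def parse_log(text):
    """Split the log into analyzable records and records that lack required data.

    A record missing a field cannot be tied to an actor, so it is reported
    separately instead of silently dropped; that gap is itself a finding."""
    complete, incomplete = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        (incomplete if missing else complete).append(rec)
    return complete, incomplete


def find_bursts(records, rules=RULES):
    """Flag (src_ip, event) pairs whose densest window meets a rule's threshold."""
    times = defaultdict(list)
    users = defaultdict(set)
    for r in records:
        if r["event"] in rules:
            key = (r["src_ip"], r["event"])
            times[key].append(datetime.strptime(r["ts"], TS_FORMAT))
            users[key].add(r["user"])
    findings = []
    for key, stamps in times.items():
        min_count, window, label = rules[key[1]]
        stamps.sort()
        start, densest = 0, 0
        for end in range(len(stamps)):  # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > timedelta(seconds=window):
                start += 1
            densest = max(densest, end - start + 1)
        if densest >= min_count:
            findings.append({"src_ip": key[0], "event": key[1], "count": densest,
                             "distinct_users": len(users[key]), "label": label})
    return findings


def review(text):
    """Produce the two things a log report needs: data gaps and suspicious bursts."""
    records, incomplete = parse_log(text)
    return {"incomplete_records": len(incomplete), "findings": find_bursts(records)}


if __name__ == "__main__":
    print(json.dumps(review(constructed_sample()), indent=2))
```

The distinct-user count is what separates credential stuffing (many accounts, one source) from a single user mistyping a password, and the incomplete-record count is the check behind TIGTA's third recommendation: a log that omits the source address or user agent cannot support the after-the-fact investigation the report asks for.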
The IRS agreed with TIGTA’s recommendations, including coming up with a plan to ensure the remaining issues preventing full implementation of network monitoring tools are addressed and continuing to implement the capability to generate reports from the audit logs. That should allow on-demand audit review, analysis, and after-the-fact investigations.
“The IRS is committed to continuously improving the identification proofing process and capabilities and maintaining required levels of assistance as directed by National Institute of Standards and Technology and the Office of Management and Budget,” wrote IRS CIO Gina Garza in response to the report. “This is critical to help maintain the integrity, confidentiality and availability of taxpayer data.”