The Treasury Inspector General for Tax Administration faulted the IRS's cybersecurity program as ineffective, since it failed 17 out of the 20 relevant metrics on which it was judged.
The metrics themselves come from the
The TIGTA
"As examples of specific metrics that were not considered effective, TIGTA found that the IRS could improve on maintaining a comprehensive and accurate inventory of its information systems; tracking and reporting on an up-to-date inventory of hardware and software assets; maintaining secure configuration settings for its information systems; implementing flaw remediation and patching on a consistent and timely basis; and ensuring that security controls for protecting personally identifiable information are fully implemented," said the report.
For instance, the report said the IRS cannot always ensure that information systems included in its inventory are subject to the monitoring processes defined within its Information Security Continuous Monitoring (ISCM) Program Plan because of gaps in the tools used to monitor its system inventories. Moreover, according to TIGTA, the IRS has not closed the scanning tool gaps necessary to perform checks for unauthorized hardware components or devices and to notify the appropriate organizational officials.
There was only one area that TIGTA rated as "optimized," the full maturity level: incident response. The report said the IRS uses dynamic reconfiguration (e.g., changes to router rules, access control lists, and filter rules for firewalls and gateways) to stop attacks, misdirect attackers and isolate components of systems.
For the remainder of the program, though, TIGTA was less than impressed.
"The IRS needs to take further steps to improve its security program deficiencies and fully implement all security program components in compliance with FISMA requirements; otherwise, taxpayer data could be vulnerable to inappropriate and undetected use, modification, or disclosure," said the report.