TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Office of Audit

Updating Computer Room and Tape Library Physical Access Controls Will Significantly Improve Security

Final Report Issued on September 29, 2016

Highlights

Highlights of Reference Number:  2016-20-093 to the Internal Revenue Service Chief Information Officer.

IMPACT ON TAXPAYERS

Computer rooms and tape libraries house critical IRS systems and data that reside on mainframes, servers, and other information technology equipment as well as back-up tapes for operations.  These systems are essential to the operations of the IRS.  Unauthorized access could result in the theft of equipment and taxpayer information and disruption of service.

WHY TIGTA DID THE AUDIT

This audit was initiated as part of our statutory requirement to annually review the adequacy and security of IRS technology.  The overall objective was to assess the controls in place to restrict access to computer rooms and tape libraries, and to prevent and detect unauthorized accesses to those resources.

WHAT TIGTA FOUND

TIGTA determined that computer room and tape library perimeter security needs to be updated.  Two-factor authentication was not being used for one of the data center locations, and door testing was not being performed after changes to or implementation of the door groups in the enterprise Physical Access Control System (ePACS).  As a result, general access was allowed into the restricted computer rooms.  Also, surveillance equipment was either outdated or did not exist, which limited the IRS’s ability to monitor its critical infrastructure.

TIGTA also determined that the continued use of temporary badges as a form of identification presents security concerns because these badges do not provide specific employee information.  Also, the IRS uses a manual and visual process to identify visitors, increasing the risk that an unauthorized individual could gain access.  Authenticating individuals by their Personal Identity Verification cards reduces that risk because the card authenticates the individual entering the room.

Lastly, TIGTA determined that automating access monitoring to the computer rooms and tape libraries will increase efficiency and security.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the Chief, Agency‑Wide Shared Services, periodically test card readers to ensure correct association with the door group in the ePACS, implement compliant two-factor authentication, update security surveillance equipment, align policy for temporary badges with Federal policy, add unique identifiers to the ePACS, and maintain and ensure consistency in the use of Limited Area Registers.  TIGTA also recommended that the Chief Information Officer update policies and/or procedures to require the use of a secure automated system to authorize and approve access, ensure sufficient oversight and coordination between the Enterprise Computing Center Project Response Incident and Management office and tape library management, review monthly ePACS reports, and discontinue Level 1 and Level 2 designations based on frequency of access.

The IRS agreed with six recommendations, partially agreed with two recommendations on repairing cameras and updating procedures for monthly reconciliation of logs, and disagreed with the five recommendations on updating policies for cameras and monitoring physical intrusion alarms, temporary badges, controlling of access into computer rooms, the need to remove Levels of access, and business need for access.

TIGTA maintains that the IRS should take additional corrective actions with respect to both of the partially agreed recommendations and the five disagreed recommendations.

READ THE FULL REPORT

To view the report, including the scope, methodology, and full IRS response, go to:

http://www.treasury.gov/tigta/auditreports/2016reports/201620093fr.pdf.