IRS Earns Higher Grades for Security Testing
The Internal Revenue Service substantially upped the efficacy of its security review programs during fiscal 2008, according to a new report issued by the Treasury Inspector General for Tax Administration (TIGTA).
The federal review of the IRS's security policies, procedures and standing, carried out in accordance with the Federal Information Security Management Act (FISMA), revealed that the agency has come a long way in the last year.
"Overall, the IRS has made steady progress in complying with FISMA requirements since enactment of the FISMA in 2002, and it continues to place a high priority on efforts to improve its security program. We observed significant improvements in the areas of security that we had identified as needing improvement in our 2007 FISMA evaluation," the report concludes.
The TIGTA review included 9 individual security audits conducted over the last twelve months, involving some 22 different IT systems, the report said.
TIGTA auditors also credited the IRS Modernization and Information Technology Services organization's Cybersecurity Office for improving its certification and accreditation process, among other efforts.
However, despite the improvements, the report contends that the IRS still has many remaining security issues that need to be addressed.
"While the IRS improved its certification and accreditation process, more needs to be done to adequately secure its systems and data. The most significant area of concern is implementation of configuration management standards," the report states.
The guidelines issued to all agencies by the U.S. Office of Management and Budget under FISMA for minimum security controls in their information systems require that all systems be certified and accredited every 3 years, or when major system changes occur.
"Overall, 28 percent of the controls were not sufficiently tested for the 11 systems from our [22 system] sample. Thirty-seven percent of the operational controls were not adequately tested, and 67 percent of the technical controls were not adequately tested. These tests were limited to examining certification and accreditation documentation without securing evidence from the system. As a result, some tests were insufficient to identify controls that might not be operating as intended to protect the systems and data," the report claims.
The TIGTA report card goes on to highlight a handful of other areas that the IRS needs to address going forward in its testing, such as developing criteria to assess the timeliness of retrieving backup tapes from offsite locations, but no matter how you cut it, it would seem that progress is being made.
Some may criticize the government for moving too slowly to adopt stricter security policies and failing to aggressively ensure that all of its requirements are being met, but, no matter how you cut it, even slow and steady improvement is a good thing for everyone.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.