Jan 24, 2005 (09:01 AM EST)
IRS Needs Better IT Security Plan, Inspector General Says
Read the Original Article at InformationWeek
The Internal Revenue Service isn't doing enough to assure the security of its IT systems, according to a Treasury Department Inspector General's report made public last week.
The report, written by assistant inspector general for audit Gordon Milbourn, says the IRS has prepared action plans and milestones to track program-level and system-level weaknesses, as required by the White House Office of Management and Budget.
But the process the IRS employs to identify weaknesses and report progress is flawed and ineffective, Milbourn writes. That means the information the IRS provides Treasury and has been inaccurate and misleading. Without effective action and milestone plans, Milbourn says, the IRS can't identify and monitor security weaknesses to ensure that the most significant weaknesses are addressed in a timely fashion.
Among the other observations the inspector general made:
To ensure an effective system is established to monitor security weaknesses, the Inspector General's office recommends that the IRS chief of mission assurance and security services coordinate with the department's CIO and business-unit owners to develop plans that specifically identify all known security weaknesses.
The IRS chief of mission assurance and security services agrees with the inspector general's recommendations, and has initiated a number of corrective actions. Among them, according to the inspector general's report, is establishing a working group of executives and senior staffers from business units and the agency's modernization and technology services unit to develop and implement an approach to managing the plans. In coordination with the CIO and business unit owners, the chief of mission assurance and security services will develop a plan to allow the reconciliation and validation of corrective actions through the testing process.