TSCPA News

TIGTA Report Says IRS Ran Reduced Security Scanning for 3 Years

October 4, 2022

The Treasury Inspector General for Tax Administration (TIGTA) recently released a report concluding that the IRS did not follow its formal written security policy and ran reduced vulnerability scans on its databases for at least three years starting in 2018.

During that time, the IRS' written policy was in compliance with National Institute of Standards and Technology guidance and a Department of the Treasury Directive. But the agency's newer practice of not performing privileged database vulnerability scanning on all system databases, including mainframe applications, was not compliant with the IRS' formal written policy or federal guidance, the report stated.

TIGTA also found that, in the case of cloud databases, the IRS did not always follow up when a scan was performed. The agency typically chose to rely on vendor-designed reports, which tended to lack security vulnerability details, instead of analyzing the raw scan data. In addition, the IRS did not always read the vendor reports because, depending on the vendor, it was not always able to download them.

The report also said that the IRS inconsistently patched security vulnerabilities when they were discovered. Several specific vulnerabilities were noted with Microsoft and Oracle databases.

TIGTA recommended that the IRS:

  • Update the Internal Revenue Manual to reflect the proper security requirements
  • Have its information system security officers develop a formal process for recommending approval or disapproval of policy deviations
  • Perform privileged vulnerability scans on cloud systems when possible
  • Provide oversight to cloud service providers and obtain detailed scan results
  • Create plans of action and milestones for unresolved issues from database vulnerability scans
  • Patch or upgrade databases to the latest version, or at least a version within the acceptable risk tolerance

A final recommendation was redacted from the report.

In response to the TIGTA findings, the IRS said that it was unable to address the vulnerabilities of all its databases in a timely fashion and agreed with all recommendations.

TIGTA noted that the IRS began increasing its vulnerability scans soon after the inspection began.