The Treasury Inspector General for Tax Administration, in two reports, critiqued the IRS on cybersecurity for both its data warehouse and its cloud infrastructure.
Data warehouse security
TIGTA said this can be attributed to two root causes. First is that, within the CDW Platform Audit Worksheets, the coding script used to identify system logins in the CDW logs was referencing an incorrect file name. Upon recognizing the error, IRS alerted the appropriate cybersecurity officials and continued to collaborate to identify and implement a resolution. Second, when the login information search period is greater than 90 days, the search does not return complete and accurate login information. As of April 3, 2024, the exact cause of this error was still unknown; however, cybersecurity officials are continuing to troubleshoot the issue. The IRS reports that restricting the search to 90 days or fewer helps manage performance and response time, given the sheer volume of CDW log data. The IRS plans to add a note to the audit trail repository to advise about the 90-day limitation and noted that multiple searches for 90 days or fewer may be run.
Further, TIGTA said that while actionable events require timely review to determine if additional escalation or notifications are needed, the Compliance and Audit Monitoring team is not reviewing any of them. A management official stated that CDW’s actionable events are not being reviewed because of a miscommunication between the Compliance and Audit Monitoring team and CDW personnel, and that the team began the review of all required actionable audit events in March 2024. Further, TIGTA said the monitoring that is being done is highly inefficient, as the IRS’s audit trail repository does not permit users to export or download multiple auditable or actionable events at the same time. As a result, the team is restricted to reviewing, analyzing and reporting on singular audit events.
TIGTA did, however, concede that all 1,173 CDW users as of April 2024 completed each of the four mandatory training courses. However, mandatory training requirements for unpaid hires (academic researchers and student volunteers) were not managed via the Integrated Talent Management system. According to management officials from the IRS’s Human Capital Office, this limitation was due to an integration issue within the agency’s human resources system. While TIGTA found that the current manual process for tracking training requirements for unpaid hires is functional, it does not afford any type of verification that the training was actually completed.
TIGTA recommended that: 1) the IRS’s chief data and analytics officer ensure the agency’s audit trail repository accurately displays and reports all CDW login information; 2) the chief information officer ensure that all required actionable audit events for the CDW are reviewed; 3) the CIO ensure that automated mechanisms are incorporated into the actionable audit event escalation process; 4) the CIO and chief data and analytics officer ensure that identified vulnerabilities are timely remediated; and 5) the chief data and analytics officer ensure that all CDW servers are included in configuration compliance scans. The IRS agreed with all five recommendations.
Cloud infrastructure security
TIGTA,
Specifically, inspectors determined that 35 (70%) of the 50 cloud systems reviewed had the same individuals assigned as either the authorizing official or the AO’s designated representative and system owner. The remaining 15 (30%) of the 50 cloud systems reviewed demonstrated appropriate separation of duty with different individuals assigned as the AO or the AO-designated representative and system owner.
While the National Institute of Standards and Technology guidelines recommend that organizations ensure there are no conflicts of interest when assigning the same individual to multiple risk management roles, there was no IRS policy statement that specifically prevented the roles from being occupied by the same person. After this issue was brought to management’s attention, IRS officials stated they will review the NIST guidance and work to ensure that updates are made as appropriate to have different individuals occupy these roles.
TIGTA also noted that the IRS was not preparing summary reports for 11 (22%) of 50 cloud systems every month as required. The Cloud Continuous Monitoring Strategic Operating Plan requires cloud information system security officers to prepare a monthly summary report for each of their assigned systems and provide it to the system’s AO. Further, summary reports for 45 of the 50 cloud systems identified that the reports were missing required information. Also, 31 of the 45 cloud systems reviewed were missing the trackable Plan of Action and Milestones weakness identification number on the summary report. And security documents were missing approvals or were not properly approved within the Department of the Treasury data repository. Specifically, the repository was missing five (10%) of the 50 cloud systems’ Authorization-to-Operate memorandums. Finally, 15 of 50 cloud systems were missing required Federal Risk and Authorization Management Program Security Threat Analysis Reports.
TIGTA recommended that the IRS’s chief information officer ensure that: 1) separation of duty controls reflect guidance and require that all cloud systems have a unique System Owner and Authorizing Official; 2) an Authorization-to-Operate memorandum is approved for the system to remain in production; 3) summary reports are timely created; 4) procedures are updated; 5) management approvals are consistent and documented; and 6) the Cloud Security Assessment and Authorization process is completed annually. The IRS agreed with four recommendations and plans to ensure separation of duty controls reflect guidance; the system obtains authorization; that summary reports are timely created; and that management approvals are documented. The IRS disagreed with two recommendations, stating its weakness summary reporting is sufficient without unique identifiers and that cloud security assessments are completed in accordance with existing procedures.
Credit: Source link