While the Internal Revenue Service has made some progress in correcting its computer security material weakness, the agency prematurely closed the security roles and responsibilities component and only completed four of six corrective-action objectives, according to a recently released Treasury Inspector General for Tax Administration report.

Portions of the agency's training curriculum, and roles and responsibilities manual overlap, while other sections are missing job descriptions and performance metrics, the report states. Until these documentation errors are addressed, the IRS cannot ensure that contractors will preserve the confidentiality, integrity and availability of taxpayer data.

Specifically, the IRS did not:

• Document all IT security roles and responsibilities in the Internal Revenue Manual;
• develop day-to-day IT security procedures and guidelines;
• properly assess compliance of day-to-day IT procedures; and,
• establish effective metrics for monitoring compliance with IT security roles and responsibilities.

The errors in reference materials may be having a direct affect on IT personnel performance as the report cites "recent evidence of employee noncompliance with security responsibilities," as a reason the component should have remained open.

The inspector general asked that this component be reopened and the outlined deficiencies be corrected. In a response to TIGTA, the IRS outlined how it will resolve all suggested corrections. It also requested that the component be downgraded to a "significant deficiency" rather than be reopened, because the component "has dropped below the threshold of materiality and is in a state of significant deficiency," said IRS Chief Technology Officer Terence Milholland. However, TIGTA said no.

The IRS has formally tracked and monitored computer security since it was identified as a material weakness in Government Accountability Office-led audit in 1997. The Office of Management and Budget also monitors agencies' material weaknesses and defines them as shortcomings in operations or systems that may impact an agency's ability to fulfill it's mission.

For more:
- download this TIGTA audit report (.pdf)

Related Articles:
IRS not making best use of third party data to catch tax fraud, says TIGTA
Attention identity thieves: Tax notices still printed with social security numbers
IRS needs better grip on contractors with taxpayer data access, says TIGTA