Patch management lacking at IRS


The Internal Revenue Service lacks patch management policies and procedures that ensure information technology systems operate securely, according to a Treasury Inspector General for Tax Administration report (.pdf) dated Sept. 25 but not published until Nov. 1.

Auditors find the agency lacks a complete inventory of its IT assets, making patch monitoring and application difficult. The agency is required to keep an accurate and updated inventory of operating systems, versions of all software, patch levels and installed applications.

Right now, IRS is in the processes of standing up two automated asset discovery tools: a Business DNA tool for establishing and validating IT device inventory, and a Discovery and Dependency Mapping Advanced tool for crafting an inventory of configuration items for which changes to configuration settings need to be managed, say report authors.

Auditors note that the National Institute of Standards and Technology recommends patch management and vulnerability scanning capabilities be integrated in one agent "instead of having to install and manage two separate agents on each computer."

Inventory and patch management should be implemented through an enterprisewide approach, write report authors, in order to avoid redundancy, reduce cost and minimize risk.

The IRS agreed with seven of TIGTA's eight recommendations. The IRS believes it has existing procedures in place to address the recommendation that system owners be held accountable for patching systems within prescribed time frames. However, TIGTA maintains that further actions should be taken.

For more:
- download the report, "An Enterprise Approach is Needed to Address the Security Risk of Unpatched Computers," (.pdf)

Related Articles:
ITA security categorization and controls deficient, finds OIG
GAO: IRS taxpayer information threatened by inadequate internal controls
DOE configuration management lacking, says OIG

Filed Under