In a new report, GAO concluded that “[a]lthough IRS made progress in correcting previously reported information security weaknesses, control weaknesses over key financial and tax processing systems continue to jeopardize the confidentiality, integrity, and availability of financial and sensitive taxpayer information.”
Of particular note, GAO found that
Although IRS has processes in place intended to monitor and assess its internal controls, these processes were not always effective. For example, IRS’s testing did not detect many of the vulnerabilities GAO identified during this audit and did not assess a key application in its current environment. Further, the agency had not effectively validated corrective actions reported to resolve previously identified weaknesses. Although IRS had a process in place for verifying whether each weakness had been corrected, this process was not always working as intended.
GAO further explained that
To establish individual accountability, monitor compliance with security policies, and investigate security violations, it is crucial to determine what, when, and by whom specific actions have been taken on a system. Organizations accomplish this by implementing system or security software that provides an audit trail—a log of system activity—that they can use to determine the source of a transaction or attempted transaction and to monitor users’ activities. The way in which organizations configure system or security software determines the nature and extent of information that can be provided by the audit trail. To be effective, organizations should configure their software to collect and maintain audit trails that are sufficient to track security-relevant events. The Internal Revenue Manual states that IRS should enable and configure audit logging on all systems to aid in the detection of security violations, performance problems, and flaws in applications. Additionally, IRS policy states that security controls in information systems shall be monitored on an ongoing basis.
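The audit-trail requirement GAO describes above (an audit record must show what was done, when, and by whom) is something a monitoring team can check mechanically rather than assume. The following is an added example, not code from the original post, the GAO report, or IRS's own tooling: a small Python check that reads audit records and flags any that cannot answer those three questions, plus any security-relevant action that does not name its target. The key=value record format, the field names, the set of actions treated as security-relevant, and the sample log lines are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Fields every audit record must carry to answer "what, when, and by whom".
REQUIRED_FIELDS = ("ts", "user", "action")

# Actions treated as security-relevant in this example (an assumption);
# these must additionally name the object acted on.
SECURITY_RELEVANT = {"read_record", "modify_record", "privilege_change", "config_change"}

# Constructed sample records in key=value form; not real IRS or GAO data.
# Lines 3, 4 and 5 are deliberately deficient.
SAMPLE_LOG = """\
ts=2011-03-15T14:02:11Z user=jdoe action=login src=10.1.2.3 result=success
ts=2011-03-15T14:05:40Z user=jdoe action=read_record target=TIN:***-**-1234 result=success
ts=2011-03-15T14:07:02Z action=modify_record target=TIN:***-**-1234 result=success
user=svc_batch action=privilege_change target=role:admin result=success
ts=2011-03-15T14:08:30Z user=root action=config_change result=success
ts=2011-03-15T14:09:55Z user=jdoe action=logout result=success
"""

_KV = re.compile(r"(\w+)=(\S+)")


@dataclass
class Finding:
    line_no: int
    problem: str
    record: dict


def parse_record(line: str) -> dict:
    """Parse one key=value audit line into a dict (a repeated key keeps the last value)."""
    return dict(_KV.findall(line))


def check_audit_trail(log_text: str) -> list:
    """Return a Finding for every record that cannot attribute what/when/who,
    and for every security-relevant action that does not identify its target."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        rec = parse_record(line)
        for name in REQUIRED_FIELDS:
            if name not in rec:
                findings.append(Finding(line_no, f"missing {name}", rec))
        if rec.get("action") in SECURITY_RELEVANT and "target" not in rec:
            findings.append(Finding(line_no, "security-relevant action without target", rec))
    return findings


def summarize(findings: list) -> list:
    """Compact, order-stable view of findings for reporting or assertions."""
    return sorted({(f.line_no, f.problem) for f in findings})


if __name__ == "__main__":
    for f in check_audit_trail(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.problem}: {f.record}")
```

Run against the sample, the check reports a modification with no actor (line 3), a privilege change with no timestamp (line 4), and a configuration change that does not say what was changed (line 5). The point is the one GAO makes: the logging configuration, not the mere presence of a log, determines whether the trail can support accountability, and a check like this belongs in the ongoing monitoring loop rather than in a one-off audit.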
GAO’s findings highlight the need for NIST to adopt detailed, rigorous continuous monitoring requirements in SP 800-137: an agency whose own testing misses vulnerabilities and whose verification of corrective actions does not work as intended needs guidance that is specific about what must be monitored, how often, and how remediation is validated.
Attached below is the complete GAO report. Also attached below are CRE’s comments on NIST’s draft continuous monitoring guidance, SP 800-137.