IRS: 2 Audits, 2 Conclusions on Risk Management
One Audit Illustrates Weaknesses in Annual FISMA Audit
Two audits of the U.S. Internal Revenue Service, issued a day apart by the same watchdog agency, reached different conclusions about how effectively the tax agency manages information risk.
In its annual Federal Information Security Management Act audit for fiscal year 2014, the Treasury Inspector General for Tax Administration declared that the IRS met the performance metrics specified in Department of Homeland Security guidelines for risk management. However, as a footnote in the audit points out:
"Although the IRS met the performance metrics specified by the DHS for risk management, TIGTA found deficiencies with the IRS's risk-based decisions process that were not in alignment with policy. Specifically, we found that not all risk-based decisions are adequately documented and tracked."
Indeed, a day before the IG published the FISMA audit on Sept. 23, it issued another report titled: The Internal Revenue Service Does Not Adequately Manage Information Technology Security Risk-Based Decisions. (The publication dates don't coincide with when the IG makes them public; these two audits were unveiled earlier this month.)
Put together, the two audits illustrate a major concern many IT security and risk professionals have with the effectiveness of FISMA audits: They are checklists of whether organizations comply with federal regulations that require specific processes but do not determine if the processes are effective.
"It's easy to have a process that's labeled 'this is our risk management process'," says Allan Friedman, research scientist at George Washington University's Cybersecurity Policy Center. "Actually assuring that risk management process adheres to proper tenets of what's necessary to the ... process, that's more difficult."
Under the category "risk management" in the FISMA audit, the IG checked "yes" when answering the question: "Has the organization established a risk management program that is consistent with FISMA requirements, Office of Management and Budget policy and applicable National Institute of Standards and Technology guidelines?"
The FISMA audit checklist identifies 16 attributes of risk management, including whether the IRS documents policies and procedures; addresses risk from organizational, mission and systems perspectives; requires that senior officials be regularly briefed on security; and ensures that information security controls are monitored continuously. In each case, the "yes" box was checked.
The other audit, on the IRS's management of risk-based decisions, clarifies how the agency could be in compliance with FISMA rules yet still lack the procedures needed to ensure proper decision-making. Instead of determining whether the agency complied with a specific item, such as ensuring that a designated official receives updates on the state of a system, this second audit determined whether the IRS's risk-based decision process provides an effective platform for identifying, assessing and addressing risks related to IT projects and systems.
Minimal Information Gathered
Treasury auditors who conducted that second examination of management of risk-based decisions contend the IRS collects and tracks minimal information about risk-based decisions and does not require supporting documents about why decisions were made. The failure to adequately document risk-based decisions means those responsible for making IT security decisions could lack the right information to make sound choices.
The IG says making poor choices could result in security breaches, which can cause network disruption and prevent the IRS from performing vital taxpayer services, such as processing tax returns, issuing refunds and answering taxpayer questions.
"When risk-based decisions are not made within the established guidelines, the organization may be accepting too much risk related to security of its systems and data," the IG says. "Consequently, taxpayer data may not be secured and may be vulnerable to unauthorized disclosure, which can lead to identity theft."