DIRECTOR, OFFICE OF SYSTEMS STANDARDS AND EVALUATION INTERNAL REVENUE SERVICE
SUBCOMMITTEE ON SCIENCE, TECHNOLOGY, AND SPACE
COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
UNITED STATES SENATE
FEBRUARY 10, 1998
Mr. Chairman and Distinguished Members of the Committee: I am pleased to be here today to discuss computer security at the Internal Revenue Service (IRS).
The IRS has long understood that protecting taxpayer information is essential to the operation of our country=s self-assessment tax system. Policies and procedures to protect the security and confidentiality of taxpayer information have been established in accordance with various laws and other federal guidance, including the Privacy Act of 1974, the Computer Security Act of 1987, and Section 6103 of the Internal Revenue Code. A more recent example is the Taxpayer Browsing Protection Act, which was signed into law in August 1997. In short, this new law helps to better address an internal threat to taxpayer records by making all cases of willful unauthorized access and inspection of taxpayer recordsCelectronic and paperCa crime.
Although policies and procedures have been established, the IRS is aware that more emphasis is needed to adequately mitigate security weaknesses. Audits and reviews of the IRS= security and operations have identified weaknesses and instances where individuals have misused our systems to commit fraud and other crimes. For example, the General Accounting Office (GAO) reported in April 1997 on its concerns with various systems security weaknesses at the IRS. It also raised concerns with the IRS= effectiveness in dealing with unauthorized accesses to taxpayer records by IRS employees.
The IRS= Office of the Chief Inspector is responsible for investigations dealing with criminal acts. In this regard, Inspection=s investigations have identified criminal acts involving employees who have improperly accessed computer systems and used taxpayer information from these systems to commit acts such as embezzlement, submitting false claims for tax refunds, and unauthorized disclosure of tax information. Since October 1, 1997, Inspection also assumed total responsibility for investigating all allegations of unauthorized access and inspection of taxpayer records.
Whereas preventing fraud and misuse is the ultimate goal of any security program, a good security program also must adequately detect and react to situations that cannot always be prevented. In this regard, the IRS= security program is focused on improving its prevention, detection, and reaction capabilities.
EXECUTIVE-LEVEL LEADERSHIP ESTABLISHED
In response to internal and external security concerns raised by the Congress, auditors, and an IRS task force, the IRS centralized responsibility for security and privacy issues in its Office of Systems Standards and Evaluation (SSE) in January 1997. This was initiated just after I joined the IRS to manage SSE--after almost 22 years with GAO.
SSE is responsible for establishing and enforcing standards and policies for all major security programs including, but not limited to, physical security, data security and systems security. In this regard, SSE provides IRS with a proactive, independent security group that is directly responsible for the adequacy and consistency of security over all operations. This organization and approach are consistent with GAO=s September 1996, report, Information Security: Opportunities for Improved OMB Oversight of Agency Practices, which noted that, ASuch a program can provide senior officials a means of managing information security risks and the related costs rather than just reacting to individual incidents.@
SSE was not assigned this management oversight responsibility to duplicate evaluation and review efforts by the IRS= Office of the Chief Inspector, which focuses many of its efforts on overseeing and strengthening computer security. SSE was established to provide consistent executive-level leadership and enforcement for security throughout the IRS. Using some of the same evaluation disciplines employed by the Office of the Chief Inspector and external auditors, SSE focuses on evaluating, guiding, and enforcing IRS= security and privacy programs and processes. However, it uses the same evaluation disciplines to baseline security operations at the IRS= facilities and support functions. It also works with the management of these entities to drive solutions, develop sound security processes, and establish enforcement mechanism that hold these managers responsible for maintaining these processes.
In March 1997, the IRS further strengthened its security capabilities with the appointment of Mr. William Hadesty to direct SSE=s Office of Security Standards and Evaluation. Mr. Hadesty is a recognized security expert in both the public and private sector with over 10 years of GAO experience in leading comprehensive computer security reviews at IRS, numerous other government agencies, and financial market entities. Mr. Hadesty has staffed his Office with a team of experienced managers that have the skill mix that is needed to strengthen security across the IRS . SSE is also utilizing contractor support in areas where even more specialized skills can help the IRS to institutionalize Abest practices.@ For example, SSE is working with such a contractor to enhance the IRS= emergency response capabilities, which includes state-of-the-art practices to better recognize and prevent hostile attacks.
Besides bringing together an experience-based team, SSE=s efforts were focused on evaluations of important support functions and all the IRS= computing centers and service centers in 1997. Work has progressed in a timely manner as planned, without any major obstacles. In this regard, managers and staff of these support functions and centers have been focused on working with SSE managers to implement security improvements. Because these managers and staff are the key players in institutionalizing the security improvements that are needed, SSE has initiated security-training efforts to enhance the skill mixes needed at the support functions and centers. For 1998, training and work are continuing at these support functions and centers. Moreover, SSE=s work has been broadened to cover the IRS= 33 District Offices in 1998.
Our work at centers and offices is focused on key areas, which include:
UNAUTHORIZED ACCESS TO TAXPAYER RECORDS
In August 1997, the Treasury Department issued a report on actions being taken to control unauthorized access to taxpayer records by IRS employees. This report reflected a study completed by IRS that focused on better addressing this access problem. Actions noted in the report are progressing as planned, and have included:
Over the longer term, the IRS= Modernization Blueprint consolidates security mechanisms, audit data, and user profile data. Currently, the IRS= various automated systems cannot provide an integrated security solution to prevent unauthorized activities by internal users. However, the planned services for security will include:
Overall, the long-range plans for security functionality are aimed at improving security performance and effectiveness while minimizing administrative, maintenance, and operational costs. User efficiency has been taken into account and the best practices of both the government and private sector have been considered and adopted in formulating the security initiatives for modernization. The resulting systems will be architecturally consistent to facilitate interoperability, data sharing, reduced development risk, reduced maintenance burden, and lower life cycle costs of ownership.
Beyond the consolidation of security mechanisms, audit data, and user profile data, the new architecture will support data mining techniques to further enhance the overall suite of security services. Private industry and government have found this technology to be highly effective in counteracting fraud such as might be perpetrated in connection with credit cards, checks, cell phones, insurance claims, and money laundering. Similarly, the IRS will mine data on its taxpayer record activity to better detect and react to unauthorized activities.
In closing, we believe that our current approach and program are focused on establishing a world-class security environment, which is commensurate with protecting the IRS= $1.4 trillion financial services program. At the IRS, we fully understand that although new technologies will help to streamline the agency=s operations and improve the delivery of services to taxpayers, these same technologies bring with them new risks that must be controlled to ensure adequate security. This continues to take on greater significance as IRS= reliance on paper decreases and its dependence on new technologies increases. In this regard, our new security program provides the IRS with the disciplined approach that is needed to continually improve the IRS= ability to protect the confidentiality and integrity of taxpayer data, and the processes and resources to operate our country=s self-assessment tax system.
This concludes my statement, and I will be glad to answer any questions.