TIGTA Report: IRS Computer Security Center Effective, Could Be Better
- The CSIRC's host-based intrusion detection system is not monitoring 34 percent of IRS servers, which puts the IRS network and data at risk.
- The CSIRC is not reporting all computer security incidents to the Department of the Treasury, as required.
- The CSIRC incident response policies, plans, and procedures are either nonexistent or are inaccurate and incomplete.
The TIGTA recommended that the Assistant Chief Information Officer, Cybersecurity, direct the CSIRC to:
- Develop its Cybersecurity Data Warehouse capability to correlate and reconcile active servers connected to the IRS network with servers monitored by the host-based intrusion detection system;
- Revise and expand the Memorandum of Understanding with the TIGTA Office of Investigations to ensure that all reportable and relevant security incidents are shared with the CSIRC;
- Collaborate with the TIGTA Office of Investigations to create common identifiers to help the CSIRC reconcile its incident tracking system with the TIGTA Office of Investigations' incident system;
- Develop a standalone incident response policy or update the policy in the IRS's Internal Revenue Manual with current and complete information;
- Develop an incident response plan; and
- Develop, update, and formalize all critical standard operating procedures.