Slashdot Mirror

← Back to Stories (view on slashdot.org)

IRS Doesn't Check Cyberaudit Logs

Posted by samzenpus on from the check-your-work-twice dept.

An anonymous reader writes "The US Internal Revenue Service's IT staff hasn't routinely checked its cybersecurity audit logs, according to a report released this week by the agency's inspector general's office. The report is not exactly flattering for the IRS. The report, with large chunks redacted, recommends the IRS allow independent review of audit logs and establish procedures to save audit logs. It also recommended that the IRS regularly test its Internet gateways for compliance with standard security configurations."

3 of 78 comments (clear)

  1. Re:Why redacted? by fprintf · · Score: 5, Insightful

    Never mind. I just figured it out... social security numbers and private information. Once again, that little problem of social security numbers raises its ugly head. If it was just used for social security taxes, and nothing else we'd be fine. But now it is used for all kinds of financial transactions any organization has to guard those 9 numbers better than Fort Knox guards its gold.

    --
    This post brought to you by your friendly neighborhood MBA.
  2. Read the whole report by BenEnglishAtHome · · Score: 5, Informative

    It's linked from the story. It's short and, like all such reports, its has a proforma organization that makes it easy to read. The synopsis tends to have the spin (and that's what got the attention of PC World and the Slashdot folks) but the actual findings are also clearly stated so that you can draw your own conclusions.

    The inspectors made three findings.

    1. "Intrusion detection systems were deployed effectively."

    2. "Access controls over firewall and router system administrator accounts are operating effectively"

    3. "Management of firewall and router audit logs needs to be improved."

    Under # 3, they found one high-risk error, the only high-risk error in the report. That finding was "Audit logs were not independently reviewed".

    The IRS agreed with all findings and promised to fix things.

    My personal opinion? I think a report that says, to paraphrase, "All your stuff works fine. However, you aren't regularly running it all past someone not in the normal administrative chain; that failure is a serious error" is certainly something to be taken seriously but it's unlikely to be a career-killer for anyone. I've seen far, far worse reports on many different subjects from amny different agencies. The IRS, however, is really big and touches everyone so a finding that procedures are suboptimal is far more newsworthy than some of the truly horrific crap that passes for security practice at other agencies. I certainly feel no ill will towards those who are publishing this stuff. When you work for the IRS, you get used to seeing bad news (mostly exaggerated bad news) almost exclusively. Such is life.

  3. Re:I don't either... by Anonymous Coward · · Score: 5, Funny

    Have you stopped to think that perhaps automated tools don't always work as expected?

    Frist Post!!1!