IRS Must Implement SharePoint Controls, TIGTA Says

IMPACT ON TAXPAYERS

The IRS uses thousands of SharePoint® sites for collaboration, document management, records management, and enterprise content management. The implementation of operational and security controls for these sites is critical to the protection of sensitive IRS data.

WHY TIGTA DID THE AUDIT

The overall objective was to assess the IRS's implementation of SharePoint operational and security controls, including the SharePoint governance structure, policies and procedures, user access controls, protection of sensitive data, and the Information Technology Contingency Plan.

WHAT TIGTA FOUND

Improved risk management across the IRS SharePoint environment is needed to ensure that adequate operational and security controls are in place and functioning as intended to protect sensitive SharePoint sites and data. Operational controls are needed to ensure that SharePoint sites containing sensitive data are identified and have an approved Privacy and Civil Liberties Impact Assessment. Security controls are needed to ensure that a security assessment of the SharePoint product, sites, and data is completed; SharePoint site collection audit trails are enabled; quarterly reviews of users' accesses are performed; users' accounts and permissions are efficiently managed; security and content management policies are consistently enforced; and the Information Technology Contingency Plan and Business Impact Analysis are finalized.

The IRS has not evaluated and justified its SharePoint approach as a long-term solution within the Department of the Treasury's shared services strategy. As a result, the IRS may be incurring duplicate operational costs; operating in a less secure environment; and, in the event of a disruption, functioning in an environment in which SharePoint is not defined as a mission-critical system. The SharePoint Program Management Office allocated $5 million for operations and maintenance of the Fiscal Year 2016 IRS SharePoint program. However, sufficient cost information for SharePoint expenses across the IRS enterprise was not available to verify possible duplicate expenditures or potential net savings related to transitioning to the Treasury Enterprise Content Management environment.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the Chief Information Officer ensure that SharePoint sites are routinely scanned for sensitive data; privacy assessments are completed; a security assessment is completed for the SharePoint product, sites, and data; IRS business commissioners ensure that SharePoint site collection audit trails are enabled, quarterly security reviews are performed, access permissions are efficiently managed, and security policies are enforced; a contingency plan and a Business Impact Analysis are finalized; and a feasibility analysis of using the Treasury Enterprise Content Management environment is completed.

IRS management agreed with five of our 10 recommendations and partially agreed with the other five recommendations primarily because business unit commissioners have a shared responsibility for implementing SharePoint controls. The IRS has taken or plans to take corrective actions, including scanning sites for sensitive data, ensuring that privacy assessments are completed, ensuring that security controls are documented, issuing a memorandum to business unit commissioners on SharePoint responsibilities, and conducting a feasibility analysis.

Management's complete response to the draft report is included as Appendix VI.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. If you have any questions, please contact me or Danny R. Verneuille, Acting Assistant Inspector General for Audit (Security and Information Technology Services).

                           Table of Contents

Internal Revenue Service (IRS) business units rely on the SharePoint platform primarily for collaboration, document management, records management, and enterprise content management. Figure 1 presents the IRS Information Technology (IT)² organization's Enterprise Operations (EOps) SharePoint capabilities and services.

 

Figure 1: IRS SharePoint Capabilities and Services

 

 

 

The cornerstone of IRS SharePoint governance is the SharePoint Governance Board, which provides guiding principles for current and future direction. The SharePoint Governance Board includes business unit and Cybersecurity organization executives and other IRS IT organization stakeholders. The chair is the Director, EOps, Enterprise Technology Implementation. The SharePoint Governance Board coordinates with the existing EOps governance structures and escalates issues to the EOps Infrastructure Executive Steering Committee for dispute resolution. The SharePoint Customer Advisory Board and the SharePoint Users Group support the SharePoint Governance Board as depicted in Figure 2.

 

Figure 2: SharePoint Governance Structure

 

 

 

The EOps SharePoint Program Management Office provides operational oversight and governance of the SharePoint platform including infrastructure, support, and management. In addition, the SharePoint Program Management Office establishes management, technical, and operational standards; reviews policy impact on the use of SharePoint; recommends training; and supports configuration and customization of site solutions deployed on the SharePoint platform. The SharePoint Team maintains these practices and procedures on its SharePoint Central website, which is accessible to SharePoint users.

SharePoint site ownership is the responsibility of site collection owners within IRS business units. The site collection owners operate, manage, and maintain their SharePoint sites and are responsible for day-to-day site management, support, and compliance for user access, user permissions, content management, and audit trail management. End users within the business units are expected to work directly with their respective site collection owners to resolve questions and issues. Additionally, the SharePoint Program Management Office may require the site collection owners to participate in resolving support tickets.

The related mission of the Privacy, Government Liaison, and Disclosure (PGLD) Office is to preserve and enhance public confidence by advocating for the protection and proper use of identity information. Personally Identifiable Information (PII) and Sensitive But Unclassified (SBU) data can be stored within SharePoint, but special precautions must be taken, including having a Privacy and Civil Liberties Impact Assessment (PCLIA) approved by the PGLD Office. The PGLD Office has made available a SharePoint PCLIA template and corresponding policy to facilitate compliance. If PII or SBU content will be stored within a SharePoint site collection, the site collection should have an approved PCLIA before the owner or administrator submits the SharePoint site creation request to the SharePoint Program Management Office.

This review was performed at the New Carrollton Federal Building in Lanham, Maryland, in the SharePoint Program Management Office during the period February through September 2015. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

The IRS has not yet evaluated and justified its SharePoint strategy as a long-term solution within the Department of the Treasury's shared services strategy. For instance, IRS IT officials did not perform an assessment to determine whether using the Treasury Department's Enterprise Content Management environment for its SharePoint operations would be more effective or efficient. Our assessment of the IRS decision to not adopt the Treasury Department's shared service solution for SharePoint indicates that, by developing and maintaining its own SharePoint solution, the IRS may be incurring duplicate operational costs; operating in a less secure environment; and, in the event of a disruption, functioning in an environment in which SharePoint is not defined as a mission-critical system.

Improved Risk Management Across the SharePoint Environment Is Needed to Ensure That Effective Controls Protect Sensitive Sites and Data

IRS business units are increasingly relying on SharePoint sites for business processes and operations. At the time of our review, the SharePoint Program Management Office had completed its upgrade of Microsoft SharePoint 2003/2007 to SharePoint 2010. In April 2015, the IRS had approximately 16,218 SharePoint sites, 1,105 SharePoint site collections, 90,000 internal SharePoint users, 35 SharePoint licenses, and 91 primary SharePoint servers (27 for production, 14 for development, 13 for tests, 23 for disaster recovery, and 14 for utilities).

A SharePoint site collection is a grouping of one or more related SharePoint sites. Each site can contain subsites. Thus, a SharePoint site collection is a hierarchy of sites and subsites, as depicted in Figure 3.

 

Figure 3: Relationship of the SharePoint Platform to SharePoint

 

Site Collections and SharePoint Sites

 

 

 

IRS internal SharePoint users use the SharePoint sites for multiple purposes, including storing and sharing PII and SBU data. Examples of PII and SBU data on IRS SharePoint sites include:

• Social Security Numbers

• Names

• Addresses

• Cell phone numbers

• Standard Employee Identifiers

• E-mail addresses

• Passport numbers

• Financial account records

• Criminal records

• Dates of birth

• Employer Identification Numbers

• Operational controls did not ensure that all sites with PII or SBU data were identified and supported by PCLIAs.

• The SA&A process was not completed for the SharePoint 2010 product, sites, and data.

• SharePoint site collection audit trails were not enabled to track user accesses and actions.

• SharePoint site collection owners and administrators were not maintaining approved user lists, performing quarterly reviews of accesses, or efficiently assigning users and permissions to groups.

• SharePoint governance roles and responsibilities did not ensure enterprise adherence to established SharePoint security and content management policies.

• An Information Technology Contingency Plan, including a Business Impact Analysis, was not in place to ensure the availability of SharePoint operations.

The IRS has established policies and procedures that are intended to ensure that a privacy risk management process is documented and implemented to assess the privacy risk to individuals that results from the collection, sharing, storing, transmitting, use, and disposal of PII or SBU data. A PCLIA must be conducted for information systems, programs, or other activities that pose a privacy risk.

In February 2013, the Treasury Inspector General for Tax Administration (TIGTA) reported on the effectiveness of the PCLIA process and stated that, "The IRS does not have adequate assurance that it is complying with the privacy provisions set forth by the Office of Management and Budget because PII could be stored on SharePoint sites for which a PCLIA has not been conducted."³ In response to the report recommendations, the PGLD Office issued an interim guidance memorandum to IRS business unit executives on September 13, 2013, stating that the following actions were effective immediately:

• Internal collaborative application sites, e.g., SharePoint, containing PII require a PCLIA at the site collection level.

• New SharePoint site collections with PII cannot be created without an approved PCLIA.

• Existing SharePoint site collections that transitioned to SharePoint 2010 and have PII are required to go through a SharePoint recertification.

• The PGLD Office of Privacy Compliance will monitor SharePoint site collections to ensure compliance with this policy and the use of PII as stated in the site collection's PCLIA.

The PGLD Office has a three-year cycle for SharePoint recertification for sites that are identified as containing PII or SBU data. However, the EOps SharePoint Program Management Office recognizes that some of the existing SharePoint 2003/2007 sites that transitioned to SharePoint 2010 may not have gone through a SharePoint recertification and thus may be deployed without an approved PCLIA.

From the population of 1,303 IRS SharePoint sites created after September 13, 2014, we selected a judgmental sample⁷ of 16 sites. A year earlier, on September 13, 2013, PGLD interim guidance stated that the Internal Revenue Manual (IRM) would be updated with privacy guidelines by September 13, 2014. We selected the sample after this date to allow PGLD officials a year to incorporate the privacy controls into the IRM. However, after selecting our sample, PGLD officials subsequently issued updated guidance stating that the IRM would not be updated until August 28, 2017. We selected a judgmental sample because our review was to evaluate whether controls were in place and working. We selected sample sites based on whether the site names indicated the potential for the presence of taxpayer information. Figure 4 provides the number of SharePoint sites sampled by business unit.

     Figure 4: Number of SharePoint Sites Sampled Per Business Unit

Our review also noted that the IRS has not implemented a tool to automatically search its SharePoint websites and identify all sites containing PII and SBU data. In July 2010, the SharePoint Program Management Office began evaluating an automated tool for consideration within the IRS SharePoint environment. The tool's vendor states that the software product adds a layer of security at the content level to enforce data and web governance policies and improve collaboration while minimizing risk on a wide range of digital environments including SharePoint. However, the automated tool has not performed well during testing within the IRS SharePoint environment. The EOps SharePoint Program Management Office noted that there were multiple areas of concern with the tool, and the application of software patches did not resolve the problems. The tool's vendor is working with the IRS to attempt to address identified issues. In order to address the concerns, the SharePoint Program Management Office has begun considering an alternate tool.

Taking steps to adopt and fully implement an automated tool to periodically scan the IRS SharePoint site environment could help to better ensure that SharePoint site collections containing PII or SBU data have approved PCLIAs. When PCLIAs are not obtained, it increases the risk that confidential and sensitive information could be published on IRS SharePoint sites without the appropriate security access controls.

The SA&A process was not completed for the SharePoint 2010 product, sites, and data

The IRS requires that any implementation of a collaborative technology, such as SharePoint, is based on an assessment of risk with mitigation and assumption of risk by the appropriate authorizing official.⁸ The risk assessment, performed as part of an SA&A, tests and evaluates the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. Additional requirements of the security assessment include:

• Security Categorization -- Federal Information Processing Standards Publication 199⁹ requires the IRS to categorize information and information systems. The security categorization results and the supporting rationale should be documented in the security plan for the information system, and the security categorization decision must be reviewed and approved by the authorizing official. The security categories describe the potential adverse impacts to organizational operations, assets, and individuals if organizational information systems are compromised through a loss of confidentiality, integrity, or availability.

• System Security Plan -- A formal document that provides an overview of the security requirements for an information system and describes the security controls in place or planned for meeting those requirements.

• Security Control Assessment -- The actual testing or evaluation of the security controls in an information system.

Cybersecurity officials stated that the SA&A was not completed because the related IRM is inaccurate. The IRM states: "The IRS has made a risk-based decision determining that internal collaborative application sites (e.g., SharePoint, Centra) established and configured for basic file sharing and team collaboration will not require a security authorization." When TIGTA requested documentation of the risk-based decision, IRS security personnel provided the following response: "The reference in IRM 10.8.1 to a risk-based decision is inaccurate, and the language was inadvertently changed in the name of consistency. It should be noted that in IRM 10.8.1, we are trying to convey that the SharePoint technology, used for basic file sharing and collaboration, is an exception to the SA&A process."

In the absence of an SA&A on the SharePoint 2010 product, sites, and data, PII and SBU data may not be protected from unauthorized disclosure and inappropriate use. IRM 10.8.1 states that continuous monitoring and security assessments are interrelated. Information obtained during continuous monitoring and security assessments is used when making authorization decisions. According to NIST Special Publication 800-37,¹⁰ a critical aspect of managing risk to information involves the continuous monitoring of the security controls employed within or inherited by the system. The objective of continuous monitoring is to determine if the set of deployed security controls continue to be effective over time in light of the changes that occur. Continuous monitoring is a proven technique to address the security impacts on an information system resulting from changes to the hardware, software, firmware, or operational environment. A complete SA&A, including a risk assessment for SharePoint, would detail the security posture of important technical security controls such as access controls, identification and authentication, system and communications protection, and audit and accountability.

SharePoint site collection audit trails were not enabled to track user accesses and actions

Audit trails maintain a record of system activity, both by system and application processes and by user activity on systems and applications. In conjunction with appropriate tools and procedures, audit trails can assist in detecting security violations, performance problems, and flaws in applications. IRS security standards state that the IRS shall create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity. Audit trails for all IRS systems and applications shall capture, at a minimum, the following data for each auditable event:

• The date and time the event occurred.

• The unique identifier of the user or application initiating the event.

• The type of event.

• The subject of the event and the action taken on that subject.

• The success or failure of the event.

• Who is accessing the system and when?

• What sites are viewed?

• What files are viewed, modified, deleted, or checked out?

• What type of content is stored in the system?

SharePoint site collection owners and administrators were not maintaining approved user lists, performing quarterly reviews of accesses, or efficiently assigning users and permissions to groups

Within the scope of our review, we reviewed user and permission management for the SharePoint site collections, sites, and subsites. The relevant IRM states that site administrators must maintain an approved users list and perform quarterly reviews of accesses to ensure that only authorized users with a business need have access to the collaborative sites necessary to perform their job responsibilities.

We interviewed the site owners and administrators for the 16 sampled SharePoint sites to determine whether quarterly reviews of user accounts and permissions were performed. Our tests found that site owners and administrators for only two of the 16 sample sites were performing quarterly reviews. If quarterly reviews of accesses are not performed, it increases the risk that sensitive data in SharePoint sites could be subject to manipulation by unauthorized users.

The IRM states that site owners of internal collaborative sites shall decide what the users can do when accessing the collaborative sites by granting appropriate access. For efficiency of maintaining user permissions for a large user base, the SharePoint Site Owner's Guide cites the best practice of assigning users and permissions to groups. "When assigning permissions within SharePoint, it is recommended to grant access via groups. Assigning permissions to individual users is not recommended and can lead to problems managing access." Our sample tests found that six of the 16 SharePoint site collection owners were assigning permissions to individual users instead of assigning permissions to groups. While site owners and administrators were aware of the IRS guidance, they were not following the recommended practice of granting access to groups. Consistently assigning users and permissions to groups would help the IRS support manageability and allow site owners to efficiently review and maintain permissions across approximately 1,105 SharePoint site collections. Figure 5 summarizes the results of our testing of SharePoint sample sites, which shows whether quarterly reviews were performed and whether permissions were appropriately assigned to groups.

       Figure 5: SharePoint Site Owners and Administrators Shared

The SharePoint 2010 product includes features that enable site owners to collect, report, and analyze the usage and effectiveness of their sites. Best practices for SharePoint deployment and governance published by ISACA® state that SharePoint implementations should be subject to regular monitoring and reporting based on criticality and sensitivity of data and adherence to management oversight requirements.¹¹ In addition, the IRS SharePoint Site Owner's Guide requires SharePoint site collection owners to monitor sites and ensure that the sites conform to acceptable practices. Site owners are encouraged to actively monitor their sites not only to identify and stop undesirable behavior and policy compliance issues but also to learn and understand how users are interacting with the sites.

Our review of the established SharePoint governance structure and the underlying roles and responsibilities found that existing governance does not require regular monitoring and oversight of the approximately 1,105 SharePoint site collection owners and administrators. Monitoring and oversight is necessary to ensure that site collection owners and administrators are effectively complying with SharePoint security and content management policies and procedures. Our review of SharePoint site collection audit trails, quarterly reviews, and permissions management showed inconsistent enforcement of the governance policies and procedures. As a result, the IRS has little assurance that the approximately 16,218 SharePoint sites are secure, contain only authorized content, and are operating in accordance with established SharePoint enterprise policies and procedures.

An Information Technology Contingency Plan, including a Business Impact Analysis, was not in place to ensure the availability of SharePoint operations

The IRM states that the IRS shall develop a contingency plan for each information system that identifies essential mission and business functions.¹² The contingency plan should describe how these functions would be maintained in the event of a system disruption, compromise, or computing failure. The plan must also address full system restoration without deterioration of the security safeguards originally in the system.

The IRS SharePoint Information Technology Contingency Plan should identify the criticality of the SharePoint 2010 product, the SharePoint sites, and related data. EOps officials explained that they did not consider SharePoint as mission-critical because it does not process the production workload related to tax-processing applications. However, IRS officials in the Taxpayer Advocate Service advised us that they had key program functions residing in the IRS SharePoint environment. If IRS SharePoint operations were to fail, it could create serious issues for the Taxpayer Advocate Service program by not being considered mission-critical because would not be restored immediately. If there were a disaster that affected the computing operations, only mission-critical systems would have Service Level Agreements in place that would assure funding for immediate restoration of the system.

A key component of the Information Technology Contingency Plan is a Business Impact Analysis, which is used to determine recovery priorities in the event of a significant disruption to SharePoint computing resources. Because the IRS wanted the Information Technology Contingency Plan to reflect its current disaster recovery technology, in February 2015, the SharePoint Program Management Office paused its work on the SharePoint 2010 Information Technology Contingency Plan while it began to design and implement a warm disaster recovery capability.¹³ Without an approved plan and a related Business Impact Analysis to determine the criticality of business processes, analyze resource requirements, and identify recovery priorities, the IRS may not timely recover the SharePoint environment and restore services if a disruption to IRS computing resources occurs.

Recommendations

The Chief Information Officer should:

Recommendation 1: Ensure that an automated tool is identified, deployed, and routinely executed to identify SharePoint sites containing PII or SBU data.

The IRS Enterprise Life Cycle¹⁴ recognizes that governance is a critical component of the software development framework. The primary objective of IRS governance is to ensure that assigned investment, program, and project objectives are met; risks are managed appropriately; and enterprise expenditures are fiscally sound. The governance process applies to all information technology assets, including information technology and security projects, programs, systems, and components. Each IRS governance board is required to ensure adherence to the Enterprise Life Cycle methodology and framework principles and IRS security requirements.

The Enterprise Life Cycle is a software development framework used by IRS projects to ensure consistency and compliance with Government and industry best practices. The Enterprise Life Cycle framework is the workflow that projects follow to move an information technology solution from concept to production while making sure that the projects comply with IRS guidelines and are compatible with the overall goals of the IRS. The Enterprise Life Cycle also states that projects which are part of the current production environment may undergo a combination of maintenance and new development. The classification of these projects, new development or maintenance, depends on the extent of the changes to the solution. In addition, the Enterprise Life Cycle requires that business cases should include a well-reasoned argument to convince the stakeholders of the benefits of an information technology investment while educating them about the changes, costs, and risks that will be part of the effort.

The IRM requires that an SA&A be performed on IRS systems and applications as part of the security authorization process.¹⁵ The SA&A includes a System Security Plan that identifies and evaluates the status of security controls and a Security Control Assessment that tests the security controls. The IRM further requires that the implementation of collaborative technology and systems, such as SharePoint, be based on an assessment of risk with mitigation and assumption of risk by the appropriate authorizing official.

In May 2010, the Treasury Department's Assistant Secretary for Management and Chief Financial Officer issued a policy memorandum to bureau and departmental office heads announcing that the Treasury Department is focused on increasing the efficiencies of departmental operations and will soon begin leveraging the Enterprise Content Management program to provide the strategy, management discipline, architectural framework, and technology to meet this goal. Enterprise Content Management is a set of web-based tools to electronically capture, store, search, analyze, collaborate, share, and manage documents. At its core, Enterprise Content Management uses SharePoint, which is an online platform for inter-office collaboration and centralization. In May 2010, all Treasury Department offices were required to be governed by the Enterprise Content Management Executive Steering Committee for information technology systems and services associated with the Freedom of Information Act; eDiscovery; correspondence tracking; collaborative document review; evidence management; case management; and paper reduction through digitization, accessibility, and storage of information in a centralized records repository.

In June 2011, the Treasury Department's Deputy Assistant Secretary and Chief Information Officer issued a memorandum to all Treasury Department bureaus mandating the establishment of two-way trust between each bureau and the Treasury Enterprise Content Management environment by July 29, 2011. According to the Treasury Department's Fiscal Year 2014 Interagency Agreement with the IRS, the Shared Services Division within the Treasury Department provides shared services on a centralized basis, where they can be administered more advantageously and economically. The Treasury Department's Enterprise Content Management environment was initially developed with department-wide systems and capital investment program funds. The environment was developed with the understanding that ongoing operations and maintenance costs would be shared by Treasury Department bureaus. Interagency agreements exist between the Treasury Department and its bureaus by which each bureau pays shared costs for about 20 shared services, such as Clearance Tracker for documents needing the signature of the Secretary of the Treasury, Apportionment Tracker for budgeting, and the Treasury Federal Information Security Modernization Act¹⁶ System. The amount of the shared cost is based on usage and the number of bureau full-time equivalents.

From Fiscal Year 2013 to Fiscal Year 2015, the IRS paid the Treasury Department approximately $7.9 million for the use of the Treasury Enterprise Content Management environment. IRS payments were made using IRS funds in the Treasury Franchise Fund as part of the Enterprise Content Management Program. During the same period, IRS IT officials expended approximately $15 million to operate and maintain the IRS SharePoint environment.¹⁷ For Fiscal Year 2016, Treasury Enterprise Content Management officials estimated that the IRS mandatory annual payment would be $3.6 million, while IRS IT officials estimated it would spend $5 million to operate and maintain the IRS SharePoint environment.¹⁸

Following the June 2011 Treasury Department mandate, IRS IT management officials did not fully comply with the Enterprise Life Cycle and information technology security IRM requirements. In particular, IRS IT management officials did not: 1) perform an SA&A of the IRS SharePoint product, sites, and data to identify and evaluate the security controls; 2) complete an assessment to identify risks and mitigation actions; and 3) conduct a feasibility analysis regarding use of the Treasury Enterprise Content Management environment, including an assessment of costs and benefits. While key events are included in the body of the report, Appendix IV provides a timeline and supporting details of events for the Treasury Enterprise Content Management and the IRS SharePoint environments.

The Treasury SharePoint application is categorized as mission-critical and, as such, funding to support the immediate restoration of SharePoint services if there were a disaster would be made available. In contrast, since the IRS SharePoint solution is not considered mission-critical, funding has not been secured to support the immediate restoration of SharePoint if needed. In 2014, the IRS Taxpayer Advocate Service sought approval to move its SharePoint sites and data to the Treasury Enterprise Content Management environment. The request, based on a need to approach SharePoint as a mission-critical platform, addressed the Taxpayer Advocate Service's concerns about lack of funding for the IRS's SharePoint environment. However, the IRS Chief Information Officer did not approve this request and subsequently directed that all IRS business units residing on the Enterprise Content Management environment return to the IRS SharePoint environment. According to the December 15, 2014, SharePoint Governance Board minutes, the Chief Information Officer expressed concerns regarding network security, safeguarding of taxpayer data, and compliance with IRS policies. During the review, we shared our assessment with IRS SharePoint and Cybersecurity officials regarding the need to identify and document specific security concerns or other reasons for the decision to prevent IRS business units from using the Treasury Enterprise Content Management environment.

Our assessment of the IRS's decision to not adopt the Treasury Department's shared service solution indicates that, by developing and maintaining its own SharePoint solution, the IRS may be incurring duplicate operational costs; operating in a less secure environment; and, in the event of a disruption, functioning in an environment in which SharePoint is not defined as a mission-critical system. Further, we found that the IRS solution did not provide a comparable level of operational capabilities related to security and disaster recovery as shown below. Figure 6 provides an overview of the size, security, and mission-critical attributes of the Treasury Enterprise Content Management solution verses the IRS SharePoint environment.

      Figure 6: Key Attributes of the Treasury Enterprise Content

Recommendations

The Chief Information Officer should:

Recommendation 9: Ensure that a feasibility analysis is conducted regarding use of the Treasury Enterprise Content Management environment, including an assessment of functionality, security, risks, costs, and benefits.

² As of July 7, 2016, the IRS IT organization is now led by the Chief Information Officer instead of the Chief Technology Officer. Where possible, all references to the Chief Technology Officer have been revised to the Chief Information Officer.

³ TIGTA, Ref. No. 2013-20-023, Improvements Are Needed to Ensure the Effectiveness of the Privacy Impact Assessment Process p. 7 (Feb. 2013).

⁴ IRS EOps organization, SharePoint Site Owner's Guide (Feb. 2015).

⁵ NIST, Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations (Apr. 2013).

⁶ Internal Revenue Manual 10.8.1, Information Technology Security, Policy, and Guidance (July 2015). Freedom of Information Act, Pub. L. 104-231, 5 U.S.C. 552.

⁷ A judgmental sample is a nonprobability sample, the results of which cannot be projected to the population.

⁸ IRM 10.8.1, Information Technology Security, Policy, and Guidance (July 2015).

⁹ NIST, Federal Information Processing Standards Publication 199, Standards for Security Categorization of Federal Information and Information Systems (Feb. 2004).

¹⁰ NIST, Special Publication 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (Feb. 2010).

¹¹ SharePoint Deployment and Governance Using CobiT 4.1: A Practical Approach (2010).

¹² IRM 10.8.1, Information Technology Security, Policy, and Guidance (July 2015).

¹³ Warm sites are partially equipped office spaces that contain some or all of the system hardware, software, telecommunications, and power sources.

¹⁴ IRM 2.16.1.1, Enterprise Life Cycle Guidance (May 2014).

¹⁵ IRM 10.8.1, Information Technology Security, Policy, and Guidance (July 2015).

¹⁶ Federal Information Security Modernization Act of 2014, Pub. L. No. 113-283, 128 Stat. 3073.

¹⁷ Our analysis did not include the costs incurred by IRS business units for administering SharePoint sites.

¹⁸ The dollar amounts were provided by the SharePoint Program Management Office and the Treasury Enterprise Content Management Office, and the auditors did not verify the completeness or accuracy of the data provided.

I. Determined whether IRS SharePoint operations include a sufficient governance structure to guide necessary policies and procedures for administrators and owners with day-to-day operations of the SharePoint environment.

Internal controls methodology

Internal controls relate to management's plans, methods, and procedures used to meet their mission, goals, and objectives. Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations. They include the systems for measuring, reporting, and monitoring program performance. We determined that the following internal controls were relevant to our audit objective: the SharePoint governance structure and decisions, including SharePoint operational policies and procedures; implementation of adequate security and privacy risk mitigation practices; and the SharePoint Information Technology Contingency Plan. We evaluated these controls by conducting interviews with management, reviewing and analyzing evidence of compliance with SharePoint guidelines, determining if management followed required security guidelines when developing and deploying the SharePoint environment, and selecting and testing a judgmental sample of SharePoint sites' security controls.

² TIGTA, Ref. No. 2013-20-023, Improvements Are Needed to Ensure the Effectiveness of the Privacy Impact Assessment Process p. 7 (Feb. 2013).

³ IRM 10.8.1, Information Technology Security, Policy, and Guidance (July 2015).

⁴ NIST, Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations (Apr. 2013).

⁵ NIST, Federal Information Processing Standards Publication 199, Standards for Security Categorization of Federal Information and Information Systems (Feb. 2004).

⁶ This is the date that the Privacy Office guidance regarding controls over the development of PCLIAs was to be incorporated into IRM 10.5.1, Privacy, Information Protection, and Data Security.

⁷ A judgmental sample is a nonprobability sample, the results of which cannot be projected to the population.

Gwendolyn A. McGowan, Director

Carol L. Taylor, Audit Manager

Wallace C. Sims, Lead Auditor

Mildred Rita Woody, Senior Auditor

Felicia A. Heard, Information Technology Specialist

Office of the Commissioner -- Attn: Chief of Staff

Deputy Commissioner for Operations Support

Deputy Commissioner for Services and Enforcement

National Taxpayer Advocate

Commissioner, Large Business and International Division

Commissioner, Small Business/Self-Employed Division

Commissioner, Tax Exempt and Government Entities Division

Commissioner, Wage and Investment Division

Associate Chief Information Officer, Cybersecurity

Associate Chief Information Officer, Enterprise Operations

Associate Chief Information Officer, Strategy and Planning

Director, Office of Audit Coordination

Maintains a record of system activity, both by system and application processes and by user activity on systems and applications. In conjunction with appropriate tools and procedures, audit trails can assist in detecting security violations, performance problems, and flaws in applications.

Availability

Ensuring timely and reliable access to and use of information.

Best Practice

A technique or methodology that, through experience and research, has proven to reliably lead to a desired result.

Business Impact Analysis

An analysis of an information system's requirements, functions, and interdependencies used to characterize system contingency requirements and priorities in the event of a significant disruption.

Commercial Off-the-Shelf

Prepackaged, vendor-supplied software that will be used with little or no modification to provide all or part of the solution.

Confidentiality

Preserving authorized restrictions on information access and disclosure, including a means for protecting personal privacy and proprietary information.

Enterprise Life Cycle

Establishes a set of repeatable processes and a system of reviews, checkpoints, and milestones that reduce the risks of system development and ensure alignment with the overall business strategy.

Federal Information Processing Standards 199

Standards for categorizing information and information systems; establishes security categories for both information and information systems. The security categories are based on the potential impact on an organization should certain events occur that jeopardize the information and information systems.

Information System Contingency Plan

Management policy and procedures designed to maintain or restore business operations, including computer operations, possibly at an alternate location, in the event of emergencies, system failures, or disasters.

Integrity

Guarding against improper information modification or destruction; includes ensuring information nonrepudiation and authenticity.

Personally Identifiable Information

Any information about an individual maintained by an agency, including any information that can be used to distinguish or trace an individual's identity, such as name, Social Security Number, date and place of birth, and mother's maiden name.

Privacy and Civil Liberties Impact Assessment

An analysis of how information in an identifiable form is collected, stored, protected, shared, and managed. The process also provides a means to assure compliance with all applicable laws and regulations governing taxpayer and employee privacy.

Production Environment

The location where the real-time staging of programs that run an organization are executed; this includes the personnel, processes, data, hardware, and software needed to perform day-to-day operations.

Risk Assessment

The process of identifying, estimating, and prioritizing risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation of an information system.

Security Categorization

The process of determining the security category for information or an information system. Security categorization methodologies are described in Federal Information Processing Standards 199 for non-national security systems.

Security Controls

The management, operational, and technical controls (prescribed for an information system) to protect the confidentiality, integrity, and availability of the system and its information.

Sensitive But Unclassified

Refers to any information that, if lost, stolen, misused, or accessed or altered without proper authorization, may adversely affect the national interest, the conduct of Federal programs (including IRS operations), or the privacy to which individuals are entitled under the Freedom of Information Act (5 U.S.C. 552).

Site Collections

A site collection is a logical container for grouping sites and allows hierarchical arrangement of sites within it. A site collection has exactly one default top-level site and may have many subsites. By default, all sites of a site collection share navigation, security, permissions, templates, and content types.

Sites

A site allows the IRS to organize and store all content in SharePoint; the content can be lists, libraries (document, picture, report, and form), web pages, or sites. Further, a site can have subsites in its hierarchy.

Standard Employee Identifier

The standard identifier for any user of an IRS system. A randomly generated five-character designation.

System Security Plan

Formal document that provides an overview of the security requirements for an information system and describes the security controls in place or planned for meeting those requirements.

Taxpayer Advocate Service

An independent organization within the IRS to help taxpayers resolve problems with the IRS and recommend changes that will prevent the problems.

Technical Controls

Security controls for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of a system.

Web Application

In the SharePoint hierarchy, a web application is the top tier. It is an Internet Information Services website that is specifically configured to run as a SharePoint site and contains at least one or more site collections.

We have made significant advances in the governance, alignment of training, policy, security, and service delivery for our SharePoint environment. In addition, the IRS is ahead of schedule in implementing SharePoint infrastructure that will enable us to meet the federal regulations for records management on SharePoint.

The IRS strongly believes in the value of risk assessments, security plans, and a robust governance process. We partially agree with your security and risk recommendation and will ensure SharePoint is identified within the appropriate security authorization boundary and applicable security controls are identified, assessed, and appropriately disposition.

We value the analysis and recommendations your organization provides to improve our IT systems and business processes. If you have any questions, please contact me at (240) 613-9373, or contact Karen Mayr at (202) 368-8396.

RECOMMENDATION 1:

Ensure that an automated tool is identified, deployed, and routinely executed to identify SharePoint sites containing PII or SBU data.

CORRECTIVE ACTION #1:

The IRS agrees with this recommendation. We ensured that an automated tool was identified, deployed, and executed to identify Share Point sites containing PII or SBU data.

IMPLEMENTATION DATE #1:

Closed on June 1, 2016.

RESPONSIBLE OFFICIAL #1:

Associate Chief Information Officer Enterprise Operations

CORRECTIVE ACTION MONITORING PLAN #1:

N/A

RECOMMENDATION 2:

Ensure that SharePoint site collections containing Personally Identifiable Information (PII) or Sensitive but Unclassified (SBU) data have approved Privacy & Civil Liberties Impact Assessment (PCLIA).

CORRECTIVE ACTION #2:

The IRS agrees with this recommendation. We will ensure that SharePoint site collections containing Personally Identifiable Information (PII) or Sensitive but Unclassified (SBU) data have approved Privacy & Civil Liberties Impact Assessment (PCLIA).

IMPLEMENTATION DATE #2:

April 15, 2017.

RESPONSIBLE OFFICIAL #2:

Associate Chief Information Officer Enterprise Operations

CORRECTIVE ACTION MONITORING PLAN #2:

We enter accepted Corrective Actions into the Joint Audit Management Enterprise System (JAMES) and monitor them on a monthly basis until completion.

RECOMMENDATION #3:

Ensure that a Security Assessment and Authorization (SA&A) considers the SharePoint product. sites, and data within the appropriate authorization boundary and assesses key security controls.

CORRECTIVE ACTION #3:

The IRS partially agrees with this recommendation. The IRS will ensure the SharePoint product is clearly identified and applicable security controls are documented within the authorization boundary in which it resides.

IMPLEMENTATION DATE #3:

April 15, 2017.

RESPONSIBLE OFFICIAL #3:

Associate Chief Information Officer Cybersecurity

CORRECTIVE ACTION MONITORING PLAN #3:

We enter accepted Corrective Actions into the Joint Audit Management Enterprise System (JAMES) and monitor them on a monthly basis until completion.

RECOMMENDATION 4:

Coordinate with the respective business unit commissioners to ensure that the SharePoint site collection owners and administrators enable audit trails of key user activities on their sites and that they review audit trails on a regular basis.

CORRECTIVE ACTION #4:

IRS partially agrees with the recommendation. We will ensure that audit trails are enabled to capture all key user activities on all SharePoint sites. We will also issue a memo to all business unit commissioners to remind them of the IRM requirement that site collection owners and administrators review audit trails on a regular basis.

IMPLEMENTATION DATE #4:

June 15, 2017.

RESPONSIBLE OFFICIAL #4:

Associate Chief Information Officer Enterprise Operations

CORRECTIVE ACTION MONITORING PLAN #4:

We enter accepted Corrective Actions into the Joint Audit Management Enterprise System (JAMES) and monitor them on a monthly basis until completion.

RECOMMENDATION 5:

Coordinate with the respective business commissioners to ensure that SharePoint site owners and administrators perform quarterly reviews of users' accesses in order to ensure that only authorized users with a business need have access to perform their assigned responsibilities.

CORRECTIVE ACTION #5:

The IRS partially agrees with the recommendation. We will issue a memo to all business commissioners to remind them of the IRM requirement that SharePoint site owners and administrators perform quarterly reviews of users' accesses so only authorized users with a business need have access to perform their assigned responsibilities.

IMPLEMENTATION DATE #5:

June 15, 2017.

RESPONSIBLE OFFICIAL #5:

Associate Chief Information Officer Enterprise Operations

CORRECTIVE ACTION MONITORING PLAN #5:

We enter accepted Corrective Actions into the Joint Audit Management Enterprise System (JAMES) and monitor them on a monthly basis until completion.

RECOMMENDATION 6:

Coordinate with the respective business unit commissioners to ensure that the SharePoint site owners and administrators efficiently manage user permissions by consistently assigning users and appropriate permissions to groups.

CORRECTIVE ACTION #6:

The IRS partially agrees with the recommendation. We will ensure training is available for SharePoint site owners and administrators on efficient management of user permissions. We will also provide information on best practices for efficient management of user permissions to SharePoint site owners and administrators so they can consistently and appropriately assign user permissions.

IMPLEMENTATION DATE #6:

June 15, 2017.

RESPONSIBLE OFFICIAL #6:

Associate Chief Information Officer Enterprise Operations

CORRECTIVE ACTION MONITORING PLAN #6:

We enter accepted Corrective Actions into the Joint Audit Management Enterprise System (JAMES) and monitor them on a monthly basis until completion.

RECOMMENDATION #7:

Coordinate with the respective business commissioners to ensure that the SharePoint governance structure is enhanced to provide enterprise adherence to SharePoint security and content management policies.

CORRECTIVE ACTION #7:

The IRS agrees with this recommendation. We will ensure coordination with the respective business commissioners SharePoint Governance Board representatives so the SharePoint governance structure, where needed, is enhanced to provide enterprise adherence to SharePoint security and content management policies.

IMPLEMENTATION DATE #7:

June 15, 2017.

RESPONSIBLE OFFICIAL #7:

Associate Chief Information Officer Enterprise Operations

CORRECTIVE ACTION MONITORING PLAN #7:

We enter accepted Corrective Actions into the Joint Audit Management Enterprise System (JAMES) and monitor them on a monthly basis until completion.

RECOMMENDATION #8:

Ensure that the Draft Share Point Information Technology Contingency Plan, including a Business Impact Analysis, are finalized and approved by management.

CORRECTIVE ACTION #8:

The IRS agrees with this recommendation. The draft SharePoint Information Technology Contingency Plan (ITCP) is being updated to relied the current environment and will be submitted for review to finalize the document.

IMPLEMENTATION DATE #8:

May 15, 2017

RESPONSIBLE OFFICIAL #8:

Associate Chief Information Officer Enterprise Operations

CORRECTIVE ACTION MONITORING PLAN #8:

We enter accepted Corrective Actions into the Joint Audit Management Enterprise System (JAMES) and monitor them on a monthly basis until completion.

RECOMMENDATION 9:

Ensure that a feasibility analysis is conducted regarding utilizing the Treasury Enterprise Content Management environment, including an assessment of functionality, security, risks, costs, and benefits.

CORRECTIVE ACTION #9:

The IRS agrees with this recommendation. A feasibility analysis will be conducted regarding utilizing the Treasury Enterprise Content Management environment, including an assessment of functionality, security, risks, costs, and benefits.

IMPLEMENTATION DATE #9:

June 15, 2017

RESPONSIBLE OFFICIAL #9:

Associate Chief Information Officer Enterprise Services

CORRECTIVE ACTION MONITORING PLAN #9:

We enter accepted Corrective Actions into the Joint Audit Management Enterprise System (JAMES) and monitor them on a monthly basis until completion.

RECOMMENDATION 10:

Ensure that the IRS's decision regarding use of the Treasury Enterprise Content Management environment is based on the conclusions of the above feasibility analysis.

CORRECTIVE ACTION #10:

The IRS partially agrees with this recommendation and will include the results of the feasibility analysis, outlined in recommendation #9, as one of the factors in the decision to use the Treasury Enterprise Content Management environment.

IMPLEMENTATION DATE #10:

June 15, 2017

RESPONSIBLE OFFICIAL #10:

Associate Chief Information Officer Enterprise Services

CORRECTIVE ACTION MONITORING PLAN #10:

We enter accepted Corrective Actions into the Joint Audit Management Enterprise System (JAMES) and monitor them on a monthly basis until completion.