Cyber

Treasury watchdog calls on IRS to step up insider threat monitoring

An IG report finds information missing for 67% of systems included in a key threat audit list.

September 28, 2022

The Internal Revenue Service (IRS) building stands on April 15, 2019 in Washington, DC. (Photo by Zach Gibson/Getty Images)

A Treasury watchdog has called on the Internal Revenue Service to improve the scope of its insider threat monitoring capabilities.

In a report published Sept. 21, the Treasury Inspector General for Tax Administration said the IRS chief information officer should work to ensure the agency’s insider threat team has access to all necessary information to carry out its work.

The team that coordinates the IRS’s insider threat response is the User Behavior Analytics Capability (UBAC) team. It is responsible for using agency technology to detect, report and manage risks arising from insider threats.

According to the inspector general’s report, information was missing for 234 of 351, or 67%, of systems included in a key enterprise security audit trails system list.

The omission of systems means they are not subject to user behavior analysis, and therefore may not be monitored for insider threats.

In its report, the watchdog said that the insider threat team has not coordinated with another audit team to ensure all necessary systems are in place and called on the agency CIO to enforce this.

“TIGTA recommended that the Chief Information Officer ensure that the UBAC team coordinates with the Enterprise Security Audit Trails Project Management Office to identify and update the inventory of all systems on a regular basis and subject the systems to user behavior analysis, and the UBAC team implements a process to document feedback from stakeholders on referred incidents,” the watchdog said in its report.

IRS agreed with the IG’s recommendations, and according to the report, its cybersecurity function plans to coordinate with the enterprise security audit trails project management office to establish a review process for auditable systems.

IRS launched its UBAC operations in August 2013 following an earlier executive order directing federal agencies to improve insider threat monitoring and to assign a senior leader responsible for safeguarding classified information held by their department.