
[ISN] IRS underestimates IT security weaknesses

Subject: [ISN] IRS underestimates IT security weaknesses
Date: Mon, 24 Jan 2005 03:40:04 -0600 (CST)
http://www.gcn.com/vol1_no1/daily-updates/34887-1.html

By Mary Mosquera 
GCN Staff
01/21/05

The process the IRS has used to track IT program and system security 
weaknesses is flawed and ineffective, the Treasury Inspector General 
for Tax Administration's office said in a report released this week. 
As a result, the IRS provided the Treasury Department and the Office 
of Management and Budget with inaccurate and misleading information 
related to the Federal Information Security Management Act. 

"The system-level (Plans of Action and Milestones) did not accurately 
and completely describe the security weaknesses and milestones, 
understated the number of weaknesses, and overstated progress in 
addressing the weaknesses," said Gordon Milbourn III, Treasury's 
assistant inspector general for audit, in the report. 

The review took place in April and May but auditors took into account 
IRS progress in its next FISMA report dated September. 

IRS prepared near-identical plans for each system, noting broad 
categories of weaknesses instead of specific weak points. The agency 
did not provide detailed actions to correct the problems nor the names 
of the managers responsible for them, according to the report. 

In its most recent action report, IRS listed 319 weaknesses for its 80 
major systems. But those weaknesses only represent management control 
problems, such as lack of certification and accreditation, security 
and tested contingency plans. They do not include operational and 
technical control weaknesses, the report said. 

IRS assumed that if a system had been certified and accredited, most 
noted weaknesses could be closed. "This assumption is not valid since 
certified and accredited systems can still have security weaknesses," 
the IG said. 

IRS has since established a working group of IT modernization and 
business unit executives to figure out how best to manage the process 
for correcting security problems, said Daniel Galik, chief of IRS 
mission assurance and security services. IRS will provide detailed 
corrective actions by line item instead of grouping the actions "to 
ensure there is not a perception of underreporting of corrective 
actions," he said in a written response earlier this month. 

IRS will also team with Treasury to acquire an automated application 
that will standardize and streamline all action plan reporting and 
tracking across the department, he said. Treasury is adapting its 
process for reporting and tracking financial management weaknesses 
through its Joint Audit Management Enterprise System in order to 
synchronize its security reporting. This will create one source for 
tracking corrective actions related to audits by TIGTA and the 
Government Accountability Office, Galik said. 
