An insider threat is defined as an employee or contractor who has authorized access to an organization’s network, systems, or data and could intentionally misuse that access to have a negative effect on information or information systems. The IRS implemented its insider threat capability (renamed the User Behavior Analytics Capability (UBAC)) to detect and mitigate risks to data and systems arising from insider threats.
The overall objective of this audit was to evaluate the effectiveness of the insider threat capabilities and to follow up on the recommendations in TIGTA Report No. 2020-20-043, Substantial Progress Has Been Made in Implementing the Insider Threat Capability, but Improvements Are Needed (Aug. 2020).
The Treasury Inspector General for Tax Administration found that the IRS did not have a complete inventory of systems to monitor for the UBAC. The UBAC list of systems that store or process Federal Tax Information and Personally Identifiable Information is missing 234 (67 percent) of the 351 systems included in the Enterprise Security Audit Trails system list. The systems not included in the UBAC list are not subject to user behavior analysis. While the UBAC team has been developing its analytics and inventory of systems for analysis, it has not coordinated with the Enterprise Security Audit Trails team to ensure that all the correct systems are in place.
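The coverage gap described above is the kind of finding that a recurring reconciliation between the authoritative audit-trail inventory and the list of systems actually fed into user behavior analytics would surface. The following is an added example and not code from the IRS, TIGTA or the UBAC program; the record layout (name plus FTI/PII flags) and the inventories are constructed sample data, and the function names are assumptions. It normalizes identifiers so trivial spelling differences do not hide a match, lists unmonitored systems with sensitive-data systems first, reports entries in the analytics list that no longer map to an inventory system, and computes the coverage percentage the way the report states it.

```python
"""Coverage-gap check between an audit-trail system inventory and the set of
systems fed into user behavior analytics (UBA).

Added example, not IRS or TIGTA code. The record layout and the inventories
below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SystemRecord:
    name: str          # system identifier as it appears in the inventory
    holds_fti: bool    # stores or processes Federal Tax Information
    holds_pii: bool    # stores or processes Personally Identifiable Information


def normalize(name: str) -> str:
    """Canonical key so 'System-A ' and 'system-a' reconcile to one system."""
    return " ".join(name.split()).upper()


def reconcile(audit_trail_inventory, uba_inventory):
    """Compare the authoritative inventory with the UBA-monitored list.

    Returns a dict with:
      missing  - inventory systems with no UBA coverage, sensitive-data first
      orphans  - UBA entries that no longer match any inventory system
      covered  - number of inventory systems that are monitored
      total    - number of inventory systems
      coverage - covered / total as a whole-number percentage
    """
    inv = {normalize(r.name): r for r in audit_trail_inventory}
    uba = {normalize(n) for n in uba_inventory}

    missing = [rec for key, rec in inv.items() if key not in uba]
    # Triage order: systems holding FTI or PII first, then alphabetical.
    missing.sort(key=lambda r: (not (r.holds_fti or r.holds_pii), r.name))

    orphans = sorted(uba - inv.keys())
    covered = len(inv) - len(missing)
    coverage = round(100 * covered / len(inv)) if inv else 100
    return {
        "missing": missing,
        "orphans": orphans,
        "covered": covered,
        "total": len(inv),
        "coverage": coverage,
    }


# Constructed sample inventories (not real IRS systems).
AUDIT_TRAIL_INVENTORY = [
    SystemRecord("System-A", holds_fti=True, holds_pii=True),
    SystemRecord("System-B", holds_fti=False, holds_pii=True),
    SystemRecord("System-C", holds_fti=False, holds_pii=False),
    SystemRecord("System-D", holds_fti=True, holds_pii=False),
    SystemRecord("System-E", holds_fti=False, holds_pii=False),
    SystemRecord("System-F", holds_fti=True, holds_pii=True),
]
# Spelling and whitespace differences are deliberate; "System-G" is stale.
UBA_MONITORED = ["system-a", " System-C ", "System-G"]


def coverage_report(audit_trail_inventory=AUDIT_TRAIL_INVENTORY,
                    uba_inventory=UBA_MONITORED) -> str:
    """Render the reconciliation as the short text an auditor would read."""
    result = reconcile(audit_trail_inventory, uba_inventory)
    lines = [
        f"UBA coverage: {result['covered']} of {result['total']} "
        f"inventory systems ({result['coverage']} percent)",
        "Not subject to user behavior analysis:",
    ]
    for rec in result["missing"]:
        tags = [t for t, on in (("FTI", rec.holds_fti), ("PII", rec.holds_pii)) if on]
        lines.append(f"  - {rec.name} [{', '.join(tags) or 'no sensitive data flagged'}]")
    if result["orphans"]:
        lines.append("Monitored entries with no inventory match: "
                     + ", ".join(result["orphans"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(coverage_report())
```

Running the check on a schedule, with the audit-trail inventory as the source of truth, turns the one-time audit finding into a standing control: any system added to the inventory without a matching analytics feed shows up in the missing list on the next run, and stale entries surface as orphans.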
The UBAC team is experiencing delays in receiving access to systems with information to improve its analytics. For example, the UBAC team requested access to the Human Resources Connect System and is waiting on approval. Data from this system will allow the UBAC team to incorporate 16 risk indicators into the UBAC.
TIGTA determined that UBAC analysts performed appropriate reviews of the incidents of potential insider threats, documented the reviews in the anomaly report, and either escalated the incidents as necessary or closed the incidents if the analysts determined the risks of insider threats were low.
TIGTA reviewed UBAC Anomaly Reports for 229 incidents and found that 109 (48 percent) of the incidents were forwarded to the TIGTA Office of Investigations for review and possible investigation. TIGTA also determined there is no formal process to document feedback from stakeholders on referred incidents. The IRS recorded feedback in anomaly reports for only three (3 percent) of the 109 incidents. Finally, the implemented planned corrective actions generally addressed prior TIGTA recommendations.
TIGTA recommended that the Chief Information Officer ensure that the UBAC team coordinates with the Enterprise Security Audit Trails Project Management Office to identify and update the inventory of all systems on a regular basis and subject those systems to user behavior analysis, and that the UBAC team implements a process to document feedback from stakeholders on referred incidents.
The IRS agreed with all of our recommendations. The Cybersecurity function plans to coordinate with the Enterprise Security Audit Trails Project Management Office to establish a process to access and review the central repository where the inventory of all auditable systems is maintained. In addition, the IRS stated that the primary source of feedback on referred incidents is TIGTA, which provides information to the Human Capital Office. The Cybersecurity function plans to partner with the Human Capital Office to implement a process to receive updates and document feedback, as appropriate.