Intersection: Sidewalks & Public Space

Chapter by Melissa Ngo

"The Myth of Security Under Camera Surveillance"


    Government Reports Highlight Privacy and Security Problems at Treasury Department

    Two recent government reports have focused on privacy and security problems at the Treasury Department. The department has been criticized before over its privacy and security processes. In a previous post, I discussed the sorry state of computer security in the federal government. The Treasury Department has received an “F” for the last two years in the annual Computer Security Report Card released by the House Committee on Oversight and Government Reform. In September, the Treasury Inspector General for Tax Administration released an audit report (pdf) and (html), “Unauthorized and Insecure Internal Web Servers Are Connected to the Internal Revenue Service Network,” which found security risks at the IRS.

    The Government Accountability Office reviewed the Financial Crimes Enforcement Network (FinCEN), which relies on its own computer systems, those of the IRS, and the Treasury Communications System (TCS) to administer the Bank Secrecy Act. Treasury notes that “TCS is connected to more than 4,500 locations around the nation with approximately 120,000 users operating on a single integrated network.” The GAO assessed whether the “sensitive financial information used by law enforcement agencies to prosecute financial crime, is protected from inappropriate or deliberate misuse, improper disclosure, or destruction.”

    FinCEN, TCS, and IRS have taken important steps in implementing numerous controls to protect the information and systems that support FinCEN’s mission; however, significant information security weaknesses remain in protecting the confidentiality, integrity, and availability of these systems and information. The three organizations implemented many information security controls to protect the information and systems [...] Nonetheless, the organizations had inconsistently applied or not fully implemented controls to prevent, limit, or detect unauthorized access to this information and these systems. For example, the organizations did not always (1) implement user and password management controls for properly identifying and authenticating users, (2) restrict user access to data to only what was required for performing job functions, (3) adequately encrypt data, (4) protect the external and internal boundaries on its systems, and (5) log user activity on databases. Furthermore, weaknesses in which systems were insecurely configured and patches were not applied to critical systems also existed. As a result, sensitive information used by the federal government, financial institutions, and law enforcement agencies to combat money laundering and terrorist financing is at an increased risk of unauthorized use, modification, or disclosure.

    A key reason for many of the weaknesses was that FinCEN and IRS had not fully implemented key information security program activities. For example, FinCEN did not always include detailed implementation guidance in its policies and procedures and adequately test and evaluate information security controls. Furthermore, GAO has previously reported that IRS did not sufficiently verify whether remedial actions were implemented or effective in mitigating vulnerabilities and recommended that it implement a revised remedial action verification process.

    Full report: Government Accountability Office, “Information Security: Further Actions Needed to Address Risks to Bank Secrecy Act Data,” GAO-09-195 (January 2009) (pdf).

    Treasury’s Inspector General found the department has failed to comply with Section 522 of the Transportation, Treasury, Independent Agencies, and General Government Appropriations Act, 2005, Pub. L. No. 108-447, which requires agencies to:

    1. Appoint a Chief Privacy Officer (CPO) to assume primary responsibility for privacy and data protection policy.
    2. Establish privacy and data protection procedures and policies.
    3. Prepare a written report of the use of information in an identifiable form (IIF) and privacy and data protection procedures to be recorded with the Inspector General (IG) to serve as a benchmark for the agency.
    4. Perform an independent, third-party review of the use of IIF.

    Also, there are requirements for the agency’s Inspector General, who must:

    1. Perform a periodic assessment of the implementation of this section.
    2. Report the results to certain congressional committees.

    The Inspector General found that “(1) annual congressional reporting requirements were not met, (2) reporting requirements to the OIG were not met, and (3) policies and procedures required by Section 522 and OMB Memorandum 07-16 were still in draft.” The deadline for agency compliance with Section 522 was December 8, 2005.

    Under (1), “Treasury has not prepared and submitted any annual reports to Congress on activities that affect privacy, including complaints of privacy violations; implementation of Section 552a of Title 5, 11 United States Code; internal controls; and other relevant matters.” Under (2), “Treasury did not record with the OIG a written report on the use of [information in an identifiable form], as well as its privacy and data protection policies and procedures. [...] Furthermore, Treasury does not have a benchmark on its use of IIF, along with privacy and data protection policies and procedures.”

    Under (3):

    Section 522 of the Consolidated Appropriations Act, 2005, issued on December 8, 2004, required agencies to develop policies and procedures for privacy and data protection within one (1) year of the law being signed. In addition, OMB Memorandum 07-16, issued on May 22, 2007, required that policies be developed for the PII breach notifications. OMB Memorandum 07-16 required that these policies and procedures be issued within 120 days after the date of the memorandum, September 22, 2007. To date, Treasury has only finalized Treasury Directive (TD) 25-07 Privacy Impact Assessment, dated August 6, 2008, and TD 25-09 Privacy and Civil Liberties Activities Pursuant to Section 803 of The Implementing Recommendation of the 9/11 Commission Act of 2007, P.L. 110.53, dated September 3, 2008. However, Treasury Directive Publication 25-07 Privacy Impact Assessment Manual and TD 25-08 Personally Identifiable Information (PII) Protection, Breach Response, and Notification are still in draft.

    The Inspector General notes, “Without formal directives and policies related to the collection, use, sharing, disclosure, transfer, and storage of PII in place at the Treasury, [information in an identifiable form] may not be adequately protected.”

    Full report: Inspector General, Treasury Department, “United States Department of the Treasury’s Compliance with Section 522 of the Consolidated Appropriations Act of 2005 (OIG-09-014)” (December 3, 2008) (pdf).
