This audit was performed as part of the Treasury Inspector General for Tax Administration’s strategy to assess the relevance and reliability of the customer satisfaction performance measures relating to the Internal Revenue Service’s (IRS) compliance with the Government Performance and Results Act of 1993 (GPRA). The overall objective of this audit was to evaluate the integrity, confidentiality, and security of the taxpayer data in possession of the vendor and its subcontractors who conduct the surveys used to judge customer satisfaction.

The IRS balanced measurement system measures customer satisfaction, business results, and employee satisfaction. IRS management is using surveys as the measurement of taxpayers’ opinions on service provided. To do this, the IRS contracted with a vendor, at a cost of over $4 million, to survey taxpayers who have had contact with the IRS.

As part of the survey process, the IRS provides sensitive but unclassified Federal Tax Information (FTI), such as taxpayers’ names and addresses, to the vendor. Eight surveys involve FTI data that the vendor receives from the IRS and forwards to one of its subcontractors to generate the survey samples. In Calendar Year 1999, the vendor received slightly less than 1 million taxpayer records from the IRS to be processed for the customer satisfaction surveys. Due to the private and personal nature of the FTI, Internal Revenue Code § 6103 requires the data to be protected from unauthorized disclosure. Unauthorized disclosure is subject to both civil and criminal penalties. Accordingly, the vendor and its subcontractors must establish security controls (safeguards) to protect FTI from unauthorized access and use.

We reviewed six key security processes that covered physical and logical accesses, hiring and termination procedures, security awareness, and contingency planning. Three of the security processes were adequate, while the remaining three need to be improved. The vendor and its subcontractors were not meeting some of the security requirements in the contract and the IRS had not conducted a review of the safeguard measures employed by the vendor and its subcontractors. Although there were security weaknesses, the audit found no evidence of improper disclosure of FTI by the vendor or its subcontractors.

We identified three security controls that need to be enhanced to ensure the protection of FTI from unauthorized disclosure during the survey process.

• The minimum-security requirements were not being met for the Department of Defense "Class (C2): Controlled Access Protection" that the Department of the Treasury has adopted. Specifically, the vendor and the subcontractors did not maintain documentation on the security mechanisms within their computer systems. The vendor and its subcontractors did not have a control measure in place to determine who accesses protected information on the system. In addition, the vendor and one of the subcontractors did not have a security policy describing the system in terms of categories of data processed, users allowed access, and access rules between the users and the data.
• Physical controls need to be improved in handling and accounting for computer diskettes and tapes with FTI, storing FTI, and purging or destroying FTI after the customer satisfaction survey process is completed.
• A security awareness program is needed to ensure vendor employees have an understanding of security procedures required to protect FTI.

The IRS Office of Safeguards provides national oversight on contracts issued to federal, state, and local government agencies that have access to FTI. The Office of Safeguards applies the same oversight to private sector contractors who have access to FTI. The terms of the MOBIS contract permit the agency to send its officers and employees into the offices and plants of the contractor for inspection of the facilities and operations provided for the performance of any work under the contract. This includes reviewing the security measures that the vendor and its subcontractors have taken to protect FTI. In accordance with the IRS Disclosure of Official Information Handbook, the Office of Safeguards is to conduct a review within 1 year of any contractors who are receiving FTI for the first time. Since the inception of the MOBIS contract, the Office of Safeguards has not performed an evaluation of the safeguard measures employed by the vendor and its subcontractors. Moreover, as of May 31, 2000, there were 1,211 open IRS contracts involving FTI or other disclosure issues that had been awarded since October 1, 1997. Of the 1,211 contracts, 1,022 (84 percent) qualified to be selected for a safeguard review. Of the 1,022 contracts only 47 (5 percent) had been reviewed by field Disclosure Officers or the National Office of Safeguards’ staff.

We recommend that the Director, Office of Program Evaluation and Risk Analysis, coordinate with the Office of Safeguards to develop a process to ensure that on-site security reviews of the vendor’s and subcontractors’ facilities are conducted and safeguards are in place and functioning as stated in the contract. We further recommend that the Office of the Chief Communications and Liaison evaluate the Office of Safeguards staffing and workload to determine if enough focus is being given to private industry vendors to ensure that sensitive taxpayer data are properly safeguarded.

Management’s Response: IRS management agreed to ensure that on-site security reviews of the vendor’s and subcontractors’ facilities are conducted. Also, the Chief Communications and Liaison will conduct a review of the entire Safeguard Office operation environment, including staffing and workload. Management’s complete response is included as an appendix to the report.