Computer Security: Contingency Plans and Risk Analyses Needed for IRS Computer Centers
IMTEC-86-10
Published: Mar 27, 1986. Publicly Released: Mar 27, 1986.
Skip to Highlights
Highlights
GAO reviewed the Internal Revenue Service's (IRS): (1) plans for ensuring the continuity of its computer operations if any of its 12 computer centers were destroyed or significantly disabled for an extended period; and (2) efforts to implement a risk management program to assess and reduce potential threats to computer operations.
Recommendations
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Internal Revenue Service | The Commissioner of Internal Revenue should direct the Assistant Commissioner, Support and Services (for the Detroit Data Center), and the Assistant Commissioner, Returns and Information Processing (for all other computer centers), to expedite efforts to develop, certify, and periodically test ADP contingency plans for all IRS computer centers according to the criteria and procedures set forth in the IRS Internal Revenue Manual and Office of Management and Budget (OMB) Circular A-130. |
As of June 20, 1990, IRS had completed a service-wide disaster recovery strategy report for its computing centers. Contingency plans were being developed at each IRS processing site. Passage of time makes further evaluation of IRS actions difficult without additional audit work.
|
| Internal Revenue Service | The Commissioner of Internal Revenue should direct the Assistant Commissioner, Support and Services (for the Detroit Data Center), and the Assistant Commissioner, Returns and Information Processing (for all other computer centers), to expedite efforts to perform periodic risk analyses to: (1) aid in developing and maintaining effective ADP contingency plans; and (2) help assess the internal controls environment, as required by the Federal Managers' Financial Integrity Act of 1982 (FMFIA) and the OMB circular. |
IRS has completed risk analyses at its 12 computer centers.
|
| Internal Revenue Service | The Commissioner of Internal Revenue should direct the Assistant Commissioner, Support and Services (for the Detroit Data Center), and the Assistant Commissioner, Returns and Information Processing (for all other computer centers), to expedite efforts to continue to report the lack of contingency plans and periodic risk analyses as material control weaknesses under FMFIA until contingency plans have been developed, certified, and tested, and risk analyses, as well as needed corrective action identified by such analyses, have been completed for all computer centers. |
IRS reported that these areas were material control weaknesses in its 1986 FMFIA report. IRS stated that it would continue to report them as weaknesses under FMFIA until they are properly resolved.
|
Full Report
Public Inquiries
Topics
Agency missionsComputer backupsComputer capacityComputer equipment managementComputer securityContingency plansElectronic data processingIncome taxesPlanningRisk assessmentTax returns