An inspector general report stresses that IT security requires physical security as well as digital, saying they “are important for protecting computer facilities and resources from espionage, sabotage, damage, and theft.”
The report said that in a review of six IRS locations to evaluate the security controls in computer rooms (physical security controls, including environmental protections, fire safety and suppression, temperature and humidity controls, emergency power sources, shutoff switches and multifactor authentication), it found 15 violations.
It said, for example, that the emergency power shutoff switch in the computer room for one location “was disabled by a large paper clip purposefully lodged behind it, not allowing the switch to be engaged, and was covered with a piece of paper.”
Also, while all six locations annually tested the automatic fire suppression systems, one failed its most recent test, and the report on that test did not specify what was needed to correct it. At another, the fire extinguisher was not tested monthly as required.
Auditors also found violations of access control policies in three locations, with personnel at one location lacking the required indication on their ID cards, two others not always requiring visitors to sign required forms, and one of them not reviewing those forms. In addition, none of the rooms required multifactor authentication to enter, it said.
The findings were part of a broader review of IT at the agency, which has been struggling for years to keep outdated systems operating or to replace them. Among the other issues raised in the report were system security and privacy of taxpayer data, access controls, system environment security, separation of duties, and security policies, procedures, and documentation.