TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

 

 

The Internal Revenue Service Successfully Accounted for Employees and Restored Computer Operations After Hurricanes Katrina and Rita

 

 

 

March 2006

 

Reference Number:  2006-20-068

 

 

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

 

 

Phone Number   |  202-927-7037

Email Address   |  Bonnie.Heald@tigta.treas.gov

Web Site           |  http://www.tigta.gov

 

 

March 30, 2006

 

 

MEMORANDUM FOR CHIEF INFORMATION OFFICER

                                         CHIEF, MISSION ASSURANCE AND SECURITY SERVICES

 

FROM:                            Michael R. Phillips /s/ Michael R. Phillips

                                         Deputy Inspector General for Audit

 

SUBJECT:                    Final Audit Report – The Internal Revenue Service Successfully Accounted for Employees and Restored Computer Operations After Hurricanes Katrina and Rita (Audit # 200620036)

 

This report presents the results of our review of the Internal Revenue Service’s (IRS) efforts to protect employees and taxpayer data in the offices affected by Hurricanes Katrina and Rita.  The overall objectives of this review were to evaluate the IRS’ preparatory actions prior to the arrival of Hurricanes Katrina and Rita, the recovery actions taken in the Hurricanes’ aftermath, and the actions taken to protect taxpayer data in the offices damaged by the Hurricanes.  This review was conducted in conjunction with the President’s Council on Integrity and Efficiency (PCIE)[1] as part of its examination of relief efforts provided by the Federal Government in the aftermath of Hurricanes Katrina and Rita.  As such, a copy of the report will be forwarded to the PCIE Homeland Security Working Group, which is coordinating the Inspectors’ General reviews of this important subject.

Synopsis

The IRS employs over 500 persons in the offices most affected by Hurricanes Katrina and Rita.  These employees are responsible for communicating directly with taxpayers to provide customer service and enforce tax laws by examining tax returns and collecting delinquent taxes.  By adequately planning and taking aggressive actions after the Hurricanes, the IRS was able to locate its employees and restore its computer operations to continue tax administration activities in the Gulf Coast area.  This audit is 1 of 10 audits the Treasury Inspector General for Tax Administration is conducting to address additional tax administration issues resulting from these natural disasters.

Hurricane Katrina made landfall at the Central Gulf Coast of the United States on August 29, 2005.  It caused unprecedented damage to New Orleans, Louisiana, as well as the coastal areas of Mississippi and Alabama, and became the most destructive and costliest natural disaster in the United States’ history.  Hurricane Rita followed less than 1 month later and further damaged New Orleans and the Gulf Coast area of Texas.  The IRS had 25 offices affected by the Hurricanes, many of which were closed for short durations due to sustained power outages.  The following five offices, however, received significant damage, which forced closure for longer periods of time:  New Orleans, Louisiana (Poydras Street); New Orleans, Louisiana (Hebert Building); Lake Charles, Louisiana; Gulfport, Mississippi; and Beaumont, Texas.

The IRS adequately prepared for Hurricanes Katrina and Rita.  The IRS had sufficiently updated its Occupant Emergency Plans[2] in May 2005 and Incident Management Plans[3] in March 2004 for the offices affected by the Hurricanes and conducted training sessions for its designated Incident Commanders.[4]  It also took actions immediately prior to the Hurricanes to enhance post-hurricane employee communications, ensure continued salary payments, and minimize computer damage in its offices affected by the Hurricanes.

After the Hurricanes made landfall, the IRS took appropriate actions to expeditiously locate all employees and restore computer operations in the offices affected by the Hurricanes.  Emergency Operations Command Centers were established in Nashville, Tennessee, and Dallas, Texas, immediately after Hurricanes Katrina and Rita, respectively.  The IRS focused its primary attention on finding all employees in offices affected by the Hurricanes.  All 517 employees in those offices were accounted for within 13 days after Hurricane Katrina, and all 35 employees were accounted for within 5 days after Hurricane Rita.

As for its computer operations in the offices affected by the Hurricanes, the IRS restored system access to its Integrated Collection System[5] application from the 5 affected offices to the Atlanta, Georgia, office within 5 workdays.  Personnel from the Modernization and Information Technology Services[6] organization also transferred employees’ work files to another network so employees in affected offices had access to them and could continue to work.

However, we are unable to definitively state that taxpayer data were protected in the wake of Hurricanes Katrina and Rita because we were unable to locate seven computers from two offices affected by the Hurricanes.

·         The IRS’ one-story Gulfport, Mississippi, office sustained hurricane damage that could have allowed an intruder to enter the office through a portion of the metal roof that was damaged.  The building was unprotected for 2 weeks.  We conducted a reconciliation of computers in that office and could not locate three desktop computers.  We believe these computers may have contained taxpayer data because the computers were used by customer service and enforcement employees.  The IRS had not conducted a physical reconciliation of its computers for any of the five offices affected by the Hurricanes before we began our review.  As such, we could not determine if the computers were stolen by an intruder, lost during the move into temporary trailers after the Hurricane, or removed from the office prior to the Hurricane.

·         We were also unable to locate four laptop computers in the New Orleans, Louisiana, Poydras Street office.  The laptop computers were not assigned to specific employees and, according to the IRS, all data are routinely erased before the computers are returned to a storage room.  The IRS indicated it may have reassigned the laptop computers to employees affected by the Hurricanes without updating the computer asset tracking system.

We confirmed that none of the missing computers were used to access the IRS computer network after the Hurricanes, so any loss of data would have been limited to the data on the computers.

Recommendations

We recommended the Chief, Mission Assurance and Security Services, establish procedures to require a team of employees or government entities to visit an office as soon as possible, but no later than 72 hours, after a major disaster to evaluate the security of the office’s perimeter.  If security has been compromised, the team should take necessary actions to either secure the perimeter or implement measures to prevent unauthorized access into the office.  We also recommended the Chief Information Officer establish procedures to conduct an inventory reconciliation of all computers at IRS facilities which suffer extensive damage after any major disaster to identify possible loss or theft of computers.  This reconciliation should be performed within 30 days after the disaster.

Response

The IRS agreed with our findings and recommendations.  However, the Chief, Mission Assurance and Security Services, indicated that, depending on the type and severity of the disaster, there may be circumstances in which the IRS might be unable to physically access the affected IRS facility or the surrounding area, or not be allowed access to the affected facility or area by local authorities, within 72 hours of the disaster.  The Chief, Mission Assurance and Security Services, further stated the IRS has procedures currently in place for conducting an initial and thorough damage assessment of IRS facilities affected by an incident or disaster and for providing appropriate security of IRS property and information.

The Chief Information Officer will revise the Internal Revenue Manual to include procedures for conducting an inventory reconciliation of all computers at extensively damaged IRS facilities after any major disaster.  The inventory reconciliation will be performed within 30 days after a disaster pending the advice of local authorities.  Management’s complete response to the draft report is included as Appendix IV.

Office of Audit Comment

We agree the procedures for damage assessment after an incident or disaster are comprehensive; however, there is no time criterion given for when the assessment should occur.  We acknowledge our 72-hour criterion is arbitrary, but its inclusion in the procedures would illustrate the criticality and need to quickly assess and protect IRS assets, including taxpayer data.  For Hurricane Katrina and the IRS’ Gulfport, Mississippi, office, the assessment team arrived 2 weeks after the Hurricane, even though a Criminal Investigation function manager visited the damaged office 2 days after the Hurricane.

Copies of this report are also being sent to the IRS managers affected by the report recommendations.  Please contact me at (202) 622-6510 if you have questions or Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.

 

 

Table of Contents

 

Background

Results of Review

The Internal Revenue Service Was Adequately Prepared to Resume Operations at the Offices Affected by Hurricanes Katrina and Rita

The Internal Revenue Service Took Aggressive Actions to Account for Its Employees and Restore Computer Operations After Hurricanes Katrina and Rita

Recommendations 1 and 2:

Appendices

Appendix I – Detailed Objectives, Scope, and Methodology

Appendix II – Major Contributors to This Report

Appendix III – Report Distribution List

Appendix IV – Management’s Response to the Draft Report

 

 

Background

 

Hurricane Katrina made landfall at the Central Gulf Coast of the United States on August 29, 2005, and caused unprecedented damage to New Orleans, Louisiana, as well as the coastal areas of Mississippi and Alabama.  The National Hurricane Center described this Category 5[7] Hurricane as one of the most powerful storms ever to form over the Atlantic Ocean.  Several levee systems in New Orleans, Louisiana, collapsed and most of the city was flooded by water, making Hurricane Katrina the most destructive and costliest natural disaster in the United States’ history.  Less than 1 month later, Hurricane Rita made landfall in Florida and proceeded west to strike Louisiana and Texas.  Hurricane Rita, also classified as a Category 5 hurricane, further damaged some of the levee breaches caused by Hurricane Katrina and reflooded parts of New Orleans, Louisiana.  Also, post-landfall damage was extensive in the coastal areas of southwestern Louisiana and southern Texas.

Because of these 2 Hurricanes, over 430 counties across Florida, Alabama, Mississippi, Louisiana, and Texas were declared disaster areas.  The Internal Revenue Service (IRS) had 25 offices affected by the Hurricanes, many of which were closed for short durations due to sustained power outages.  The following five offices, however, received significant damage forcing them to close for longer periods of time:

·         New Orleans, Louisiana (Poydras Street).

·         New Orleans, Louisiana (Hebert Building).

·         Lake Charles, Louisiana.

·         Gulfport, Mississippi.

·         Beaumont, Texas.

The Senate Finance Committee requested the Treasury Inspector General for Tax Administration determine whether the IRS protected taxpayer data in the offices affected by the Hurricanes.  In response to this Congressional inquiry, we initiated a review focused on disaster preparation, recovery efforts, and the protection of taxpayer data.  This audit is 1 of 10 audits we are conducting to address additional tax administration issues resulting from these natural disasters.

In addition, we conducted this review in conjunction with the President’s Council on Integrity and Efficiency (PCIE)[8] as part of its examination of relief efforts provided by the Federal Government in the aftermath of Hurricanes Katrina and Rita.

This review covered the five offices significantly affected by the Hurricanes and was performed in IRS offices of the Mission Assurance and Security Services organization and the Modernization and Information Technology Services (MITS) organization in New Carrollton, Maryland, and the Area Offices in New Orleans, Louisiana, and Gulfport, Mississippi, during the period November 2005 through February 2006.  The audit was conducted in accordance with Government Auditing Standards.  Detailed information on our audit objectives, scope, and methodology is presented in Appendix I.  Major contributors to the report are listed in Appendix II.

 

 

Results of Review

 

The Internal Revenue Service Was Adequately Prepared to Resume Operations at the Offices Affected by Hurricanes Katrina and Rita

The IRS maintains several types of documents on handling emergencies and disaster preparedness.  Two of these documents, the Occupant Emergency Plans and Incident Management Plans, are pertinent to all disasters and cover all IRS offices.

·         An Occupant Emergency Plan is required for all IRS offices and is designed to address safety issues of the employees and any visitors to a building at the time of an emergency.  When an emergency exists within a building, the occupants are directed to follow an evacuation plan.  However, if the emergency exists outside of the building, shelter-in-place plans[9] may be activated.  An Occupant Emergency Plan designates individuals to take charge and ensure the safety of the employees, the visitors, and the facility itself.  IRS guidelines define specific potential emergencies that include fires, bomb threats, explosions, hazardous materials, demonstrations, winter storms, tornados, power failures, severe weather, earthquakes and other natural and human-caused disasters.  Larger employee-occupied offices have a customized Occupant Emergency Plan tailored to the specific office, while smaller offices have a basic Occupant Emergency Plan.

·         An Incident Management Plan defines how to establish an Incident Management team and defines the responsibilities of the emergency team members.  An Incident Management Plan provides guidelines for the Incident Commander[10] to follow in responding to the incident and communicating with the National Headquarters office.  An Incident Management Plan also covers the important function of locating missing employees.  As such, an Incident Management Plan provides the structure for the Incident Commander to create and maintain an Incident Management team where all incident response efforts are coordinated and integrated.

We reviewed the Occupant Emergency Plans for the five offices significantly affected by the Hurricanes and found the specific Occupant Emergency Plans were updated by May 2005 and complied with IRS guidance and standards.  The Occupant Emergency Plans for three offices, the Beaumont, Texas, and the two New Orleans, Louisiana, offices, provided extensive information on dealing with many different types of emergencies.  Managers in these three offices were directed to maintain current home telephone numbers for employees reporting to them.  In addition to providing instructions on dealing with the more common emergencies, the Occupant Emergency Plans for these three offices covered shelter-in-place plans and potential terrorist threats.  The abbreviated Occupant Emergency Plans for the Lake Charles, Louisiana, and Gulfport, Mississippi, offices contained the basic information for local staff members to deal with five types of emergencies:  fire or smoke, earthquakes, severe weather, bomb threats, and civil disturbances.  Individuals were designated specific responsibilities, and local emergency telephone contact information was listed.

In March 2004, the IRS issued an Incident Management Plan template to be used by its 18 Senior Commissioner’s Representatives.[11]  Each Senior Commissioner’s Representative was to maintain the core format of the Incident Management Plan template but could add the local contact information for the assigned area.  In April 2005, the IRS held a training session for its Incident Commanders on the implementation of its standardized Incident Management Plan.  Coincidentally, the emergency used during the training session was a hurricane.

In July 2004, the IRS formed a cross-functional group, the Emergency Management and Preparedness Working Group,[12] that meets monthly to address issues associated with the IRS’ response to potential disasters or crises.  This Group considers the overall responsibilities of the staff during a crisis and which functional areas of the IRS are best suited to respond to the various issues related to an incident.  The Group also defines the roles and responsibilities of the staff designated in the Incident Management Plan template and coordinates IRS actions and activities in the areas of emergency management, business continuity of operations, business resumption planning, Occupant Emergency Plans, shelter-in-place plans, Incident Management Plans, as well as information systems disaster recovery and backup operations.

The IRS also completed several other noteworthy actions to prepare for disasters as well as for these Hurricanes.  First and foremost, the welfare of its employees is paramount when a disaster occurs.  For example:

·         All managers were required to obtain personal contact information for employees in the event of an emergency.  A reminder for this requirement was sent prior to the Hurricanes.

·         In June 2005, an emergency hotline telephone number for its employees was established as well as an Internet web site where employees could obtain help, guidance, and information in the event of an emergency.

·         The IRS planned for the delivery of paychecks in the event employees could not obtain money from their banks, and Western Union[13] was used to facilitate immediate delivery of cash to several employees.

As for pre-hurricane computer-related efforts, local staffs from the MITS organization[14] took actions to properly shut down all services supported by computer operations in the five offices, which minimized any electrical damage to computer hardware and its data.  In addition, the IRS had 13 servers for its Integrated Collection Systems (ICS)[15] application in the New Orleans, Louisiana, Poydras Street office, 1 ICS server in the Gulfport, Mississippi, office, and 1 ICS server in the Beaumont, Texas, office.  For this application, the MITS organization maintained a Technical Contingency Document, which provides information for local system recovery in the event of a disaster.  The MITS organization also created routine daily backup tapes of the ICS servers as well as employee home directory servers both locally and centrally at another location.  In addition, a pre-Hurricane Rita message advised laptop computer users to take their laptop computers home with them.

Overall, we believe the IRS took adequate preparatory actions to ensure an orderly resumption of operations in the offices affected by the Hurricanes.  In addition, the Emergency Management and Preparedness Working Group performed a post-hurricane review of the IRS’ response to the Hurricanes and identified the following issues to improve the IRS preparation for future disasters:

·         Clarification of the roles and responsibilities of IRS staff members as related to disasters and emergencies, including the establishment of national leadership roles and responsibilities for a large-scale disaster, like the ones inflicted by Hurricanes Katrina and Rita.

·         Establishment of policies and procedures governing administrative leave, timekeeping, and temporary placement for disaster-affected employees.

·         Consideration of alternate methods of communicating with displaced employees.

·         Development of a process-flow diagram to help IRS employees understand the roles and responsibilities of the Incident Commander and the Incident Management team during a disaster.

·         Preparation of a presentation entitled Emergency Preparedness and Response at the Internal Revenue Service to raise awareness of emergency preparedness in its employees.

·         Continuation of the Emergency Management and Preparedness Working Group’s assistance to business units in the development of plans to maintain or resume IRS functional operations.

·         Consideration of the legal and privacy issues surrounding employee emergency contact information.

·         Revisions of written guidance for emergencies.

The Internal Revenue Service Took Aggressive Actions to Account for Its Employees and Restore Computer Operations After Hurricanes Katrina and Rita

While the IRS was as prepared as possible, we acknowledge the arrival of 2 Category 5 Hurricanes in a span of 1 month could not have been reasonably foreseen.  The IRS’ Incident Management Plans did not consider the destruction of an entire region but were focused to handle a disruption of any single IRS site.  Much to its credit, the IRS adapted its Incident Management Plans effectively to deal with the aftermath of the two Hurricanes.

The IRS established Emergency Operations Command Centers[16] in Nashville, Tennessee, and Dallas, Texas, for Hurricanes Katrina and Rita, respectively.  These locations were selected due to their close proximity to the areas affected by the Hurricanes and accessibility for Incident Management team members.  Approximately 30 IRS employees staffed the Nashville Center during the days after Hurricane Katrina made landfall.  The Emergency Operations Command Centers coordinated and monitored all efforts and activities, and communicated updates on their progress to the Deputy Commissioner for Operations Support on a daily basis.

Because of the widespread geographic damage of Hurricane Katrina and the multiple disaster-related issues, incident management guidelines had to be adapted quickly and were focused on operations (resumption of business), planning (tracking resources), logistics (physical security and communications), and finance/administration (budget, time and attendance, and procurements).  The Emergency Operations Command Center in Nashville, Tennessee, was staffed with employees possessing the specialized skills and knowledge to assist with these efforts.  As a result, the IRS expeditiously accounted for all IRS employees and restored computer operations in offices affected by the Hurricanes.

All IRS employees were accounted for and actions were taken to ensure their safety

From the onset of Hurricane Katrina, the IRS’ number one priority was locating employees and providing any needed assistance.  The IRS employees working at the Emergency Operations Command Centers in Nashville, Tennessee, and Dallas, Texas, used creative methods at their disposal to locate the employees.  Current time and attendance payroll records were initially used as the basis for identifying employees in affected areas.  Other methods used to locate affected employees included contacts made by text messaging; visiting disaster web sites; and contacting churches, food pantries, shelters, hospitals, and pharmacies.  The IRS also contacted co-workers, past and present, to elicit their aid in locating affected employees.  A United States Coast Guard helicopter was sent to two employees’ residences because it was impossible to reach them through any other means.

In addition to actions taken by the Emergency Operations Command Centers, IRS employees assisted in locating and helping their fellow employees.  For example, an IRS Criminal Investigation function manager in the Gulfport, Mississippi, office personally visited the homes of every unaccounted employee from that office to confirm their safety.  Another Gulfport, Mississippi, employee drove approximately 50 miles to Slidell, Louisiana, to check the safety and condition of a co-worker.

The IRS had a total of 517 employees displaced by Hurricane Katrina.  All affected employees were located within 13 days after the disaster.  Hurricane Rita displaced 35 additional employees, 11 employees at the Lake Charles, Louisiana, office and 24 employees at the Beaumont, Texas, office.  All affected employees were located within 5 days after this respective disaster.

Concurrent with locating all of its affected employees, the IRS focused on assisting its employees in maintaining basic needs.  Because the offices in Gulfport, Mississippi; New Orleans, Louisiana; Beaumont, Texas; and Lake Charles, Louisiana, were closed for varying lengths of time due to health issues as well as electrical and telecommunications failures, employees in these offices evacuated to other cities and States.  Some IRS employees were restricted from returning to their homes by local authorities, and some employees’ homes were completely destroyed.  The IRS worked with these displaced employees to provide them with temporary employment in other locations.  A total of 232 employees were given temporary work in 19 different States across the nation.  In addition, personnel from the IRS Human Capital Office[17] worked with the Office of Personnel Management to obtain approval for the 30-day administrative leave for displaced IRS employees from the Hurricanes.  Also, a counselor was assigned to the IRS’ Emergency Operations Command Center staff to talk with employees and their families to help them to cope with the trauma and devastation.

Computer operations were restored and data were protected, but we could not locate seven computers

For the five offices, the IRS restored system access to its ICS application within 5 workdays by moving data files from the offices affected by the Hurricanes to its Atlanta, Georgia, office.  Personnel from the MITS organization also transferred employees’ personal “home” directories from local file servers to the servers in another office, allowing employees to have access to their work files on the network so they could continue to work.

In addition, personnel from the MITS organization’s Enterprise Networks Division[18] assisted the National Finance Center[19] in transferring its computer processing operations from New Orleans, Louisiana, to its recovery site in Philadelphia, Pennsylvania.  The Enterprise Networks Division also provided emergency equipment to the overwhelmed Federal Emergency Management Agency[20] call sites and reconfigured[21] 2,500 existing IRS workstations to enable Federal Emergency Management Agency staff members to work from 4 IRS locations.

However, we are unable to definitively state that taxpayer data were protected in the wake of Hurricanes Katrina and Rita because we were unable to locate seven computers from two offices affected by the Hurricanes.

·         Of all IRS offices, the Gulfport, Mississippi, office sustained the greatest amount of structural damage from Hurricane Katrina.  This 1-story office, which housed 39 IRS employees from various functions, sustained damage to the roof as well as interior structures, such as ceiling tiles and insulation.  An IRS assessment team visited the office 2 weeks after the Hurricane and indicated an intruder could have entered the office through a portion of the bent metal roof.  Because most of the roof had to be removed to complete repairs, the building’s lessor required the IRS to remove all contents from the office.  The IRS acquired temporary workspace for its employees in early October 2005.  During this transition period, the IRS temporarily secured the damage and procured guard service to ensure no breaches occurred before the IRS could move its assets into more secure temporary quarters.

We were unable to locate three desktop computers in the Gulfport, Mississippi, office that may have contained taxpayer data.

Because of the damage to the building and the 2-week time period when the building was unprotected, we conducted a reconciliation of the 13 computers assigned to this office.  We were unable to locate three desktop computers, which were not assigned to specific employees according to the Information Technology Asset Management System, the IRS’ official computer inventory tracking system.  These three desktop computers were listed as shared computers, meaning anyone in the office could use them.  We were unable to identify the contents on these computers.  However, the employees in this office worked for various IRS customer service and enforcement functions and often used taxpayer data to either assist taxpayers or enforce tax requirements.  As a result, we believe it is likely that the missing computers contained taxpayer data.

When we initiated this review in November 2005, the IRS had not conducted a physical reconciliation of computer assets in any of the five offices affected by the Hurricanes.  Therefore, we could not determine if the missing computers were stolen by an intruder, lost during the move into temporary trailers after the Hurricane, or removed from the office prior to the Hurricane.

·         The IRS provides laptop computers for employees to use when they work outside of an IRS facility.  The portability of laptop computers increases the likelihood of their being lost or stolen.  The laptop computers may store sensitive information (e.g., taxpayer data) and they can also be used to access taxpayer data on the IRS network.  To address these risks, laptop computers are equipped with upfront security controls (e.g., passwords) to limit access to the laptop computers’ contents as well as specific software to securely connect to the IRS network from offsite locations.

We conducted an inventory reconciliation of all laptop computers in the five IRS offices affected by both Hurricanes.  We identified 417 laptop computers assigned to the 5 IRS offices (273 assigned to specific employees and 144 listed as unassigned).[22]  We were unable to account for four laptop computers, which were listed as “In Stock” in the New Orleans, Louisiana, Poydras Street office on the Information Technology Asset Management System.  We could not determine if the missing laptop computers contained taxpayer data.  When we discussed this issue with the IRS, the local MITS organization staff stated all data are routinely erased before laptop computers are returned to storage.

We identified three possible scenarios for the missing laptop computers.

1.      Personnel from the MITS organization indicated the laptop computers may have been reassigned to displaced employees and the Information Technology Asset Management System was not properly updated with the new assignments.  However, during our reconciliation of the 417 laptop computers, we contacted all 273 employees assigned laptop computers in the 5 offices and determined that none of the employees had the missing computers.

2.      Hurricane Katrina caused some damage to the New Orleans, Louisiana, Poydras Street office.  The IRS occupies the second through fifth floors of this highrise building.  The damage to this office included broken windows, one on each of the second and third floors.  Fortunately, very little interior damage was sustained.  The building’s lessor boarded up the broken windows 17 days after Hurricane Katrina made landfall.  Under normal circumstances, access through these windows would have been difficult.

During the period when the windows remained broken, local and Federal Government officials maintained a heavily armed military and police presence in the area.  Because the offices with the broken windows were visible from the main street, we believe the presence of law enforcement would have deterred anyone from attempting to enter through the broken windows.  Although remote, it is possible that an intruder accessed the office and stole the laptop computers.

3.      During our visit to the New Orleans, Louisiana, Poydras Street office, we found one of the two rooms used to store computers was accessible to anyone with an IRS card key for the building.  It is possible that someone with a building key could have accessed this room and stolen the laptop computers prior to our reconciliation.

The other three IRS offices sustained minor exterior damage, but entry points into the offices were not damaged and showed no signs of unauthorized entry.

In addition to our reconciliation of laptop computers, we evaluated the validity of network connections made from laptop computers.  IRS employees can connect to the network either through the local area network in the office or by secure communication channels using telephone lines or high-speed cable connections in their homes.  We identified 118 laptop computers assigned to employees who connected to the IRS network within 1 month after Hurricane Katrina made landfall or within 1 week after Hurricane Rita made landfall.  We contacted employees for all 118 laptops and confirmed the connections were legitimate and made by IRS employees.  Using IRS software, we also confirmed none of the seven missing computers identified during our review were used to access the IRS network after the Hurricanes, so any loss of data would have been limited to the data on the computers.

Recommendations

Recommendation 1:  The Chief, Mission Assurance and Security Services, should establish procedures to require the IRS Incident Commander to send a small team of employees or other government entities to affected IRS offices as soon as possible, but no later than 72 hours, after a major disaster to assess each office’s structural state and ensure secure perimeters are maintained.  If perimeter security has been compromised, the team should take actions to either secure the perimeter or implement measures to prevent unauthorized access into the office.

Management’s Response:  The IRS concurred with this recommendation.  However, the Chief, Mission Assurance and Security Services, indicated that, depending on the type and severity of the disaster, there may be circumstances in which the IRS might be unable to physically access the affected IRS facility or the surrounding area, or not be allowed access to the affected facility or area by local authorities, within 72 hours of the disaster.  The Chief, Mission Assurance and Security Services, further stated the IRS has procedures currently in place for conducting an initial and thorough damage assessment of IRS facilities affected by an incident or disaster and for providing appropriate security of IRS property and information.

Office of Audit Comment:  We agree the procedures for damage assessment after an incident or disaster are comprehensive; however, there is no time criterion given for when the assessment should occur.  We acknowledge our 72-hour criterion is arbitrary, but its inclusion in the procedures would illustrate the criticality and need to quickly assess and protect IRS assets, including taxpayer data.  For Hurricane Katrina and the IRS’ Gulfport, Mississippi, office, the assessment team arrived 2 weeks after the Hurricane, even though a Criminal Investigation function manager visited the office 2 days after the Hurricane.

Recommendation 2:  The Chief Information Officer should establish procedures to conduct an inventory reconciliation of all computers at IRS facilities which suffer extensive damage after any major disaster to identify possible loss or theft of computers.  This reconciliation should be performed within 30 days after the disaster.

Management’s Response:  The IRS concurred with this recommendation.  The Chief Information Officer will revise the Internal Revenue Manual to include procedures for conducting an inventory reconciliation of all computers at extensively damaged IRS facilities after any major disaster.  The inventory reconciliation will be performed within 30 days after a disaster pending the advice of local authorities.

 

Appendix I

 

Detailed Objectives, Scope, and Methodology

 

The overall objectives of this review were to evaluate the Internal Revenue Service’s (IRS) preparatory actions prior to the arrival of Hurricanes Katrina and Rita, the recovery actions taken in the Hurricanes’ aftermath, and the actions taken to protect taxpayer data in the offices damaged by the Hurricanes.  We focused our review on the five IRS offices which received significant damage and were forced to close for long periods of time:  New Orleans, Louisiana (Poydras Street); New Orleans, Louisiana (Hebert Building); Lake Charles, Louisiana; Gulfport, Mississippi; and Beaumont, Texas.  To accomplish our objectives, we conducted the following audit steps:

I.                   To determine whether the IRS was adequately prepared for a disaster of the magnitude of Hurricane Katrina and whether IRS business resumption plans could be improved to prepare for future disasters, we:

A.    Assessed the IRS’ overall preparedness for disaster recovery and business resumption efforts related to buildings, equipment, and personnel by reviewing the:

·         Occupant Emergency Plans[23] for the five offices.

·         Incident Management Plan[24] template provided to all 18 of the IRS’ Senior Commissioner’s Representatives.[25]

·         Internal Revenue Manual sections related to emergency preparedness.

·         Training session presentation for Incident Commanders.[26]

·         Leader’s Digest articles on a nationwide emergency contact telephone number and about how to obtain emergency information through the Internet.

B.     Assessed the IRS’ post-disaster recovery and business resumption activities related to buildings, equipment, and personnel.  We:

1.      Interviewed the Incident Commander of the Nashville, Tennessee, Emergency Operations Command Center[27] and the Associate Director, Emergency Management Program Office,[28] regarding their post-Hurricane assignments.  We also interviewed personnel from their staffs.

2.      Reviewed the following documents relating to activities after the Hurricanes made landfall.

·         The IRS’ summary document sent to the Department of the Treasury that included the lessons learned from the disasters.

·         Minutes of the IRS’ Emergency Management and Preparedness Working Group[29] meetings held after the two Hurricanes.

·         The IRS’ summary of temporary duty assignments provided to employees in the affected areas.

C.     Assessed the preparedness disaster recovery and business resumption efforts related to buildings, equipment, and personnel by reviewing documentation from the IRS’ Modernization and Information Technology Services organization,[30] including logs of daily backup tapes and the policies and procedures for the business continuity.

D.    Assessed the post-disaster recovery and business resumption activities related to protection of taxpayer data through research of email messages made in the post-Hurricane aftermath.  We focused on messages relating to the following important activities.

·         Restoration of network service to the users in the affected areas, including obtaining equipment, changing the physical location of the servers, transporting backup tapes to another city, and providing network connectivity to the data files.

·         Additional activities to assist other Federal Government bureaus and agencies, such as the Federal Emergency Management Agency[31] and the National Finance Center.[32]

II.                To determine whether taxpayer data had been adequately protected within IRS office buildings affected by Hurricanes Katrina and Rita, we:

A.    Met with Mission Assurance and Security Services[33] organization personnel and local officials to determine whether any incidents of vandalism or theft had been reported and addressed.

B.     Obtained the latest status of visits and assessments made by the IRS related to the five offices affected by the Hurricanes.

C.     Determined whether damage assessments indicated a lack of physical security of IRS office space and conducted further tests to determine whether physical data loss occurred.  We:

1.      Identified the inventory of 13 computers assigned to the Gulfport, Mississippi, office using the Information Technology Asset Management System[34] and the Enterprise Systems Management’s Tivoli^®[35] system, as of October 7, 2005.

2.      Conducted a physical reconciliation of the 13 computers to ensure all computers were accounted for properly.

3.      For three missing computers, identified possible content of the computers by profiling the employees who used the computers.

III.             To determine whether taxpayer data had been adequately protected outside of IRS office buildings in areas affected by Hurricanes Katrina and Rita, we:

A.    Met with personnel from the Mission Assurance and Security Services and the Modernization and Information Technology Services organizations to determine whether the IRS had initiated any efforts to identify missing or lost laptop computers of those employees affected by the disasters.

B.     Identified 417 laptop computers on the Information Technology Asset Management System assigned to the 5 offices affected by the disasters as of October 7, 2005.

C.     Conducted a reconciliation of the 417 laptop computers to ensure they were accounted for properly. 

1.      For the 273 laptop computers assigned to specific employees, we obtained current email addresses and contact telephone numbers for the employees and contacted the employees to confirm the computer name and bar code of each employee’s laptop computer.

2.      For the 144 laptop computers not assigned to specific employees, we conducted a physical reconciliation to ensure all laptop computers were accounted for properly.

3.      For four missing laptop computers, we identified the possible content of the computers through discussions with local Information Technology Service organization personnel.

IV.             To determine whether employee user accounts in the five offices were compromised and used to make unauthorized accesses, we:

A.    Met with Mission Assurance and Security Services organization personnel to identify all reported incidents as a result of the Hurricanes in the affected five offices, particular those pertaining to compromised user accounts or unauthorized accesses.

B.     Analyzed Tivoli^® data for the 417 laptop computers to identify 118 laptop computers for which Tivoli^® recorded a successful network connection after the Hurricanes made landfall.  The remaining 299 laptop computers had not connected to the network after the Hurricanes made landfall, as of October 7, 2005.

C.     Contacted the employees assigned to the 118 laptop computers to confirm they used their laptop computers to connect to the IRS network.

 

Appendix II

 

Major Contributors to This Report

 

Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)

Steve Mullins, Director

Kent Sagara, Audit Manager

Dan Ardeleano, Senior Auditor

Jacqueline Nguyen, Senior Auditor

Midori Ohno, Senior Auditor

Larry Reimer, Senior Auditor

Stasha Smith, Senior Auditor

 

Appendix III

 

Report Distribution List

 

Commissioner  C

Office of the Commissioner – Attn:  Chief of Staff  C

Deputy Commissioner for Operations Support  OS

Chief, Agency-Wide Shared Services  OS:A

Deputy Chief, Mission Assurance and Security Services  OS:MA

Director, Communications, Liaison, and Disclosure  SE:S:CLD

Chief Counsel  CC

National Taxpayer Advocate  TA

Director, Office of Legislative Affairs  CL:LA

Director, Office of Program Evaluation and Risk Analysis  RAS:O

Office of Management Controls  OS:CFO:AR:M

Audit Liaisons:

            Chief Information Officer  OS:CIO

            Chief, Mission Assurance and Security Services  OS:MA

            Management Controls Coordinator, Agency-Wide Shared Services  OS:A:F

 

Appendix IV

 

Management’s Response to the Draft Report

 

The response was removed due to its size.  To see the response, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.