WASHINGTON - The Internal Revenue Service (IRS) needs to clarify the roles and responsibilities of those employees responsible for protecting the security of taxpayer data and other sensitive information, according to a new report publicly released today by the Treasury Inspector General for Tax Administration (TIGTA).

While the IRS has educated its employees about information technology (IT) issues, TIGTA found that it did not document all IT security roles and responsibilities in the Internal Revenue Manual (IRM); develop and document day-to-day IT security procedures and guidelines; properly conduct compliance assessments to test IT procedures; or establish effective metrics for measuring compliance with procedures.

As a result, TIGTA concluded, the IRS cannot ensure all IRS and contract employees will carry out their responsibilities to protect the confidentiality, integrity and availability of taxpayer data.

"Protecting taxpayer data is vital to maintaining taxpayer confidence in the Nation's tax system," said J. Russell George, the Treasury Inspector General for Tax Administration. "While the IRS has educated its employees and contractors about the need to protect taxpayer data, it must fully document which employees have information technology security roles and responsibilities and develop day-to-day IT security procedures and guidelines."

TIGTA recommended that the IRS update the IRM to include all IT security roles, ensure that security roles and responsibilities are periodically reviewed and updated, and develop procedures to validate compliance with IT procedures. In addition, TIGTA recommended that the IRS reopen the roles and responsibilities component of the computer security material weakness.

The IRS agreed with three of TIGTA's recommendations but declined to reopen the roles and responsibility component of the computer security material weakness.