Sensitive Taxpayer Information at Risk

GAO Audit of IRS Reveals IT Weaknesses
More than two-thirds of the weaknesses and deficiencies in the Internal Revenue Service's IT systems remain unresolved one year after being identified by the GAO, jeopardizing the confidentiality, integrity and availability of sensitive taxpayer information, the Government Accountability Office reported Friday.

"Until these control weaknesses and program deficiencies are corrected, the agency remains unnecessarily vulnerable to insider threats related to the unauthorized access to and disclosure, modification or destruction of financial and taxpayer information, as well as the disruption of system operations and services," Nancy Kingsbury and Gregory Wilshusen, GAO's managing director of applied research and methods and director of information security issues, respectively, wrote in the 30-page report.

The audit by the investigative arm of Congress covered fiscal year 2009, and the GAO noted that 28 of the 89 weaknesses it identified in 2008 had been resolved. Still, that left 69 percent of the weaknesses or program deficiencies unresolved.

As an example, the GAO cited the IRS's failure to install patches in a timely manner and employ complex passwords. The IRS also didn't always verify that remedial actions were implemented or effectively mitigated the security weaknesses. IRS officials told GAO they continued to address uncorrected weaknesses and, subsequent to GAO's site visits, had completed additional corrective actions on some of them.

GAO said that despite these actions, the tax agency failed to consistently implement controls that were intended to prevent, limit and detect unauthorized access to its systems and information. For example, IRS didn't always:

  • Enforce strong password management for properly identifying and authenticating users;
  • Authorize user access to permit only the access needed to perform job functions;
  • Log and monitor security events on a key system; and
  • Physically protect its computer resources.

GAO said a key reason for these weaknesses was that IRS had not yet fully implemented its agency-wide information security program to ensure that controls are appropriately designed and operating effectively. "Although IRS has made important progress in developing and documenting its information security program," the report's authors wrote, "it did not, among other things, review risk assessments at least annually for certain systems or ensure contractors receive awareness training."

The IRS did not challenge the GAO's conclusions, and said it would try to comply with its suggested remedies. To remedy these problems, GAO recommended that the IRS:

  • Develop and implement policies and procedures for more securely configuring routers to encrypt network traffic, configuring switches to defend against attacks that could crash the network, and for notifying the Computer Security Incident Response Center of network changes that could affect its ability to detect unauthorized access.

  • Ensure contractors receive security awareness training within the first 10 working days.

  • Guarantee the results of testing and evaluating controls are effectively documented and reviewed.

  • Ensure key disaster recovery documentation, such as keystroke manuals, is available in a timely manner, and that appropriate contacts are readily identified.

GAO also made 23 detailed recommendations in a separate report with limited distribution. GAO said these recommendations consist of actions to be taken to correct specific information security weaknesses related to access controls, configuration management and segregation of duties identified during this audit.


About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
