One Step Forward, Two Steps Back for IRS
Take, for instance, a recently released report Information Security: Continued Efforts Needed to Address Significant Weaknesses at IRS. In the report, GAO states: "IRS has continued to make progress in correcting previously reported information security weaknesses. It has corrected or mitigated 49 of the 115 weaknesses that GAO reported as unresolved during its last audit. ... However, most of the previously identified weaknesses remain unresolved."
GAO praises the IRS for implementing controls for unauthenticated network access and user IDs on the mainframe, encrypting sensitive data going across its network, improving the patching of critical vulnerabilities and updating contingency plans to document critical business processes. All well and good, and about time. Still, read further, and more troubling facts about compliance emerge. "Despite IRS's progress, information security control weaknesses continue to jeopardize and detect unauthorized access to its systems and information."
Here's what the IRS didn't do: Enforce strong password management to identify and authenticate users, authorize user access to personally identifiable information, encrypt some sensitive data, effectively monitor changes on its mainframe, and physically protect computer resources.
I asked Gregory Wilshusen, the information security issues director at GAO who authored the IRS audit, why agencies like the IRS consistently get these "but" audits. Over the years, he says, the IRS corrects vulnerabilities on systems audited, but doesn't check to see if those same weaknesses exist on similar systems. The GAO doesn't have time to audit 100 percent of an agency's devices and systems, but selects a few key ones to examine, and expects agencies to determine if identified vulnerabilities exist on similar systems and correct them. "So," Wilshusen says, "when we came back and said, 'Well, this weakness still exists?' (An IRS manager) said, 'Whoa, I corrected that.' 'But you didn't look at all the other devices.'"
How did the IRS respond to the latest audit? Basically, it made a boilerplate commitment to do better next time. Wrote IRS Commissioner Douglas Shulman: "We appreciate that your draft report recognizes the progress that the Internal Revenue Service has made to improve our information security programs and that numerous initiatives are underway. The security and privacy of taxpayer information is of utmost importance to us and the integrity of our financial systems continues to be sound. We are committed to securing our computer environment as we continually processes, promote user awareness and apply innovative ideas to increase compliance."
Shulman ended his message by basically telling GAO: We'll get back to you with a more detailed response later. Got questions? Give our tech guys a call.