TRENDING:

The Public Eye with Eric Chabrow

One Step Forward, Two Steps Back for IRS

Eric Chabrow (GovInfoSecurity) • February 23, 2009    
One Step Forward, Two Steps Back for IRS

Take, for instance, a recently released report Information Security: Continued Efforts Needed to Address Significant Weaknesses at IRS. In the report, GAO states: "IRS has continued to make progress in correcting previously reported information security weaknesses. It has corrected or mitigated 49 of the 115 weaknesses that GAO reported as unresolved during its last audit. ... However, most of the previously identified weaknesses remain unresolved."

GAO praises the IRS for implementing controls for unauthenticated network access and user IDs on the mainframe, encrypting sensitive data going across its network, improving the patching of critical vulnerabilities and updating updated contingency plans to document critical business processes. All well and good, and about time. Still, read further, and more troubling facts about compliance emerge. "Despite IRS's progress, information security control weaknesses continue to jeopardize and detect unauthorized access to its systems and information."

Over the years ... the IRS corrects vulnerabilities on systems audited, but doesn't check to see if those same weaknesses exist on similar systems. 

Here's what the IRS didn't do: Enforce strong password management to identify and authenticate users, authorize user access to personally identifiable information, encrypt some sensitive data, effectively monitor changes on its mainframe, and physically protect computer resources.

I asked Gregory Wilshusen, the information security issues director at GAO who authored the IRS audit, why agencies like the IRS consistently get these "but" audits? Over the years, he says, the IRS corrects vulnerabilities on systems audited, but doesn't check to see if those same weaknesses exist on similar systems. The GAO doesn't have time to audit 100 percent of an agency's devices and systems, but selects a few key ones to examine, and expects agencies to determine if identified vulnerabilities exist on similar systems and correct them. "So," Wilshusen says, "when we came back and said, 'Well, this weakness still exists?' (An IRS manager) said, 'Whoa, I corrected that.' 'But you didn't look at all the other devices.'"

How did the IRS respond to the latest audit? Basically, it made a boilerplate commitment to do better next time. Wrote IRS Commissioner Douglas Shulman: "We appreciate that your draft report recognizes the progress that the Internal Revenue Service has made to improve our information security programs and that numerous initiatives are underway. The security and privacy of taxpayer information is of utmost importance to us and the integrity of our financial systems continues to be sound. We are committed to securing our computer environment as we continually processes, promote user awareness and apply innovative ideas to increase compliance."

Shulman ended his message by basically telling GAO: We'll get back to you with a more detailed response later. Got questions? Give our tech guys a call.



About the Author

Eric Chabrow

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.




Around the Network

AI in Healthcare: The Growing Promise - and Potential Risks
AI in Healthcare: The Growing Promise - and Potential Risks
How AI Can Help Speed Up Physician Credentialing Chores
How AI Can Help Speed Up Physician Credentialing Chores
How the Healthcare Sector Can Boost Credential Management
How the Healthcare Sector Can Boost Credential Management
How State Governments Can Regulate AI and Protect Privacy
How State Governments Can Regulate AI and Protect Privacy
Why Hospitals Should Beware of Malicious AI Use
Why Hospitals Should Beware of Malicious AI Use
Getting a Tighter Grip on Vendor Security Risk in Healthcare
Getting a Tighter Grip on Vendor Security Risk in Healthcare
Joe Sullivan on What CISOs Need to Know About the Uber Trial
Joe Sullivan on What CISOs Need to Know About the Uber Trial
Mapping Access - and Attack - Paths in Active Directory
Mapping Access - and Attack - Paths in Active Directory
How Biden's AI Executive Order Will Affect Healthcare
How Biden's AI Executive Order Will Affect Healthcare
Protocol Isolation: The Key to Securing OT Environments
Protocol Isolation: The Key to Securing OT Environments

Continue »

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.