GAO Sees Vulnerabilities in IRS Systems

Auditor: IRS Infosec Program Hasn't Functioned as Intended

The Internal Revenue Service has failed to effectively implement portions of its information security program, weaknesses that Government Accountability Office auditors contend could adversely affect the confidentiality, integrity and availability of financial and sensitive taxpayer information.

In the audit made public March 15, GAO says the IRS has not always:

  • Implemented effective controls for identifying and authenticating users, such as enforcing password complexity on certain servers;
  • Appropriately restricted access to its mainframe environment;
  • Effectively monitored the mainframe environment;
  • Ensured that patches have been installed on systems to protect against known vulnerabilities.

"The agency has established a comprehensive framework for the program and continued to make strides with various initiatives designed to improve its controls; however, certain components of the program did not always function as intended," the 28-page GAO report states.

GAO cites the following examples of weaknesses in IRS's security program:

Testing procedures over a financial reporting system did not always determine whether required controls were operating effectively; consequently, GAO identified control weaknesses that IRS had not detected. The tax agency also had not updated an important policy concerning security standards for IRS's main tax processing environment to include current software versions and control capabilities.

GAO also says the IRS indicated that it had addressed 58 of the previous information system security-related recommendations GAO made, but 13 had not yet been fully resolved.

"Until IRS takes additional steps to more effectively implement its testing and monitoring capabilities, ensure that policies and procedures are updated and address unresolved and newly identified control deficiencies, its financial and taxpayer data will remain vulnerable to inappropriate use, modification or disclosure, possibly without being detected," the auditors say in the report.

GAO says these deficiencies, along with shortcomings in the information security program, were the basis of its determination that IRS had a significant deficiency in its internal control over financial reporting systems for fiscal year 2012.

In response to a draft of the audit, IRS Acting Commissioner Steven T. Miller says the agency agrees with GAO's recommendations and will develop a detailed corrective action plan to address them.

The audit wasn't devoid of praise. GAO auditors credit IRS managers for forming cross-functional working groups assigned to identify and remediate specific at-risk control areas, improving controls over the encryption of data transferred between accounting systems and upgrading critical network devices on the agency's internal network system.


About the Author

Eric Chabrow
Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.