GAO: Weak Controls Put IRS System at Risk

Existing Processes Haven't Remediated All Security Woes, GAO Says Eric Chabrow (GovInfoSecurity) • November 12, 2010

Three-quarters of IT security vulnerabilities and controls identified in previous years' audits of the Internal Revenue Service financial systems have yet to be corrected and puts IRS computers and data at risk, the Government Accountability Office's annual audit of the tax agency's financial systems reveals.

Among the weaknesses the GAO audit identifies:

Allowing individuals more access to sensitive information contained on the network than needed to perform their assigned duties.
Permitting users to enter commands that bypassed normal application security controls in its procurement system.
Providing unnecessary access to secured areas by visitors.
Failing to secure adequately the database associated with the online system IRS used to support and manage its computer access request, approval and review processes.
Using unencrypted protocols on a server supporting the Electronic Federal Tax Payment System and several internal routers, potentially exposing user identifies and passwords transmitted in clear text across the network to inappropriate disclosure and unauthorized use.
Failing to update the database software on the Microsoft Windows servers that supports the IRS's general ledger system to protect against known vulnerabilities.
Failing to install critical patch updates on several databases supporting the system.

"An underlying reason for these deficiencies is that IRS has not yet fully implemented key components of its comprehensive information security program," Steven Sebastian, GAO director of financial management and assurance, says in a letter to Treasury Secretary Timothy Geithner. "Although IRS has processes in place intended to monitor and assess its internal controls, these processes were not always effective."

In a letter responding to the GAO audit, IRS Commissioner Douglas Shulman (pictured) says material weaknesses in security controls have decreased over the past year, and steps are being taken to reduce them further. "The improvements we made have significantly reduced the overall risk, and we look forward to work with GAO to develop testing of the IT security controls and the compensating processes and procedures during the FY 2011 audit to demonstrate the overall risk has been reduced to below a material weakness," Shulman says.

GAO points out that the IRS has initiated various programs to address critical information security weaknesses, such as those tied to access controls, audit trails, contingency planning and training. According to the plan, the last of these weaknesses is scheduled to be resolved in fall 2013. The IRS also told the GAO it has developed metrics to measure success in complying with guides, policies and standards in such areas as configuration management, access authorizations, auditing and change management.

"As long as these efforts include the flexibility to adapt to changing technology and evolving threats, encompass the findings of GAO and the Treasury inspector general for tax administration in measuring success, and are fully and effectively implemented, they should improve the agency's overall information security posture," Sebastian says.