Weak Security Controls Raise Doubts About IRS Data

GAO: Confidential Records At Risk Absent Effective IT Security
To understand the synergy between financial reporting and information security in government, there's no better example than the Internal Revenue Service. Simply put, because of the significance of IRS tax collections to overall federal receipts and the confidentiality of its records, if security controls aren't properly implemented, financial information the IRS reports can't be fully trusted.

"As IRS continues to increase the automation of accounting and reporting processes, the need for effective security over the data these systems process becomes increasingly more critical," wrote Steven Sebastian, GAO director of financial management, in a financial audit of the IRS for the past two fiscal years. "Absent effective information security, confidential taxpayer records will remain at risk and both IRS's management and we, as IRS's auditors, will continue to be unable to rely on the automated controls built into these systems to assist in obtaining reasonable assurance that the reported balances generated by them are reliable."

In the audit, released Tuesday, the Government Accountability Office credited the IRS with making great strides in addressing several IT security weaknesses identified in previous audits, by documenting approved access privileges for its mainframe user groups, implementing role-based access controls to reduce the number of users with special privileged access on the system supporting its administrative accounting system and changing vendor-supplied database accounts and passwords to avoid potential use by malicious users.

But, the audit said, persistent, serious deficiencies in IRS's controls over IT security remain uncorrected. Those deficiencies render IRS unable to rely upon these controls to provide reasonable assurance that its financial statements are fairly stated in the absence of effective compensating procedures, have serious adverse implications related to the reliability of other financial management information produced by IRS's systems and increase the risk that confidential IRS and taxpayer information will be compromised, the 113-page report said.

GAO said it has employed alternative audit procedures to compensate for weak security controls, such as reviewing comparisons between automated systems and utilizing remaining hard-copy records, but those alternatives will disappear as IRS's modernization efforts progress. "If IRS does not resolve its information security material weakness before these options disappear, it could have serious adverse implications for our ability to determine whether IRS's financial statements are fairly stated," Sebastian wrote.

IRS Management Reacts

IRS management told GAO that information security continues to be a priority, and noted that it had increased the security of its Interim Revenue Accounting Control System, Integrated Financial System and the Treasury Information Executive Repository environment, by limiting access to a reduced number of authorized staff. IRS managers instituted role-based access in financial management systems and implemented controls to enforce the use of strong passwords in accordance with the Internal Revenue Manual. IRS also recognized that challenges remain, but told GAO that it has a solid management team dedicated to promoting the highest standard of financial management and to continuing to increase the focus on information security and internal controls while improving financial reporting.

Good progress, but not enough, GAO said, noting that despite these actions, previously identified weaknesses in internal control over information security continue to place IRS systems at risk. GAO cited the IRS procurement system, where the tax agency had not restricted users' ability to bypass application controls, and was not removing separated employees' access in a timely manner. Managers did not always follow required procedures to review employee access to sensitive areas at data centers in a timely manner, to ensure that access was limited only to employees who needed it to perform their jobs, the GAO said. "These unresolved weaknesses increase the risk that data processed by the agency's financial management systems are not reliable," Sebastian said.

During its fiscal year 2009 audit, GAO said it identified additional significant weaknesses in internal control over information security that, along with previously identified weaknesses, continued to jeopardize the confidentiality, availability and integrity of information processed by IRS's key systems, increasing the risk of material misstatement for financial reporting. Among examples cited by GAO:

The operating system software supporting IRS's Integrated Financial System has reached its "end of service" life. As a result, GAO said, IRS may receive limited or no vendor maintenance support and security patches, which increases the risk that known IT security vulnerabilities will be exploited.
About 120 IRS employees had access to key documents, including cost data for input to the Integrated Financial System and a critical process-control spreadsheet used in IRS's cost allocation process. However, fewer than 10 employees needed access to perform their jobs. "The large number of employees with access to these documents increases the chances that they may intentionally or unintentionally corrupt the data in these documents, which could result in incorrect input and processing, or both, thus jeopardizing the accuracy of the cost allocation output," the audit said.
Weak encryption controls were utilized for user login to Integrated Financial System servers, increasing the risk that user IDs and passwords could be used for malicious intent.
IRS hadn't always logged and audited security-relevant events on its procurement system; this increased the risk that IRS may not be able to detect unauthorized access.
IRS hadn't always ensured it had appropriate separation of duties for its procurement system, as one individual was performing the roles of system and database administrators - critical functions that should be performed by separate individuals or groups.
IRS used vulnerable software on key servers, exposing the organization to a vulnerability that could allow a malicious user to capture user IDs and passwords by redirecting internal users' access requests to other systems without their knowledge.

How did this happen? According to GAO, the IRS hadn't fully implemented its information security program to ensure that controls are effectively established and maintained. For example, GAO said, although IRS has developed and implemented a process to address deficiencies in its information security policies, procedures and practices, it did not sufficiently verify whether remedial actions were implemented or effective in mitigating the vulnerability. To further illustrate, IRS informed GAO that it had corrected about 40 percent of the previously reported weaknesses, but auditors found that IRS had not fully implemented the remedial actions it reported for at least one-third of those that IRS considered corrected.

"Until IRS takes additional steps to fully implement key elements of its information security program ... its facilities, computing resources and information will remain vulnerable to inappropriate use, modification or disclosure, and agency management will have limited assurance of the integrity and reliability of its financial and taxpayer information," Sebastian said.

GAO said the IRS is receptive to its findings, and has several initiatives underway to address its IT security weaknesses. IRS has targeted initiatives covering identity and access management, auditing and monitoring and disaster recovery for the current fiscal year. Still, it will take time to eliminate all of the faults. According to an IRS plan, the last of these weaknesses is scheduled to be resolved in the first quarter of fiscal year 2014. "These efforts," GAO said, "if fully and effectively implemented, are positive steps towards improving the agency's overall information security posture."

About the Author

Eric Chabrow


Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
