From the U.S. Government Accountability Office, www.gao.gov

Transcript for: Securing Financial and Taxpayer Data at IRS

Description: Audio interview by GAO staff with Greg Wilshusen, Director, Information Technology

Related GAO Work: GAO-14-405: Information Security: IRS Needs to Address Control Weaknesses That Place Financial and Taxpayer Data at Risk

Released: April 2014

[ Background Music ]

[ Narrator: ] Welcome to GAO's Watchdog Report; your source for news and information from the U.S. Government Accountability Office. It's April 2014. In the course of collecting taxes, IRS handles sensitive financial and personal taxpayer information. It relies on its information systems and security controls to keep that information secure. A team led by Greg Wilshusen, a director in GAO's Information Technology team, recently reviewed how well IRS secures citizens' financial and taxpayer data. GAO's Sarah Kaczmarek sat down with Greg to talk about what they found.

[ Sarah Kaczmarek: ] Does IRS have effective information security measures in place to protect financial and taxpayer information?

[ Greg Wilshusen: ] Well, the IRS has been making a great deal of progress in protecting taxpayer information. We noted as part of our recent audit that IRS has taken actions to improve several controls, including some related to encrypting data and the like. And in fact, they actually implemented actions to mitigate or correct 42 out of the 91 recommendations that we had outstanding relative to IRS's information security program. And they continue to devote quite a bit of resources and attention to this matter. However -- and it always seems like there's another however, we continue to find a number of significant vulnerabilities within IRS's information and security program and the controls that they use.
For example, we noticed that many of the tests that they perform do not adequately identify weaknesses that we often identify as part of our tests when they examine their information security controls. In addition, we notice that they had not always installed appropriate patches on their databases and in servers and this is particularly important because individuals who wish to gain unauthorized access often will use and exploit the vulnerabilities that a patch is supposed to correct so by not installing the patch allows another opportunity for someone with mischief on their mind to take advantage of that. And we also noticed that they did not always restrict access appropriately to some of their mainframe computers and this is also important because much of the tax processing is conducted on these mainframe computers and it's important to note that the IRS does process over like 241 million returns back in fiscal year 2013 and that's also where a lot of the taxpayer information resides.

[ Sarah Kaczmarek: ] What did your team find then as the main reasons for these risks to keeping information secure?

[ Greg Wilshusen: ] Well, the main reason is that IRS had not fully implemented its -- at least portions of its information security program. On the plus side, it had established a comprehensive security program but we noticed that portions of it were not really functioning as it had intended. For example, you know, I mentioned about the testing procedures that they do that tend not to be comprehensive. In addition, a number of its policies needed to be updated and did not contain sufficient detail to ensure that proper security procedures were being implemented, and so those were kind of the key issues that we identified relative to the security program, and that's something that they continue to need to work on.

[ Sarah Kaczmarek: ] What is GAO recommending then to improve the situation?
[ Greg Wilshusen: ] Well, we're recommending that IRS update its policies and procedures, particularly as it relates to granting access to its users and to mainframe systems and also that they develop remedial action plans to address known vulnerabilities.

[ Sarah Kaczmarek: ] Finally then, as we all get ready to file our individual tax returns later this month, what do you see as the bottom line of this report?

[ Greg Wilshusen: ] Well, I see that until IRS takes appropriate steps to more effectively implement its testing programs, ensure that its policies are current and provide sufficient security protections over systems and that they address unresolved and newly identified weaknesses that taxpayer information and its control over its financial reporting will still be subject to risk and unnecessarily exposed to unauthorized access, modification, and disruption.

[ Background Music ]

[ Narrator: ] To learn more visit GAO.gov and be sure to tune in to the next episode of GAO's Watchdog Report for more from the Congressional Watchdog, the U.S. Government Accountability Office.