IRS Systems Security: Although Significant Improvements Made, Tax Processing Operations and Data Still at Serious Risk

AIMD-99-38 Published: Dec 14, 1998. Publicly Released: Jan 13, 1999.
Highlights

Pursuant to a congressional request, GAO reviewed the Internal Revenue Service's (IRS) progress in correcting serious computer security weaknesses at five IRS facilities, focusing on: (1) additional security weaknesses identified at the five facilities and at an IRS facility not included in GAO's previous report; and (2) steps IRS has taken or plans to take to implement a service-wide computer security management program.

Recommendations

Recommendations for Executive Action

Agency Affected: Internal Revenue Service
Recommendation: The Commissioner of Internal Revenue should direct the Chief Information Officer and Director of the Office of Systems Standards and Evaluation to work in conjunction with the facility directors as appropriate to continue efforts to implement appropriate control measures to limit physical access to facilities, computer rooms, and computing resources based on job responsibility.
Status: Closed – Implemented
Comments: In our FY 1999 summary report of IRS computer security weaknesses, we noted that access to sensitive computing areas, such as computer rooms, data communication areas, and tape libraries, was not adequately controlled. We recommended that IRS implement appropriate control measures to limit physical access to facilities, computer rooms, and computing resources based on job responsibilities. IRS has since developed a corrective action plan to ensure that access to key computer applications and systems is limited to authorized persons for authorized purposes by issuing new and updated computer and physical access controls and personnel security requirements. In addition, IRS conducted an extensive analysis of its guard forces to ensure adequate staffing and performed security reviews at each computing center to identify security vulnerabilities. As a result, IRS has greater assurance that physical access to its computing resources and facilities is better secured.
Agency Affected: Internal Revenue Service
Recommendation: The Commissioner of Internal Revenue should direct the Chief Information Officer and Director of the Office of Systems Standards and Evaluation to work in conjunction with the facility directors as appropriate to continue efforts to limit access authority to only those computer programs and data needed to perform job responsibilities and review access authority regularly to identify and correct inappropriate access.
Status: Closed – Implemented
Comments: In our FY 1999 summary report of IRS computer security weaknesses, we noted that IRS did not limit access to system software to individuals with a need to know, that access to key system logs was not restricted, and that the powerful "root" authority had been granted to users whose assigned duties did not require such capabilities. We recommended that IRS limit access authority to only those computer programs and data needed to perform job responsibilities and review access authority regularly to identify and correct inappropriate access. IRS has since implemented corrective actions to ensure that access to key computer applications and systems is limited to authorized persons for authorized purposes. As a result, IRS has greater assurance that only authorized personnel are granted access to sensitive programs and data.
Agency Affected: Internal Revenue Service
Recommendation: The Commissioner of Internal Revenue should direct the Chief Information Officer and Director of the Office of Systems Standards and Evaluation to work in conjunction with the facility directors as appropriate to continue efforts to configure security software to provide optimum security over tape media.
Status: Closed – Implemented
Comments: In our FY 1999 summary report of IRS computer security weaknesses, we noted that security software was not configured to provide optimum security over tape media. We recommended that IRS configure security software to provide optimum security over tape media. IRS has since restricted access to the security software to provide improved security over access to data on tape media. As a result, IRS has greater assurance that access to sensitive data on tape media is limited to authorized personnel.
Agency Affected: Internal Revenue Service
Recommendation: The Commissioner of Internal Revenue should direct the Chief Information Officer and Director of the Office of Systems Standards and Evaluation to work in conjunction with the facility directors as appropriate to continue efforts to establish adequate safeguards over telecommunications equipment and remote access to IRS systems.
Status: Closed – Implemented
Comments: In our FY 1999 summary report of IRS computer security controls, we noted that IRS did not physically protect telecommunications equipment and that dial-in access was not adequately protected, thereby increasing the risk of unauthorized access to and disclosure of sensitive taxpayer data. We recommended that IRS establish adequate safeguards over telecommunications equipment and remote access to IRS systems. IRS has since secured physical access to telecommunications equipment and established security offices responsible for monitoring security controls over external and internal connections. In addition, IRS has established appropriate security policy standards to provide controls over its telecommunications infrastructure. As a result, IRS has greater assurance that unauthorized individuals do not have access to sensitive taxpayer information.
Agency Affected: Internal Revenue Service
Recommendation: The Commissioner of Internal Revenue should direct the Chief Information Officer and Director of the Office of Systems Standards and Evaluation to work in conjunction with the facility directors as appropriate to continue efforts to ensure that all computer programs and program modifications are authorized, tested, and independently reviewed and that real taxpayer data is not used for software testing.
Status: Closed – Implemented
Comments: In our FY 1999 summary report of IRS computer security controls, we noted that IRS did not perform independent quality assurance review or testing of locally developed programs. In addition, application programmers used live taxpayer data for software testing, increasing the risk that sensitive taxpayer data could be disclosed to unauthorized individuals. We recommended that IRS ensure that all computer programs and program modifications are authorized, tested, and independently reviewed and that live taxpayer data is not used for software testing. IRS has begun a configuration management improvement effort whose focus includes the evaluation, resolution, and standardization of all application and system development and operations. In addition, IRS instituted an approval process that must be completed before live taxpayer data can be used for software testing. As a result, IRS has greater assurance of improved security over its software quality control process.
Agency Affected: Internal Revenue Service
Recommendation: The Commissioner of Internal Revenue should direct the Chief Information Officer and Director of the Office of Systems Standards and Evaluation to work in conjunction with the facility directors as appropriate to continue efforts to establish controls that ensure that disaster recovery plans and business resumption plans are comprehensive, current, and fully tested.
Status: Closed – Implemented
Comments: In our FY 1999 summary report of IRS computer security controls, we noted that IRS's disaster recovery plans lacked essential information, were not adequately tested, did not meet users' business needs, and were incomplete. We recommended that IRS establish controls that ensure that disaster recovery plans and business resumption plans are comprehensive, current, and fully tested. IRS has since established oversight support for the paper tests of disaster recovery plans and reviewed campus and area disaster recovery activities. Also, the IRS Office of Security acted as the lead partner in the identification and prioritization of business processes. Furthermore, the headquarters' continuity of operations plan has been upgraded and tested. As a result, IRS is in a better position to resume its operations in the aftermath of a disaster.
Agency Affected: Internal Revenue Service
Recommendation: The Commissioner of Internal Revenue should ensure that IRS completes the implementation of an effective service-wide computer security management program. This program should include procedures for assessing risks for all of IRS's facilities, networks, major systems, and taxpayer data on a regular, ongoing basis to ensure that controls are adequate.
Status: Closed – Implemented
Comments: In our FY 1999 summary report of IRS computer security weaknesses, we noted that IRS had not fully assessed risks for all of its facilities, networks, major systems, and data. We recommended that IRS develop procedures for assessing risk for all of IRS's facilities, networks, major systems, and taxpayer data on a regular, ongoing basis to ensure that controls are adequate. IRS has since developed security policy and guidance that require periodic risk assessments commensurate with the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information. As a result, IRS has greater assurance, through this policy, that its controls are adequate.
Agency Affected: Internal Revenue Service
Recommendation: The Commissioner of Internal Revenue should ensure that IRS completes the implementation of an effective service-wide computer security management program. This program should include procedures for periodically evaluating the effectiveness of controls over key computing resources at IRS facilities.
Status: Closed – Implemented
Comments: In our FY 1999 summary report of IRS computer security controls, we noted that IRS had not fully evaluated controls over key computing resources. We recommended that IRS periodically evaluate the effectiveness of controls over key computing resources at IRS facilities. IRS's Office of Security Services has established and implemented a program for reviewing and evaluating security controls over information systems at IRS facilities. As a result, IRS has greater assurance that its components comply with its security policies.
Agency Affected: Internal Revenue Service
Recommendation: The Commissioner of Internal Revenue should ensure that IRS completes the implementation of an effective service-wide computer security management program. This program should include procedures for implementing actions to correct or mitigate weaknesses identified during such computer control evaluations.
Status: Closed – Implemented
Comments: In our FY 1999 summary report of IRS computer security controls, we noted that IRS had not consistently implemented actions to eliminate or mitigate the weaknesses identified during computer control evaluations. We recommended that IRS implement actions to correct or mitigate weaknesses identified during such computer control evaluations. IRS, as verified by our follow-up general control reviews, has since implemented numerous corrective actions. As a result, IRS has enhanced its effectiveness in protecting taxpayer information against unauthorized access attempts.

Topics

Computer fraud, Computer security, Data integrity, Facility security, Internal controls, Natural disasters, Software, Tax administration systems, Tax information confidentiality, Taxpayer data