Information Security:

Further Efforts Needed to Address Significant Weaknesses at the Internal Revenue Service

GAO-07-364: Published: Mar 30, 2007. Publicly Released: Mar 30, 2007.

Contact:

Gregory C. Wilshusen
(202) 512-6244
contact@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

In fiscal year 2006, the Internal Revenue Service (IRS) collected about $2.5 trillion in tax payments and paid about $277 billion in refunds. Because IRS relies extensively on computerized systems, effective information security controls are essential to ensuring that financial and taxpayer information is adequately protected from inadvertent or deliberate misuse, fraudulent use, improper disclosure, or destruction. As part of its audit of IRS's fiscal years 2006 and 2005 financial statements, GAO assessed (1) IRS's actions to correct previously reported information security weaknesses and (2) whether controls were effective in ensuring the confidentiality, integrity, and availability of financial and sensitive taxpayer information. To do this, GAO examined IRS information security policies and procedures, guidance, security plans, reports, and other documents; tested controls over five critical applications at three IRS sites; and interviewed key security representatives and management officials.

IRS has made limited progress toward correcting or mitigating previously reported information security weaknesses at two data processing sites, but 66 percent of the weaknesses that GAO had previously identified still existed. Specifically, IRS has corrected or mitigated 25 of the 73 information security weaknesses that GAO reported as unresolved at the time of our last review. For example, IRS has improved password controls on its servers and enhanced audit and monitoring efforts for mainframe and Windows user activity, but it continues to (1) use inadequate account lockout settings for Windows servers and (2) inadequately verify employees' identities against official IRS photo identification. Significant weaknesses in access controls and other information security controls continue to threaten the confidentiality, integrity, and availability of IRS's financial and tax processing systems and information. For example, IRS has not implemented effective access controls related to user identification and authentication, authorization, cryptography, audit and monitoring, physical security, and other information security controls. These weaknesses could impair IRS's ability to perform vital functions and increase the risk of unauthorized disclosure, modification, or destruction of financial and sensitive taxpayer information. Accordingly, GAO has reported a material weakness in IRS's internal controls over its financial and tax processing systems. A primary reason for the new and old weaknesses is that IRS has not yet fully implemented its information security program. IRS has taken a number of steps to develop, document, and implement an information security program. However, the agency has not yet fully or consistently implemented critical elements of its program. Until IRS fully implements an agencywide information security program that includes risk assessments, enhanced policies and procedures, security plans, training, adequate tests and evaluations, and a continuity of operations process for all major systems, the financial and sensitive taxpayer information on its systems will remain vulnerable.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: In September 2009, we verified that IRS, in response to our recommendation, incorporated findings from GAO reports into the application risk assessments we reviewed.

    Recommendation: To help establish effective information security over key financial and tax processing systems, financial and sensitive taxpayer information, and interconnected networks, and to implement an agencywide information security program, the Internal Revenue Service (IRS) should update the risk assessments for the five systems reviewed to include the vulnerabilities identified in this report.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  2. Status: Closed - Implemented

    Comments: In December 2009, we verified that IRS updated its policies and procedures to include the needed guidance.

    Recommendation: To help establish effective information security over key financial and tax processing systems, financial and sensitive taxpayer information, and interconnected networks, and to implement an agencywide information security program, the Internal Revenue Service should update policies and procedures to include guidance on configuring mainframe IDs used by the operating system and certain powerful mainframe programs used to control processing.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  3. Status: Closed - Implemented

    Comments: In fiscal year 2008, we verified that IRS had completed a system security plan for the system that supports its general ledger for tax administration activities.

    Recommendation: To help establish effective information security over key financial and tax processing systems, financial and sensitive taxpayer information, and interconnected networks, and to implement an agencywide information security program, the Internal Revenue Service should develop a system security plan for the system that supports the general ledger for tax administration activities.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  4. Status: Closed - Implemented

    Comments: In September 2009, we verified that IRS, in response to our recommendation, implemented a mitigating control and manually enters external training taken by its employees.

    Recommendation: To help establish effective information security over key financial and tax processing systems, financial and sensitive taxpayer information, and interconnected networks, and to implement an agencywide information security program, the Internal Revenue Service should enhance the Enterprise Learning Management System to include all security-related training courses taken by IRS employees and contractors and to differentiate required training hours for all employees.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  5. Status: Closed - Implemented

    Comments: In September 2009, we verified that IRS, in response to our recommendation, updated its test and evaluation templates to include tests for the vulnerabilities identified in our report.

    Recommendation: To help establish effective information security over key financial and tax processing systems, financial and sensitive taxpayer information, and interconnected networks, and to implement an agencywide information security program, the Internal Revenue Service should update test and evaluation procedures to include tests for vulnerabilities identified in this report, such as password expiration, insecure protocols, and removal of system access after separation from the agency.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  6. Status: Closed - Not Implemented

    Comments: Although IRS has actions underway to improve its remedial action process, it has not yet fully implemented the actions and the condition continues to persist.

    Recommendation: To help establish effective information security over key financial and tax processing systems, financial and sensitive taxpayer information, and interconnected networks, and to implement an agencywide information security program, the Internal Revenue Service should implement a revised remedial action verification process that ensures actions are fully implemented.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  7. Status: Closed - Implemented

    Comments: In fiscal year 2008, we verified that IRS had documented weaknesses identified during security assessments in a remedial action plan.

    Recommendation: To help establish effective information security over key financial and tax processing systems, financial and sensitive taxpayer information, and interconnected networks, and to implement an agencywide information security program, the Internal Revenue Service should document weaknesses identified during security assessments in a remedial action plan.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  8. Status: Closed - Implemented

    Comments: In fiscal year 2008, we verified that IRS had implemented appropriate environmental controls for the computer room that houses the procurement system, including sufficient air conditioning and up-to-date fire extinguishers.

    Recommendation: To help establish effective information security over key financial and tax processing systems, financial and sensitive taxpayer information, and interconnected networks, and to implement an agencywide information security program, the Internal Revenue Service should provide adequate environmental controls for the computer room that houses the procurement system, such as a sufficient air-conditioning system and up-to-date fire extinguishers.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  9. Status: Closed - Implemented

    Comments: In fiscal year 2009, we verified that IRS has established an alternate processing site for the procurement application.

    Recommendation: To help establish effective information security over key financial and tax processing systems, financial and sensitive taxpayer information, and interconnected networks, and to implement an agencywide information security program, the Internal Revenue Service should establish an alternate processing site for the procurement application.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  10. Status: Closed - Implemented

    Comments: In July 2009, we verified that IRS, in response to our recommendation, tested the procurement system recovery plan.

    Recommendation: To help establish effective information security over key financial and tax processing systems, financial and sensitive taxpayer information, and interconnected networks, and to implement an agencywide information security program, the Internal Revenue Service should test the procurement system recovery plan.

    Agency Affected: Department of the Treasury: Internal Revenue Service
