Information Security: IRS Needs to Address Pervasive Weaknesses

GAO-08-211 Published: Jan 08, 2008. Publicly Released: Jan 08, 2008.

Highlights

The Internal Revenue Service (IRS) relies extensively on computerized systems to carry out its demanding responsibilities to collect taxes (about $2.7 trillion in fiscal year 2007), process tax returns, and enforce the nation's tax laws. Effective information security controls are essential to ensuring that financial and taxpayer information is adequately protected from inadvertent or deliberate misuse, fraudulent use, improper disclosure, or destruction. As part of its audit of IRS's fiscal years 2007 and 2006 financial statements, GAO assessed (1) IRS's actions to correct previously reported information security weaknesses and (2) whether controls were effective in ensuring the confidentiality, integrity, and availability of financial and sensitive taxpayer information. To do this, GAO examined IRS information security policies and procedures, guidance, security plans, reports, and other documents; tested controls over key financial applications at three IRS data centers; and interviewed key security representatives and management officials.

Recommendations

Recommendations for Executive Action

Agency Affected: Internal Revenue Service
Recommendation: To help establish effective information security over key financial processing systems, the Internal Revenue Service (IRS) should, in order to implement an agencywide information security program, update policies and procedures for configuring mainframe operations to ensure they provide the necessary detail for controlling and logging changes.
Status: Closed – Implemented. In December 2009, we verified that IRS, in response to our recommendation, updated its policies and procedures for configuring mainframe operations and reasonably provided the necessary detail for controlling and logging changes.

Agency Affected: Internal Revenue Service
Recommendation: To help establish effective information security over key financial processing systems, the Internal Revenue Service (IRS) should, in order to implement an agencywide information security program, identify individuals with significant security responsibilities to ensure they receive specialized training.
Status: Closed – Implemented. In fiscal year 2009, we reported that IRS has identified staff with significant security responsibilities to ensure they receive the appropriate training.

Agency Affected: Internal Revenue Service
Recommendation: To help establish effective information security over key financial processing systems, the Internal Revenue Service (IRS) should, in order to implement an agencywide information security program, expand scope for testing and evaluating controls to ensure more comprehensive testing.
Status: Closed – Implemented. GAO validated that IRS has expanded the scope of its procedures for testing and evaluating controls.

Agency Affected: Internal Revenue Service
Recommendation: To help establish effective information security over key financial processing systems, the Internal Revenue Service (IRS) should, in order to implement an agencywide information security program, enhance contractor oversight to better ensure that contractors' noncompliance with IRS information security policies is detected.
Status: Closed – Not Implemented. At the time of our audit work in 2012, although IRS has a program for reviewing contractor activities, it had not yet enhanced contractor oversight to better ensure contractors' noncompliance with its policies is detected.

Agency Affected: Internal Revenue Service
Recommendation: To help establish effective information security over key financial processing systems, the Internal Revenue Service (IRS) should, in order to implement an agencywide information security program, update remedial action plans to ensure that they include what, if any, resources are required to implement corrective actions.
Status: Closed – Implemented. GAO validated that IRS had ensured that its remedial action plans included what, if any, resources are required to implement corrective actions.

Agency Affected: Internal Revenue Service
Recommendation: To help establish effective information security over key financial processing systems, the Internal Revenue Service (IRS) should, in order to implement an agencywide information security program, identify and prioritize critical IRS business processes as part of contingency planning.
Status: Closed – Implemented. In fiscal year 2009, we reported that IRS had identified and prioritized business processes as part of contingency planning.

Agency Affected: Internal Revenue Service
Recommendation: To help establish effective information security over key financial processing systems, the Internal Revenue Service (IRS) should, in order to implement an agencywide information security program, test contingency plans at least annually.
Status: Closed – Implemented. In fiscal year 2009, we reported that, for the contingency plans that we reviewed, IRS had tested the plans annually.

Topics

Computer security; Data integrity; Financial institutions; Information classification; Information security; Information security management; Information security regulations; Internal controls; Tax returns; Taxes; Security standards