Information Security: IRS Needs to Address Pervasive Weaknesses

GAO-08-211: Published: Jan 8, 2008. Publicly Released: Jan 8, 2008.

Contact:

Gregory C. Wilshusen
(202) 512-6244
contact@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

The Internal Revenue Service (IRS) relies extensively on computerized systems to carry out its demanding responsibilities to collect taxes (about $2.7 trillion in fiscal year 2007), process tax returns, and enforce the nation's tax laws. Effective information security controls are essential to ensuring that financial and taxpayer information is adequately protected from inadvertent or deliberate misuse, fraudulent use, improper disclosure, or destruction. As part of its audit of IRS's fiscal years 2007 and 2006 financial statements, GAO assessed (1) IRS's actions to correct previously reported information security weaknesses and (2) whether controls were effective in ensuring the confidentiality, integrity, and availability of financial and sensitive taxpayer information. To do this, GAO examined IRS information security policies and procedures, guidance, security plans, reports, and other documents; tested controls over key financial applications at three IRS data centers; and interviewed key security representatives and management officials.

IRS made limited progress toward correcting previously reported information security weaknesses. It has corrected or mitigated 29 of the 98 information security weaknesses that GAO reported as unresolved at the time of its last review. For example, IRS implemented controls for user IDs for certain critical servers, improved physical protection for its procurement system, developed a security plan for a key financial system, and upgraded servers that had been using obsolete operating systems. In addition, IRS established enterprisewide objectives for improving information security, including initiatives for protecting and encrypting data, securing information technology assets, and building security into new applications. However, about 70 percent of the previously identified information security weaknesses remain unresolved. For example, IRS continues to, among other things, use passwords that are not complex, grant excessive access to individuals who do not need it, and install patches in an untimely manner.

In addition to this limited progress, other significant weaknesses in various controls continue to threaten the confidentiality and availability of IRS's financial processing systems and information, and limit assurance of the integrity and reliability of its financial and taxpayer information. IRS has not consistently implemented effective controls to prevent, limit, or detect unauthorized access to computing resources from within its internal network. For example, IRS did not always (1) enforce strong password management for properly identifying and authenticating users, (2) authorize user access to only permit access needed to perform job functions, (3) encrypt sensitive data, (4) effectively monitor changes on its mainframe, and (5) physically protect its computer resources.

In addition, IRS faces risks to its financial and taxpayer information due to weaknesses in implementing its configuration management policies, as well as appropriately segregating incompatible job duties. Accordingly, GAO has reported a material weakness in IRS's internal controls over its financial and tax processing systems. A key reason for the weaknesses is that the agency has not yet fully implemented its agencywide information security program to ensure that controls are effectively established and maintained. As a result, IRS is at increased risk of unauthorized disclosure, modification, or destruction of financial and taxpayer information.

Status Legend:

  • Review Pending: GAO has not yet assessed implementation status.
  • Open: Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed - implemented: Actions that satisfy the intent of the recommendation have been taken.
  • Closed - not implemented: While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.

Recommendations for Executive Action

Recommendation: To help establish effective information security over key financial processing systems, the Internal Revenue Service (IRS) should, in order to implement an agencywide information security program, identify and prioritize critical IRS business processes as part of contingency planning.

Agency Affected: Department of the Treasury: Internal Revenue Service

Status: Closed - Implemented

Comments: In fiscal year 2009, we reported that IRS had identified and prioritized business processes as part of contingency planning.

Recommendation: To help establish effective information security over key financial processing systems, the Internal Revenue Service (IRS) should, in order to implement an agencywide information security program, update remedial action plans to ensure that they include what, if any, resources are required to implement corrective actions.

Agency Affected: Department of the Treasury: Internal Revenue Service

Status: Closed - Implemented

Comments: GAO validated that IRS had ensured that its remedial action plans included what, if any, resources are required to implement corrective actions.

Recommendation: To help establish effective information security over key financial processing systems, the Internal Revenue Service (IRS) should, in order to implement an agencywide information security program, enhance contractor oversight to better ensure that contractors' noncompliance with IRS information security policies is detected.

Agency Affected: Department of the Treasury: Internal Revenue Service

Status: Closed - Not Implemented

Comments: At the time of our audit work in 2012, although IRS had a program for reviewing contractor activities, it had not yet enhanced contractor oversight to better ensure that contractors' noncompliance with its policies is detected.

Recommendation: To help establish effective information security over key financial processing systems, the Internal Revenue Service (IRS) should, in order to implement an agencywide information security program, expand the scope of testing and evaluating controls to ensure more comprehensive testing.

Agency Affected: Department of the Treasury: Internal Revenue Service

Status: Closed - Implemented

Comments: GAO validated that IRS has expanded the scope of its procedures for testing and evaluating controls.

Recommendation: To help establish effective information security over key financial processing systems, the Internal Revenue Service (IRS) should, in order to implement an agencywide information security program, identify individuals with significant security responsibilities to ensure they receive specialized training.

Agency Affected: Department of the Treasury: Internal Revenue Service

Status: Closed - Implemented

Comments: In fiscal year 2009, we reported that IRS had identified staff with significant security responsibilities to ensure they receive the appropriate training.

Recommendation: To help establish effective information security over key financial processing systems, the Internal Revenue Service (IRS) should, in order to implement an agencywide information security program, update policies and procedures for configuring mainframe operations to ensure they provide the necessary detail for controlling and logging changes.

Agency Affected: Department of the Treasury: Internal Revenue Service

Status: Closed - Implemented

Comments: In December 2009, we verified that IRS, in response to our recommendation, updated its policies and procedures for configuring mainframe operations and reasonably provided the necessary detail for controlling and logging changes.

Recommendation: To help establish effective information security over key financial processing systems, the Internal Revenue Service (IRS) should, in order to implement an agencywide information security program, test contingency plans at least annually.

Agency Affected: Department of the Treasury: Internal Revenue Service

Status: Closed - Implemented

Comments: In fiscal year 2009, we reported that, for the contingency plans that we reviewed, IRS had tested the plans annually.
