Information Security:

Continued Efforts Needed to Address Significant Weaknesses at IRS

GAO-09-136: Published: Jan 9, 2009. Publicly Released: Jan 9, 2009.

Contact:

Gregory C. Wilshusen
(202) 512-6244
contact@gao.gov


The Internal Revenue Service (IRS) relies extensively on computerized systems to carry out its demanding responsibilities to collect taxes (about $2.7 trillion in fiscal years 2008 and 2007), process tax returns, and enforce the nation's tax laws. Effective information security controls are essential to protect financial and taxpayer information from inadvertent or deliberate misuse, improper disclosure, or destruction. As part of its audits of IRS's fiscal years 2008 and 2007 financial statements, GAO assessed (1) the status of IRS's actions to correct previously reported weaknesses and (2) whether controls were effective in ensuring the confidentiality, integrity, and availability of financial and sensitive taxpayer information. To do this, GAO examined IRS information security policies and procedures and other documents; tested controls over key financial applications; and interviewed key agency officials.

IRS has continued to make progress in correcting previously reported information security weaknesses. It has corrected or mitigated 49 of the 115 weaknesses that GAO reported as unresolved during its last audit. For example, the agency (1) implemented controls for unauthenticated network access and user IDs on the mainframe, (2) encrypted sensitive data going across its network, (3) improved the patching of critical vulnerabilities, and (4) updated contingency plans to document critical business processes. However, most of the previously identified weaknesses remain unresolved. For example, IRS continues to, among other things, allow sensitive information, including IDs and passwords for mission-critical applications, to be readily available to any user on its internal network, and to grant excessive access to individuals who do not need it. According to IRS officials, they are continuing to address the uncorrected weaknesses and, subsequent to GAO site visits, had completed additional corrective actions.

Despite IRS's progress, information security control weaknesses continue to jeopardize the confidentiality, integrity, and availability of financial and sensitive taxpayer information. IRS did not consistently implement controls that were intended to prevent, limit, and detect unauthorized access to its systems and information. For example, IRS did not always (1) enforce strong password management for properly identifying and authenticating users; (2) authorize user access, including access to personally identifiable information, to permit only the access needed to perform job functions; (3) encrypt certain sensitive data; (4) effectively monitor changes on its mainframe; and (5) physically protect its computer resources.

A key reason for these weaknesses is that IRS has not yet fully implemented its agencywide information security program to ensure that controls are appropriately designed and operating effectively. Specifically, IRS did not annually review risk assessments for certain systems, comprehensively test for certain controls, or always validate the effectiveness of remedial actions. Until these weaknesses are corrected, the agency remains particularly vulnerable to insider threats, and IRS is at increased risk of unauthorized access to and disclosure, modification, or destruction of financial and taxpayer information, as well as inadvertent or deliberate disruption of system operations and services.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: In fiscal year 2011, we verified that IRS had ensured that its system risk assessments had been reviewed at least annually.

    Recommendation: In addition to implementing our previous recommendations, and to implement an agencywide information security program, the Commissioner of Internal Revenue should ensure risk assessments for IRS systems are reviewed at least annually.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  2. Status: Closed - Implemented

    Comments: In 2012, we validated that IRS implemented steps to improve the scope of testing by updating its standard operating procedures for system testing associated with its enterprise continuous monitoring process.

    Recommendation: In addition to implementing our previous recommendations, and to implement an agencywide information security program, the Commissioner of Internal Revenue should implement steps to improve the scope of testing and evaluating controls, such as those for weak passwords.

    Agency Affected: Department of the Treasury: Internal Revenue Service
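As an added example of what "testing and evaluating controls, such as those for weak passwords" in recommendation 2 can look like in practice, and of the password-management weakness noted in the findings above, the following Python script is included here; it is not code from the GAO report or from IRS. It checks an exported password policy against a baseline and then runs an offline dictionary test over stored credentials, the two questions an auditor asks of this control: is it configured correctly, and does it actually work? The baseline values, the policy export, the hash scheme (SHA-256 over salt + password) and the account records are all constructed assumptions for the example.

```python
"""Automated weak-password control test (added example; not IRS or GAO code).

It exercises two parts of the password-management control the report cites:
  1. configuration: is the system's policy at least as strict as a baseline?
  2. effectiveness: do stored credentials survive an offline dictionary test?
Everything below is constructed for the example. The hash scheme
(SHA-256 over salt + password), the baseline values, the policy export and
the account records are assumptions, not real IRS settings or data.
"""
import hashlib
from typing import Dict, Iterable, List

# Hypothetical baseline the auditor tests against (assumption).
BASELINE = {"min_length": 12, "max_age_days": 90, "history": 24, "lockout_threshold": 5}

# Constructed policy export from one system: min_length is weaker than the
# baseline and lockout_threshold is not configured at all.
SYSTEM_POLICY = {"min_length": 8, "max_age_days": 90, "history": 24}

# Constructed list of commonly guessed passwords.
WEAK_WORDS = ["password", "Password1", "Welcome1", "Summer2008", "changeme", "letmein"]


def hash_pw(salt: str, password: str) -> str:
    """Assumed storage format: hex SHA-256 of salt || password."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed account records. Hashes are computed here so the example is
# reproducible offline; a real test would read them from the credential store.
ACCOUNTS = [
    {"user": "appadmin", "salt": "a1", "hash": hash_pw("a1", "Welcome1")},      # in dictionary
    {"user": "batch01",  "salt": "b2", "hash": hash_pw("b2", "3K#v9q!Lm2zW")},  # should survive
    {"user": "dbowner",  "salt": "c3", "hash": hash_pw("c3", "Dbowner1")},      # derived from username
]


def policy_gaps(system: Dict[str, int], baseline: Dict[str, int]) -> List[str]:
    """Settings where the exported policy is weaker than the baseline.
    max_age_days is an upper bound; every other setting is a lower bound."""
    gaps = []
    for key, required in baseline.items():
        actual = system.get(key)
        if actual is None:
            gaps.append(f"{key}: not set")
        elif key == "max_age_days" and actual > required:
            gaps.append(f"{key}: {actual} > {required}")
        elif key != "max_age_days" and actual < required:
            gaps.append(f"{key}: {actual} < {required}")
    return gaps


def candidates(user: str, words: Iterable[str]) -> Iterable[str]:
    """Dictionary words plus the usual username-derived guesses."""
    yield from words
    for base in (user, user.capitalize()):
        for suffix in ("", "1", "123", "2008"):
            yield base + suffix


def guessable_accounts(accounts, words) -> Dict[str, str]:
    """Offline test: recompute each candidate with the account's own salt
    and report the accounts whose stored hash matches a guess."""
    hits = {}
    for acct in accounts:
        for guess in candidates(acct["user"], words):
            if hash_pw(acct["salt"], guess) == acct["hash"]:
                hits[acct["user"]] = guess
                break
    return hits


if __name__ == "__main__":
    for gap in policy_gaps(SYSTEM_POLICY, BASELINE):
        print("policy gap:", gap)
    for user, guess in guessable_accounts(ACCOUNTS, WEAK_WORDS).items():
        print(f"weak password: {user} ({guess!r})")
```

Both checks matter: a policy that reads correctly on paper says nothing about accounts created before it took effect, which is why the effectiveness test runs against the stored hashes rather than the configuration. Re-running the same script after remediation is also the simplest way to meet the report's other point, that corrective actions should be validated rather than assumed to work. The unsalted-looking SHA-256 scheme here is only for reproducibility; a real credential store should use a slow, salted password hash, and the test would then need a correspondingly smaller candidate list.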
