This is the accessible text file for GAO report number GAO-09-136 entitled 'Information Security: Continued Efforts Needed to Address Significant Weaknesses at IRS' which was released on January 9, 2009.

This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version.

We welcome your feedback. Please e-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov.

This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.

Report to the Commissioner of Internal Revenue:

United States Government Accountability Office:
GAO:

January 2009:

Information Security: Continued Efforts Needed to Address Significant Weaknesses at IRS:

GAO-09-136:

GAO Highlights:

Highlights of GAO-09-136, a report to the Commissioner of Internal Revenue.

Why GAO Did This Study:

The Internal Revenue Service (IRS) relies extensively on computerized systems to carry out its demanding responsibilities to collect taxes (about $2.7 trillion in fiscal years 2008 and 2007), process tax returns, and enforce the nation’s tax laws. Effective information security controls are essential to protect financial and taxpayer information from inadvertent or deliberate misuse, improper disclosure, or destruction.

As part of its audits of IRS’s fiscal years 2008 and 2007 financial statements, GAO assessed (1) the status of IRS’s actions to correct previously reported weaknesses and (2) whether controls were effective in ensuring the confidentiality, integrity, and availability of financial and sensitive taxpayer information. To do this, GAO examined IRS information security policies and procedures and other documents; tested controls over key financial applications; and interviewed key agency officials.

What GAO Found:

IRS has continued to make progress in correcting previously reported information security weaknesses. It has corrected or mitigated 49 of the 115 weaknesses that GAO reported as unresolved during its last audit. For example, the agency:

* implemented controls for unauthenticated network access and user IDs on the mainframe,
* encrypted sensitive data going across its network,
* improved the patching of critical vulnerabilities, and
* updated contingency plans to document critical business processes.

However, most of the previously identified weaknesses remain unresolved. For example, IRS continues to, among other things, allow sensitive information, including IDs and passwords for mission-critical applications, to be readily available to any user on its internal network, and grant excessive access to individuals who do not need it. According to IRS officials, they are continuing to address the uncorrected weaknesses and, subsequent to GAO site visits, had completed additional corrective actions.

Despite IRS’s progress, information security control weaknesses continue to jeopardize the confidentiality, integrity, and availability of financial and sensitive taxpayer information. IRS did not consistently implement controls that were intended to prevent, limit, and detect unauthorized access to its systems and information. For example, IRS did not always:

* enforce strong password management for properly identifying and authenticating users;
* authorize user access, including access to personally identifiable information, to permit only the access needed to perform job functions;
* encrypt certain sensitive data;
* effectively monitor changes on its mainframe; and
* physically protect its computer resources.

A key reason for these weaknesses is that IRS has not yet fully implemented its agencywide information security program to ensure that controls are appropriately designed and operating effectively. Specifically, IRS did not annually review risk assessments for certain systems, comprehensively test for certain controls, or always validate the effectiveness of remedial actions. Until these weaknesses are corrected, the agency remains particularly vulnerable to insider threats and IRS is at increased risk of unauthorized access to and disclosure, modification, or destruction of financial and taxpayer information, as well as inadvertent or deliberate disruption of system operations and services.

What GAO Recommends:

To fully implement an agencywide information security program, GAO recommends that the Commissioner of Internal Revenue (1) ensure risk assessments for IRS systems are reviewed at least annually and (2) implement steps to improve the testing and evaluating of controls. In commenting on a draft of this report, IRS agreed to develop a plan addressing each of the recommendations.

To view the full product, including the scope and methodology, click on [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-09-136]. For more information, contact Nancy Kingsbury at (202) 512-2700 or kingsburyn@gao.gov or Gregory Wilshusen at (202) 512-6244 or wilshuseng@gao.gov.
[End of section]

Contents:

Letter:
Results in Brief:
Background:
IRS Demonstrated Progress in Correcting Previously Reported Weaknesses:
Weaknesses Placed Financial and Taxpayer Information at Risk:
Conclusions:
Recommendations for Executive Action:
Agency Comments:

Appendix I: Objectives, Scope, and Methodology:
Appendix II: Comments from the Internal Revenue Service:
Appendix III: GAO Contacts and Staff Acknowledgments:

Figure:
Figure 1: Previously Identified Weaknesses at IRS Locations:

Abbreviations:
CIO: Chief Information Officer:
FISMA: Federal Information Security Management Act:
IG: Inspector(s) General:
MITS: Modernization and Information Technology Services:
NIST: National Institute of Standards and Technology:
OMB: Office of Management and Budget:

[End of section]

United States Government Accountability Office:
Washington, DC 20548:

January 9, 2009:

The Honorable Douglas Shulman:
Commissioner of Internal Revenue:

Dear Commissioner Shulman:

The Internal Revenue Service (IRS) has a demanding responsibility in collecting taxes, processing tax returns, and enforcing the nation's tax laws. It relies extensively on computerized systems to support its financial and mission-related operations. Effective information system controls are essential for protecting the confidentiality, integrity, and availability of financial and sensitive taxpayer information and ensuring that information is adequately protected from inadvertent or deliberate misuse, fraudulent use, improper disclosure, or destruction. As part of our audit of IRS's fiscal years 2008 and 2007 financial statements,[Footnote 1] we assessed the effectiveness of the agency's information security controls[Footnote 2] over key financial systems, information, and interconnected networks at four locations. These systems support the processing, storage, and transmission of financial and sensitive taxpayer information.
In our report on IRS's fiscal years 2008 and 2007 financial statements, we reported that the new information security deficiencies we identified in fiscal year 2008 and the unresolved deficiencies from prior audits represent a material weakness[Footnote 3] in internal controls over financial and tax processing systems. We assessed (1) the status of IRS's actions to correct or mitigate previously reported information security weaknesses and (2) whether controls over key financial and tax processing systems are effective in ensuring the confidentiality, integrity, and availability of financial and sensitive taxpayer information.

We conducted this work from April 2008 to January 2009, in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. For additional information about our objectives, scope, and methodology, refer to appendix I.

Results in Brief:

IRS has continued to make progress in correcting previously reported information security weaknesses. It has corrected or mitigated 49 of the 115 information security weaknesses that we reported as unresolved at the time of our last review. For example, the agency implemented controls for unauthenticated network access and user IDs on the mainframe, encrypted sensitive data going across its network, improved the patching of critical vulnerabilities, and updated contingency plans to document critical business processes. In addition, IRS has several initiatives under way that are designed to improve information security, such as implementing a comprehensive plan to address numerous weaknesses related to network and system access, among other issues.
However, about 57 percent of the previously identified weaknesses remain unresolved. For example, IRS continues to, among other things, allow sensitive information, including IDs and passwords for mission-critical applications, to be readily available to any user on its internal network, and grant excessive access to individuals who do not need it. According to IRS officials, they are continuing to address the uncorrected weaknesses and, subsequent to our site visits, had completed additional corrective actions.

Despite IRS's progress, information security control weaknesses continue to jeopardize the confidentiality, integrity, and availability of financial and sensitive taxpayer information. IRS did not consistently implement controls that were intended to prevent, limit, and detect unauthorized access to its systems and information. For example, IRS did not always (1) enforce strong password management for properly identifying and authenticating users; (2) authorize user access, including access to personally identifiable information, to permit only the access needed to perform job functions; (3) encrypt certain sensitive data; (4) effectively monitor changes on its mainframe; and (5) physically protect its computer resources. A key reason for these weaknesses is that IRS has not yet fully implemented its agencywide information security program to ensure that controls are appropriately designed and operating effectively. Specifically, IRS did not review risk assessments at least annually for certain systems, comprehensively test certain controls, or always validate the effectiveness of remedial actions. Until these weaknesses are corrected, the agency remains particularly vulnerable to insider threats and IRS is at increased risk of unauthorized access to and disclosure, modification, or destruction of financial and taxpayer information, as well as inadvertent or deliberate disruption of system operations and services.
We are making recommendations to the Commissioner of Internal Revenue to fully implement a comprehensive agencywide information security program. In a separate report with limited distribution, we are making recommendations to correct the specific weaknesses we identified during our review.

In providing written comments on a draft of this report, the Commissioner of Internal Revenue stated that the security and privacy of taxpayer information is of the utmost importance to the agency and noted that IRS is committed to securing its computer environment as it continually evaluates processes, promotes user awareness, and applies innovative ideas to increase compliance. He further stated that IRS would develop a detailed corrective action plan addressing each of our recommendations.

Background:

Information security is a critical consideration for any organization that depends on information systems and computer networks to carry out its mission or business. It is especially important for government agencies, where maintaining the public's trust is essential. The dramatic expansion in computer interconnectivity and the rapid increase in the use of the Internet have revolutionized the way our government, our nation, and much of the world communicates and conducts business. Although this expansion has created many benefits for agencies such as IRS in achieving their missions and providing information to the public, it also exposes federal networks and systems to various threats. Without proper safeguards, computer systems are vulnerable to individuals and groups with malicious intent who can intrude and use their access to obtain sensitive information, commit fraud, disrupt operations, or launch attacks against other computer systems and networks.
The risks to these systems are well-founded for a number of reasons, including the dramatic increase in reports of security incidents, the ease of obtaining and using hacking tools, and steady advances in the sophistication and effectiveness of attack technology. For example, the Office of Management and Budget cited[Footnote 4] a total of 12,198 incidents reported to the U.S. Computer Emergency Readiness Team (US-CERT)[Footnote 5] by federal agencies during fiscal year 2007, which is more than twice the number of incidents reported the prior year. The Federal Bureau of Investigation has identified multiple sources of threats, including foreign nation states engaged in intelligence gathering and information warfare, domestic criminals, hackers, virus writers, and disgruntled employees or contractors working within an organization. In addition, the U.S. Secret Service and the CERT Coordination Center[Footnote 6] studied insider threats and stated in a May 2005 report that "insiders pose a substantial threat by virtue of their knowledge of, and access to, employer systems and/or databases."

Our previous reports, and those by federal inspectors general, describe persistent information security weaknesses that place federal agencies, including IRS, at risk of disruption, fraud, or inappropriate disclosure of sensitive information. Accordingly, we have designated information security as a governmentwide high-risk area since 1997,[Footnote 7] a designation that remains in force today. Recognizing the importance of securing federal agencies' information systems, Congress enacted the Federal Information Security Management Act (FISMA) in December 2002[Footnote 8] to strengthen the security of information and systems within federal agencies.
FISMA requires each agency to develop, document, and implement an agencywide information security program for the information and systems that support the operations and assets of the agency, using a risk-based approach to information security management. Such a program includes assessing risk; developing and implementing cost-effective security plans, policies, and procedures; providing specialized training; testing and evaluating the effectiveness of controls; planning, implementing, evaluating, and documenting remedial actions to address information security deficiencies; and ensuring continuity of operations.

IRS has demanding responsibilities in collecting taxes, processing tax returns, and enforcing the nation's tax laws, and relies extensively on computerized systems to support its financial and mission-related operations. IRS collected about $2.7 trillion in tax payments in fiscal years 2008 and 2007; processed hundreds of millions of tax and information returns; and paid about $426 billion and $292 billion, respectively, in refunds to taxpayers. Further, the size and complexity of IRS adds unique operational challenges. The agency employs tens of thousands of people in its Washington, D.C., headquarters, 10 service center campuses, 3 computing centers, and numerous other field offices throughout the United States. IRS also collects and maintains a significant amount of personal and financial information on each American taxpayer. The confidentiality of this sensitive information must be protected; otherwise, taxpayers could be exposed to loss of privacy and to financial loss and damages resulting from identity theft or other financial crimes.

The Commissioner of Internal Revenue has overall responsibility for ensuring the confidentiality, integrity, and availability of the information and information systems that support the agency and its operations.
FISMA requires the Chief Information Officers (CIO) at federal agencies to be responsible for developing and maintaining an information security program. Within IRS, this responsibility is delegated to the Associate CIO for Cybersecurity. The Office of Cybersecurity is within the CIO's Modernization and Information Technology Services (MITS) organization. The mission of MITS is to deliver information technology services and solutions that drive effective tax administration to ensure public confidence. MITS's goals are to improve service, deliver modernization, increase value, and assure the security and resilience of IRS information systems and data. The Office of Cybersecurity is responsible for ensuring IRS's compliance with federal laws, policies, and guidelines governing measures to assure the confidentiality, integrity, and availability of IRS electronic systems, services, and data. The Office of Cybersecurity is to manage IRS's information security program in accordance with FISMA, including to perform assessments of risks; track compliance; identify, mitigate and monitor cybersecurity threats; determine strategy and priorities; and monitor security program implementation. In order for IRS organizations to carry out their respective responsibilities in information security, information security policies, guidelines, standards and procedures have been developed and published in the Internal Revenue Manual.

IRS Demonstrated Progress in Correcting Previously Reported Weaknesses:

Although IRS has continued to make progress toward correcting previously reported information security weaknesses at three data centers and an additional facility, many deficiencies remain. It has corrected or mitigated 49 of the 115 information security weaknesses that we reported as unresolved at the time of our last review. IRS corrected weaknesses related to access controls, including physical security, among others.
For example, it has:

* implemented controls for unauthenticated network access and user IDs on the mainframe;
* further limited access to its mainframe environment by limiting access to system management utility functions and mainframe console commands;
* taken several measures to protect information traversing its network, such as installing a secure communication service for encryption;
* taken steps to improve its auditing and monitoring capability by retaining audit logs of security-relevant events for its administrative accounting system and ensuring that audit logs were being created for such events on its procurement system;
* removed authority for unrestricted physical access to the computer room and tape library from individuals who did not need it to perform their job;
* improved controls over physical access proximity cards;
* enhanced periodic reviews of mainframe configurations;
* improved the disposal of removable media;
* improved patching of critical vulnerabilities, as well as the timeliness of applying patches at certain facilities; and
* updated contingency plans to document critical business processes.

In addition, IRS has made progress in improving its information security program. For example, the agency completed an organizational realignment, including creation of the Associate CIO for Cybersecurity position, and has several initiatives under way that are designed to improve information security. IRS has developed and documented a detailed road map to guide its efforts in targeting critical weaknesses. Additionally, it is in the process of implementing a comprehensive plan to address numerous information security weaknesses, such as those associated with network and system access, audit trails, system software configuration, security roles and responsibilities, and contingency planning. These efforts are a positive step toward improving the agency's overall information security posture.
Although IRS has moved to correct previously identified security weaknesses, 66 out of 115 weaknesses--or about 57 percent--remained open or unmitigated at the time of our site visits (see figure 1).

Figure 1: Previously Identified Weaknesses at IRS Locations:

[Refer to PDF for image]

This figure is a stacked vertical bar graph depicting the following data:

Location: Data center 1; Corrective action not fully implemented: 27; Weakness corrected or mitigated: 21.
Location: Data center 2; Corrective action not fully implemented: 21; Weakness corrected or mitigated: 12.
Location: Data center 3; Corrective action not fully implemented: 10; Weakness corrected or mitigated: 2.
Location: Other facility; Corrective action not fully implemented: 8; Weakness corrected or mitigated: 14.
Total (all four locations): Corrective action not fully implemented: 66; Weakness corrected or mitigated: 49.

Source: GAO analysis of agency data.

[End of figure]

Unmitigated deficiencies include those related to access controls, as well as other controls such as configuration management and personnel security. For example, IRS continues to, among other things:

* allow sensitive information, including user IDs and passwords for mission-critical applications, to be readily available to any user on IRS's internal network;
* use passwords that are not complex enough to avoid being guessed or cracked;
* grant excessive electronic access to individuals;
* inconsistently apply patches; and
* not remove separated employees' access in a timely manner for one of its systems.

Such weaknesses increase the risk of compromise of critical IRS systems and information. According to IRS officials, they are continuing to address the uncorrected weaknesses, and subsequent to our site visits, they had completed corrective actions for some of the weaknesses.
Weaknesses Placed Financial and Taxpayer Information at Risk:

Although IRS has continued to make progress toward correcting previously reported information security weaknesses at its three data centers, as well as an additional facility, many deficiencies remain. These deficiencies include those related to access controls, as well as other controls such as configuration management and personnel security. A key reason for these weaknesses is that IRS has not yet fully implemented its agencywide information security program to ensure that controls are appropriately designed and operating effectively. Furthermore, these weaknesses continue to jeopardize the confidentiality, integrity, and availability of IRS's systems and contributed to IRS's material weakness in information security during the fiscal year 2008 financial statement audit.

IRS Did Not Fully Implement Access Controls:

A basic management objective for any organization is to protect the resources that support its critical operations from unauthorized access. Organizations accomplish this objective by designing and implementing controls that are intended to prevent, limit, and detect unauthorized access to computing resources, programs, information, and facilities. Inadequate access controls potentially diminish the reliability of computerized information and increase the risk of unauthorized disclosure, modification, and destruction of sensitive information and disruption of service. Access controls include those related to user identification and authentication, authorization, cryptography, audit and monitoring, and physical security. IRS did not fully implement controls in the areas listed above, as the following sections in this report demonstrate.

Weaknesses Exist in Controls for Identification and Authentication:

A computer system must be able to identify and authenticate different users so that activities on the system can be linked to specific individuals.
When an organization assigns unique user accounts to specific users, the system is able to distinguish one user from another--a process called identification. The system also must establish the validity of a user's claimed identity by requesting some kind of information, such as a password, that is known only by the user--a process known as authentication. The combination of identification and authentication--such as user account/password combinations--provides the basis for establishing individual accountability and for controlling access to the system.

According to the Internal Revenue Manual, passwords should be protected from unauthorized disclosure and modification when stored and transmitted. The Internal Revenue Manual also requires IRS to enforce strong passwords for authentication (defined as a minimum of eight characters, containing at least one numeric or special character, and a mixture of at least one uppercase and one lowercase letter).

Although IRS had implemented controls for identification and authentication, weaknesses continued to exist at two of the sites we visited. Specifically, usernames and passwords were still viewable on an IRS contractor-maintained Web site at one of its data centers. In addition, the agency continued to store passwords in scripts and did not enforce the use of strong passwords for systems at another data center. As a result, increased risk exists that an individual could view or guess these passwords and use them to gain unauthorized access to IRS systems.

Users Have More System Access Than Needed to Perform Their Jobs:

Authorization is the process of granting or denying access rights and permissions to a protected resource, such as a network, a system, an application, a function, or a file. A key component of granting or denying access rights is the concept of "least privilege." Least privilege is a basic principle for securing computer resources and information.
This principle means that users are granted only those access rights and permissions that they need to perform their official duties. To restrict legitimate users' access to only those protected resources that they need to do their work, organizations establish access rights and permissions. "User rights" are allowable actions that can be assigned to individual users or groups of users. File and directory permissions are rules that regulate which users can access a particular file or directory and the extent of that access. To avoid unintentionally authorizing users' access to sensitive files and directories, an organization must give careful consideration to its assignment of rights and permissions.

The Internal Revenue Manual requires that system access be assigned based on least privilege--allowing access at the minimum level necessary to support the user's job duties. The Internal Revenue Manual also specifies that only individuals having a "need to know" in the performance of their duties should have access to sensitive information including that deemed as personally identifiable information.

IRS permitted users more privileges on its systems than needed to perform their official duties. For example, IRS integrated network device controls with its Windows management controls that could provide users with excessive access to its network infrastructure. According to IRS officials, the agency made a cost-based decision to implement this configuration. In addition, IRS did not restrict access to sensitive personally identifiable information. To illustrate, the agency allowed authenticated users on its network access to shared drives containing taxpayer information, as well as performance appraisal information for IRS employees including their social security numbers. This information could allow someone to commit fraud or identity theft.
In another example, the agency did not restrict access to tax data for a major corporation and allowed all employees with network access the potential to view this information. These excessive privileges could allow users unwarranted access to IRS's network or enable them to access information not needed for their jobs and could place IRS systems or information at risk.

IRS Transmitted Certain Sensitive Data Across Its Network Unencrypted:

Cryptography underlies many of the mechanisms used to enforce the confidentiality and integrity of critical and sensitive information. A basic element of cryptography is encryption. Encryption can be used to provide basic data confidentiality and integrity by transforming plain text into cipher text using a special value known as a key and a mathematical process known as an algorithm. IRS policy requires the use of encryption for transferring sensitive but unclassified information between IRS facilities. The National Security Agency also recommends disabling protocols that do not encrypt information transmitted across the network, such as user ID and password combinations.

Although IRS had implemented controls to encrypt information traversing its network, it did not always ensure certain sensitive data was encrypted. For example, one data center has not yet disabled unencrypted protocol services for all its UNIX servers. Similarly, at another center, users' login information is still being sent across the IRS internal network in clear text, potentially exposing account usernames and passwords. More importantly, IRS continues to transmit data, such as account and financial information, from its financial accounting system using an unencrypted protocol. By transmitting data unencrypted, IRS is at increased risk that an unauthorized individual could view sensitive information.
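The identification and authentication section above quotes two Internal Revenue Manual requirements, a minimum password composition and protection of stored passwords, and reports that passwords were still stored in scripts. The following is an added example, not code from the report or from IRS: a check that applies the quoted composition rule, and a scanner for credentials embedded in batch or shell scripts. The credential patterns, the sample script, and the values in it are constructed for illustration.

```python
import re

# Password rule as the report quotes it from the Internal Revenue Manual:
# at least eight characters, at least one numeric or special character,
# and at least one uppercase and one lowercase letter.
MIN_LENGTH = 8


def meets_irm_policy(password):
    """True if the password satisfies the composition rule stated in the report."""
    if len(password) < MIN_LENGTH:
        return False
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_digit_or_special = any(c.isdigit() or not c.isalnum() for c in password)
    return has_upper and has_lower and has_digit_or_special


# Patterns that commonly embed a credential in batch/shell/SQL scripts.
# Illustrative rules chosen for this example, not an exhaustive secret scanner.
CREDENTIAL_PATTERNS = [
    # DB_PASSWORD=summer08, password: "x", set PWD=...
    re.compile(r'(?i)\b\w*(?:password|passwd|pwd)\w*\s*[=:]\s*["\']?([^"\'\s;]+)'),
    # sqlplus user/secret@service  -> the secret follows the slash
    re.compile(r'(?i)\bsqlplus\s+\S+?/([^\s@]+)'),
]


def find_cleartext_passwords(script_text):
    """Return (line_number, value) for each line that appears to embed a password.

    Values taken from a variable ($VAR, %VAR%) are skipped: a secret supplied at
    run time rather than stored in the file is the behaviour we want to see.
    """
    hits = []
    for lineno, line in enumerate(script_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for pat in CREDENTIAL_PATTERNS:
            m = pat.search(line)
            if m and not m.group(1).startswith(("$", "%")):
                hits.append((lineno, m.group(1)))
                break
    return hits


def audit_script(script_text):
    """Every stored password is a finding regardless of strength; also record
    whether it would even satisfy the policy if it were typed interactively."""
    return [
        {"line": ln, "stored_in_clear": True, "meets_policy": meets_irm_policy(v)}
        for ln, v in find_cleartext_passwords(script_text)
    ]


# Constructed sample; not an IRS script. Both secrets below are fictitious.
SAMPLE_SCRIPT = """\
#!/bin/sh
# nightly load for an accounting database (constructed sample)
DB_USER=batchload
DB_PASSWORD=summer08
sqlplus report/Rep0rt!x@FINDB @monthly.sql
export API_PASSWORD="$VAULT_PASSWORD"
"""

if __name__ == "__main__":
    for finding in audit_script(SAMPLE_SCRIPT):
        print(finding)
```

Line 4 is flagged and also fails the policy (no uppercase letter); line 5 is flagged even though the value is policy-compliant, because the finding in the report is that the password is stored in the clear at all. Line 6 is not flagged: the value comes from the environment at run time.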
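The encryption section above reports UNIX servers with unencrypted protocol services still enabled and logins crossing the network in clear text. As an added example (not code from the report or from IRS), the following checks a classic inetd.conf and a netstat listing for services that carry credentials in the clear, and shows the corresponding fix of commenting those entries out. The service list, the sample configuration, and the sample listener output are constructed for this example.

```python
# Services that carry logins or data in the clear over TCP. The NSA guidance the
# report cites recommends disabling such protocols; this particular set is an
# assumption chosen for the example, not taken from the report.
CLEARTEXT_SERVICES = {"telnet", "ftp", "shell", "login", "exec", "tftp", "rsh", "rlogin"}

# Well-known ports for the same protocols, for servers started outside inetd.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 512: "exec", 513: "login", 514: "shell"}


def enabled_inetd_services(inetd_conf):
    """Return (service, server_path) for every active (non-commented) entry.

    Line format: service socket_type protocol wait/nowait user server [args]
    """
    enabled = []
    for line in inetd_conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed entry; inetd would reject it too
        enabled.append((fields[0], fields[5]))
    return enabled


def cleartext_services_enabled(inetd_conf):
    """Names of cleartext services that inetd would still start."""
    return sorted(svc for svc, _ in enabled_inetd_services(inetd_conf)
                  if svc in CLEARTEXT_SERVICES)


def harden_inetd(inetd_conf):
    """Return the config with every cleartext service commented out (the fix).
    Entries already commented out and all other services are left untouched."""
    out = []
    for line in inetd_conf.splitlines():
        fields = line.split()
        if fields and not line.lstrip().startswith("#") and fields[0] in CLEARTEXT_SERVICES:
            out.append("#" + line + "  # disabled: cleartext protocol; use ssh/sftp")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def listening_cleartext_ports(netstat_output):
    """(port, name) for LISTEN sockets on cleartext ports in 'netstat -tln' output."""
    found = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[-1] == "LISTEN":
            port = int(fields[3].rsplit(":", 1)[1])
            if port in CLEARTEXT_PORTS:
                found.append((port, CLEARTEXT_PORTS[port]))
    return sorted(found)


# Constructed sample /etc/inetd.conf for this example.
SAMPLE_INETD_CONF = """\
# /etc/inetd.conf (constructed sample)
ftp     stream  tcp  nowait  root  /usr/sbin/in.ftpd     in.ftpd -l
telnet  stream  tcp  nowait  root  /usr/sbin/in.telnetd  in.telnetd
#shell  stream  tcp  nowait  root  /usr/sbin/in.rshd     in.rshd
login   stream  tcp  nowait  root  /usr/sbin/in.rlogind  in.rlogind
ssh     stream  tcp  nowait  root  /usr/sbin/sshd        sshd -i
"""

# Constructed sample of 'netstat -tln' output for this example.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:21             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
"""

if __name__ == "__main__":
    print("inetd cleartext services:", cleartext_services_enabled(SAMPLE_INETD_CONF))
    print("listening cleartext ports:", listening_cleartext_ports(SAMPLE_NETSTAT))
    print(harden_inetd(SAMPLE_INETD_CONF))
```

The two checks complement each other: the inetd.conf review shows what is configured to start on demand, while the listener review catches a telnet or FTP daemon started standalone or from an rc script, which an inetd.conf review alone would miss. Disabling these services is only the first step; the report's finding that login information still crossed the network in clear text also requires the client side (scripts and users) to move to the encrypted replacement.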
IRS Did Not Always Effectively Monitor Its Systems:

To establish individual accountability, monitor compliance with security policies, and investigate security violations, it is crucial to know what, when, and by whom specific actions have been taken on a system. Organizations accomplish this by implementing system or security software that provides an audit trail, or logs of system activity, that they can use to determine the source of a transaction or attempted transaction and to monitor users' activities. The way in which organizations configure system or security software determines the nature and extent of information that can be provided by the audit trail. To be effective, organizations should configure their software to collect and maintain audit trails that are sufficient to track security-relevant events.

IRS did not always effectively monitor its systems. For example, IRS had not configured security software controls to log changes to datasets that would support effective monitoring of the mainframe at one of its data centers. In addition, other weaknesses include inadequate logging of security-relevant events for UNIX and Windows servers at one data center and for UNIX servers at another. By not effectively logging changes to its systems, IRS will not have assurance that it will be able to detect unauthorized system changes that could adversely affect operations, or appropriately detect security-relevant events.

IRS Did Not Always Fully Implement Controls for Physical Security:

Physical access controls are used to mitigate the risks to systems, buildings, and supporting infrastructure related to their physical environment and to control the entry and exit of personnel in buildings, as well as data centers containing agency resources. Examples of physical security controls include perimeter fencing, surveillance cameras, security guards, and locks.
Without these protections, IRS computing facilities and resources could be exposed to espionage, sabotage, damage, and theft. The Internal Revenue Manual requires that all authorized visitors and their packages and briefcases be examined when entering an IRS facility. In addition, data center security checkpoint procedures require that officers specifically screen for cameras and other items that are prohibited from IRS facilities. The Internal Revenue Manual also states that the authorized access list into restricted areas will be prepared monthly and dated and signed by the branch chief, but not before the branch chief validates the need of individuals to access the restricted area.

Although IRS had implemented numerous physical security controls, certain controls were not working as intended, and the agency had not fully implemented others. For example, security guards at one data center did not ensure that visitors and their possessions were properly screened when entering the facility. Our staff inadvertently included digital cameras in packed luggage. Despite screening the luggage with the magnetometer, the guards did not question our staff about the prohibited items. In another example, IRS prepared access lists identifying personnel authorized to enter sensitive areas at two centers and at an additional facility; however, the branch chiefs at the three sites had not signed or dated the lists as required. This step is essential in verifying that employees continue to warrant access into restricted areas. As a result, increased risk exists that prohibited items and individuals may inappropriately be permitted access to IRS facilities and restricted areas.

IRS Had Not Fully Implemented Other Information Security Controls:

In addition to access controls, other important controls should be in place to ensure the confidentiality, integrity, and availability of an organization's information.
These controls include policies, procedures, and techniques for securely configuring information systems and implementing personnel security. Weaknesses in these areas increase the risk of unauthorized use, disclosure, modification, or loss of IRS's information and information systems.

Configuration Management Requirements Were Inconsistently Implemented:

The purpose of configuration management is to establish and maintain the integrity of an organization's work products. The Internal Revenue Manual states that IRS shall establish and maintain baseline configurations and inventories of organizational information systems and monitor and control any changes to the baseline configurations. Proactively managing vulnerabilities of systems will reduce or eliminate the potential for exploitation and involves considerably less time and effort than responding after an exploit has occurred. Patch management, a component of configuration management, is an important factor in mitigating software vulnerability risks. Patch installation can help diminish vulnerabilities associated with flaws in software code. Attackers often exploit these flaws to read, modify, or delete sensitive information; disrupt operations; or launch attacks against other organizations' systems. The Internal Revenue Manual requires that all vendor-supplied security patches be installed on all IRS systems.

IRS did not fully implement its policies for managing changes to its systems. Specifically, IRS did not maintain or enforce a baseline configuration for one data center's mainframe system, which supports the revenue accounting system of record and other applications. In addition, IRS used an unsupported software package that was not current and thus vulnerable to attack. Specifically, certain IRS servers were running an outdated version of software that was no longer supported by the vendor and, therefore, could not be patched against a known vulnerability.
As a result, IRS has limited assurance that system changes are being properly monitored and that its systems are protected against new vulnerabilities.

IRS Did Not Always Implement Personnel Security Controls:

The greatest harm or disruption to a system comes from the actions, both intentional and unintentional, of individuals. These intentional and unintentional actions can be reduced through the implementation of personnel security controls. According to the National Institute of Standards and Technology (NIST), personnel security controls help organizations ensure that individuals occupying positions of responsibility (including third-party service providers) are trustworthy and meet established security criteria for those positions. Organizations should also ensure that information and information systems are protected during and after personnel actions, such as terminations and transfers. More specifically, the Internal Revenue Manual requires that all accounts be deactivated within 1 week of an individual's departure on friendly terms and immediately upon an individual's departure on unfriendly terms.

IRS did not always ensure that personnel security controls were fully implemented. For example, at three locations, IRS did not remove application access within 1 week of separation for 6 of 17 (35 percent) separated employees we reviewed. IRS also did not deactivate proximity cards immediately upon employee separation at one of its facilities. As a result, IRS is at an increased risk that individuals could gain unauthorized access to its resources.

IRS Had Not Fully Implemented All Elements of Its Information Security Program:

A key reason for the information security weaknesses in IRS's financial and tax processing systems is that it has not yet fully implemented its agencywide information security program to ensure that controls are effectively established and maintained.
FISMA requires each agency to develop, document, and implement an information security program that, among other things, includes:

* periodic assessments of the risk and magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems;

* policies and procedures that (1) are based on risk assessments, (2) cost effectively reduce information security risks to an acceptable level, (3) ensure that information security is addressed throughout the life cycle of each system, and (4) ensure compliance with applicable requirements;

* plans for providing adequate information security for networks, facilities, and systems;

* security awareness training to inform personnel of information security risks and of their responsibilities in complying with agency policies and procedures, as well as training personnel with significant security responsibilities for information security;

* periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices, to be performed with a frequency depending on risk, but no less than annually, and that includes testing of management, operational, and technical controls for every system identified in the agency's required inventory of major information systems;

* a process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in its information security policies, procedures, or practices; and

* plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency.

IRS has made important progress in developing and documenting elements of its information security program. However, not all components of its program have been fully implemented.
Although a Risk Assessment Process Was Implemented, Assessments Were Not Always Annually Reviewed:

According to NIST, risk is determined by identifying potential threats to the organization and vulnerabilities in its systems, determining the likelihood that a particular threat may exploit vulnerabilities, and assessing the resulting impact on the organization's mission, including the effect on sensitive and critical systems and data. Identifying and assessing information security risks are essential to determining what controls are required. Moreover, by increasing awareness of risks, these assessments can generate support for the policies and controls that are adopted in order to help ensure that these policies and controls operate as intended. Consistent with NIST guidance, IRS requires its risk assessment process to detail the residual risk [Footnote 9] assessed, as well as potential threats, and to recommend corrective actions for reducing or eliminating the vulnerabilities identified. IRS also requires that system risk assessments be reviewed annually.

Although IRS had implemented a risk assessment process, it did not always annually review its risk assessments. The risk assessments that we reviewed were current, documented residual risks assessed, as well as potential threats, and recommended corrective actions for mitigating or eliminating the vulnerabilities that were identified. However, two risk assessments for systems supporting tax processing and inventory control had not been reviewed annually, per IRS's policy. As a result, potential risks to these systems and the adequacy of their management, operational, and technical controls to reduce risks may be unknown.
IRS Had Developed and Documented Policies and Procedures for Key Elements of Its Information Security Program:

Another key element of an effective information security program is to develop, document, and implement risk-based policies, procedures, and technical standards that govern security over an agency's computing environment. If properly implemented, policies and procedures should help reduce the risk associated with unauthorized access or disruption of services. Technical security standards can provide consistent implementation guidance for each computing environment. Security policies, once developed, documented, and implemented, are the primary mechanism by which management communicates its views and requirements; these policies also serve as the basis for adopting specific procedures and technical controls. In addition, agencies need to take the actions necessary to effectively implement or execute these procedures and controls. Otherwise, agency systems and information will not receive the protection that the security policies and controls should provide.

IRS has developed and documented information security policies, standards, and guidelines that generally provide appropriate guidance to personnel responsible for securing information and information systems. This has included guidance for assessing risk, security planning, security training, testing and evaluating security controls, contingency planning, and guidance for operating system platforms. However, as illustrated by the weaknesses identified in this report, IRS has not yet fully implemented its policies, standards, and guidelines.

Security Plans Adequately Documented Management, Operational, and Technical Controls:

An objective of system security planning is to improve the protection of information technology resources. A system security plan provides an overview of the system's security requirements and describes the controls that are in place or planned to meet those requirements.
OMB Circular A-130 requires that agencies develop system security plans for major applications and general support systems, and that these plans address policies and procedures for providing management, operational, and technical controls. Furthermore, IRS policy requires that security plans be developed, documented, implemented, and periodically updated for the controls in place or planned for an information system.

IRS had developed, documented, and updated the plans for eight systems we reviewed. Furthermore, those plans documented the management, operational, and technical controls in place and included information required per the OMB Circular A-130 for applications and general support systems. However, as illustrated by weaknesses identified in this report, IRS had not yet fully implemented all the controls documented in its security plans.

Security Awareness and Specialized Training Were Provided for All Employees Reviewed:

People are one of the weakest links in attempts to secure systems and networks. Therefore, an important component of an information security program is providing sufficient training so that users understand system security risks and their own role in implementing related policies and controls to mitigate those risks. IRS policy requires that personnel performing information technology security duties meet minimum continuing professional education hours in accordance with their roles. Personnel performing security roles are required by IRS to have 12, 8, or 4 hours of specialized training per year, depending on their specific role.

IRS personnel performing information technology security duties met their minimum continuing professional education requirements. For the employees and contractors with specific security-related roles that we reviewed, 36 employees and contractors at one data center, and 24 employees and contractors at another, met the required minimum security awareness and specialized training hours.
Although Controls Were Tested and Evaluated, Tests Were Not Always Comprehensive:

Another key element of an information security program is to test and evaluate policies, procedures, and controls to determine whether they are effective and operating as intended. This type of oversight is a fundamental element because it demonstrates management's commitment to the security program, reminds employees of their roles and responsibilities, and identifies and mitigates areas of noncompliance and ineffectiveness. Although control tests and evaluations may encourage compliance with security policies, the full benefits are not achieved unless the results improve the security program. FISMA requires that the frequency of tests and evaluations be based on risks and occur no less than annually. IRS policy also requires periodic testing and evaluation of the effectiveness of information security policies and procedures.

Although IRS had a process in place for testing and evaluating its systems, the process was not comprehensive. IRS had tested and evaluated information security controls for each of the eight systems we reviewed. However, its testing process did not identify certain weaknesses that we identified during our review. For example, IRS was not testing for complex passwords on its UNIX servers at one data center. Additionally, from an enterprisewide perspective, the agency had not identified inappropriate access to numerous shares containing sensitive information. Until IRS improves its testing of controls over its systems, it has reduced assurance that its policies and procedures are being followed and that controls for its systems are being effectively implemented and maintained.

Although Remedial Action Plans Were Complete, Corrective Actions Were Not Always Validated:

A remedial action plan is a key component described in FISMA.
Such a plan assists agencies in identifying, assessing, prioritizing, and monitoring progress in correcting security weaknesses that are found in information systems. In its annual FISMA guidance to agencies, OMB requires agency remedial action plans, also known as plans of action and milestones, to include the resources necessary to correct identified weaknesses. According to IRS policy, the agency should document weaknesses found during security assessments, as well as document only planned, implemented, and evaluated remedial actions to correct any deficiencies. The policy further requires that IRS track the status of resolution of all weaknesses and verify that each weakness is corrected.

Although remedial action plans were in place, corrective actions were not always appropriately validated. IRS has developed and implemented a remedial action process to address deficiencies in its information security policies, procedures, and practices. However, this remedial action process was not working as intended, since the verification process used to determine whether remedial actions were implemented was not always effective. For example, IRS had informed us that it had completed actions to close 65 recommendations related to previously identified weaknesses; however, we determined that 16 of the corrective actions did not mitigate or correct the underlying control deficiencies. Without a sound remediation process, IRS will not have assurance that it has taken the necessary actions to correct weaknesses in its policies, procedures, and practices. We have previously identified a similar weakness and recommended that IRS implement a revised remedial action verification process that ensures actions are fully implemented, but the condition continued to exist at the time of our review.
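As an added example, not code from the GAO report or from IRS's remedial action process, the following models the verification step the report finds lacking: a tracked weakness moves from "remediation claimed" to "closed" only after a retest performed by someone other than the person who claimed the fix, and a failed retest returns the item to the owner rather than leaving it closed. The status names, record fields, and sample weaknesses are assumptions constructed for illustration.

```python
"""Close a remedial action only after an independent retest passes.

Added example; not code from the GAO report or from IRS's plan-of-action-
and-milestones tooling. The status names, record fields and the sample
weaknesses below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

OPEN = "open"
REMEDIATION_CLAIMED = "remediation_claimed"   # owner says it is fixed
VERIFIED_CLOSED = "verified_closed"           # independent retest passed
VERIFICATION_FAILED = "verification_failed"   # retest failed; back to the owner


@dataclass
class RemedialAction:
    weakness_id: str
    description: str
    resources: str  # resources needed to correct the weakness, as OMB requires
    status: str = OPEN
    claimed_by: Optional[str] = None
    verified_by: Optional[str] = None
    history: List[Tuple[date, str, str]] = field(default_factory=list)

    def claim_remediated(self, owner: str, when: date) -> None:
        """The system owner asserts the fix is in place. This does not close the item."""
        if self.status not in (OPEN, VERIFICATION_FAILED):
            raise ValueError(f"{self.weakness_id}: cannot claim from status {self.status}")
        self.status = REMEDIATION_CLAIMED
        self.claimed_by = owner
        self.history.append((when, self.status, owner))

    def record_retest(self, tester: str, passed: bool, when: date) -> None:
        """Only an independent retest changes the status; the claimant may not self-verify."""
        if self.status != REMEDIATION_CLAIMED:
            raise ValueError(f"{self.weakness_id}: nothing claimed to verify")
        if tester == self.claimed_by:
            raise ValueError(f"{self.weakness_id}: retest must be independent of the claimant")
        self.verified_by = tester
        self.status = VERIFIED_CLOSED if passed else VERIFICATION_FAILED
        self.history.append((when, self.status, tester))


def closure_report(actions):
    """Summarize claimed fixes by what the independent retest showed."""
    claimed = [a for a in actions if a.claimed_by is not None]

    def with_status(status):
        return [a for a in claimed if a.status == status]

    return {
        "claimed": len(claimed),
        "verified_closed": len(with_status(VERIFIED_CLOSED)),
        "failed_retest": len(with_status(VERIFICATION_FAILED)),
        "awaiting_retest": len(with_status(REMEDIATION_CLAIMED)),
        "failed_ids": sorted(a.weakness_id for a in with_status(VERIFICATION_FAILED)),
    }


def self_verification_is_rejected() -> bool:
    """Shows the independence check: a claimant cannot pass their own retest."""
    item = RemedialAction("W-TEST", "constructed item", "none")
    item.claim_remediated("owner", date(2008, 1, 1))
    try:
        item.record_retest("owner", passed=True, when=date(2008, 1, 2))
    except ValueError:
        return True
    return False


def build_sample():
    """Constructed plan with five claimed fixes; ids, texts and dates are illustrative."""
    items = [
        RemedialAction("W-001", "unencrypted protocol services enabled on UNIX servers", "2 staff-days"),
        RemedialAction("W-002", "password complexity not enforced on UNIX servers", "1 staff-day"),
        RemedialAction("W-003", "dataset changes not logged on mainframe", "3 staff-days"),
        RemedialAction("W-004", "separated employees retained application access", "5 staff-days"),
        RemedialAction("W-005", "unsupported software version on servers", "10 staff-days"),
    ]
    for item in items:
        item.claim_remediated("system_owner", date(2008, 6, 30))
    # Independent retest results: one claimed fix did not hold up.
    items[0].record_retest("auditor", passed=True, when=date(2008, 8, 1))
    items[1].record_retest("auditor", passed=True, when=date(2008, 8, 1))
    items[2].record_retest("auditor", passed=False, when=date(2008, 8, 2))
    items[3].record_retest("auditor", passed=True, when=date(2008, 8, 2))
    # items[4] is claimed but not yet retested, so it is still not closed.
    return items


if __name__ == "__main__":
    print(closure_report(build_sample()))
```

The point of the two-step state machine is that a claimed fix never counts as closed on the owner's word alone; the report only reaches "verified_closed" through a retest by a different party, which is the gap the 16 ineffective closures above illustrate.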
Although Contingency Plans Were Annually Reviewed and Tested, IRS Recognizes the Need for Further Efforts:

Continuity of operations planning, which includes contingency planning and disaster recovery planning, is a critical component of information protection. To ensure that mission-critical operations continue, it is necessary to be able to detect, mitigate, and recover from service disruptions while preserving access to vital information. It is important that these plans be clearly documented, communicated to potentially affected staff, and updated to reflect current operations. In addition, testing contingency plans is essential to determine whether the plans will function as intended in an emergency situation. FISMA requires that agencywide information security programs include plans and procedures to ensure continuity of operations. IRS contingency planning policy requires, among other things, that contingency plans be reviewed and tested at least annually.

Although contingency plans were in place, IRS recognizes the need for improvements. The agency has completed contingency plans for the eight systems we reviewed. Additionally, it has reviewed, updated, and tested these contingency plans annually. [Footnote 10] The plans also identified critical business processes, correcting a weakness we reported last year. Although the specific plans we reviewed did not have any shortcomings, IRS's comprehensive plan for addressing information security weaknesses recognizes the need for further efforts to improve the agency's contingency planning, through initiatives involving disaster recovery planning, some of which will not be completed until 2011. Until it completes these efforts, IRS is at increased risk of not being able to effectively recover and continue operations when an emergency occurs.
Conclusions:

IRS has made progress in correcting or mitigating previously reported weaknesses, implementing controls over key financial systems, and developing and documenting a framework for its agencywide information security program. Information security weaknesses--both old and new--continue to impair the agency's ability to ensure the confidentiality, integrity, and availability of financial and taxpayer information. These deficiencies represent a material weakness in IRS's internal controls over its financial and tax processing systems. A key reason for these weaknesses is that the agency has not yet fully implemented certain key elements of its agencywide information security program. The financial and taxpayer information on IRS systems will remain particularly vulnerable to insider threats until the agency (1) begins to address and correct prior weaknesses across the service and (2) fully implements a comprehensive agencywide information security program that ensures risk assessments are appropriately reviewed for all systems, tests and evaluations of controls for systems are comprehensive, and the remedial action process effectively validates corrective actions. Until IRS takes these steps, financial and taxpayer information is at increased risk of unauthorized disclosure, modification, or destruction, and the agency's management decisions may be based on unreliable or inaccurate financial information.

Recommendations for Executive Action:

In addition to implementing our previous recommendations, we recommend that you take the following two actions to implement an agencywide information security program:

* ensure risk assessments for IRS systems are reviewed at least annually; and

* implement steps to improve the scope of testing and evaluating controls, such as those for weak passwords.

We are also making eight detailed recommendations in a separate report with limited distribution.
These recommendations consist of actions to be taken to correct specific information security weaknesses related to authorization, physical security, and configuration management identified during this audit.

Agency Comments:

In providing written comments (reprinted in app. II) on a draft of this report, the Commissioner of Internal Revenue stated that the security and privacy of taxpayer information is of the utmost importance to the agency, and noted that IRS is committed to securing its computer environment as it continually evaluates processes, promotes user awareness and applies innovative ideas to increase compliance. He also stated that the agency is working to improve its security posture, and will develop a detailed corrective action plan addressing each of our recommendations.

This report contains recommendations to you. As you know, 31 U.S.C. 720 requires the head of a federal agency to submit a written statement of the actions taken on our recommendations to the Senate Committee on Homeland Security and Governmental Affairs and to the House Committee on Oversight and Government Reform not later than 60 days from the date of the report and to the House and Senate Committees on Appropriations with the agency's first request for appropriations made more than 60 days after the date of this report. Because agency personnel serve as the primary source of information on the status of recommendations, GAO requests that the agency also provide us with a copy of your agency's statement of action to serve as preliminary information on the status of open recommendations.

We are sending copies of this report to interested congressional committees, the Secretary of the Treasury, and the Treasury Inspector General for Tax Administration. The report also is available at no charge on the GAO Web site at [hyperlink, http://www.gao.gov].

If you have any questions regarding this report, please contact Nancy Kingsbury at (202) 512-2700 or Gregory C. Wilshusen at (202) 512-6244. We can also be reached by e-mail at kingsburyn@gao.gov and wilshuseng@gao.gov. Key contributors to this report are listed in appendix III.

Sincerely yours,

Signed by:

Nancy R. Kingsbury:
Managing Director, Applied Research and Methods:

Signed by:

Gregory C. Wilshusen:
Director, Information Security Issues:

[End of section]

Appendix I: Objectives, Scope, and Methodology:

The objectives of our review were to determine (1) the status of the Internal Revenue Service's (IRS) actions to correct or mitigate previously reported information security weaknesses and (2) whether controls over key financial and tax processing systems were effective in protecting the confidentiality, integrity, and availability of financial and sensitive taxpayer information. This work is part of our audit of IRS's financial statements for the purpose of supporting our opinion on internal controls over the preparation of those statements.

To determine the status of IRS's actions to correct or mitigate previously reported information security weaknesses, we reviewed prior GAO reports to identify previously reported weaknesses and examined IRS's corrective action plans to determine which weaknesses IRS reported corrective actions as being completed.
For those instances where IRS reported it had completed corrective actions, we assessed the effectiveness of those actions by:

* testing the complexity and expiration of passwords on servers to determine if strong password management was enforced;

* analyzing users' system authorizations to determine whether they had more permissions than necessary to perform their assigned functions;

* observing data transmissions across the network to determine whether sensitive data was being encrypted;

* observing whether system security software was logging successful system changes;

* testing and observing physical access controls to determine if computer facilities and resources were being protected from espionage, sabotage, damage, and theft;

* inspecting key servers and workstations to determine whether critical patches had been installed or were up-to-date; and

* examining access responsibilities to determine whether incompatible functions were segregated among different individuals.

We evaluated IRS's implementation of these corrective actions for three data centers and an additional facility.

To determine whether controls over key financial and tax processing systems were effective, we considered the results of our evaluation of IRS's actions to mitigate previously reported weaknesses at three data centers and the additional facility. We concentrated our evaluation primarily on threats emanating from sources internal to IRS's computer networks and focused on three critical applications and their general support systems that directly or indirectly support the processing of material transactions that are reflected in the agency's financial statements. Our evaluation was based on our Federal Information System Controls Audit Manual, which contains guidance for reviewing information system controls that affect the confidentiality, integrity, and availability of computerized information.
Using the requirements identified by the Federal Information Security Management Act, which establishes key elements for an effective agencywide information security program, we evaluated IRS's implementation of its security program by:

* analyzing IRS's risk assessment process and risk assessments for eight key IRS financial and tax processing systems to determine whether risks and threats were documented;

* analyzing IRS's policies, procedures, practices, and standards to determine whether sufficient guidance was provided to personnel responsible for securing information and information systems;

* analyzing security plans for eight systems to determine if management, operational, and technical controls were documented and if security plans were updated;

* examining training records for personnel with significant responsibilities to determine if they received training commensurate with those responsibilities;

* analyzing test plans and test results for eight IRS systems to determine whether management, operational, and technical controls were tested at least annually and based on risk;

* observing IRS's process to correct weaknesses and determining whether remedial action plans were complete; and

* examining contingency plans for eight IRS systems to determine whether those plans had been tested or updated.

We also reviewed or analyzed previous reports from the Treasury Inspector General for Tax Administration and GAO; and discussed with key security representatives and management officials whether information security controls were in place, adequately designed, and operating effectively.

[End of section]

Appendix II: Comments from the Internal Revenue Service:

Department Of The Treasury:
Commissioner:
Internal Revenue Service:
Washington, D.C. 20224:

December 18, 2008:

Mr. Gregory C. Wilshusen:
Director, Information Security Issues:
U.S. Government Accountability Office:
441 G Street, N.W.
Washington, DC 20548:

Dear Mr. Wilshusen:

Thank you for the opportunity to comment on the draft report, Information Security: Continued Efforts Needed to Address Significant Weaknesses at Internal Revenue Service (Government Accountability Office-09-136). We appreciate that your draft report recognizes the progress that the Internal Revenue Service has made to improve our information security program and that numerous initiatives are underway.

The security and privacy of taxpayer information is of utmost importance to us and the integrity of our financial systems continues to be sound. We are committed to securing our computer environment as we continually evaluate processes, promote user awareness and apply innovative ideas to increase compliance.

We appreciate your continued support and guidance as we work to improve our security posture and look forward to working with you to develop appropriate measures. We will provide the detailed corrective action plan addressing each of the recommendations with our response to the final report. If you have any questions or would like to discuss our response in further detail, please contact Terence V. Milholland, Chief Technology Officer, at (202) 622-4511 or Arthur L. Gonzalez, Chief Information Officer, at (202) 622-6800.

Sincerely,

Signed by:

Douglas H. Shulman:

[End of section]

Appendix III: GAO Contacts and Staff Acknowledgments:

GAO Contacts:

Nancy R. Kingsbury, (202) 512-2700, kingsburyn@gao.gov:
Gregory C. Wilshusen, (202) 512-6244, wilshuseng@gao.gov:

Staff Acknowledgments:

In addition to the individuals named above, David Hayes (Assistant Director), Jeffrey Knott (Assistant Director), Harold Lewis (Assistant Director), Larry Crosland, Mark Canter, Sharhonda Deloach, Neil Doherty, Caryn English, Edward Glagola, Nancy Glover, Rebecca LaPaze, Kevin Metcalfe, Zsaroq Powe, Eugene Stevens, and Christy Tyson made key contributions to this report.
[End of section]

Footnotes:

[1] GAO, Financial Audit: IRS's Fiscal Years 2008 and 2007 Financial Statements, [hyperlink, http://www.gao.gov/products/GAO-09-119] (Washington, D.C.: Nov. 10, 2008).

[2] Information security controls include logical and physical access controls, configuration management, segregation of duties, and continuity of operations. These controls are designed to ensure that access to data is appropriately restricted, that physical access to sensitive computing resources and facilities is protected, that only authorized changes to computer programs are made, that incompatible duties are segregated among individuals, and that back-up and recovery plans are adequate to ensure the continuity of essential operations.

[3] A material weakness is a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected.

[4] OMB, Fiscal Year 2007 Report to Congress on Implementation of the Federal Information Security Management Act of 2002 (Washington, D.C.: March 2008).

[5] US-CERT's mission is to protect the nation's Internet infrastructure. US-CERT coordinates defense against and responses to cyber attacks by analyzing and reducing cyber threats and vulnerabilities, disseminating cyber threat warning information, and coordinating incident response activities.

[6] The CERT Coordination Center is a center of Internet security expertise located at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University.

[7] GAO, High-Risk Series: Information Management and Technology, [hyperlink, http://www.gao.gov/products/GAO/HR-97-9] (Washington, D.C.: February 1997).

[8] FISMA was enacted as title III, E-Government Act of 2002, Pub. L. No. 107-347, Dec. 17, 2002.

[9] Residual risk is the risk remaining after the implementation of new or enhanced controls.
[10] We did not test the effectiveness of IRS's contingency plan testing.

[End of section]

GAO's Mission:

The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony:

The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates."

Order by Phone:

The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s Web site, [hyperlink, http://www.gao.gov/ordering.htm].

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537.

Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information.

To Report Fraud, Waste, and Abuse in Federal Programs:

Contact:

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: fraudnet@gao.gov:
Automated answering system: (800) 424-5454 or (202) 512-7470:

Congressional Relations:

Ralph Dawn, Managing Director, dawnr@gao.gov:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, D.C. 20548:

Public Affairs:

Chuck Young, Managing Director, youngc1@gao.gov:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548: