This is the accessible text file for GAO report number GAO-11-308 
entitled 'Information Security: IRS Needs to Enhance Internal Control 
over Financial Reporting and Taxpayer Data' which was released on 
March 15, 2011. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as 
part of a longer term project to improve GAO products' accessibility. 
Every attempt has been made to maintain the structural and data 
integrity of the original printed product. Accessibility features, 
such as text descriptions of tables, consecutively numbered footnotes 
placed at the end of the file, and the text of agency comment letters, 
are provided but may not exactly duplicate the presentation or format 
of the printed version. The portable document format (PDF) file is an 
exact electronic replica of the printed version. We welcome your 
feedback. Please E-mail your comments regarding the contents or 
accessibility features of this document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

United States Government Accountability Office: 
GAO: 

Report to the Commissioner of Internal Revenue: 

March 2011: 

Information Security: 

IRS Needs to Enhance Internal Control over Financial Reporting and 
Taxpayer Data: 

GAO-11-308: 

GAO Highlights: 

Highlights of GAO-11-308, a report to the Commissioner of Internal 
Revenue. 

Why GAO Did This Study: 

The Internal Revenue Service (IRS) has a demanding responsibility in 
collecting taxes, processing tax returns, and enforcing the nation’s 
tax laws. It relies extensively on computerized systems to support its 
financial and mission-related operations and on information security 
controls to protect financial and sensitive taxpayer information that 
resides on those systems. 

As part of its audit of IRS’s fiscal years 2010 and 2009 financial 
statements, GAO assessed whether controls over key financial and tax 
processing systems are effective in ensuring the confidentiality, 
integrity, and availability of financial and sensitive taxpayer 
information. To do this, GAO examined IRS information security 
policies, plans, and procedures; tested controls over key financial 
applications; and interviewed key agency officials at four sites. 

What GAO Found: 

Although IRS made progress in correcting previously reported 
information security weaknesses, control weaknesses over key financial 
and tax processing systems continue to jeopardize the confidentiality, 
integrity, and availability of financial and sensitive taxpayer 
information. Specifically, IRS did not consistently implement controls 
that were intended to prevent, limit, and detect unauthorized access 
to its financial systems and information. For example, the agency did 
not sufficiently (1) restrict users’ access to databases to only the 
access needed to perform their jobs; (2) secure the system it uses to 
support and manage its computer access request, approval, and review 
processes; (3) update database software residing on servers that 
support its general ledger system; and (4) enable certain auditing 
features on databases supporting several key systems. In addition, 65 
of 88—about 74 percent—of previously reported weaknesses remain 
unresolved or unmitigated. 

An underlying reason for these weaknesses is that IRS has not yet 
fully implemented key components of its comprehensive information 
security program. Although IRS has processes in place intended to 
monitor and assess its internal controls, these processes were not 
always effective. For example, IRS’s testing did not detect many of 
the vulnerabilities GAO identified during this audit and did not 
assess a key application in its current environment. Further, the 
agency had not effectively validated corrective actions reported to 
resolve previously identified weaknesses. Although IRS had a process 
in place for verifying whether each weakness had been corrected, this 
process was not always working as intended. For example, the agency 
reported that it had resolved 39 of the 88 previously identified 
weaknesses; however, 16 of the 39 weaknesses had not been mitigated. 

IRS has various initiatives underway to bolster security over its 
networks and systems; however, until the agency corrects the 
identified weaknesses, its financial systems and information remain 
unnecessarily vulnerable to insider threats, including errors or 
mistakes and fraudulent or malevolent acts by insiders. As a result, 
financial and taxpayer information are at increased risk of 
unauthorized disclosure, modification, or destruction; financial data 
is at increased risk of errors that result in misstatement; and the 
agency’s management decisions may be based on unreliable or inaccurate 
financial information. These weaknesses, considered collectively, are 
the basis for GAO’s determination that IRS had a material weakness in 
internal control over financial reporting related to information 
security in fiscal year 2010. 

What GAO Recommends: 

GAO recommends that IRS take eight actions to fully implement key 
components of its comprehensive information security program. In a 
separate report with limited distribution, GAO is recommending 32 
specific actions for correcting newly identified control weaknesses. 
In commenting on a draft of this report, IRS agreed to develop a 
detailed corrective action plan to address each recommendation. 

View [hyperlink, http://www.gao.gov/products/GAO-11-308] or key 
components. For more information, contact Nancy R. Kingsbury at (202) 
512-2700 or kingsburyn@gao.gov, or Gregory C. Wilshusen at (202)512-
6244 or wilshuseng@gao.gov. 

[End of section] 

Contents: 

Letter: 

Background: 

Significant Weaknesses Continue to Place Financial and Taxpayer 
Information at Risk: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments: 

Appendix I: Objective, Scope, and Methodology: 

Appendix II: Comments from the Internal Revenue Service: 

Appendix III: GAO Contacts and Staff Acknowledgments: 

Abbreviations: 

FISMA: Federal Information Security Management Act: 

IRS: Internal Revenue Service: 

NIST: National Institute of Standards and Technology: 

TIGTA: Treasury Inspector General for Tax Administration: 

[End of section] 

United States Government Accountability Office: 
Washington, DC 20548: 

March 15, 2011: 

The Honorable Douglas H. Shulman: 
Commissioner of Internal Revenue: 

Dear Commissioner Shulman: 

The Internal Revenue Service (IRS) has a demanding responsibility in 
collecting taxes, processing tax returns, and enforcing the nation's 
tax laws. It relies extensively on computerized systems to support its 
financial and mission-related operations and on information security 
controls[Footnote 1] to protect the confidentiality, integrity, and 
availability of the financial and sensitive taxpayer information that 
resides on those systems. 

As part of our audit of IRS's fiscal years 2010 and 2009 financial 
statements,[Footnote 2] we assessed the effectiveness of the agency's 
information security controls over its key financial and tax 
processing systems, information, and interconnected networks at four 
locations. These systems support the processing, storage, and 
transmission of financial and sensitive taxpayer information. In our 
report on IRS's fiscal years 2010 and 2009 financial statements, we 
reported that IRS could not rely on the internal controls[Footnote 3] 
contained in its automated financial management system to provide 
reasonable assurance that (1) its financial statements, taken as a 
whole, were fairly stated; (2) the information IRS relied on to make 
decisions on a daily basis was accurate, complete, and timely; and (3) 
proprietary financial and taxpayer information was appropriately 
safeguarded. We concluded that the new information security weaknesses 
we identified in fiscal year 2010 and the unresolved weaknesses from 
prior audits, considered collectively, represent a material weakness 
[Footnote 4] in internal control over financial reporting related to 
information security. 

Our objective was to determine whether IRS's controls over key 
financial and tax processing systems are effective in ensuring the 
confidentiality, integrity, and availability of financial and 
sensitive taxpayer information. To do this, we examined IRS 
information security policies, plans, and procedures; tested controls 
over key financial applications; interviewed key agency officials; and 
reviewed our prior reports to identify previously reported weaknesses 
and assessed the effectiveness of corrective actions taken. We 
concentrated our evaluation on threats emanating from sources internal 
to IRS's computer networks. 

We conducted this audit from May 2010 to March 2011 in accordance with 
U.S. generally accepted government auditing standards. We believe that 
the evidence obtained provides a reasonable basis for our findings and 
conclusions based on our audit objective. For additional information 
about our objective, scope, and methodology, refer to appendix I. 

Background: 

The use of information technology has created many benefits for 
agencies such as IRS in achieving their missions and providing 
information and services to the public, but extensive reliance on 
computerized information also creates challenges in securing that 
information from various threats. Information security is especially 
important for government agencies, where maintaining the public's 
trust is essential. 

Without proper safeguards, computer systems are vulnerable to 
individuals and groups with malicious intentions who can intrude and 
use their access to obtain sensitive information, commit fraud, 
disrupt operations, or launch attacks against other computer systems 
and networks. The risk to these systems are well-founded for a number 
of reasons, including the increase in reports of security incidents, 
the ease of obtaining and using hacking tools, and steady advances in 
the sophistication and effectiveness of attack technology. The Federal 
Bureau of Investigation has identified multiple sources of threats, 
including foreign entities engaged in intelligence gathering and 
information warfare, domestic criminals, hackers, virus writers, and 
disgruntled employees or contractors working within an organization. 
In addition, the U.S. Secret Service and the CERT® Coordination Center 
[Footnote 5] studied insider threats in the government sector and 
stated in a January 2008 report[Footnote 6] that "government sector 
insiders have the potential to pose a substantial threat by virtue of 
their knowledge of, and access to, employer systems and/or databases." 
Insider threats include errors or mistakes and fraudulent or 
malevolent acts by insiders. 

Our previous reports, and those by federal inspectors general, 
describe persistent information security weaknesses that place federal 
agencies, including IRS, at risk of disruption, fraud, or 
inappropriate disclosure of sensitive information. Accordingly, we 
have designated information security as a governmentwide high-risk 
area since 1997, most recently in 2011.[Footnote 7] 

Information security is essential to creating and maintaining 
effective internal controls. The Federal Managers' Financial Integrity 
Act of 1982 requires us to issue standards for internal control in 
federal agencies.[Footnote 8] The standards[Footnote 9] provide the 
overall framework for establishing and maintaining internal control 
and for identifying and addressing major performance and management 
challenges and areas at greatest risk of fraud, waste, abuse, and 
mismanagement. The term internal control is synonymous with the term 
management control, which covers all aspects of an agency's operations 
(programmatic, financial, and compliance). The attitude and philosophy 
of management toward information systems can have a profound effect on 
internal control. Information system controls consist of those 
internal controls that are dependent on information systems processing 
and include general controls at the entitywide, system, and business 
process application levels (security management, access controls, 
configuration management, segregation of duties, and contingency 
planning); business process application controls (input, processing, 
output, master file, interface, and data management system controls); 
and user controls (controls performed by people interacting with 
information systems). 

Recognizing the importance of securing federal agencies' information 
systems, Congress enacted the Federal Information Security Management 
Act (FISMA)[Footnote 10] in December 2002 to strengthen the security 
of information and systems within federal agencies. FISMA requires 
each agency to develop, document, and implement an agencywide 
information security program for the information and information 
systems that support the operations and assets of the agency, using a 
risk-based approach to information security management. Such a program 
includes assessing risk; developing and implementing cost-effective 
security plans, policies, and procedures; providing specialized 
training; testing and evaluating the effectiveness of controls; 
planning, implementing, evaluating, and documenting remedial actions 
to address information security deficiencies; and ensuring continuity 
of operations. 

IRS Is the Tax Collector for the United States: 

IRS has demanding responsibilities in collecting taxes, processing tax 
returns, and enforcing federal tax laws, and relies extensively on 
computerized systems to support its financial and mission-related 
operations. In fiscal year 2010, IRS processed hundreds of millions of 
tax returns, collected about $2.3 trillion in federal tax payments, 
and paid about $467 billion in refunds to taxpayers. Further, the size 
and complexity of IRS add unique operational challenges. IRS employs 
over 100,000 people in its Washington, D.C., headquarters and over 700 
offices in all 50 states and U.S. territories and in some U.S. 
embassies and consulates. To manage its data and information, the 
agency operates three enterprise computing centers located in Detroit, 
Michigan; Martinsburg, West Virginia; and Memphis, Tennessee. IRS also 
collects and maintains a significant amount of personal and financial 
information on each American taxpayer. Protecting the confidentiality 
of this sensitive information is paramount; otherwise, taxpayers could 
be exposed to loss of privacy and to financial loss and damages 
resulting from identity theft or other financial crimes. 

The Commissioner of Internal Revenue has overall responsibility for 
ensuring the confidentiality, integrity, and availability of the 
information and information systems that support the agency and its 
operations. FISMA requires the Chief Information Officer (CIO) or 
comparable official at federal agencies to be responsible for 
developing and maintaining an information security program. IRS has 
delegated this responsibility to the Associate Chief Information 
Officer for Cybersecurity, who heads the Office of Cybersecurity. The 
Office of Cybersecurity's mission is to protect taxpayer information 
and the IRS's electronic system, services, and data from internal and 
external cyber security-related threats by implementing security 
practices in planning, implementation, risk management, and 
operations. IRS develops and publishes its information security 
policies, guidelines, standards, and procedures in the Internal 
Revenue Manual and other documents in order for IRS divisions and 
offices to carry out their respective responsibilities in information 
security. In October 2010, the Treasury Inspector General for Tax 
Administration (TIGTA) stated that security, including computer 
security, was the top priority in its list of top 10 management 
challenges for IRS in fiscal year 2011.[Footnote 11] 

Significant Weaknesses Continue to Place Financial and Taxpayer 
Information at Risk: 

Although IRS has made progress in correcting information security 
weaknesses that we have reported previously, many weaknesses have not 
been corrected and we identified many new weaknesses during fiscal 
year 2010. Specifically, 65 out of 88 previously reported weaknesses 
[Footnote 12]--about 74 percent--have not yet been corrected. In 
addition, we identified 37[Footnote 13] new weaknesses. These 
weaknesses relate to access controls, configuration management, and 
segregation of duties. Weaknesses in these areas increase the 
likelihood of errors in financial data that result in misstatement and 
expose sensitive information and systems to unauthorized use, 
disclosure, modification, and loss. An underlying reason for these 
weaknesses--both old and new--is that IRS has not yet fully 
implemented key components of a comprehensive information security 
program. These weaknesses continue to jeopardize the confidentiality, 
integrity, and availability of the financial and sensitive taxpayer 
information processed by IRS's systems and, considered collectively, 
are the basis of our determination that IRS had a material weakness in 
internal control over its financial reporting related to information 
security in fiscal year 2010.[Footnote 14] 

IRS Did Not Sufficiently Control Access to Information Resources: 

A basic management objective for any organization is to protect the 
resources that support its critical operations from unauthorized 
access. Organizations accomplish this objective by designing and 
implementing controls that are intended to prevent, limit, and detect 
unauthorized access to computing resources, programs, information, and 
facilities. Access controls include those related to user 
identification and authentication, authorization, cryptography, audit 
and monitoring, and physical security. However, IRS did not fully 
implement effective controls in these areas. Without adequate access 
controls, unauthorized individuals may be able to login, access 
sensitive information, and make undetected changes or deletions for 
malicious purposes or personal gain. In addition, authorized 
individuals may be able to intentionally or unintentionally add, 
modify, or delete data to which they should not have been given access. 

Controls Were Not Consistently Implemented for Identifying and 
Authenticating Users: 

A computer system needs to be able to identify and authenticate each 
user so that activities on the system can be linked and traced to a 
specific individual. An organization does this by assigning a unique 
user account to each user, and in so doing, the system is able to 
distinguish one user from another--a process called identification. 
The system also needs to establish the validity of a user's claimed 
identity by requesting some kind of information, such as a password, 
that is known only by the user--a process known as authentication. The 
combination of identification and authentication--such as user 
account/password combinations--provides the basis for establishing 
individual accountability and for controlling access to the system. 
The Internal Revenue Manual requires the use of a strong password for 
authentication (defined as a minimum of eight characters, containing 
at least one numeric or special character, and a mixture of at least 
one uppercase and one lower case letter). Furthermore, the Internal 
Revenue Manual states that database account passwords are not to be 
reused within 10 password changes[Footnote 15] and that the password 
grace time for a database--the number of days an individual has to 
change his or her password after it expires--should be set to 10. 

IRS properly configured password complexity on its servers used to 
manage access to network resources. In addition, IRS made progress in 
correcting a previously identified weakness by restricting remote 
login access. However, IRS did not consistently implement strong 
authentication controls on certain systems, as required by the 
Internal Revenue Manual. For example: 

* Databases that support IRS administrative accounting and procurement 
systems had a certain password control set to "null." This password 
control verifies certain password settings, such as password 
complexity and minimum password length, to ensure the user's password 
complies with IRS policy. By configuring this control to "null," no 
password verifications are performed. 

* Seventeen of 90 network devices[Footnote 16] we reviewed had a 
password length of 6 characters. 

* Databases that support the IRS's administrative accounting and 
procurement systems contained several password resource values that 
were not set to the settings required by IRS policy. For example, the 
password reuse and password grace time values were set to "unlimited." 

As a result of these weaknesses, increased risk exists that an 
individual with malicious intentions could gain inappropriate access 
to these sensitive IRS applications and data, and potentially use the 
access to attempt compromises of other IRS systems. 

Users Have More System Access than Needed to Perform Their Jobs: 

Authorization is the process of granting or denying access rights and 
permissions to a protected resource, such as a network, a system, an 
application, a function, or a file. A key component of granting or 
denying an individual access rights is the concept of "least 
privilege." Least privilege, which is a basic principle for securing 
computer resources and information, means that a user is granted only 
those access rights and permissions needed to perform official duties. 
To restrict legitimate users' access to only those programs and files 
needed to do their work, organizations establish access rights and 
permissions to users. These "user rights" are allowable actions that 
can be assigned to one user or to a group of users. File and directory 
permissions are rules that regulate which users can access a 
particular file or directory and the extent of that access. To avoid 
unintentionally authorizing a user access to sensitive files and 
directories, an organization should give careful consideration to its 
assignment of rights and permissions. IRS policy states that access 
control measures based on least privilege and that provide protection 
from unauthorized alteration, loss, unavailability, or disclosure of 
information should be implemented. Additionally, the Internal Revenue 
Manual requires that the guest account be disabled to prevent any user 
from being authenticated as a guest. 

Although IRS had taken steps to control access to systems, it 
continued to permit excessive access. For example, IRS had corrected a 
previously identified weakness by limiting access to certain key 
financial documents used for input into the administrative accounting 
system. However, it continued to permit excessive access to several 
systems by granting rights and permissions that gave users more access 
than they needed to perform their assigned functions. For example, IRS 
granted excessive privileges to a database account on the online 
system used to support and manage its computer access request, 
approval, and review process. In addition, the agency allowed some 
individuals to manually enter commands that would permit them to 
bypass the application programs intended to be used to access the 
data. Also, all database users had unnecessary execute permissions on 
several sensitive database packages[Footnote 17] that allowed them to 
manipulate data and gain access to sensitive files and directories on 
IRS's access authorization, administrative accounting, electronic tax 
payment, and procurement systems. Furthermore, while IRS made progress 
in correcting a previously identified weakness by disabling the guest 
account on some SQL servers, IRS had not disabled the SQL server guest 
account on its real property management system, increasing the risk 
that unauthorized users could use this account to gain system access. 
These excessive access privileges can provide opportunities for 
individuals to circumvent security controls. 

Sensitive Data Is Sent across the IRS Network Unencrypted: 

Cryptography underlies many of the mechanisms used to enforce the 
confidentiality and integrity of critical and sensitive information. A 
basic element of cryptography is encryption, which is used to 
transform plain text into cipher text using a special value known as a 
key and a mathematical process known as an algorithm. According to IRS 
policy, the use of insecure protocols should be restricted because its 
widespread use can allow passwords and other sensitive data to be 
transmitted across its internal network unencrypted. 

Although IRS discontinued the use of unencrypted protocols on the 
servers supporting the procurement system, its network devices were 
configured to use protocols that allowed unencrypted transmission of 
sensitive data. For example, 37 of the 90 network devices we reviewed 
and a server supporting the IRS's tax payment system used unencrypted 
protocols to transmit sensitive information. In addition, IRS had not 
corrected previously identified weaknesses, such as weak encryption 
controls over user login to its administrative accounting system and 
transmission of unencrypted mainframe administrator login information 
across its network. By not encrypting sensitive data, IRS is at 
increased risk that an unauthorized individual could view and then use 
the data to gain unwarranted access to its system and/or sensitive 
information. 

IRS Did Not Consistently Audit and Monitor Security-Relevant Activity 
on Certain Systems: 

To establish individual accountability, monitor compliance with 
security policies, and investigate security violations, it is crucial 
to determine what, when, and by whom specific actions have been taken 
on a system. Organizations accomplish this by implementing system or 
security software that provides an audit trail--a log of system 
activity--that they can use to determine the source of a transaction 
or attempted transaction and to monitor users' activities. The way in 
which organizations configure system or security software determines 
the nature and extent of information that can be provided by the audit 
trail. To be effective, organizations should configure their software 
to collect and maintain audit trails that are sufficient to track 
security-relevant events. The Internal Revenue Manual states that IRS 
should enable and configure audit logging on all systems to aid in the 
detection of security violations, performance problems, and flaws in 
applications. Additionally, IRS policy states that security controls 
in information systems shall be monitored on an ongoing basis. 

IRS is currently utilizing a commercial off-the-shelf audit trail 
solution allowing the agency to review audit log reports and analyze 
audit data. In addition, IRS has established the Enterprise Security 
Audit Trails Project Management Office, which is responsible for 
managing all enterprise audit initiatives and identifying and 
overseeing deployment and transition of various audit trail solutions. 
Despite these steps forward, IRS did not enable certain auditing 
features on three systems we reviewed. For example, IRS did not enable 
security event auditing[Footnote 18] or system privilege 
auditing[Footnote 19] features on databases that support its access 
authorization, administrative accounting, and procurement systems. In 
addition, IRS had not corrected a previously identified weakness in 
which certain servers were not configured to ensure sufficient audit 
trails. As a result, IRS's ability to establish individual 
accountability, monitor compliance with security policies, and 
investigate security violations was limited. 

Physical Access Controls Were Not Consistently Implemented: 

Physical security controls are important for protecting computer 
facilities and resources from espionage, sabotage, damage, and theft. 
These controls involve restricting physical access to computer 
resources, usually by limiting access to the buildings and rooms in 
which they are housed and periodically reviewing access granted, in 
order to ensure that access continues to be appropriate. At IRS, 
physical access control measures, such as physical access cards that 
are used to permit or deny access to certain areas of a facility, are 
vital to safeguarding its facilities, computing resources, and 
information from internal and external threats. The Internal Revenue 
Manual requires access controls to protect employees and contractors, 
information systems, and the facilities in which they are located. The 
policy also requires that entry to restricted areas should be limited 
to only those who need it to perform their job duties. It also 
requires department managers of restricted areas to review, validate, 
sign, and date the authorized access list for restricted areas on a 
monthly basis and then forward the list to the physical security 
office for review of employee access. 

Although IRS had implemented numerous physical security controls, 
certain controls were not working as intended, and the agency had not 
consistently applied the policy in others. IRS has a dedicated guard 
force at each computing center visitor entrance. These guards screen 
every visitor that enters these facilities. The agency had also 
corrected a previously identified weakness by consistently reviewing 
the images displayed on x-ray machines while screening employees, 
visitors, and contractors entering restricted areas. However, visitor 
physical access cards to restricted areas at one computing center 
provided unauthorized access to other restricted areas within the 
center--a weakness previously reported in 2010. In addition, IRS had 
not consistently applied its processes for reviewing access to 
restricted areas within its computing centers. For example, effective 
procedures were not in place at two of the three computing centers to 
ensure that individuals with an ongoing need to access restricted 
areas within the center were reviewed regularly in order to assess 
whether the access was warranted to perform their job. Although one 
computing center regularly reviewed the visitor access list, it did 
not review the list of individuals who had ongoing access. The other 
center only reviewed access based on the number of times in a given 
week the individual entered certain areas within the center, rather 
than based on the individual's need to perform job duties. Further, at 
the third data center, IRS was unable to provide evidence that the 
physical security office had addressed a prior recommendation to 
remove employee access to restricted areas when a manager indicated 
access was no longer needed. 

Because employees and visitors may have unnecessary access to 
restricted areas, IRS has reduced assurance that its computing 
resources and sensitive information are adequately protected from 
unauthorized access. 

Weaknesses in Other Information Security Controls Increase Risk: 

In addition to access controls, other important controls should be in 
place to ensure the confidentiality, integrity, and availability of an 
organization's information. These controls include policies, 
procedures, and techniques for securely configuring information 
systems, and segregating incompatible duties. However, IRS has 
weaknesses in these areas, thus increasing its risk of unauthorized 
use, disclosure, modification, or loss of information and information 
systems. 

Outdated and Unsupported Software Exposes IRS to Known Vulnerabilities: 

Configuration management involves, among other things, (1) verifying 
the correctness of the security settings in the operating systems, 
applications, or computing and network devices and (2) obtaining 
reasonable assurance that systems are configured and operating 
securely and as intended. Patch management, a component of 
configuration management, is an important element in mitigating the 
risks associated with software vulnerabilities. When a software 
vulnerability is discovered, the software vendor may develop and 
distribute a patch or work-around to mitigate the vulnerability. 
Without the patch, an attacker can exploit a software vulnerability to 
read, modify, or delete sensitive information; disrupt operations; or 
launch attacks against systems at another organization. Outdated and 
unsupported software is more vulnerable to an attack and exploitation 
because vendors no longer provide updates, including security updates. 
Accordingly, the Internal Revenue Manual states that IRS will manage 
systems to reduce vulnerabilities by promptly installing patches. In 
addition, the manual states that system administrators will ensure the 
operating system version is a version for which the vendor still 
offers standardized technical support. 

Although IRS made progress in updating certain systems, it did not 
always apply critical patches to its databases that support two 
financial applications. For example, the agency made major upgrades to 
key servers supporting the administrative accounting system; however, 
databases supporting this and another administrative accounting 
application had not been updated with the latest critical patches. In 
addition, patches had not been applied since 2006 for at least four 
other database installations on servers supporting the agency's 
general ledger system for tax-related activities. IRS had also not 
corrected previously identified weaknesses related to outdated and 
unsupported software on domain name servers. As a result, the agency 
has limited assurance that its systems are protected from known 
vulnerabilities. 

Incompatible Duties Were Not Appropriately Segregated on Certain 
Financial Management Systems: 

Segregation of duties refers to the policies, procedures, and 
organizational structures that help ensure that no single individual 
can independently control all key aspects of a process or computer- 
related operation and thereby gain unauthorized access to assets or 
records. Often, organizations achieve segregation of duties by 
dividing responsibilities among two or more individuals or 
organizational groups. This diminishes the likelihood that errors and 
wrongful acts will go undetected, because the activities of one 
individual or group will serve as a check on the activities of the 
other. Inadequate segregation of duties increases the risk that 
erroneous or fraudulent transactions could be processed, improper 
program changes implemented, and computer resources damaged or 
destroyed. The Internal Revenue Manual requires that IRS divide and 
separate duties and responsibilities of incompatible functions among 
different individuals so that no individual shall have all of the 
necessary authority and system access to disrupt or corrupt a critical 
security process. Furthermore, the manual specifies that the primary 
security role of any database administrator is to administer and 
maintain database repositories for proper use by authorized 
individuals and that database administrators shall not have system 
administrator access rights. 

IRS did not always appropriately segregate certain duties. 
Specifically, on its general ledger system for tax-related activities, 
IRS granted certain database administration privileges to at least 25 
database users with no database administration duties. These 
privileges allowed them to grant other users access to tables within 
the database, including the ability to add, change, or delete 
important accounting data. In addition, IRS had not corrected a 
previously identified weakness related to permitting an individual the 
ability to execute the roles and responsibilities of both a database 
and system administrator for the procurement system. By not properly 
segregating incompatible duties in these financial management systems, 
IRS reduces the effectiveness of its internal controls over financial 
management and increases the likelihood of errors and misstatements. 
Additionally, these weaknesses increase the potential for unauthorized 
use or disclosure of sensitive information or disruption of systems. 

IRS Has Not Fully Implemented Key Components of Its Information 
Security Program: 

An underlying reason for the information security weaknesses in IRS's 
financial and tax processing systems is that it has not yet fully 
implemented key components of its comprehensive information security 
program. FISMA requires each agency to develop, document, and 
implement an information security program that, among other things, 
includes: 

* periodic assessments of the risk and magnitude of harm that could 
result from the unauthorized access, use, disclosure, disruption, 
modification, or destruction of information and information systems; 

* policies and procedures that (1) are based on risk assessments, (2) 
cost-effectively reduce information security risks to an acceptable 
level, (3) ensure that information security is addressed throughout 
the life cycle of each system, and (4) ensure compliance with 
applicable requirements; 

* plans for providing adequate information security for networks, 
facilities, and systems; 

* security awareness training to inform personnel of information 
security risks and of their responsibilities in complying with agency 
policies and procedures, as well as training personnel with 
significant security responsibilities for information security; 

* periodic testing and evaluation of the effectiveness of information 
security policies, procedures, and practices, to be performed with a 
frequency depending on risk, but no less than annually, and that 
includes testing of management, operational, and technical controls 
for every system identified in the agency's required inventory of 
major information systems; 

* a process for planning, implementing, evaluating, and documenting 
remedial action to address any deficiencies in its information 
security policies, procedures, or practices; and: 

* plans and procedures to ensure continuity of operations for 
information systems that support the operations and assets of the 
agency. 

IRS has made progress in developing and documenting elements of its 
information security program. To bolster security over its networks 
and systems and to address its information security weaknesses, IRS 
has developed various initiatives. For example, IRS has created a 
detailed roadmap to guide its efforts in targeting critical 
weaknesses. The agency is in the process of implementing this 
comprehensive plan to mitigate numerous information security 
weaknesses, such as those associated with access controls, audit 
trails, contingency planning, and training. According to the plan, the 
last of these weaknesses is scheduled to be resolved in the first 
quarter of fiscal year 2014. In addition, IRS has developed metrics to 
measure success in complying with guides, policies, and standards in 
the areas of inventory management, configuration management, access 
authorizations, auditing, and change management. As long as these 
efforts remain flexible to address changing technology and evolving 
threats, include our findings and those of TIGTA in measuring success, 
and are fully and effectively implemented, they should improve the 
agency's overall information security posture. 

Although the agency has a framework in place for its comprehensive 
information security program, as demonstrated below, key components of 
IRS's program have not yet been fully implemented. 

Although IRS Had Documented Risk Assessments, One Had Not Been Updated 
and Another Was Not Comprehensive: 

According to the National Institute of Standards and Technology 
(NIST), risk is determined by identifying potential threats to the 
organization and vulnerabilities in its systems, determining the 
likelihood that a particular threat may exploit vulnerabilities, and 
assessing the resulting impact on the organization's mission, 
including the effect on sensitive and critical systems and data. 
Identifying and assessing information security risks are essential to 
determining what controls are required. Moreover, by increasing 
awareness of risks, these assessments can generate support for the 
policies and controls that are adopted in order to help ensure that 
the policies and controls operate as intended. Consistent with NIST 
guidance, IRS requires its risk assessment process to detail the 
residual risk[Footnote 20] assessed, as well as potential threats, and 
to recommend corrective actions for reducing or eliminating the 
vulnerabilities identified. IRS policy also requires system risk 
assessments to be updated a minimum of every 3 years or whenever there 
is a significant change to the system, the facilities where the system 
resides, or other conditions that may affect the security or status of 
system accreditation. 

Although IRS had implemented a risk assessment process, which 
includes, among other things, threat and vulnerability identification, 
impact analysis, risk determination, and recommended corrective 
actions, certain risks may not have been identified. For the six 
systems that we reviewed, five of the risk assessments were up-to-
date, documented, and formally approved by IRS management. However, 
IRS's general ledger system for tax-related activities was moved from 
one mainframe environment to another at a different facility; yet, the 
risk assessment had not been updated. Further, IRS's risk assessment 
of the mainframe environment supporting its general ledger for tax-
related activities and tax processing applications was not 
comprehensive. Specifically, the assessment did not consider all 
potential threats and vulnerabilities for portions of the system; IRS 
considered the test and development environment of the system as out 
of scope although these portions could affect the system's security. 
As a result, potential risks to this system may not be fully known and 
associated controls may not be in place. 

Policies and Procedures Were in Place, but Some Were Inconsistent and 
Others Lacked Specificity: 

Another key element of an effective information security program is to 
develop, document, and implement risk-based policies, procedures, and 
technical standards that govern security over an agency's computing 
environment. If properly developed and implemented, policies and 
procedures should help reduce the risk associated with unauthorized 
access or disruption of services. In addition, technical security 
standards can provide consistent implementation guidance for each 
computing environment. Developing, documenting, and implementing 
security policies and standards are the important primary mechanisms 
by which management communicates its views and requirements; these 
policies also serve as the basis for adopting specific procedures and 
technical controls. In addition, agencies need to take the actions 
necessary to effectively implement or execute these procedures and 
controls. Otherwise, agency systems and information will not receive 
the protection that the security policies and controls should provide. 

IRS had generally developed, documented, and approved information 
security policies and procedures, and had corrected a previously 
identified weakness by enhancing its policies and procedures related 
to password age and configuration settings to comply with federal 
guidance. However, some policies were inconsistent and some were 
lacking specifics about administering, managing, and monitoring 
certain controls. For example, the agency's overall policy on password 
management requires that systems be configured such that passwords 
cannot be reused within 24 password changes; another policy specified 
3 in one section and 10 in another. Inconsistent policies can lead to 
less stringent implementation of controls, such as those for password 
management. In addition, specific policy and procedures for a key 
access control were lacking. Although IRS relies on system-managed 
storage[Footnote 21] as a key access control to prevent unauthorized 
access between logical partitions[Footnote 22] that have different 
mission support functions and different security requirements, the 
agency did not document in its policy or related procedures how this 
control environment should be administered, managed, and monitored. As 
a result, IRS does not have processes in place to verify that system- 
managed storage controls are implemented, administered, and monitored 
in a manner that provides necessary access controls. Further, in an 
August 2010 report,[Footnote 23] TIGTA reported that IRS had not 
documented all IT security roles and responsibilities in the Internal 
Revenue Manual and had not developed day-to-day IT security procedures 
and guidelines. Without having fully documented, approved, and 
implemented policies and procedures, IRS cannot ensure that its 
information security requirements are applied consistently across the 
agency. 

Security Plans Were Documented, but One Plan Did Not Describe Controls 
in the Current Environment: 

An objective of system security planning is to improve the protection 
of information technology resources. A system security plan provides 
an overview of the system's security requirements and describes the 
controls that are in place or planned to meet those requirements. OMB 
Circular A-130 requires that agencies develop system security plans 
for major applications and general support systems, and that these 
plans address policies and procedures for providing management, 
operational, and technical controls. Furthermore, IRS policy requires 
that security plans describing the security controls in place or 
planned for its information systems be developed, documented, 
implemented, reviewed annually, and updated a minimum of every 3 years 
or whenever there is a significant change to the system. 

Although IRS documented its management, operational, and technical 
controls in system security plans for the six systems we reviewed, one 
plan did not reflect the current operating environment. IRS used OMB 
Circular A-130 as guidance to develop system security plans for the 
respective systems. In addition, IRS documented the review of its 
system security plans through certification and accreditation memos, 
which provide IRS with the authorization to operate systems. These 
memos were formally approved by key officials. Further, all the plans 
reviewed were within the 3-year time frame. However, one application's 
system security plan did not describe controls in place in the current 
environment. IRS had moved this application from one mainframe to 
another, but the plan still reflected controls from the previous 
environment. Without a specific and accurate security plan for this 
key financial system, IRS cannot ensure that appropriate controls are 
in place to protect the critical information this system stores. 

Security Awareness and Specialized Training Was Provided to All 
Employees Reviewed: 

Individuals can be one of the weakest links in securing systems and 
networks. Therefore, a very important component of an information 
security program is providing sufficient training so that users 
understand system security risks and their own role in implementing 
related policies and controls to mitigate those risks. IRS policy 
requires that personnel performing information technology security 
duties meet minimum continuing professional education hours in 
accordance with their roles. Individuals performing security roles are 
required by IRS to have 12, 8, or 4 hours of specialized training per 
year, depending on their specific role. 

IRS had processes in place for providing employees with security 
awareness and specialized training. For the employees with specific 
security-related roles and the newly-hired employees that we reviewed, 
all met the required minimum security awareness and specialized 
training hours. 

Tests and Evaluations of Policies, Procedures, and Controls Were Not 
Always Effective: 

Another key element of an information security program is to test and 
evaluate policies, procedures, and controls to determine whether they 
are effective and operating as intended. This type of oversight is a 
fundamental element because it demonstrates management's commitment to 
the security program, reminds employees of their roles and 
responsibilities, and identifies and mitigates areas of noncompliance 
and ineffectiveness. Although control tests and evaluations may 
encourage compliance with security policies, the full benefits are not 
achieved unless the results improve the security program. FISMA 
requires that the frequency of tests and evaluations be based on risks 
and occur no less than annually. The Internal Revenue Manual also 
requires periodic testing and evaluation of the effectiveness of 
information security policies and procedures. 

Although IRS has processes in place intended to monitor, test, and 
evaluate its security policies and procedures, these processes were 
not always effective. For example, IRS did not: 

* Detect many of the readily identifiable vulnerabilities we are 
reporting. We previously recommended that IRS expand the scope for 
testing and evaluating controls to ensure more comprehensive testing. 

* Perform comprehensive testing within the past year for one of its 
key network components that it considered to be a high-risk system. 

* Test application security over its general ledger system for tax- 
related activities in its current production environment. This general 
ledger system was moved from one mainframe environment to another at a 
different facility; yet, the test and evaluation had not been updated 
to reflect the current operating environment. We tested access 
controls in the current environment and identified weaknesses in the 
general ledger system's controls that compromised segregation of 
duties and jeopardized the integrity of the application's data. 

* Comprehensively test security controls over the mainframe 
environment supporting its general ledger for tax-related activities 
and tax processing applications. For example, the test was limited to 
a portion of the operating environment and, therefore, did not test 
all of the relevant controls. 

In addition, in an August 2010 report,[Footnote 24] TIGTA reported 
that IRS did not properly conduct compliance assessments to test the 
implementation of day-to-day IT procedures. Because of the lack of 
comprehensive testing, IRS may not be fully aware of vulnerabilities 
that could adversely affect critical applications and data. 

Remedial Action Plans Were Complete, but Corrective Actions Were Not 
Fully Validated: 

A remedial action plan is a key component of an agency's information 
security program as described in FISMA. Such a plan assists agencies 
in identifying, assessing, prioritizing, and monitoring progress in 
correcting security weaknesses that are found in information systems. 
In its annual FISMA guidance to agencies, OMB requires agency remedial 
action plans, also known as plans of action and milestones, to include 
the resources necessary to correct identified weaknesses. According to 
the Internal Revenue Manual, the agency should document weaknesses 
found during security assessments, as well as planned, implemented, 
and evaluated remedial actions to correct any deficiencies. IRS policy 
further requires that IRS track the resolution status of all 
weaknesses and verify that each weakness is corrected. 

IRS had a process in place for evaluating and tracking remedial 
actions. The agency developed remedial action plans for the systems 
that we reviewed and implemented a remedial action process to address 
deficiencies in its information security policies, procedures, and 
practices. These plans documented weaknesses and included planned 
actions that were tracked by IRS. In addition, during fiscal year 
2010, IRS made progress toward correcting previously reported 
information security weaknesses, correcting or mitigating 23 of the 88 
previously identified weaknesses that were unresolved at the end of 
our prior audit.[Footnote 25] However, at the time of our review, 65 
of 88--about 74 percent--of the previously reported weaknesses 
remained unresolved or unmitigated. According to IRS officials, the 
agency is continuing actions toward correcting or mitigating 
previously reported weaknesses. 

However, the agency's process for verifying whether an action had 
corrected or mitigated the weakness was not working as intended. The 
agency informed us that it had corrected 39 of the 88 previously 
reported weaknesses, but we determined that IRS had not fully 
implemented the remedial actions for 16 of the 39 weaknesses that it 
considered corrected. We previously recommended that IRS implement a 
revised verification process that ensures remedial actions are fully 
implemented. Until the agency takes additional steps to implement a 
more effective verification process, it will have limited assurance 
that weaknesses are being properly mitigated or corrected and that 
controls are operating effectively. 

IRS Documented Contingency Plans for Major Systems and Made Efforts to 
Mitigate Previous Weaknesses: 

Continuity of operations planning, which includes contingency 
planning, is critical to protecting sensitive information. To ensure 
that mission-critical operations continue, organizations should be 
able to detect, mitigate, and recover from service disruptions while 
preserving access to vital information. Organizations should prepare 
plans that are clearly documented, communicated to staff who could be 
affected, and updated to reflect current operations. In addition, 
testing contingency plans is essential in determining whether the 
plans will function as intended in an emergency situation. FISMA 
requires that plans and procedures be in place to ensure continuity of 
operations for agency information systems. IRS policy states that 
individuals with responsibility for disaster recovery should be 
provided with copies of or access to agency disaster recovery plans. 

IRS had appropriately documented and communicated the four contingency 
plans we reviewed. In addition, IRS had resolved prior weaknesses by 
updating disaster recovery and business resumption plans to include 
UNIX and Windows mission-critical systems and ensuring the 
availability of a disaster recovery keystroke manual for its 
administrative accounting system. 

Conclusions: 

Although IRS continues to make progress in correcting or mitigating 
previously reported weaknesses, implementing controls over key 
financial systems, and developing and documenting a framework for its 
comprehensive information security program, information security 
weaknesses--both old and new--continue to jeopardize the 
confidentiality, integrity, and availability of IRS's systems. An 
underlying reason for the information security weaknesses in IRS's 
financial and tax processing systems is that it has not yet fully 
implemented key components of its comprehensive information security 
program. The financial and taxpayer information on IRS systems will 
remain particularly vulnerable to insider threats until the agency (1) 
addresses newly identified and previously reported weaknesses 
pertaining to identification and authentication, authorization, 
cryptography, audit and monitoring, physical security, configuration 
management, and segregation of duties; and (2) fully implements key 
components of a comprehensive information security program that 
ensures risk assessments are conducted in the current operating 
environment; policies and procedures are appropriately specific and 
effectively implemented; security plans are written to reflect the 
current operating environment; processes intended to test, monitor, 
and evaluate internal controls are appropriately detecting 
vulnerabilities; comprehensive testing is conducted on key networks on 
an at least annual basis; and tests and evaluations are conducted in 
the current operating environment. 

Until IRS takes these further steps, financial and taxpayer 
information are at increased risk of unauthorized disclosure, 
modification, or destruction; financial data is at increased risk of 
errors that result in misstatement; and the agency's management 
decisions may be based on unreliable or inaccurate financial 
information. These weaknesses, considered collectively, were the basis 
of our determination that IRS had a material weakness in internal 
control over financial reporting related to information security in 
fiscal year 2010. 

Recommendations for Executive Action: 

In addition to implementing our previous recommendations, we are 
recommending that the Commissioner of Internal Revenue take the 
following eight actions to fully implement key components of the IRS 
comprehensive information security program: 

* Update risk assessments whenever there is a significant change to 
the system, the facilities where the system resides, or other 
conditions that may affect the security or status of system 
accreditation. 

* Update the risk assessment for the mainframe environment supporting 
the general ledger for tax-related activities and tax processing 
applications to include all portions of the environment that could 
affect security. 

* Update policies and procedures pertaining to password controls to 
ensure they are consistent. 

* Document and implement policy and procedures for how systems-managed 
storage as an access control mechanism should be administered, 
managed, and monitored. 

* Update the application security plan to describe controls in place 
in its current mainframe operating environment. 

* Perform comprehensive testing of the key network component 
considered to be a high-risk system, at least annually. 

* Test the application security for the general ledger system for tax- 
related activities in its current operating environment. 

* Perform comprehensive testing of security controls over the 
mainframe environment to include all portions of the operating 
environment. 

We are also making 32 detailed recommendations in a separate report 
with limited distribution. These recommendations consist of actions to 
be taken to correct specific information security weaknesses related 
to identification and authentication, authorization, cryptography, 
audit and monitoring, physical security, configuration management, and 
segregation of duties identified during this audit. 

Agency Comments: 

In providing written comments (reprinted in app. II) on a draft of 
this report, the Commissioner of Internal Revenue stated that the 
security and privacy of taxpayer and financial information is of the 
utmost importance to the agency and that he appreciated that the draft 
report recognized the progress IRS has made in improving its 
information security program and that numerous initiatives are 
underway. He also noted that IRS is committed to securing its computer 
environment and will continually evaluate processes, promote user 
awareness, and apply innovative ideas to increase compliance. The 
Commissioner stated that IRS is steadily progressing toward 
eliminating the material weakness in information security by 
establishing enterprise repeatable processes, which are overseen by an 
internal team that performs self-inspections, identifies and mitigates 
risk, and provides executive governance over corrective actions. 
Further, he stated that IRS will provide a detailed corrective action 
plan addressing each of our recommendations. 

This report contains recommendations to you. As you know, 31 U.S.C. § 
720 requires the head of a federal agency to submit a written 
statement of the actions taken on our recommendations to the Senate 
Committee on Homeland Security and Governmental Affairs and to the 
House Committee on Oversight and Government Reform not later than 60 
days from the date of the report and to the House and Senate 
Committees on Appropriations with the agency's first request for 
appropriations made more than 60 days after the date of this report. 
Because agency personnel serve as the primary source of information on 
the status of recommendations, we request that the agency also provide 
us with a copy of the agency's statement of action to serve as 
preliminary information on the status of open recommendations. 

We are sending copies of this report to interested congressional 
committees, the Secretary of the Treasury, and the Treasury Inspector 
General for Tax Administration. The report also is available at no 
charge on the GAO Web site at [hyperlink, http://www.gao.gov]. 

If you have any questions regarding this report, please contact Nancy 
R. Kingsbury at (202) 512-2700 or Gregory C. Wilshusen at (202) 512- 
6244. We can also be reached by e-mail at kingsburyn@gao.gov and 
wilshuseng@gao.gov. Contact points for our Office of Congressional 
Relations and Public Affairs may be found on the last page of this 
report. Key contributors to this report are listed in appendix III. 

Sincerely yours, 

Signed by: 

Nancy R. Kingsbury: 
Managing Director, Applied Research and Methods: 

Signed by: 

Gregory C. Wilshusen: 
Director, Information Security Issues: 

[End of section] 

Appendix I: Objective, Scope, and Methodology: 

The objective of our review was to determine whether controls over key 
financial and tax processing systems were effective in protecting the 
confidentiality, integrity, and availability of financial and 
sensitive taxpayer information at the Internal Revenue Service (IRS). 
To do this, we examined IRS information security policies, plans, and 
procedures; tested controls over key financial applications; and 
interviewed key agency officials in order to (1) assess the 
effectiveness of corrective actions taken by IRS to address weaknesses 
we previously reported[Footnote 26] and (2) determine whether any 
additional weaknesses existed. This work was performed in connection 
with our audit of IRS's fiscal year 2010 and 2009 financial statements 
for the purpose of supporting our opinion on internal control over the 
preparation of those statements. 

To determine whether controls over key financial and tax processing 
systems were effective, we considered the results of our evaluation of 
IRS's actions to mitigate previously reported weaknesses, and 
performed new audit work at the three enterprise computing centers 
located in Detroit, Michigan; Martinsburg, West Virginia; and Memphis, 
Tennessee, as well as an IRS facility in New Carrollton, Maryland. We 
concentrated our evaluation on threats emanating from sources internal 
to IRS's computer networks. Considering systems that directly or 
indirectly support the processing of material transactions that are 
reflected in the agency's financial statements, we focused on eight 
critical applications/systems as well as the general support systems. 

Our evaluation was based on our Federal Information System Controls 
Audit Manual,[Footnote 27] which contains guidance for reviewing 
information system controls that affect the confidentiality, 
integrity, and availability of computerized information; National 
Institute of Standards and Technology guidance; and IRS policies and 
procedures. We evaluated controls by: 

* reviewing the complexity and expiration of password settings to 
determine if password management had been enforced; 

* analyzing users' system access to determine whether they had been 
granted more permissions than necessary to perform their assigned 
functions; 

* reviewing configuration files for servers and network devices to 
determine if encryption was being used for transmitting data; 

* assessing configuration settings to evaluate settings used to audit 
security-relevant events and discussing and observing monitoring 
efforts with IRS officials; 

* observing and analyzing physical access controls to determine if 
computer facilities and resources had been protected; 

* inspecting key servers to determine whether critical patches had 
been installed or software was up-to-date; and: 

* examining user access and responsibilities to determine whether 
incompatible functions had been segregated among different individuals. 

Using the requirements in the Federal Information Security Management 
Act that establish elements for an effective agencywide information 
security program, we reviewed and evaluated IRS's implementation of 
its security program by: 

* analyzing IRS's risk assessments for six IRS financial and tax 
processing systems that are key to supporting the agency's financial 
statements, to determine whether risks and threats had been documented; 

* comparing IRS's policies, procedures, practices, and standards to 
actions taken by IRS personnel to determine whether sufficient 
guidance had been provided to personnel responsible for securing 
information and information systems; 

* analyzing security plans for six systems to determine if management, 
operational, and technical controls had been documented and if 
security plans had been updated; 

* verifying whether new employees had received system security 
orientation within the first 10 working days; 

* verifying whether employees with security-related responsibilities 
had received specialized training within the year; 

* analyzing test plans and test results for six IRS systems to 
determine whether management, operational, and technical controls had 
been tested at least annually; 

* reviewing IRS's system remedial action plans to determine if they 
were complete; 

* reviewing IRS's actions to correct weaknesses to determine if they 
had effectively mitigated or resolved the vulnerability or control 
deficiency; 

* reviewing system backup and recovery procedures to determine if they 
had adequately provided for recovery and reconstitution to the 
system's original state after a disruption or failure; and: 

* examining contingency plans for six IRS systems to determine whether 
those plans had been tested or updated. 

In addition, we discussed with management officials and key security 
representatives, such as those from IRS's Computer Security Incident 
Response Center, Office of Cybersecurity, as well as the three 
computing centers, whether information security controls were in 
place, adequately designed, and operating effectively. 

[End of section] 

Appendix II: Comments from the Internal Revenue Service: 

Department Of The Treasury: 
Internal Revenue Service: 
Commissioner: 
Washington, D.C. 20224: 

March 1, 2011: 

Mr. Gregory C. Wilshusen: 
Director, Information Security Issues: 
U.S. Government Accountability Office: 
441 G Street, N.W. 
Washington, DC 20548: 

Dear Mr. Wilshusen: 

Thank you for the opportunity to comment on the draft report, 
Information Security: IRS Needs to Enhance Internal Control Over 
Financial Reporting and Taxpayer Data (GAO-11-308). We appreciate that 
your draft report recognizes the progress that the Internal Revenue 
Service has made to improve our information security program and that 
numerous initiatives are underway. 

The security and privacy of all taxpayer and financial information is 
of utmost importance to us, and the integrity of our financial systems 
continues to be sound. We are committed to securing our computer 
environment as we continually evaluate processes, promote user 
awareness, and apply innovative ideas to increase compliance. 

The IRS has established enterprise repeatable processes which are 
overseen by an internal team that performs self-inspections, 
identifies and mitigates risks, and provides executive governance over 
the corrective actions to this material weakness. The combination of 
all of these actions makes us confident that we are steadily 
progressing toward eliminating this issue as a material weakness. 

We appreciate your continued support and guidance as we work to 
improve our security posture and look forward to working with you to 
develop appropriate measures. We will provide the detailed corrective 
action plan addressing each of the recommendations with our response 
to the final report. 

If you have any questions or would like to discuss our response in 
further detail, please contact Terence V. Milholland, Chief Technology 
Officer, at (202) 622-6800. 

Sincerely, 

Signed by: 

Douglas H. Shulman: 

[End of section] 

Appendix III: GAO Contacts and Staff Acknowledgments: 

GAO Contacts: 

Nancy R. Kingsbury (202) 512-2700 or kingsburyn@gao.gov Gregory C. 
Wilshusen (202) 512-6244 or wilshuseng@gao.gov: 

Staff Acknowledgments: 

In addition to the individuals named above, David Hayes (assistant 
director), Jeffrey Knott (assistant director), Angela Bell, Mark 
Canter, Sharhonda Deloach, Nancy Glover, Nicole Jarvis, George 
Kovachick, Sylvia Shanks, Eugene Stevens, Michael Stevens, and Daniel 
Swartz made key contributions to this report. 

[End of section] 

Footnotes: 

[1] Information security controls include logical and physical access 
controls, configuration management, segregation of duties, and 
continuity of operations. These controls are designed to ensure that 
access to data is appropriately restricted, physical access to 
sensitive computing resources and facilities is protected, only 
authorized changes to computer programs are made, incompatible duties 
are segregated among individuals, and back-up and recovery plans are 
adequate and tested to ensure the continuity of essential operations. 

[2] GAO, Financial Audit: IRS's Fiscal Years 2010 and 2009 Financial 
Statements, [hyperlink, http://www.gao.gov/products/GAO-11-142] 
(Washington, D.C.: Nov. 10, 2010). 

[3] Internal controls include the processes and procedures for 
planning, organizing, directing, and controlling program operations, 
and management's system for measuring, reporting, and monitoring 
program performance. 

[4] A material weakness is a deficiency, or a combination of 
deficiencies, in internal controls such that there is a reasonable 
possibility that a material misstatement of the entity's financial 
statements will not be prevented or detected and corrected on a timely 
basis. 

[5] The CERT® Coordination Center is a center of Internet security 
expertise located at the Software Engineering Institute, a federally 
funded research and development center operated by Carnegie Mellon 
University. 

[6] U.S. Secret Service and Computer Emergency Response Team, Insider 
Threat Study: Illicit Cyber Activity in the Government Sector 
(Washington, D.C., and Pittsburgh, Pa.: January 2008). 

[7] GAO, High-Risk Series: Information Management and Technology, 
[hyperlink, http://www.gao.gov/products/GAO/HR-97-9] (Washington, 
D.C.: February 1997) and High-Risk Series: An Update, [hyperlink, 
http://www.gao.gov/products/GAO-11-278] (Washington, D.C.: February 
2011). 

[8] See 31 U.S.C. § 3511. 

[9] GAO, Standards for Internal Control in the Federal Government, 
[hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] 
(Washington, D.C.: November 1999). 

[10] FISMA was enacted as title III, E-Government Act of 2002, Pub L. 
No. 107-347, Dec. 17, 2002. 

[11] TIGTA, Management and Performance Challenges Facing the Internal 
Revenue Service for Fiscal Year 2011 (Washington, D.C.: October 2010). 

[12] In a separate report with limited distribution, we provide the 
status of each of the 88 previously reported weaknesses. 

[13] This number includes 29 specific technical weaknesses and 8 
weaknesses associated with IRS's comprehensive information security 
program. 

[14] [hyperlink, http://www.gao.gov/products/GAO-11-142]. 

[15] As noted later in this report, IRS policy regarding this password 
control is inconsistent. 

[16] Network devices include routers, switches, and firewalls. 

[17] According to Oracle, a package is an encapsulated collection of 
related program objects stored together in the database. Program 
objects are procedures, functions, variables, constants, cursors, and 
exceptions. 

[18] Security event auditing is used to log authentication events. 

[19] System privilege auditing logs the use of powerful system 
privileges that enable corresponding actions. Privilege auditing can 
be set to log a selected user or every user in the database. 

[20] Residual risk is the risk remaining after the implementation of 
new or enhanced controls. 

[21] According to IBM, system-managed storage allows the operating 
system to take over many storage management tasks that had previously 
been performed manually. 

[22] According to IBM, logical partitioning provides users the ability 
to divide a single server into several independent systems. Each 
partition is capable of running one or more applications in an 
independent environment with its own set of operational attributes. 

[23] TIGTA, More Actions Are Needed to Correct the Security Roles and 
Responsibilities Portion of the Computer Security Material Weakness, 
2010-20-084 (Washington, D.C.: Aug. 26, 2010). 

[24] TIGTA, 2010-20-084. 

[25] GAO, Information Security: IRS Needs to Continue to Address 
Significant Weaknesses, [hyperlink, 
http://www.gao.gov/products/GAO-10-355] (Washington, D.C.: Mar. 19, 
2010) and Information Security: Significant Weaknesses at IRS Continue 
to Jeopardize Financial and Taxpayer Data, [hyperlink, 
http://www.gao.gov/products/GAO-10-300SU] (Washington, D.C.: Mar. 19, 
2010). 

[26] We examined corrective actions for weaknesses IRS reported as 
having been corrected as of April 30, 2010. 

[27] GAO, Federal Information System Controls Audit Manual, 
[hyperlink, http://www.gao.gov/products/GAO-09-232G] (Washington, 
D.C.: February 2009). 

[End of section] 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates." 

Order by Phone: 

The price of each GAO publication reflects GAO’s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO’s Web site, 
[hyperlink, http://www.gao.gov/ordering.htm]. 

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537. 

Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional 
information. 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: fraudnet@gao.gov: 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Ralph Dawn, Managing Director, dawnr@gao.gov: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548: 

Public Affairs: 

Chuck Young, Managing Director, youngc1@gao.gov: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: