Information Security: Control Deficiencies Continue to Limit IRS's Effectiveness in Protecting Sensitive Financial and Taxpayer Data
Highlights
What GAO Found
The Internal Revenue Service (IRS) made progress in addressing previously reported control deficiencies; however, continuing and newly identified control deficiencies limited the effectiveness of security controls for protecting the confidentiality, integrity, and availability of IRS's key financial and tax processing systems. During fiscal year 2016, IRS made improvements in access controls over a number of system administrator accounts and updated certain software to prevent exposure to known vulnerabilities. However, the agency did not always (1) limit or prevent unnecessary access to systems, (2) monitor system activities to reasonably assure compliance with security policies, (3) reasonably assure that software was supported by the vendor and was updated to protect against known vulnerabilities, (4) segregate incompatible duties, and (5) update system contingency plans to reflect changes to the operating environment.
An underlying reason for these control deficiencies is that IRS had not effectively implemented components of its information security program. The agency had a comprehensive framework for its program, including developing and documenting security plans; however, it did not fully implement other program components. For example, IRS did not always effectively manage information security risk or update certain policies and procedures. GAO has made recommendations to IRS to correct the identified security control deficiencies (see table). However, corrective actions for a number of the deficiencies have not been completed and the associated recommendations remained open at the conclusion of the audit of IRS's financial statements for fiscal year 2016.
Status of GAO Information Security Recommendations to IRS for Correcting Control Deficiencies at the Conclusion of Fiscal Year 2016 Audit
Information security control area | Prior recommendations open at the beginning of FY 2016 audit | Recommendations closed at the end of FY 2016 audit | New recommendations resulting from FY 2016 audit | Total outstanding recommendations at the conclusion of FY 2016 audit |
---|---|---|---|---|
Access controls | 62 | (12) | 70 | 120 |
Other controls | 22 | (11) | 21 | 32 |
Information security program | 10 | (3) | 7 | 14 |
Total | 94 | (26) | 98 | 166 |
Legend: FY = fiscal year
Source: GAO analysis of Internal Revenue Service (IRS) data. | GAO-17-395
Until IRS takes additional steps to address unresolved and newly identified control deficiencies and effectively implements components of its information security program, its financial reporting and taxpayer data will remain unnecessarily vulnerable to inappropriate and undetected use, modification, or disclosure. These shortcomings were the basis for GAO's determination that IRS had a significant deficiency in internal control over financial reporting systems for fiscal year 2016.
Why GAO Did This Study
The IRS has a demanding responsibility to collect taxes, process tax returns, and enforce the nation's tax laws. It relies extensively on computerized systems to support its financial and mission-related operations and on information security controls to protect the financial and sensitive taxpayer data that resides on those systems.
As part of its audit of IRS's fiscal year 2016 and 2015 financial statements, GAO assessed whether controls over key financial and tax processing systems were effective in ensuring the confidentiality, integrity, and availability of financial and sensitive taxpayer information. To do this, GAO examined IRS information security policies, plans, and procedures; tested controls over key financial applications; and interviewed key agency officials at four locations.
Recommendations
In addition to the prior recommendations that have not been implemented, GAO is recommending that IRS take 10 additional actions to more effectively implement security-related policies and plans. In a separate report with limited distribution, GAO is recommending 88 actions that IRS can take to address newly identified control deficiencies. In commenting on a draft of this report, IRS neither agreed nor disagreed with the recommendations, but stated that it would review each of the recommendations and ensure that its corrective actions include sustainable fixes that implement appropriate security controls.
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Internal Revenue Service | To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should implement the audit plans for the 12 systems and applications that we reviewed in the production computing environment. | In fiscal year 2021, we verified that the IRS, in response to our recommendation, developed audit plans for the systems and applications we reviewed in accordance with IRS policy. |
Internal Revenue Service | To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should ensure that system administrators and security operations analysts are alerted in the event of audit processing failures. | In fiscal year 2021, we verified that the IRS, in response to our recommendation, more effectively leveraged existing tools to alert system administrators and security operations analysts in the event of an audit processing failure. |
Internal Revenue Service | To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should update information contingency plan test procedures to include updating contingency plans to reflect changes to the current operating environment. | In fiscal year 2018, we verified that IRS, in response to our recommendation, developed a new procedure for testing its information system contingency plans. The procedure also requires contingency plans to be updated to reflect changes to the current operating environment. |
Internal Revenue Service | To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should ensure that approved risk-based decisions pertaining to database configurations are based on suitable justification. | In fiscal year 2018, we verified that IRS, in response to our recommendation, updated its standard operating procedures for risk acceptance and ensured that the selected risk-based decisions for database configurations were based on suitable justifications. |
Internal Revenue Service | To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should develop, document, and implement the use of detailed procedures to facilitate the periodic review and analysis of audit records for its financial systems. | In fiscal year 2018, we verified that IRS, in response to our recommendation, updated its audit log analysis and review procedures with detailed instructions for periodically reviewing and analyzing audit records for its financial systems. |
Internal Revenue Service | To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should develop an enterprise-wide system owner procedural document to control critical mainframe operating system commands. | IRS does not plan to establish an enterprise-wide procedural document to guide system owners in making critical mainframe operating system commands because the agency changed its internal processes so that this procedural document is no longer required. In fiscal year 2018, we verified that IRS replaced its Internal Revenue Manual requirements with a security technical implementation guide. The new guide does not require the agency to develop an enterprise-wide procedural document to guide system owners in making critical mainframe operating system commands. As such, our review of IRS's documentation showed that the agency plans no further action on our recommendation. Although current guidance used by IRS no longer requires this procedural document, we continue to believe that this document would help IRS properly control access to and use of critical mainframe operating system commands. |
Internal Revenue Service | To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should regularly update configuration standards and guidelines for network devices to incorporate recommendations from industry leaders, security agencies, and key practices from IRS partners to address known vulnerabilities applicable to IRS's environment. | In fiscal year 2021, we verified that the IRS, in response to our recommendation, updated its configuration standards and guidelines for network devices to incorporate recommendations and key practices for addressing known security vulnerabilities. |
Internal Revenue Service | To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should implement a compliance verification application, or other appropriate process, to ensure configuration policies are comprehensively tested on the mainframe. | In fiscal year 2021, we verified that the IRS, in response to our recommendation, implemented a configuration compliance checking application to verify and validate that the agency comprehensively tested configuration management controls over the mainframe environment. |
Internal Revenue Service | To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should ensure that all known significant audit findings and recommendations related to financial reporting, which includes those in GAO's public and limited official use only reports, that directly relate to the objective of A-123 internal control tests are reviewed and monitored. | In fiscal year 2018, we verified that IRS, in response to our recommendation, had reviewed all relevant GAO products, including those in public and limited official use only reports, to ensure that all known findings and recommendations related to A-123 internal controls were reviewed and monitored. |
Internal Revenue Service | To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should identify and review service organizations' listing of user controls that are deemed relevant and test those controls to appropriately draw conclusions about the operating effectiveness of controls. | In fiscal year 2020, we verified that IRS, in response to our recommendation, implemented a process to identify and review service organizations' listing of user controls that are deemed relevant and tested those controls to appropriately draw conclusions about the operating effectiveness of the controls. |