IRS Systems Security: Tax Processing Operations and Data Still at Risk Due to Serious Weaknesses

AIMD-97-49 Published: Apr 08, 1997. Publicly Released: Apr 08, 1997.

Highlights

Pursuant to a congressional request, GAO reviewed the Internal Revenue Service's (IRS) computer security, focusing on whether IRS is effectively: (1) managing computer security; and (2) addressing employee browsing of electronic taxpayer data.

Recommendations

Recommendations for Executive Action

Agency Affected Recommendation Status
Internal Revenue Service The Commissioner of Internal Revenue should prepare a plan by April 30, 1997, for: (1) correcting all the weaknesses GAO identified at the five facilities GAO visited; and (2) identifying and correcting security weaknesses at the other IRS locations.
Closed – Implemented
On May 7, 1997, IRS issued its plan to correct the weaknesses identified at the five facilities, and identify and correct the weaknesses at other data facilities. IRS is implementing this plan. Those weaknesses are now being corrected at all five facilities.
Internal Revenue Service The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the physical security weaknesses GAO identified at facility 1.
Closed – Implemented
IRS has corrected the significant weaknesses in logical security at this facility.
Internal Revenue Service The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the physical security weaknesses GAO identified at facility 2.
Closed – Implemented
IRS has corrected the key weaknesses in physical security at this facility.
Internal Revenue Service The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the physical security weaknesses GAO identified at facility 3.
Closed – Implemented
IRS has corrected the significant weaknesses in physical security at this facility.
Internal Revenue Service The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the physical security weaknesses GAO identified at facility 4.
Closed – Implemented
IRS has corrected the key weaknesses in physical security at this facility.
Internal Revenue Service The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the physical security weaknesses GAO identified at facility 5.
Closed – Implemented
IRS has taken actions to address physical security at Facility 5. The actions include upgrading the capability of perimeter camera monitors.
Internal Revenue Service The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the logical security weaknesses GAO identified at facility 1.
Closed – Implemented
IRS has corrected the key weaknesses in logical security at this facility.
Internal Revenue Service The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the logical security weaknesses GAO identified at facility 2.
Closed – Implemented
IRS has corrected all the weaknesses in logical security at this facility.
Internal Revenue Service The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the logical security weaknesses GAO identified at facility 3.
Closed – Implemented
IRS has taken actions to address logical security practices at Facility 3. This includes prohibiting database administrators and computer systems analysts from performing security administration-related functions and revoking special system privileges from those users who did not have a need for such access.
Internal Revenue Service The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the logical security weaknesses GAO identified at facility 4.
Closed – Implemented
IRS has taken actions to address logical security practices at Facility 4. This includes prohibiting application programmers from staging their own software for production.
Internal Revenue Service The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the logical security weaknesses GAO identified at facility 5.
Closed – Implemented
IRS has corrected all the logical security weaknesses identified at this facility.
Internal Revenue Service The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the data communications management weaknesses GAO identified at facility 1.
Closed – Implemented
IRS has corrected the key weaknesses in data communications management at this facility.
Internal Revenue Service The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the data communications management weaknesses GAO identified at facility 2.
Closed – Implemented
IRS has corrected a majority of the data communications weaknesses at this facility.
Internal Revenue Service The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the data communications management weaknesses GAO identified at facility 3.
Closed – Implemented
IRS has corrected the significant weaknesses in data communications management at this facility.
Internal Revenue Service The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the data communications management weaknesses GAO identified at facility 4.
Closed – Implemented
IRS has corrected all the weaknesses in data communications management at this facility.
Internal Revenue Service The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the data communications management weaknesses GAO identified at facility 5.
Closed – Implemented
IRS has increased physical protection over the consolidated data network node and has implemented a policy restricting the use of data to officials who have a need for the information.
Internal Revenue Service The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the risk analysis weaknesses GAO identified at facility 1.
Closed – Implemented
IRS has corrected some of the risk analysis weaknesses at this facility.
Internal Revenue Service The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the risk analysis weaknesses GAO identified at facility 2.
Closed – Implemented
IRS has corrected all the risk analysis weaknesses at this facility.
Internal Revenue Service The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the risk analysis weaknesses GAO identified at facility 3.
Closed – Implemented
IRS has corrected some of the risk analysis weaknesses at this facility.
Internal Revenue Service The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the risk analysis weaknesses GAO identified at facility 4.
Closed – Implemented
IRS has strengthened IRS risk analysis practices and procedures at Facility 4. For example, IRS has incorporated the facility's risk management program into its system certification program.
Internal Revenue Service The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the risk analysis weaknesses GAO identified at facility 5.
Closed – Implemented
IRS has strengthened IRS risk analysis practices and procedures at Facility 5. For example, IRS has performed a risk analysis of its network at the facility for locally developed programs.
Internal Revenue Service The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the quality assurance weaknesses GAO identified at facility 1.
Closed – Implemented
IRS has corrected all the weaknesses in quality assurance at this facility.
Internal Revenue Service The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the quality assurance weaknesses GAO identified at facility 2.
Closed – Implemented
IRS has implemented policies and procedures for testing all locally developed programs. In addition, programmers are no longer allowed to use taxpayer data for testing purposes.
Internal Revenue Service The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the quality assurance weaknesses GAO identified at facility 3.
Closed – Implemented
IRS officials at Facility 3 have taken steps to phase out most locally developed software and have implemented policies and procedures to ensure remaining locally developed programs adhere to Y2K programming standards.
Internal Revenue Service The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the quality assurance weaknesses GAO identified at facility 4.
Closed – Implemented
IRS has corrected the significant weaknesses in quality assurance at this facility.
Internal Revenue Service The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the quality assurance weaknesses GAO identified at facility 5.
Closed – Implemented
IRS has corrected a majority of the quality assurance weaknesses at this facility.
Internal Revenue Service The Commissioner of Internal Revenue should include in this plan specific steps for correcting all internal audit and security weaknesses GAO identified at facility 1.
Closed – Implemented
IRS has corrected all the internal audit weaknesses identified at this facility.
Internal Revenue Service The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the internal audit and security weaknesses GAO identified at facility 2.
Closed – Implemented
Based on GAO's followup work, facility 2 has corrected all reported internal audit and security weaknesses.
Internal Revenue Service The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the internal audit and security weaknesses GAO identified at facility 3.
Closed – Implemented
Since the report, IRS has taken several steps to address this recommendation, including developing procedures to monitor activities of information system personnel to deter employee browsing of taxpayer data.
Internal Revenue Service The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the internal audit and security weaknesses GAO identified at facility 4.
Closed – Implemented
IRS is implementing this recommendation by initiating security reviews and forwarding weekly violation reports to managers in the field for their review and appropriate followup.
Internal Revenue Service The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the internal audit and security weaknesses GAO identified at facility 5.
Closed – Implemented
IRS has developed and implemented a comprehensive set of local security policies and procedures to ensure that security safeguards are adequate and that potential security problems are brought to management's attention.
Internal Revenue Service The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the security awareness weaknesses GAO identified at facility 2.
Closed – Implemented
IRS has corrected all the security awareness weaknesses identified at this facility.
Internal Revenue Service The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the security awareness weaknesses GAO identified at facility 3.
Closed – Implemented
IRS has developed and implemented a new awareness program known as UNAX (Unauthorized Access). All employees are required to attend UNAX training and employees are required to sign a statement acknowledging that they have read the material and are aware of their rights.
Internal Revenue Service The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the security awareness weaknesses GAO identified at facility 4.
Closed – Implemented
IRS has developed and implemented a new awareness program known as UNAX (Unauthorized Access). All employees are required to attend UNAX training and employees are required to sign a statement acknowledging that they have read the material and are aware of their rights.
Internal Revenue Service The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the security awareness weaknesses GAO identified at facility 5.
Closed – Implemented
Based on GAO's followup work, facility 5 has corrected all reported security awareness weaknesses.
Internal Revenue Service The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the contingency planning weaknesses GAO identified at facility 1.
Closed – Implemented
IRS has developed and implemented a new awareness program known as UNAX (Unauthorized Access). All employees are required to attend UNAX training and employees are required to sign a statement acknowledging that they have read the material and are aware of their rights.
Internal Revenue Service The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the contingency planning weaknesses GAO identified at facility 2.
Closed – Implemented
IRS has corrected all the contingency planning weaknesses identified at this facility.
Internal Revenue Service The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the contingency planning weaknesses GAO identified at facility 3.
Closed – Implemented
IRS has corrected the key contingency planning weaknesses at this facility.
Internal Revenue Service The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the contingency planning weaknesses GAO identified at facility 4.
Closed – Implemented
IRS has implemented procedures for loading the operating system and restoring direct access storage devices, applications, and telecommunications services.
Internal Revenue Service The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the contingency planning weaknesses GAO identified at facility 5.
Closed – Implemented
IRS has corrected all the contingency planning weaknesses identified at this facility.
Internal Revenue Service The Commissioner of Internal Revenue should provide this plan to selected congressional committees, including the Senate Committee on Governmental Affairs.
Closed – Implemented
On May 14, 1997, IRS provided its corrective action plan to the Senate Committee on Governmental Affairs and to other interested congressional committees.
Internal Revenue Service The Commissioner of Internal Revenue should report IRS' progress against this plan in its fiscal year 1999 budget submissions.
Closed – Implemented
In August 1997, IRS delivered a security plan to the Congress for correcting the computer security weaknesses identified in the report. In February 1998, IRS reported on the progress made against that plan in its FY 1999 budget submission.
Internal Revenue Service The Commissioner of Internal Revenue should, until corrected, report the security control weaknesses that GAO identified as material weaknesses in Treasury's Federal Managers' Financial Integrity Act reports.
Closed – Implemented
With the fiscal year 1997 Treasury Federal Managers' Financial Integrity Act (FMFIA) report, IRS began reporting the security control weaknesses identified by GAO as material weaknesses. The material weaknesses were reported by facility type--computing center, service center, district office, and other.
Internal Revenue Service The Commissioner of Internal Revenue should, by June 1997, reevaluate IRS' approach to computer security and report the results to selected congressional committees, including the Senate Committee on Governmental Affairs.
Closed – Implemented
In March 1997, IRS assigned its Office of System Standards and Evaluation (SSE) responsibility for reevaluating IRS' approach to computer security and for reporting the results of this reevaluation to the Congress by June 1997. In August 1997, the SSE reported the results of its reevaluation to the Congress.
Internal Revenue Service The Commissioner of Internal Revenue should ensure that IRS completely and consistently monitors, records, and reports the full extent of electronic browsing.
Closed – Implemented
In October 1997, IRS designated the Office of the Chief Inspector as the responsible office for centralized tracking, reporting, and adjudication of unauthorized access (browsing) cases. In February 1998, as a part of its FY 1999 budget submission, IRS reported to the Congress on the number of employees disciplined for intentional unauthorized access to taxpayer records. IRS plans to annually report on all unauthorized access as a part of its annual budget submissions.
Internal Revenue Service The Commissioner of Internal Revenue should report IRS' progress in eliminating browsing in IRS' annual budget submission.
Closed – Implemented
In August 1997, the Department of Treasury and IRS reported to key Congressional Committees on the actions being taken to control unauthorized access to taxpayer records. In February 1998, as a part of its FY 1999 budget submission, IRS reported to the Congress on the number of employees disciplined for intentional unauthorized access to taxpayer records. IRS plans to annually report on all unauthorized access as a part of its annual budget submissions.

GAO Contacts

Robert (Bob) Dacey
Chief Accountant
Applied Research and Methods

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Topics

Automated security systems, Computer security, Confidential communications, Data storage, Disaster recovery plans, Electronic forms, Emergency preparedness, Federal employees, Internal controls, Natural disasters, Personnel management, Tax information confidentiality, Tax returns