IRS Systems Security: Tax Processing Operations and Data Still at Risk Due to Serious Weaknesses

On May 7, 1997, IRS issued its plan to correct the weaknesses identified at the five facilities, and identify and correct the weaknesses at other data facilities. IRS is implementing this plan. Those weaknesses are now being corrected at all five facilities.

IRS has corrected the significant weaknesses in logical security at this facility.

IRS has corrected the key weaknesses in physical security at this facility.

IRS has corrected the significant weaknesses in physical security at this facility.

IRS has corrected the key weaknesses in physical security at this facility.

IRS has taken actions to address physical security at Facility 5. The actions include upgrading the capability of perimeter camera monitors.

IRS has corrected the key weaknesses in logical security at this facility.

IRS has corrected all the weaknesses in logical security at this facility.

IRS has taken actions to address logical security practices at Facility 3. This includes prohibiting database administrators and computer systems analysts from performing security administration-related functions and revoking special system privileges from those users who did not have a need for such access.

IRS has taken actions to address logical security practices at Facility 4. This includes prohibiting application programmers to stage their own software for production.

IRS has corrected all the logical security weaknesses identified at this facility.

IRS has corrected the key weaknesses in data communications management at this facility.

IRS has corrected a majority of the data communications weaknesses at this facility.

IRS has corrected the significant weaknesses in data communications management at this facility.

IRS has corrected all the weaknesses in data communications management at this facility.

IRS has increased physical protection over the consolidated data network node and has implemented a policy restricting the use of data to officials who have a need for the information.

IRS has corrected some of the risk analysis weaknesses at this facility.

IRS has corrected all the risk analysis weaknesses at this facility.

IRS has corrected some of the risk analysis weaknesses at this facility.

IRS has strengthened IRS risk analysis practices and procedures at Facility 4. For example, IRS has incorporated the facility's risk management program into its system certification program.

IRS has strengthened IRS risk analysis practices and procedures at Facility 5. For example, IRS has performed a risk analysis of its network at the facility for locally developed programs.

IRS has corrected all the weaknesses in quality assurance at this facility.

IRS has implemented policies and procedures for testing all locally developed programs. In addition, programmers are no longer allowed to use taxpayer data for testing purposes.

IRS officials at Facility 3 have taken steps to phase out most locally developed software and have implemented policies and procedures to ensure remaining locally developed programs adhere to Y2K programming standards.

IRS has corrected the significant weaknesses in quality assurance at this facility.

IRS has corrected a majority of the quality assurance weaknesses at this facility.

IRS has corrected all the internal audit weaknesses identified at this facility.

Based on GAO's followup work, facility 2 has corrected all reported internal audit and security weaknesses.

Since the report, IRS has taken several steps to address this recommendation, including developing procedures to monitor activities of information system personnel to deter employee browsing of taxpayer data.

IRS is implementing this recommendation by initiating security reviews and forwarding weekly violation reports to managers in the field for their review and appropriate followup.

IRS has developed and implemented a comprehensive set of local security policies and procedures to ensure that security safeguards are adequate and that potential security problems are brought to management's attention.

IRS has corrected all the security awareness weaknesses identified at this facility.

IRS has developed and implemented a new awareness program known as UNAX (Unauthorized Access). All employees are required to attend UNAX training and employees are required to sign a statement acknowledging that they have read the material and are aware of their rights.

IRS has developed and implemented a new awareness program known as UNAX (Unauthorized Access). All employees are required to attend UNAX training and employees are required to sign a statement acknowledging that they have read the material and are aware of their rights.

Based on GAO's followup work, facility 5 has corrected all reported security awareness weaknesses.

IRS has developed and implemented a new awareness program known as UNAX (Unauthorized Access). All employees are required to attend UNAX training and employees are required to sign a statement acknowledging that they have read the material and are aware of their rights.

IRS has corrected all the contingency planning weaknesses identified at this facility.

IRS has corrected the key contingency planning weaknesses at this facility.

IRS has implemented procedures for loading the operating system and restoring direct access storage devices, applications, and telecommunications services.

IRS has corrected all the contingency planning weaknesses identified at this facility.

On May 14, 1997, IRS provided its corrective action plan to the Senate Committee on Governmental Affairs and to other interested congressional committees.

In August 1997, IRS delivered a security plan to the Congress for correcting the computer security weaknesses identified in the report. In February 1998, IRS reported on the progress made against that plan in its FY 1999 budget submission.

With the fiscal year 1997 Treasury Federal Manager's Financial Integrity Act (FMFIA) report, IRS began reporting the security control weaknesses identified by GAO as material weaknesses. The material weaknesses were reported by facility type--computing center, service center, district office, and other.

In March 1997, IRS assigned its Office of System Standards and Evaluation (SSE) responsibility for reevaluating IRS' approach to computer security and for reporting the results of this reevaluation to the Congress by June 1997. In August 1997, the SSE reported the results of its reevaluation to the Congress.

In October 1997, IRS designated the Office of the Chief Inspector as the responsible office for centralized tracking, reporting, and adjudication of unauthorized access (browsing) cases. In February 1998, as a part of its FY 1999 budget submission, IRS reported to the Congress on the number of employees disciplined for intentional unauthorized access to taxpayer records. IRS plans to annually report on all unauthorized access as a part of its annual budget submissions.

In August 1997, the Department of Treasury and IRS reported to key Congressional Committees on the actions being taken to control unauthorized access to taxpayer records. In February 1998 as a part of its FY 1999 budget submission, IRS reported to the Congress on the number of employees disciplined for intentional unauthorized access to taxpayer records. IRS plans to annually report on all unauthorized access as a part of its annual budget submissions.