Information Security: IRS Needs to Rectify Control Deficiencies That Limit Its Effectiveness in Protecting Sensitive Financial and Taxpayer Data
Fast Facts
IRS must keep its computer systems secure to protect sensitive financial and taxpayer information. We assessed whether it had effective controls in place to safeguard this information in fiscal 2016 and 2017.
We found IRS made progress in resolving a number of previously reported deficiencies, such as enforcing the use of encryption. However, we found continuing and new deficiencies, such as unenforced rules for password security.
In this report, we recommended that IRS take 5 additional actions to bolster security. In a separate report with limited distribution, we recommended 32 other actions to address newly identified deficiencies.
Highlights
What GAO Found
The Internal Revenue Service (IRS) has made progress in resolving a number of previously reported control deficiencies. During fiscal year 2017, the agency made improvements in access controls by, for example, restricting unnecessary user access to certain applications and enforcing strong encryption on certain systems. IRS also corrected a previously identified contingency planning weakness for one system.
Nevertheless, continuing and newly identified control deficiencies limited the effectiveness of security controls for protecting the confidentiality, integrity, and availability of IRS's financial and tax processing systems. For example, IRS did not consistently (1) implement access controls by enforcing password expirations and minimum password lengths or by updating expiration dates for contractor passwords; (2) apply configuration management controls by documenting authorizations and approvals for changes to mainframe data and processing, or by installing critical security patches on multiple devices; and (3) implement certain components of its security program by correcting weaknesses in procedures or by updating system security plans. GAO has made recommendations to IRS to correct the identified security control deficiencies (see table). However, many deficiencies have not been corrected, and a large number of recommendations remained open at the conclusion of the audit of IRS's financial statements for fiscal year 2017.
Status of GAO Information Security Control Recommendations to IRS to Correct Control Deficiencies at the Conclusion of Fiscal Year 2017
Information security control area | Prior recommendations open at the beginning of FY 2017 | Prior recommendations closed at the end of FY 2017 | New recommendations resulting from FY 2017 audit | Total outstanding recommendations at the end of FY 2017 |
---|---|---|---|---|
Access controls | 120 | (35) | 21 | 106 |
Configuration management | 29 | (10) | 13 | 32 |
Segregation of duties | 1 | (0) | 0 | 1 |
Contingency planning | 2 | (1) | 1 | 2 |
Security program | 14 | (3) | 2 | 13 |
Total | 166 | (49) | 37 | 154 |
Legend: FY = fiscal year
Source: GAO analysis of Internal Revenue Service (IRS) data. | GAO-18-391
Until IRS takes additional steps to address unresolved and newly identified control deficiencies and effectively implements components of its information security program, IRS financial reporting and taxpayer data will remain unnecessarily vulnerable to inappropriate and undetected use, modification, or disclosure. These shortcomings were the basis for GAO's determination that IRS had a significant deficiency in internal control over financial reporting systems for fiscal year 2017.
Why GAO Did This Study
The IRS has a demanding responsibility to collect taxes, process tax returns, and enforce the nation's tax laws. It relies extensively on computerized systems to support its financial and mission-related operations, and on information security controls to protect the sensitive financial and taxpayer information that resides on those systems.
As part of its audit of IRS's fiscal year 2017 and 2016 financial statements, GAO assessed whether controls over financial and tax processing systems were effective in ensuring the confidentiality, integrity, and availability of financial and sensitive taxpayer information. To do this, GAO examined IRS information security policies, plans, and procedures; tested controls over selected financial systems and applications; and interviewed key agency officials at four IRS locations.
Recommendations
In addition to the prior recommendations that have not been implemented, GAO is recommending that IRS take 5 additional actions to more effectively implement security-related policies and plans. In a separate report with limited distribution, GAO is recommending 32 actions that IRS can take to address newly identified control deficiencies. In commenting on a draft of this report, IRS agreed with GAO's recommendations and stated that it would review each of the recommendations and ensure that its corrective actions include a root cause analysis for sustainable fixes that implement appropriate security controls.
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Internal Revenue Service | The Commissioner of Internal Revenue should take steps to improve the implementation of IRS's information security program by entering correct contractor password expiration dates, per IRS's policy, in the system used for managing user access authorizations. (Recommendation 1) | In fiscal year 2020, we verified that IRS, in response to our recommendation, improved its information security program by entering correct contractor password expiration dates, per IRS's policy, in the system used for managing user access authorizations. |
Internal Revenue Service | The Commissioner of Internal Revenue should take steps to improve the implementation of IRS's information security program by documenting access authorizations for non-unique accounts. (Recommendation 2) | In fiscal year 2021, we verified that IRS, in response to our recommendation, documented access authorizations for non-unique accounts that were approved by the system or application owners. |
Internal Revenue Service | The Commissioner of Internal Revenue should take steps to improve the implementation of IRS's information security program by reviewing non-unique accounts at least annually, per IRS's policy. (Recommendation 3) | In fiscal year 2021, we verified that IRS, in response to our recommendation, reviewed non-unique accounts on a weekly basis. |
Internal Revenue Service | The Commissioner of Internal Revenue should take steps to improve the implementation of IRS's information security program by updating security plans for three systems to reflect changes to their operating environment. (Recommendation 4) | In fiscal year 2019, we verified that IRS, in response to our recommendation, updated the system security plans for the three identified systems to reflect current system changes and all changes to their operating environment. These corrective actions met the intent of our recommendation. |
Internal Revenue Service | The Commissioner of Internal Revenue should take steps to improve the implementation of IRS's information security program by removing, from five system security plans, references to logging standards that IRS has rescinded. (Recommendation 5) | In fiscal year 2018, we verified that IRS, in response to our recommendation, removed, from the five system security plans we reviewed, references to logging standards that it had rescinded. |