IRS rife with security weaknesses

"Information Security: Progress Made, but Weaknesses at the Internal Revenue Service Continue to Pose Risks"

Critical information security weaknesses at the Internal Revenue Service demonstrate the importance of moving past the development of an information security program to actually implement the measures outlined in the plan.

The General Accounting Office found almost 900 weaknesses across the 11 IRS organizations included in its review, particularly in the areas of access and authorization. All of the weaknesses can be traced to IRS' incomplete implementation of its agencywide security program, according to the report dated May 30.

The IRS has made progress toward addressing security, including developing a milestone-based plan to fix vulnerabilities — a step required by the Office of Management and Budget under the Government Information Security Reform Act of 2000 and continued under the Federal Information Security Management Act of 2002.

The tax agency also has increased the number of resources and people devoted to information security and created an around-the-clock incident response team.

But the many weaknesses that still exist and the lack of an agencywide process to identify and address future vulnerabilities leave sensitive personal data open to unauthorized users.

"Such individuals could possibly obtain personal taxpayer information and use it to commit financial crimes in the taxpayer's name (identity fraud), such as establishing credit and incurring debt," the report states.

Beyond the need to meet all of the standard requirements, such as performing risk assessments and certifying and accrediting systems, GAO also strongly recommended incorporating accountability for security controls into employee performance appraisals.

"Until such performance standards and measures are developed and incorporated into the appraisal process, agency personnel may not devote sufficient attention and effort to implementing effective security controls," the report states.

In a written response to GAO, new IRS Commissioner Mark Everson said that his agency plans to address each of the report's recommendations this year, although incorporating security into performance appraisals will have to wait until fiscal 2004 because of legal constraints.