Auditors rap IRS for weak information security

IG reports that failure to enforce security policies properly puts taxpayers' personal data at risk.

The Internal Revenue Service has failed to secure sensitive electronic taxpayer information properly, increasing the potential for identity theft, according to an audit report released on Thursday.

The inspector general review of three computer systems at the IRS Office of Research, Analysis and Statistics showed several weaknesses in control over access to applications containing sensitive information.

"Managers and system administrators had not placed sufficient emphasis on maintaining the security and privacy of the taxpayer data they are charged with protecting," the report stated. Furthermore, officials failed to provide guidance or monitor compliance with IRS information security policies, and did not supply software to scan for security weaknesses, the IG found.

The report comes one month after the release of another IG review pointing to computer security weaknesses at the agency.

Thursday's report examines management controls for the Compliance Data Warehouse, which gives the research community access to a variety of tax return, enforcement, compliance and other data; the Statistics of Income Distributed Processing System, which supports the IRS requirement to report annually to Congress the numbers, types and content of tax returns filed; and the YK1 Link Analysis Tool, which extracts information from a tax return database to show trends in financial gains and losses.

The IG did not find fault with the IRS office's security policies themselves. The agency has a number of procedures in place to prevent breaches, the report noted. For example, managers must authorize each request for access to a system and ensure that the user has a legitimate need for access and has passed a background investigation. The policies also require annual reviews and updates of employee and contractor access rights. Systems must be configured to disable accounts that have not been used in 45 consecutive calendar days and to remove accounts that have not been used in 90 consecutive calendar days. Finally, administrators must log on to their own personal accounts before switching to the privileged account they use to perform their duties, so that every privileged action can be traced to an individual.

Security policies, however, were ignored too often on the three systems reviewed, the IG reported. Administrators provided access to 67 of 613 employees, or 11 percent, without proper authorization from managers. And three users with administrative rights for the YK1 Link Analysis Tool system lacked the appropriate authorization.

Also, systems were not configured to disable and remove inactive accounts. Seventy-one Compliance Data Warehouse accounts and 31 Statistics of Income Distributed Processing System accounts remained enabled even though they had not been accessed for more than 45 calendar days. Across all three systems, a total of 81 accounts remained open even though they had not been accessed in more than 90 days. Accounts for 17 former employees also remained active.
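The inactivity rule in the office's own policy (disable at 45 idle days, remove at 90) and the findings above about idle and former-employee accounts are the kind of control an administrator or auditor can check mechanically against an account export. The following is an added example, not code from the IRS, the IG report or any IRS system; it runs over a small constructed set of account records (the names, dates, system labels and the `created`/`separated` fields are invented for illustration) and reports which accounts the policy says should already have been disabled or removed. One assumption, noted in the code: an account that has never been used is counted as idle since its creation date.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Thresholds from the policy described in the article.
DISABLE_AFTER_DAYS = 45   # disable accounts unused for 45 consecutive calendar days
REMOVE_AFTER_DAYS = 90    # remove accounts unused for 90 consecutive calendar days


@dataclass
class Account:
    name: str
    system: str                         # short labels such as "CDW", "SOI", "YK1" (assumed)
    enabled: bool
    created: date                       # assumed field: never-used accounts count idle time from here
    last_login: Optional[date] = None   # None means the account has never been used
    separated: bool = False             # assumed field: True if the holder is a former employee


def idle_days(acct: Account, today: date) -> int:
    """Consecutive calendar days since the account was last used."""
    last = acct.last_login or acct.created
    return (today - last).days


def classify(acct: Account, today: date) -> Optional[str]:
    """Return the policy action due for this account, or None if it is compliant."""
    if acct.separated:
        # A former employee's account should not exist at all, enabled or not.
        return "remove: holder is a former employee"
    idle = idle_days(acct, today)
    if idle >= REMOVE_AFTER_DAYS:
        # Past 90 days, merely being disabled is not enough; the account should be gone.
        return "remove: idle %d days" % idle
    if idle >= DISABLE_AFTER_DAYS and acct.enabled:
        return "disable: idle %d days" % idle
    return None


def audit(accounts, today):
    """Return [(account, action)] for every account that is out of policy."""
    findings = []
    for acct in accounts:
        action = classify(acct, today)
        if action is not None:
            findings.append((acct, action))
    return findings


def summarize(findings):
    """Count findings per (system, action), the way an audit table would."""
    counts = {}
    for acct, action in findings:
        key = (acct.system, action.split(":")[0])
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample data; the names, dates and systems are invented.
TODAY = date(2024, 6, 30)


def _ago(days):
    return TODAY - timedelta(days=days)


SAMPLE_ACCOUNTS = [
    Account("alice", "CDW", True,  _ago(400), last_login=_ago(10)),
    Account("bob",   "CDW", True,  _ago(400), last_login=_ago(60)),
    Account("carol", "CDW", True,  _ago(400), last_login=_ago(120)),
    Account("dave",  "SOI", True,  _ago(50)),                          # never logged in
    Account("erin",  "SOI", True,  _ago(400), last_login=_ago(5), separated=True),
    Account("frank", "YK1", False, _ago(400), last_login=_ago(100)),   # disabled but never removed
    Account("grace", "YK1", True,  _ago(400), last_login=_ago(44)),
]

if __name__ == "__main__":
    findings = audit(SAMPLE_ACCOUNTS, TODAY)
    for acct, action in findings:
        print(f"{acct.system:4} {acct.name:6} {action}")
    for (system, action), n in sorted(summarize(findings).items()):
        print(f"{system}: {n} account(s) to {action}")
```

Two details matter in practice: the check treats a disabled-but-still-present account past 90 days as a finding, because the policy calls for removal, not just disabling; and a separated employee's account is flagged regardless of its last login, since recent activity on such an account is itself a concern rather than a sign of compliance.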

In addition, auditors found that managers repeatedly gave people access without confirming that they had passed background investigations. On two of the three systems, managers permitted the use of generic and shared administrator accounts, which "contain powerful authorities and present malicious intruders additional opportunities to access a system," the IG reported.

While details were redacted, the report also cited as a weakness how well system administrators complied with the requirement to log in to their personal accounts before using sensitive permissions. Those permissions belong to "the most powerful account on the computer system," the IG reported, giving broader access to information and the ability to modify content.

"If an intruder or hacker were to gain access to the root account, management would be unable to distinguish the actions of the intruder from those performed by the administrator," the IG noted.

Other security issues included weak passwords, failure to store system backups at an off-site facility, outdated intrusion detection and virus protection software, and failure to properly lock down database applications. The IG also found that sensitive data was regularly transferred unencrypted.

Mark Mazur, director of the Office of Research, Analysis and Statistics, noted in a written response to the report that the agency has started to upgrade its security.