Information security still a problem at IRS

GAO points to 66 previously identified security weaknesses that remain unresolved

The Internal Revenue Service failed to address more than half of the security weaknesses identified in previous audits, according to a report released by the Government Accountability Office on Friday. Inadequate monitoring of network activity and a lack of computer access controls continue to put financial and taxpayer information at risk.

The IRS made some progress on improving information security at its three data centers and another agency facility, GAO reported. The agency addressed 49 of 115 security weaknesses identified in 2008 or in prior-year audits, including deployment of encryption technologies to protect information traveling on its network, as well as better auditing of network activities. The IRS also improved patching of some critical vulnerabilities and added access controls to its mainframe computer environment.

Still, about 57 percent of weaknesses remain open or unmitigated, GAO reported.

For example, IRS continues to make sensitive information, including user IDs and passwords for mission-critical applications, readily available to any user on the internal network, and uses passwords that are not complex enough to avoid being guessed or cracked, according to the report. The agency grants unnecessary electronic access to network applications, is inconsistent in applying software patches, and in the case of one system, fails to remove employees' access privileges in a timely manner after they're no longer needed. The report also noted a failure to encrypt certain sensitive data, effectively monitor changes on computer systems, and physically protect computer resources.

"These weaknesses continue to jeopardize the confidentiality, integrity and availability of IRS' systems and contributed to IRS' material weakness in information security," GAO reported.

Part of the problem is the lack of an agencywide information security program that ensures controls are effectively established and maintained, according to the report. The agency did not annually review risk assessments for certain systems, for example, or comprehensively test for certain controls.

"Until these weaknesses are corrected, the agency remains particularly vulnerable to insider threats and IRS is at increased risk of unauthorized access to and disclosure, modification or destruction of financial and taxpayer information, as well as inadvertent or deliberate disruption of system operations and services," GAO reported. A separate, classified report provided IRS officials with more detailed recommendations for improving security.

IRS officials said they are continuing to address security weaknesses and completed additional corrective actions following the completion of GAO's analysis. In a letter of response to the report, IRS commissioner Douglas Shulman said the agency will provide GAO with a detailed corrective action plan that addresses each recommendation.