GAO finds IRS still struggling with IT security
Review concludes that progress was made in 2012, but serious problems remain unaddressed.
The Internal Revenue Service may have stronger IT security in place since last year’s Government Accountability Office audit, but it still needs to address several vulnerabilities to avoid compromising financial and sensitive taxpayer data, the watchdog concluded.
During fiscal year 2012, the IRS dealt with several of the information security control deficiencies GAO previously identified. For example, improvement was seen in controls over the encryption of data transferred between accounting systems, and upgrades to critical network devices on the IRS internal network system. Cross-functional working groups were also launched to identify and fix specific at-risk control areas.
However, a review released March 15 found that although the IRS said it had dealt with 58 of the previous information system security-related recommendations GAO made in 2012, more than 20 percent were in fact never resolved. For example, the IRS had not adopted effective controls for identifying and authenticating users, such as enforcing password complexity on certain servers. The agency also failed to restrict access to its mainframe environment and monitor the mainframe environment well enough.
Additionally, the IRS did not ensure up-to-date patches were installed on systems to protect against known vulnerabilities – a familiar problem for the agency. As recently as November 2012, the Treasury Inspector General for Tax Administration rapped the IRS for failing to take an enterprisewide approach to installing and monitoring software patches.
However, the IRS’ challenges with swift implementation of security elements date back several years. A 2009 report from TIGTA found the agency implemented 102 of the 254 required security settings on its computers - nine months after the deadline imposed by the Office of Management and Budget.
Most of IRS’ current weaknesses resulted from the agency’s failure to fully implement its information security program. For example, the IRS lacked a procedure to reconcile certain access privileges, and its policies did not cover situations where systems share data storage. Additionally, the IRS’ security standards for systems supporting tax processing and financial management had outdated information.
The IRS has agreed with GAO’s recommendations to more effectively implement portions of its information security program, and address newly identified control weaknesses.