As GAO watches, IRS works to patch security holes

The IRS, caught in a thicket of IT security problems, is hoping to be mostly out the woods by fall.The agency’s shortcomings in cybersecurity management put taxpayer and other financial data at risk, the Government Accountability Office said in a recent report.“Until IRS fully implements a comprehensive agencywide information security program, its facilities and computing resources and the information that is processed, stored and transmitted on its systems will remain vulnerable,” said Gregory Wilshusen, director of GAO’s information security issues.GAO again will review the IRS’ progress in securing its systems this summer, Wilshusen said.“Most weaknesses we identified were management-related issues in terms of how IRS configured systems and assured that established procedures were followed,” Wilshusen said. “Managing the security risk is the key to securing your systems.”The IRS already is fixing the vulnerabilities and anticipates having most problems corrected by September, a Treasury Department official said.By then, officials said, they expect to have certified and accredited all systems to comply with the Federal Information Security Management Act.“The IRS anticipates significantly improved performance in this summer’s FISMA annual systems security review,” said Arnold Havens, Treasury’s acting deputy secretary, in a response to GAO earlier this month.Treasury received a D+ as its most recent overall FISMA grade, and IRS systems constitute the bulk of Treasury’s systems.Completing certification and accreditation will be a big step forward for the IRS, said a spokesman for House Government Reform Committee chairman Tom Davis (R-Va.).Certification and accreditation lets agencies assess controls for each system and lets management sign off on acceptance of risk and authorize system operations. But “it does not necessarily mean that a system is secure,” Wilshusen said.Other threats could emerge, new vulnerabilities could be identified and changes could occur in the operating environment that would not necessarily be covered by certification and accreditation, he said.Legacy systems also present a challenge because security must be bolted on, rather than being incorporated in development as with new systems.“These systems can be costly and complicated to transform or update, but not doing so can create greater vulnerabilities,” Government Reform Committee spokesman Drew Crockett said.In addition to taxpayer data, the IRS also maintains monthly reports related to suspicious financial transactions under the Bank Secrecy Act for Treasury’s Financial Crimes Enforcement Network. The record keeping provides a paper trail for law enforcement to investigate money laundering and terrorist financing.GAO’s report criticized the agency for a broad range of weaknesses that must be addressed before the IRS really has a handle on its security. To read the report, go to and enter 418 in the Quickfind search box.Even as the IRS has fixed some security weaknesses, others have emerged, auditors found. In the two years since the last review, the IRS has fixed 32 of 53 previously identified security weaknesses. But auditors uncovered 39 more during their recent evaluation.The weak spots include ineffective electronic access controls over its mainframe computers to separate its taxpayer data from Bank Secrecy Act report data. Consequently, the IRS granted all 7,460 mainframe users, including IRS employees, non-IRS employees and contractors, regardless of their official duties, the ability to access taxpayer and Bank Secrecy Act data.“As a result, all mainframe users could read or copy Bank Secrecy Act data, and law enforcement users could read or copy taxpayer data,” Wilshusen said.Bank Secrecy Act data includes the name, Social Security number and driver’s license number of the individual under investigation and the amounts of financial transactions.The IRS will determine whether taxpayer or Bank Secrecy data has been compromised, Treasury’s Havens said.