GAO: IRS has fixed only 30 percent of security gaps

The agency has not fully implemented an information security program to make sure that controls are effectively established and maintained, according to a new report.

The Internal Revenue Service has fixed only 29 of 98 weaknesses in its information security controls, threatening the confidentiality and availability of its financial processing systems and information and limiting the reliability of its taxpayer and financial data. IRS has been slow to correct the weaknesses because it has not fully implemented an agencywide information security program to make sure that controls are effectively established and maintained, the Government Accountability Office said in a report released today.

“As a result, IRS is at increased risk of unauthorized disclosure, modification or destruction of financial and taxpayer information,” said Gregory Wilshusen, director of GAO’s information security issues.

GAO evaluated IRS’ data security against the requirements of the Federal Information Security Management Act, which established the key elements of an effective information security program. IRS relies extensively on computerized systems to collect taxes, process returns and enforce tax laws, and effective information security controls are the foundation for protecting financial and taxpayer information from misuse, fraud and improper disclosure or destruction.

IRS has put in place controls for user IDs on certain critical servers, improved physical protection for its procurement system, developed security for a key financial system and upgraded servers that had been running obsolete operating systems. IRS also established enterprisewide objectives for improving information security through initiatives for protecting and encrypting data, securing IT assets and building security into new applications.

But IRS has not resolved about 70 percent of the weaknesses that GAO previously identified, the report said. It continues to use passwords that are not complex, to grant access to individuals who do not need it and to apply patches late.
GAO recommended that IRS take several actions to establish an enterprisewide data security program. In July 2007, IRS reorganized information security management, moving it from its chief of mission assurance to the newly created position of associate chief information officer for cybersecurity.

IRS will provide a detailed corrective action plan for each of GAO’s recommendations, said Linda Stiff, acting IRS commissioner. IRS has taken many steps to improve its security, such as installing automatic disk encryption on its 52,000 laptop PCs and creating a team of security and computer experts to improve mainframe controls.

“We recognize that there is significant work to be accomplished to address our information security deficiencies, and we are taking aggressive steps to correct previously reported weaknesses and improve our overall information security program,” Stiff said in a written response dated Dec. 14.

As part of the performance agreements with IRS executives, the agency will also include a standard focused on resolving security weaknesses and reporting the security compliance status of all computer systems connected to the IRS network. Additionally, IRS hired technical support to assist in developing a comprehensive security analysis of the architecture, processes and operations of the mainframe computing center complex to create a roadmap to address the issues, she said.

Among GAO’s recommendations, IRS should:
  • Update policies for configuring mainframes so they can control and log changes.

  • Identify those with security responsibilities to receive special training.

  • Expand scope for testing and evaluating controls.

  • Strengthen contractor oversight to detect noncompliance with IRS security policy.