GAO Faults IRS Security ProcessesAlleges Agency Fails to Appropriately Secure Key Applications
A Government Accountability Office audit shows that Internal Revenue Service financial and taxpayer data remain unnecessarily vulnerable to inappropriate and undetected use, modification and disclosure.
Although the IRS has made some progress in implementing information security controls, weaknesses persist, limiting the controls' effectiveness in safeguarding the confidentiality, integrity and availability of the data, Gregory Wilshusen, GAO director of information security issues, says in the audit report.
The report cites the tax agency as failing to install appropriate security updates on all of its databases and servers and failing to sufficiently monitor control activities that support its financial reporting. GAO says the IRS did not effectively maintain the secure configuration of a key application or appropriately segregate duties by allowing a developer unnecessary access to the application. Auditors also found the use of weak passwords.
"An underlying reason for these weaknesses is that IRS has not effectively implemented elements of its information security program," Wilshusen says. "The agency had a comprehensive framework for its program, such as assessing risk for its systems, developing security plans and providing employees with security awareness and specialized training. However, aspects of its program were not yet effectively implemented."
The audit points out that the IRS' testing methodology did not consistently determine whether required controls operated effectively, which resulted in GAO examiners discovering control weaknesses undetected by IRS.
Other weaknesses the audit reveals include the IRS failing to:
- Update key mainframe policies and procedures to address issues such as comprehensively auditing and monitoring of access. That, in turn, increased the risk of unauthorized access to tax processing systems not being detected.
- Reassess controls for a key system after significant changes had been made in the operating environment.
- Implement 45 of 69 corrective actions recommended from a previous GAO audit.
Treasure Trove of PII
Wilshusen says failing to implement GAO recommendations exposes IRS data and systems to fraudsters seeking taxpayers' personally identifiable information, hackers seeking to disrupt U.S. government operations, and employees who either act recklessly or maliciously attempt to pilfer data or cause disruption.
"IRS would make an attractive target because it processes a treasure trove of personally identifiable information on American taxpayers," he says.
GAO recommended 19 actions the IRS should take to bolster its IT security. IRS Commissioner John Koskinen agreed to develop corrective action plans to address GAO's recommendations. Koskinen, in a written response to the IRS, characterizes the integrity of the IRS financials systems as "sound," noting that auditors found fewer flaws than it did in past audits.