GAO: Lack of Controls Puts IRS Data at Risk
IRS's Shulman: Agency Complies with Spirit of NIST Guidance
"A lack of fully effective compensating and mitigating controls impairs IRS's ability to ensure that its financial and taxpayer information is secure from internal threats," GAO Applied Research Managing Director Nancy Kingsbury and Information Security Issues Director Gregory Wilshusen wrote in the 36-page report.
IRS Commissioner Douglas Shulman responded to the audit, saying the IRS will furnish GAO with a detailed corrective action plan to address auditors' concerns, but contended that the tax agency has, in essence, adhered to the IT security guidance established by the National Institute of Standards and Technology.
"The integrity of our financial systems continues to be sound," Shulman said in a written response to the GAO audit. "We are committed to securing our computer environment as we continually evaluate processes, promote user awareness and apply innovative ideas to increase compliance. The IRS has fully implemented a comprehensive information security program, with the spirit and intent of the National Institute of Standards and Technology guidelines."
GAO said the IRS implemented numerous controls and procedures intended to protect key financial and tax-processing systems, but noted that security control weaknesses in these systems continue to jeopardize the confidentiality, integrity and availability of the financial and sensitive taxpayer information processed by IRS's systems. Specifically, GAO said, the agency continues to face challenges in controlling access to its information resources. For example, GAO said, the IRS had not always:
- Implemented controls for identifying and authenticating users, such as requiring users to set new passwords after a prescribed period of time.
- Appropriately restricted access to certain servers.
- Ensured that sensitive data were encrypted when transmitted.
- Audited and monitored systems to assure that unauthorized activities would be detected.
- Ensured management validation of access to restricted areas.
GAO also said unpatched and outdated software exposed IRS to known vulnerabilities, and the agency had not enforced backup procedures for a key system.
IRS Lacks Follow-Through
"An underlying reason for these weaknesses is that IRS has not fully implemented a comprehensive information security program," the auditors wrote. "IRS has established a comprehensive framework for such a program, and has made strides to address control deficiencies, such as establishing working groups to identify and remediate specific at-risk control areas; however, it has not fully implemented all key components of its program."
The auditors said IRS's security testing and monitoring programs continued to miss many of the vulnerabilities GAO identified during the audit. IRS also did not promptly correct known vulnerabilities. For instance, GAO said, the agency indicated that 76 of the 105 previously reported weaknesses that were open at the end of GAO's prior-year audit had not been corrected [see IRS Financial Systems Vulnerable to Insider Threats].
IRS also did not always validate that its actions to resolve known weaknesses had been implemented effectively. The auditors noted that nearly half of the identified weaknesses had not been fully addressed. "Although IRS had a process in place for verifying whether each weakness had been corrected," Kingsbury and Wilshusen wrote, "this process was not always working as intended."
The potential internal threat reduces IRS's assurance that its financial statements and other financial information are fairly presented or reliable. "Sensitive IRS and taxpayer information is [not] being sufficiently safeguarded from unauthorized disclosure or modification," the auditors wrote.
GAO recommended six specific actions that the IRS should take to fully implement key components of its comprehensive information security program. In a separate report with limited distribution, the auditors recommended that the IRS take 23 defined actions to correct newly identified control weaknesses.