
IRS Improvements in IT Security Not Enough: GAO

GAO Report: IRS Has Improved Controls but Needs to Resolve Weaknesses

The Internal Revenue Service has addressed some of the security issues in its IT infrastructure, but it still has a long way to go, the Government Accountability Office said in a new report.

The IRS claimed to have resolved 58 information system security-related recommendations made by the GAO last year, but the GAO's audit, released March 15, found that more than 20 percent of them had not been fully addressed.

The report acknowledged that the IRS had devoted more attention and resources in fiscal year 2012 to addressing information security control weaknesses the GAO had previously identified, but the agency still had several vulnerabilities to fix before it could be confident that sensitive taxpayer information and financial data were not at risk of compromise.

The GAO pointed out that most of the current weaknesses in the IRS infrastructure stemmed from its failure to fully implement an information security program. The IRS had established a comprehensive framework for the program and continued to make strides with various initiatives to improve its controls, but the GAO found shortcomings in how that program was actually being carried out.

"Serious weaknesses remain that could affect the confidentiality, integrity, and availability of financial and sensitive taxpayer data," the GAO said in its report (PDF).

The testing procedures for a financial reporting system did not always determine whether required controls were operating effectively, the GAO found. There were also control weaknesses that the IRS had not detected on its own, which a fully implemented security program would have flagged.

The IRS improved controls over encrypting data transferred between accounting systems and upgraded critical network devices in fiscal year 2012, two weaknesses the GAO previously identified. The IRS also launched cross-functional working groups to identify and fix specific at-risk control areas.

However, one of the outstanding recommendations involved adopting effective controls for identifying and authenticating users, such as enforcing password complexity on certain servers, changing passwords frequently, and storing passwords in a way that prevents them from being disclosed. The GAO also found databases that lacked the authentication controls it expected to be in place.

The IRS had not yet fully implemented that recommendation, and it had also failed to restrict access to its mainframe environment or to monitor that environment thoroughly, the GAO found.

"Until the IRS appropriately controls users' access to its systems and effectively implements its procedures for authorization, the agency has limited assurance that its information resources are being protected from unauthorized access, alteration, and disclosure," said the report.
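The report describes the missing password controls (complexity, regular change, protected storage) only at the policy level. The following is an added example, not code from the article, the IRS or the GAO, showing what those three controls look like when enforced and audited in code; the policy values (12-character minimum, 90-day maximum age, PBKDF2 iteration count) and the sample account records are assumptions.

```python
"""Added example: the three password controls the GAO report names (complexity,
regular change, protected storage) as code. Constructed illustration, not IRS
or GAO code; the policy values are assumptions, since the report gives none."""
from __future__ import annotations

import hashlib
import hmac
import os
import re
from datetime import date, timedelta

MIN_LENGTH = 12             # assumed policy minimum
MAX_AGE_DAYS = 90           # assumed maximum password age
PBKDF2_ITERATIONS = 600_000
SCHEME = "pbkdf2_sha256"
AUDIT_DAY = date(2013, 3, 15)   # the report's release date, used as "today"


def meets_complexity(password: str) -> bool:
    """Require minimum length and one lower, upper, digit and symbol character."""
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return len(password) >= MIN_LENGTH and all(re.search(c, password) for c in classes)


def hash_password(password: str, salt: bytes | None = None) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256. The stored string records its own
    scheme, iteration count and salt so verification needs no global state."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{SCHEME}${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Constant-time comparison against a string produced by hash_password()."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return False          # unknown or legacy scheme: never accept it
    _, iterations, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def set_password(password: str, today: date) -> dict:
    """Enforce complexity at the moment the password is chosen; a stored hash
    cannot be checked for complexity afterwards."""
    if not meets_complexity(password):
        raise ValueError("password does not meet complexity policy")
    return {"stored": hash_password(password), "last_changed": today}


def password_expired(last_changed: date, today: date) -> bool:
    return (today - last_changed).days > MAX_AGE_DAYS


def audit_account(record: dict, today: date) -> list[str]:
    """Return the control failures an auditor would report for one stored record."""
    findings = []
    if not record["stored"].startswith(SCHEME + "$"):
        findings.append("password not stored as a salted, iterated hash")
    if password_expired(record["last_changed"], today):
        findings.append(f"password older than {MAX_AGE_DAYS} days")
    return findings


# Constructed sample: a legacy record holding an unsalted MD5 of "password",
# last changed in 2011, as a stand-in for the weaknesses the report describes.
LEGACY_RECORD = {
    "stored": "5f4dcc3b5aa765d61d8327deb882cf99",   # md5("password"), no salt
    "last_changed": date(2011, 11, 1),
}

if __name__ == "__main__":
    print(audit_account(LEGACY_RECORD, AUDIT_DAY))
    good = set_password("Correct-Horse9Battery", AUDIT_DAY)
    print(audit_account(good, AUDIT_DAY),
          verify_password("Correct-Horse9Battery", good["stored"]))
```

The audit deliberately works from the stored record alone: storage scheme and age are visible there, while complexity can only be enforced when the password is set, which is why `set_password` refuses weak input rather than leaving it for a later scan to find.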

The IRS was also not keeping up with patch management, as several of its systems did not have up-to-date patches installed. This isn't the first time the IRS has been dinged over out-of-date patches: the Treasury Inspector General for Tax Administration called out the agency back in November for not taking an enterprise-wide approach to installing and monitoring software updates.

The IRS does not yet have a procedure for reconciling the access privileges users actually hold against the access they are authorized to have, and some of its policies contained outdated information, such as references to the wrong software versions and control capabilities.
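The report does not say what an access-privilege reconciliation should look like, so here is an added example, not code from the article or the IRS, of the basic check: compare an export of what systems actually grant against the approval records and list every discrepancy. The users, systems and privilege levels are constructed sample data.

```python
"""Added example: reconciling provisioned access against approved access.
Constructed illustration of the control the GAO said the IRS lacked; the
users, systems and privilege levels below are invented sample data."""
from __future__ import annotations

# Privilege ordering used to spot grants above the approved level.
PRIV_RANK = {"read": 1, "write": 2, "admin": 3}

# Constructed sample: what the approval records say each user may hold ...
AUTHORIZED = {
    "jdoe":   {"mainframe": "read"},
    "asmith": {"mainframe": "admin", "gl_system": "write"},
    "bwong":  {"mainframe": "read"},
}
# ... versus what an export of the systems' account tables shows is granted.
PROVISIONED = [
    ("jdoe", "mainframe", "read"),
    ("jdoe", "gl_system", "write"),      # no approval on file
    ("asmith", "mainframe", "admin"),    # asmith's approved gl_system grant is absent
    ("bwong", "mainframe", "write"),     # above the approved level
    ("rjones", "mainframe", "admin"),    # user no longer in the authorized roster
]


def reconcile(authorized: dict, provisioned: list) -> list[tuple]:
    """Compare live grants with approvals and return every discrepancy as
    (finding, user, system, level), sorted for stable reporting."""
    findings = []
    seen = set()
    for user, system, level in provisioned:
        seen.add((user, system))
        if user not in authorized:
            findings.append(("orphaned_account", user, system, level))
        elif system not in authorized[user]:
            findings.append(("unapproved_access", user, system, level))
        elif PRIV_RANK[level] > PRIV_RANK[authorized[user][system]]:
            findings.append(("excess_privilege", user, system, level))
    # Approved access that was never provisioned is also worth reporting: it
    # often means work is being done under someone else's account.
    for user, grants in authorized.items():
        for system, level in grants.items():
            if (user, system) not in seen:
                findings.append(("missing_access", user, system, level))
    return sorted(findings)


def revocation_candidates(findings: list[tuple]) -> list[tuple]:
    """Grants that should be revoked or reduced pending a fresh approval."""
    actionable = {"orphaned_account", "unapproved_access", "excess_privilege"}
    return [f for f in findings if f[0] in actionable]


if __name__ == "__main__":
    for finding in reconcile(AUTHORIZED, PROVISIONED):
        print(*finding)
```

In practice the two inputs come from an HR or approval-workflow export and from each system's own account table, and the reconciliation is run on a schedule so that orphaned and excess grants are caught without waiting for an external audit.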

“Until the IRS takes additional steps to more effectively implement its testing and monitoring capabilities, ensure that policies and procedures are updated, and address unresolved and newly identified control deficiencies, its financial and taxpayer data will remain vulnerable to inappropriate use, modification or disclosure, possibly without being detected,” the GAO warned.

The GAO concluded that the IRS still had a significant deficiency in its internal control over financial reporting for fiscal year 2012. The IRS has committed to reviewing all of the recommendations and developing an action plan to address them.

"We will review all of GAO's reported recommendations to ensure that our actions include sustainable fixes that implement appropriate security controls," IRS Acting Commissioner Steven T. Miller wrote in a response to the report.


Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.