SecurityWeek

Audits

IRS Improvements in IT Security Not Enough: GAO

GAO Report: IRS Has Improved Controls but Needs to Resolve Weaknesses

The Internal Revenue Service has addressed some of the security issues in its IT infrastructure, but it still has a long way to go, the Government Accountability Office said in a new report.


The IRS claimed to have resolved 58 information system security-related recommendations made by the GAO last year, but it turns out more than 20 percent were not fully addressed, according to a GAO audit released March 15.

The report acknowledged that the IRS had devoted more attention and resources in fiscal year 2012 to strengthening information security controls in areas the GAO had previously identified as weak, but the agency still had several weaknesses to address that could compromise sensitive taxpayer information and financial data.

The GAO pointed out that most of the current weaknesses in the IRS infrastructure stemmed from its failure to fully implement an information security program. The IRS had established a comprehensive framework for the program and continued to make strides with various initiatives to improve the controls, but the GAO found gaps in how that program was carried out.

“Serious weaknesses remain that could affect the confidentiality, integrity, and availability of financial and sensitive taxpayer data,” the GAO said in its report (PDF).

The testing procedures over a financial reporting system did not always determine whether required controls were operating effectively, the GAO found. There were also control weaknesses that the IRS had not detected. A fully implemented security program would have flagged these issues.

The IRS improved controls over encrypting data transferred between accounting systems and upgraded critical network devices in fiscal year 2012, two areas of weakness the GAO had previously identified. The IRS also launched cross-functional working groups to identify and fix specific at-risk control areas.


However, one of the recommendations involved adopting effective controls for identifying and authenticating users, such as enforcing password complexity on certain servers, changing passwords frequently, and storing passwords in a way that prevents them from being disclosed. Some of the databases did not have authentication controls in place to prevent certain types of vulnerabilities, the GAO found.

The IRS has not yet fully adopted those controls, and it also failed to restrict access to its mainframe environment or to thoroughly monitor that environment, the GAO found.

“Until the IRS appropriately controls users’ access to its systems and effectively implements its procedures for authorization, the agency has limited assurance that its information resources are being protected from unauthorized access, alteration, and disclosure,” said the report.

The IRS was not keeping up with patch management, as several of its systems did not have up-to-date patches installed. This isn't the first time the IRS has been dinged over out-of-date patches: the Treasury Inspector General for Tax Administration called out the agency back in November for not taking an enterprise-wide approach to installing and monitoring software updates.

The IRS does not yet have a procedure to reconcile access privileges, and some of its policies contained outdated information, such as wrong software versions and control capabilities.
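The access-privilege reconciliation the GAO says is missing is, in practice, a periodic comparison of what each system has actually provisioned against what the agency has formally authorized. The following Python routine is an added illustration written for this page; it is not code from the GAO report, the IRS, or the article. It assumes two exports are available, an authorization roster and a snapshot of provisioned accounts, and all system names, user names and roles are constructed sample data.

```python
"""Periodic reconciliation of provisioned access against authorized access.

Hypothetical illustration: assumes an authorization roster (who is approved
for which roles on which system) and a snapshot of accounts actually
provisioned. Every name below is constructed sample data.
"""
from dataclasses import dataclass, field

# Authorized access: system -> user -> set of approved roles
# (constructed sample, e.g. exported from an access-approval workflow)
ROSTER = {
    "ledger-db": {
        "alice": {"read"},
        "bob": {"read", "write"},
    },
    "mainframe": {
        "carol": {"operator"},
        "frank": {"operator"},   # approved but never provisioned
    },
}

# Provisioned access: system -> user -> set of roles actually granted
# (constructed sample, e.g. pulled from each system's account listing)
PROVISIONED = {
    "ledger-db": {
        "alice": {"read", "write"},   # holds more than approved
        "bob": {"read", "write"},     # matches the roster
        "dave": {"read"},             # no authorization on file
    },
    "mainframe": {
        "carol": {"operator", "admin"},  # excess privilege
        "erin": {"admin"},               # orphaned account
    },
}


@dataclass
class Finding:
    system: str
    user: str
    kind: str                      # "orphan" | "excess" | "missing"
    roles: frozenset = field(default_factory=frozenset)


def reconcile(roster, provisioned):
    """Return one Finding per discrepancy between roster and provisioned access.

    orphan  - account exists with privileges but has no authorization at all
    excess  - account holds roles beyond those approved
    missing - roles approved but not provisioned (stale approval or gap)
    """
    findings = []
    systems = set(roster) | set(provisioned)
    for system in sorted(systems):
        approved = roster.get(system, {})
        actual = provisioned.get(system, {})
        for user in sorted(set(approved) | set(actual)):
            want = approved.get(user, set())
            have = actual.get(user, set())
            if not want and have:
                findings.append(Finding(system, user, "orphan", frozenset(have)))
                continue
            excess = have - want
            if excess:
                findings.append(Finding(system, user, "excess", frozenset(excess)))
            missing = want - have
            if missing:
                findings.append(Finding(system, user, "missing", frozenset(missing)))
    return findings


def summarize(findings):
    """Count findings by kind so a reviewer can track the backlog over time."""
    counts = {"orphan": 0, "excess": 0, "missing": 0}
    for f in findings:
        counts[f.kind] += 1
    return counts


if __name__ == "__main__":
    results = reconcile(ROSTER, PROVISIONED)
    for f in results:
        print(f"{f.system:12} {f.user:8} {f.kind:8} {sorted(f.roles)}")
    print(summarize(results))
```

Orphaned and excess findings are the ones that map directly to the GAO's concern about unauthorized access, alteration and disclosure; the "missing" category is useful too, because an approval that was never provisioned is often a stale record that should be revoked rather than fulfilled. Run against real exports, the routine's value comes from being scheduled and reviewed regularly, which is the procedure the report says is absent.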

“Until the IRS takes additional steps to more effectively implement its testing and monitoring capabilities, ensure that policies and procedures are updated, and address unresolved and newly identified control deficiencies, its financial and taxpayer data will remain vulnerable to inappropriate use, modification or disclosure, possibly without being detected,” the GAO warned.

The GAO concluded that the IRS still had a significant deficiency in its internal control over financial reporting in fiscal year 2012. The IRS has committed to reviewing all the recommendations and developing an action plan to address them.

“We will review all of GAO’s reported recommendations to ensure that our actions include sustainable fixes that implement appropriate security controls,” IRS Acting Commissioner Steven T. Miller wrote in a response to the report.

Related: GAO Blasts IRS Over Information Security Weaknesses
