IRS Improvements in IT Security Not Enough: GAO

GAO Report: IRS Has Improved Controls but Needs to Resolve Weaknesses

The Internal Revenue Service has addressed some of the security issues in its IT infrastructure, but it still has a long way to go, the Government Accountability Office said in a new report.

The IRS claimed to have resolved 58 information system security-related recommendations made by the GAO last year, but it turns out more than 20 percent were not fully addressed, according to a GAO audit released March 15.

The report acknowledged that the IRS had devoted more attention and resources in fiscal year 2012 to strengthening information security controls whose weaknesses the GAO had previously identified, but the agency still had to address several vulnerabilities to avoid compromising sensitive taxpayer information and financial data.

The GAO pointed out that most of the current weaknesses in the IRS infrastructure stemmed from its failure to fully implement an information security program. The IRS had established a comprehensive framework for the program and continued to make strides with various initiatives to improve the controls, but there were some issues there, as well.

“Serious weaknesses remain that could affect the confidentiality, integrity, and availability of financial and sensitive taxpayer data,” the GAO said in its report (PDF).

The testing procedures over a financial reporting system did not always determine whether required controls were operating effectively, the GAO found. There were also control weaknesses that the IRS had not detected. These issues would have been flagged in a comprehensive security program.

The IRS improved controls over encrypting data transferred between accounting systems and upgraded critical network devices in fiscal year 2012, two weaknesses the GAO previously identified. The IRS also launched cross-functional working groups to identify and fix specific at-risk control areas.

However, one of the recommendations involved adopting effective controls for identifying and authenticating users, such as enforcing password complexity on certain servers, changing passwords frequently, and storing passwords securely so they cannot be disclosed. Some of the databases did not have authentication controls in place to prevent certain types of vulnerabilities, the GAO found.

The IRS has not yet fully implemented these controls, and it also failed to restrict access to its mainframe environment or to thoroughly monitor that environment, the GAO found.

“Until the IRS appropriately controls users’ access to its systems and effectively implements its procedures for authorization, the agency has limited assurance that its information resources are being protected from unauthorized access, alteration, and disclosure,” said the report.

The IRS was not keeping up with patch management, as several of its systems did not have up-to-date patches installed. This isn’t the first time the IRS has been dinged over out-of-date patches: the Treasury Inspector General for Tax Administration called out the agency back in November for not taking an enterprise-wide approach to installing and monitoring software updates.

The IRS does not yet have a procedure to reconcile access privileges, and some of its policies had outdated information, such as wrong software versions and control capabilities.

“Until the IRS takes additional steps to more effectively implement its testing and monitoring capabilities, ensure that policies and procedures are updated, and address unresolved and newly identified control deficiencies, its financial and taxpayer data will remain vulnerable to inappropriate use, modification or disclosure, possibly without being detected,” the GAO warned.

The GAO concluded that the IRS still had a significant deficiency in its internal control over financial reporting in fiscal year 2012. The IRS has committed to reviewing all the recommendations and developing an action plan to address them.

“We will review all of GAO’s reported recommendations to ensure that our actions include sustainable fixes that implement appropriate security controls,” IRS Acting Commissioner Steven T. Miller wrote in a response to the report.

Related: GAO Blasts IRS Over Information Security Weaknesses
