The US Internal Revenue Service continues to put taxpayers' personal data at risk by not strengthening its information security systems, according to a report by the US Government Accountability Office.
“Although [the] IRS has made progress [over the past year], controls over its key financial and tax processing systems located at two sites were ineffective,” the GAO said in the report, which was released late last month.
The report concluded that the tax agency corrected 41 of 81 specific technical weaknesses that the GAO found last year. But the GAO also found that the agency now needs to correct “new information security control weaknesses that threaten the confidentiality, integrity and availability of IRS’s financial information systems and the information they process.”
According to the GAO, the IRS has not yet implemented effective electronic access controls related to network management, user accounts and passwords, user rights and file permissions, and logging and monitoring of security-related events. Also, the report said, the IRS doesn’t always follow its own policy dealing with password expiration and complexity.
For example, the IRS has not implemented the use of complex passwords on its Windows servers, and it does not adequately control the storage of passwords on its systems, the GAO said. The agency has also failed to restrict users’ access to just the information they need to do their jobs, according to the report.
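The findings above about Windows password complexity, expiration and password storage are the kind of thing an administrator can verify on a server in a minute. The following PowerShell script is an added illustration, not code from the GAO report or the IRS: it exports the local security policy with the built-in `secedit` tool, reads the `[System Access]` section, and compares the complexity, length, expiry, history, reversible-encryption storage and lockout settings against a baseline. The threshold values are assumptions chosen for the example, not figures taken from the report or from any federal guideline.

```powershell
# Added example: audit the local Windows password policy with secedit.
# Not from the GAO report; baseline thresholds below are assumptions.
# Run from an elevated (Administrator) PowerShell session.

$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null

# Parse only the [System Access] section of the INI-style export.
$policy = @{}
$inSection = $false
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\[(.+)\]$') {
        $inSection = ($Matches[1] -eq 'System Access')
        continue
    }
    if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') {
        $policy[$Matches[1]] = $Matches[2]
    }
}
Remove-Item $cfg -Force

# Assumed baseline. MaximumPasswordAge = -1 in the export means "never expires".
# ClearTextPassword = 1 means "store passwords using reversible encryption",
# i.e. the password-storage weakness the report describes.
$checks = @(
    @{ Key = 'PasswordComplexity';    Why = 'complexity requirements enabled'
       Test = { param($v) [int]$v -eq 1 } },
    @{ Key = 'MinimumPasswordLength'; Why = 'minimum length of at least 12'
       Test = { param($v) [int]$v -ge 12 } },
    @{ Key = 'MaximumPasswordAge';    Why = 'expiry set and no longer than 90 days'
       Test = { param($v) [int]$v -gt 0 -and [int]$v -le 90 } },
    @{ Key = 'PasswordHistorySize';   Why = 'reuse blocked for 24 generations'
       Test = { param($v) [int]$v -ge 24 } },
    @{ Key = 'ClearTextPassword';     Why = 'no reversible-encryption storage'
       Test = { param($v) [int]$v -eq 0 } },
    @{ Key = 'LockoutBadCount';       Why = 'lockout after at most 10 bad attempts'
       Test = { param($v) [int]$v -gt 0 -and [int]$v -le 10 } }
)

$failures = 0
foreach ($c in $checks) {
    $value = $policy[$c.Key]
    $ok = ($null -ne $value) -and (& $c.Test $value)
    if (-not $ok) { $failures++ }
    $shown = if ($null -eq $value) { 'unset' } else { $value }
    '{0,-4} {1,-22} = {2,-6} ({3})' -f ($(if ($ok) { 'PASS' } else { 'FAIL' })), $c.Key, $shown, $c.Why
}
"$failures of $($checks.Count) checks failed"
```

On a domain-joined server the effective policy comes from Group Policy, so the exported values reflect what was applied there; on a domain controller the domain password policy can also be read with `Get-ADDefaultDomainPasswordPolicy` from the ActiveDirectory module. Either way, a `FAIL` on `ClearTextPassword` deserves attention first, since it means stored passwords can be recovered in clear text by anyone who obtains the account database.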
“Collectively, these weaknesses increase the risk that sensitive financial and taxpayer data will be inadequately protected against disclosure, modification or loss, possibly without detection, and place IRS operations at risk of disruption,” the GAO said.
Until the IRS fully implements a comprehensive information security program, its facilities and computers, as well as the information that is processed, stored and transmitted on its systems, will be vulnerable, the report said.
The GAO recommends, in part, that the IRS enhance policies and procedures related to password and configuration settings to comply with federal guidelines, ensure that contractors with significant information security responsibilities are given specialized training, ensure that disaster recovery plans are complete and updated, and continue to enhance continuity capabilities by training non-IRS staff to restore operations.
In a letter to Gregory Wilshusen, the GAO’s IT director, IRS Commissioner Mark Everson acknowledged that his agency needs a comprehensive security program and agreed to implement the five recommendations in the report.