
[ISN] GAO: IRS has fixed only 30 percent of security gaps


By Mary Mosquera
January 8, 2008

The Internal Revenue Service has fixed only 29 of 98 weaknesses in its 
information security controls, threatening the confidentiality and 
availability of its financial processing systems and information and 
limiting the reliability of its taxpayer and financial data.

IRS has been slow to correct the weaknesses because it has not fully 
implemented an agencywide information security program to make sure that 
controls are effectively established and maintained, the Government 
Accountability Office said in a report released today.

As a result, IRS is at increased risk of unauthorized disclosure, 
modification or destruction of financial and taxpayer information, said 
Gregory Wilshusen, director of GAO's information security issues.

GAO evaluated IRS data security based on requirements called for in the 
Federal Information Security Management Act, which established key 
elements for an effective information security program.

IRS relies extensively on computerized systems to collect taxes, process 
returns and enforce tax laws. Effective information security controls 
are the foundation to protecting financial and taxpayer information from 
misuse, fraud and improper disclosure or destruction.

IRS has put in place controls for user IDs for certain critical servers, 
improved physical protection for its procurement system, developed 
security for a key financial system and upgraded servers that had been 
using obsolete operating systems. IRS also established enterprisewide 
objectives for improving information security through initiatives for 
protecting and encrypting data, securing IT assets and building security 
into new applications.

But the IRS has not resolved about 70 percent of weaknesses that GAO 
previously identified, the report said. It continues to use passwords 
that are not complex, grant access to individuals who do not need it and 
install patches in an untimely manner.

GAO recommended that IRS take several actions to establish an 
enterprisewide data security program. In July 2007, IRS reorganized 
information security management from its chief of mission assurance to 
the newly created position of associate chief information officer for 

IRS will provide a detailed corrective action plan for each of GAO's 
recommendations, said Linda Stiff, acting IRS commissioner. IRS has 
taken many steps to improve its security, such as installing automatic 
disk encryption on its 52,000 laptop PCs and creating a team of security 
and computer experts to improve mainframe controls.

"We recognize that there is significant work to be accomplished to 
address our information security deficiencies, and we are taking 
aggressive steps to correct previously reported weaknesses and improve 
our overall information security program," Stiff said in a written 
response dated Dec. 14.

As part of the performance agreements with IRS executives, the agency 
will also include a standard focused on resolving security weaknesses 
and reporting the security compliance status of all computer systems 
connected to the IRS network. Additionally, IRS hired technical support 
to assist in developing a comprehensive security analysis of the 
architecture, processes and operations of the mainframe computing center 
complex to create a roadmap to address the issues, she said.

Among GAO's recommendations, IRS should:

    * Update policies for configuring mainframes so they can control and 
      log changes.
    * Identify those with security responsibilities to receive special 
    * Expand scope for testing and evaluating controls.
    * Strengthen contractor oversight to detect noncompliance with IRS 
      security policy.
