While it has made some progress in protecting and securing its data, the IRS continues to jeopardize the confidentiality, integrity, and availability of financial and sensitive taxpayer information.
Until these weaknesses are corrected, the agency remains particularly vulnerable to insider threats and is at increased risk of unauthorized access to and disclosure, modification, or destruction of financial and taxpayer information, as well as inadvertent or deliberate disruption of system operations and services.
Those were the chief conclusions of the conclusion of the Government Accountability Office in a report issued today that noted among other issues, the IRS did not always:
The GAO said the IRS had mitigated 49 of the 115 information security weaknesses that the GAO reported in early 2008. For example, the agency implemented controls for unauthenticated network access and user IDs on the mainframe, encrypted sensitive data going across its network, improved the patching of critical vulnerabilities, and updated contingency plans to document critical business processes.
However, about 57% of the previously identified weaknesses remain unresolved. For example, IRS continues to, among other things, let sensitive information, including IDs and passwords for mission-critical applications, be readily available to any user on its internal network, and grant excessive access to individuals who do not need it, the GAO said.
According to IRS officials, they are continuing to address the uncorrected weaknesses and, subsequent to the GAO audit have completed additional corrective actions.
The GAO report included comments from the Commissioner of Internal Revenue that stated the security and privacy of taxpayer information is of the utmost importance to the agency and noted that IRS is committed to securing its computer environment. He further stated that IRS would develop a detailed corrective action plan addressing each of our recommendations.
The GAO acknowledged the IRS' daunting tasks in collecting taxes, processing tax returns, and enforcing the nation's tax laws, and said it relies extensively on computerized systems to support its financial and mission-related operations. IRS collected about $2.7 trillion in tax payments in fiscal years 2008 and 2007; processed hundreds of millions of tax and information returns; and paid about $426 billion and $292 billion, respectively, in refunds to taxpayers. The agency employs tens of thousands of people in its Washington, D.C., headquarters, 10 service center campuses, 3 computing centers, and numerous other field offices throughout the US. But it is this complexity that requires the utmost confidentiality and security of the sensitive information it deals with, the GAO stated. Otherwise, taxpayers could be exposed to loss of privacy and to financial loss and damages resulting from identity theft or other financial crimes.
The IRS isn't the only Federal agency with cyber security problems. The GAO last year said only 2 of 24 agencies it had reviewed implemented all of the security requirements mandated by the Office of Management and Budget last year to protect personal information.
Layer 8 in a box
Check out these other hot stories:
Government spends over $30 million to sharpen cyber security saber
FBI/DOJ warns of economic cybergeddon
NSF looking for wicked cool visual and data analysis algorithms
NASA forecasts impact of severe space weather on communications, power grids
FBI issues code cracking challenge
Beam up my shape shifting robot Scotty: Layer 8's Best of 2008
Ducks, dorks and deviants: Wackiest stories of 2008
Researchers seek advanced network prioritization, security technology
Servers bog down "historic" FBI hiring spree
Despite challenges, EPA says recycled electronics programs are growing
Advertisement: |
The Leader in Network Knowledge
Lookinf Inside for Threats
This post really underscores the need for organizations to take a more holistic approach to securing the enterprise by looking internally as well as externally for potential weaknesses and threats.
Most data leakage comes from inside an organization, study after study confirms the single greatest threat to data comes from inside the network perimeter. It seems over the past several years we’ve become increasingly focused on securing the perimeters of our networks and have virtually ignored the threats posed by internal, authorized users.
With the continuing proliferation of iPods and phones, smartphones, portable USB devices and external hard drives capable of carrying a Terabyte and more of data it’s more important than ever to step back and view network security from a broader, more holistic perspective. After all, even banks put the valuables in a vault despite having stout and sturdy doors with heavy-duty locks securing their perimeters.
There are companies like Zecurion who have and continue to develop security products designed specifically to protect organizations from small business through multinational corporations to government agencies like the IRS from the exact threats outlined in this article.
Post new comment