Watchdogs bite IRS for continued security lapses

While it has made some progress in protecting and securing its data, the IRS continues to jeopardize the confidentiality, integrity, and availability of financial and sensitive taxpayer information.

Until these weaknesses are corrected, the agency remains particularly vulnerable to insider threats and is at increased risk of unauthorized access to and disclosure, modification, or destruction of financial and taxpayer information, as well as inadvertent or deliberate disruption of system operations and services.

Those were the chief conclusions of the Government Accountability Office in a report issued today, which noted that, among other issues, the IRS did not always:

  • enforce strong password management for properly identifying and authenticating users;
  • authorize user access, including access to personally identifiable information, to permit only the access needed to perform job functions;
  • encrypt certain sensitive data;
  • effectively monitor changes on its mainframe; and
  • physically protect its computer resources.

The GAO said the IRS had mitigated 49 of the 115 information security weaknesses that the GAO reported in early 2008. For example, the agency implemented controls for unauthenticated network access and user IDs on the mainframe, encrypted sensitive data going across its network, improved the patching of critical vulnerabilities, and updated contingency plans to document critical business processes.

However, about 57% of the previously identified weaknesses remain unresolved. For example, the IRS continues, among other things, to leave sensitive information, including IDs and passwords for mission-critical applications, readily available to any user on its internal network, and to grant excessive access to individuals who do not need it, the GAO said.

According to IRS officials, they are continuing to address the uncorrected weaknesses and, subsequent to the GAO audit, have completed additional corrective actions.

The GAO report included comments from the Commissioner of Internal Revenue stating that the security and privacy of taxpayer information is of the utmost importance to the agency and that the IRS is committed to securing its computer environment. He further stated that the IRS would develop a detailed corrective action plan addressing each of the GAO's recommendations.

The GAO acknowledged the IRS's daunting tasks in collecting taxes, processing tax returns, and enforcing the nation's tax laws, and said the agency relies extensively on computerized systems to support its financial and mission-related operations. The IRS collected about $2.7 trillion in tax payments in fiscal years 2008 and 2007; processed hundreds of millions of tax and information returns; and paid about $426 billion and $292 billion, respectively, in refunds to taxpayers. The agency employs tens of thousands of people in its Washington, D.C., headquarters, 10 service center campuses, 3 computing centers, and numerous other field offices throughout the US. It is this scale and complexity that requires the utmost confidentiality and security of the sensitive information the agency handles, the GAO stated. Otherwise, taxpayers could be exposed to loss of privacy and to financial loss and damages resulting from identity theft or other financial crimes.

The IRS isn't the only federal agency with cyber security problems. The GAO said last year that only 2 of the 24 agencies it had reviewed had implemented all of the security requirements that the Office of Management and Budget mandated last year to protect personal information.

Copyright © 2009 IDG Communications, Inc.