GAO: IRS Needs To Resolve Information Security Issues

March 21, 2013


The taxman isn't immune to information security woes.

The Government Accountability Office (GAO) has just issued a new report highlighting continued information security woes at the IRS. The report, titled "Information Security: IRS Has Improved Controls but Needs to Resolve Weaknesses," says that longstanding policies and endemic network issues continue to plague information security at the IRS.

The report maintains that despite years of incremental progress, serious weaknesses remain that could affect the confidentiality, integrity, and availability of financial and sensitive taxpayer data.

If this sounds familiar, it should.

The GAO has released similar reports for the past few years (2011 PDF, 2012), each highlighting various weaknesses in the IRS's control infrastructure. While the GAO continues to say that the IRS has made marked improvements to its information security protocols, issues remain.

"[The agency continues] to make progress in addressing information security control weaknesses, improving its internal control over financial reporting. During fiscal year 2012, IRS management devoted attention and resources to addressing information security controls, and resolved a significant number of the information security control deficiencies that GAO previously reported," said the report.

The GAO found the agency to be lacking in a number of key areas: "authentication controls for certain databases were not set to prevent certain vulnerabilities; passwords were stored without adequate controls to prevent them from being disclosed; and controls over complexity and age of passwords for some databases were not adequate," said the report.

In one instance, the GAO found that the agency often used simple passwords and, in some cases, had not changed some passwords in nearly two years. This vulnerability was "compounded by the fact that the unauthorized access would be virtually undetectable since no unusual system activity would be involved—the unauthorized access would be via a valid username and password," said the report.

The GAO report maintains that weaknesses will remain, stating that "until the IRS appropriately controls users' access to its systems and effectively implements its procedures for authorization, the agency has limited assurance that its information resources are being protected from unauthorized access, alteration, and disclosure."

In a March 15, 2013 letter responding to the report, Steven Miller, Acting Commissioner of the Internal Revenue Service, said that while the IRS "had made important progress in addressing information system-related internal control deficiencies," the "remaining deficiencies in information security, along with new deficiencies we identified during this year’s audit and discussed in this report, while not collectively considered a material weakness, are important enough to merit the attention of those charged with governance of IRS."

The agency pledged to address these issues.

Lest you think the GAO is only after the IRS's info security shortcomings, in a previous GAO report released in January, the watchdog agency said that the IRS should audit the wealthy with even more frequency.

A complete copy of the information security audit (PDF) can be found HERE.
