The Government Accountability Office concludes after audit

Jan 12, 2009 09:26 GMT

The Government Accountability Office (GAO) has released a new report (PDF) on the information security controls the Internal Revenue Service (IRS) applies to its internal systems and networks. The audit concluded that taxpayer information remains at risk because of weaknesses that are still unresolved.

GAO notes that the IRS has resolved only 49 of the 115 security weaknesses identified in its previous audit, in November 2008. “Information security control weaknesses continue to jeopardize the confidentiality, integrity, and availability of financial and sensitive taxpayer information,” GAO explains in its report.

GAO acknowledges that some improvements have been made since its last audit. Among them it cites the encryption of sensitive data transmitted across the network, the patching of critical vulnerabilities, tighter network access control, and the development of contingency plans.

Even so, resolving fewer than half of the findings leaves many weaknesses in place. For example, GAO concluded that the IRS did not consistently restrict physical access to its computer resources, did not monitor changes made to its mainframe, and did not enforce strong password management. The report also notes that some users have more access to systems and information than their duties require, a failure to apply least privilege.

An important part of the problem, GAO officials argue, is that the IRS has not fully implemented an agency-wide information security program. Beyond fixing the individual weaknesses, such a program is needed to ensure that “Risk assessments are appropriately reviewed for all systems, tests and evaluations of controls for systems are comprehensive, and the remedial action process effectively validates corrective actions.”

“Until IRS takes these steps, financial and taxpayer information are at increased risk of unauthorized disclosure, modification, or destruction, and the agency’s management decisions may be based on unreliable or inaccurate financial information,” the report signed by Nancy R. Kingsbury, managing director of Applied Research and Methods, and Gregory C. Wilshusen, director of Information Security Issues, adds.

IRS Commissioner Douglas H. Shulman has responded to the GAO officials through a letter. “We appreciate your continued support and guidance as we work to improve our security posture and look forward to working with you to develop appropriate measures. We will provide the detailed corrective plan addressing each of the recommendations with our response to the final report,” he writes, adding that “The security and privacy of taxpayer information is of utmost importance to us.”

The IRS, which collected $2.7 trillion in taxes during fiscal years 2007 and 2008, has come under scrutiny over the security of its computer network before. The Treasury Inspector General for Tax Administration (TIGTA) reported last year that an investigation had found 2,093 insecure web servers on the IRS network, 540 of which had at least one critical vulnerability. In addition, 1,811 of the web servers were not authorized to run on the internal network at all.