The Internal Revenue Service has made progress in implementing information security controls, but a new report from the Government Accountability Office finds that weaknesses in the controls limited their effectiveness in protecting the confidentiality, integrity and availability of financial and sensitive taxpayer data.
During fiscal year 2015, the IRS continued to devote attention to securing its information systems that process sensitive taxpayer and financial information, according to the GAO. Among those actions were further restricting access privileges on key financial applications and continuing a migration to multifactor authentication across the agency. However, significant control deficiencies remained.
For example, the agency has not always implemented controls for identifying and authenticating users, such as applying proper password settings; appropriately restricted access to servers; ensured that sensitive user authentication data were encrypted; audited and monitored systems to ensure compliance with agency policies; and ensured that access to restricted areas was appropriate. In addition, unpatched and outdated software exposed the IRS to known vulnerabilities.
The IRS has admitted to high-profile data breaches last tax season in its online Get Transcript app, and this tax season in its Electronic Filing PIN and Identity Protection PIN apps (see IRS Finds ‘Get Transcript’ Data Breach Was More Widespread, IRS Detects Attack on Electronic Filing PIN App and IRS Suspends IP PIN Service for Identity Theft Victims).
An underlying reason for these weaknesses, according to the GAO, is that the IRS has not effectively implemented elements of its information security program. The agency had a comprehensive framework for its program, such as assessing risk for its systems, developing security plans, and providing employees with security awareness and specialized training. However, aspects of its program had not yet been effectively implemented. For example, the IRS has not updated key mainframe policies and procedures to address issues such as comprehensively auditing and monitoring access, according to the report. In addition, the IRS did not include enough details in its authorization procedures to ensure that access to systems was appropriate.
The IRS also has not ensured that many of its corrective actions to address previously identified deficiencies were effective. For example, for the 28 prior recommendations that the IRS informed the GAO that it had addressed, nine of the associated weaknesses have not been effectively corrected, according to the report.
Until the IRS takes additional steps to address unresolved and newly identified control deficiencies and effectively implements elements of its information security program, including, among other things, updating policies, test and evaluation procedures, and remedial action procedures, its financial and taxpayer data will remain unnecessarily vulnerable to inappropriate and undetected use, modification, or disclosure, the GAO warned. These shortcomings were the basis for the GAO’s determination that the IRS had a significant deficiency in internal control over financial reporting systems for fiscal year 2015.
In addition to the prior recommendations that have not been implemented, the GAO is recommending the IRS take two additional actions to more effectively implement security-related policies and plans. In a separate report with limited distribution, the GAO is recommending 43 actions the IRS can take to address newly identified control weaknesses. In commenting on a draft of the report, the IRS agreed with the GAO’s recommendations.
“As you know, the IRS is committed to improving the financial management, internal controls, information technology security posture, and the overall effectiveness of internal controls,” wrote IRS Commissioner John Koskinen in response to the report. “Currently, the IRS is in the process of implementing numerous additional safeguards.”