GAO: IRS security is weak

Taxpayers’ financial and personal information remains at risk because the Internal Revenue Service has not yet strengthened its information security measures, according to a new Government Accountability Office report.

The IRS fixed 41 of the 81 faults GAO discovered last year, the report states. Nevertheless, “GAO identified new information security control weaknesses that threaten the confidentiality, integrity and availability of IRS’ financial information systems and the information they process,” according to the report, which was released today.

The IRS has not established effective electronic access controls related to network management, user accounts, file permissions, and the logging and monitoring of security-related events, the report states. The agency has also failed to install other controls to physically secure computers.

“Collectively, these weaknesses increase the risk that sensitive financial and taxpayer data will be inadequately protected against disclosure, modification or loss, possibly without detection, and place IRS operations at risk of disruption,” the report states.

GAO recommends that the IRS align policies related to password age and configuration settings with federal guidelines, review system security plans, give specialized training to contractors, and update emergency action plans.

For emergency plans, the report suggests training non-IRS staff members to restore operations and updating disaster recovery plans. It also recommends installing UNIX-based hardware and equipment for processing applications and data at the IRS’ disaster recovery hot site, an alternative processing place to use in an emergency. Until the agency acts on these recommendations, “it is at risk of not being able to appropriately recover in a timely manner,” the report states.

IRS Commissioner Mark Everson expressed agreement with GAO’s assessment in a Feb. 27 letter to GAO’s director of information technology, Gregory Wilshusen.

“Because the IRS’ solution extends beyond the specific findings and addresses the root cause of the weaknesses at an enterprisewide level, a majority of the weaknesses remain open,” Everson wrote. “However, as a result of this agencywide approach and other initiatives we have under way, the IRS now has stronger controls to protect taxpayer data.”

He said IRS officials share the responsibility for IT security.
