GAO: IRS slow to fix numerous IT security gaps

Information Security: Further Efforts Needed to Address Significant Weaknesses at the Internal Revenue Service

The Internal Revenue Service has not corrected numerous information security weaknesses that impair its ability to ensure the confidentiality, integrity and availability of financial and sensitive information, the Government Accountability Office said. These problems constitute a major weakness in the IRS’ internal controls over its financial and tax processing systems, GAO said.

The tax agency experiences gaps in access controls related to user identification and authentication, authorization, encryption, monitoring, and physical security. Data is at risk from weaknesses in configuration management, segregation of duties, media destruction and disposal, and personnel security controls.

The IRS has not resolved these vulnerabilities because it has not yet fully implemented the critical elements of a comprehensive information security program, including risk assessments, enhanced policies and procedures, security plans, training, adequate testing and evaluation, and continuity of operations for all major systems.

“As a result, weaknesses in information security controls over its key financial and tax processing systems could impair IRS’ ability to perform vital functions and could increase the risk of unauthorized disclosure, modification or destruction of financial and sensitive taxpayer information,” said Gregory Wilshusen, director of GAO Information Security Issues, and Keith Rhodes, GAO’s chief technologist, in their recent report.

The IRS has corrected 25 of the 73 IT security weaknesses from last year, such as implementing controls to authorize access to Windows systems, network devices, databases and mainframe systems. The agency has improved password controls on its servers and enhanced audit and monitoring efforts for mainframe and Windows user activity. Still, 48 of the 73 weaknesses are not fixed, GAO said.

Among GAO’s 10 recommendations, IRS needs to update risk assessments for systems and update policies and procedures on configuring mainframe IDs used by the operating system and certain mainframe programs, develop a system security plan for the system that supports the general ledger for tax administration, and enhance the Enterprise Learning Management System to include all security training courses that IRS employees and contractors take.

The IRS’ chief information officer and chief of mission assurance and security services are working with agency executives to make sure security policies, standards and procedures are followed across the enterprise, IRS Commissioner Mark Everson said.

“While we have made significant progress, we recognize that continued diligence is required,” he said. The IRS will provide GAO with a corrective action plan for each of the 10 recommendations.
