Oversight

GAO finds IRS still struggling with IT security

keyhole digital

The Internal Revenue Service may have stronger IT security in place since last year’s Government Accountability Office audit, but it still needs to address several vulnerabilities to avoid compromising financial and sensitive taxpayer data, the watchdog concluded.

During fiscal year 2012, the IRS dealt with several of the information security control deficiencies GAO previously identified. For example, improvement was seen in controls over the encryption of data transferred between accounting systems, and upgrades to critical network devices on the IRS internal network system. Cross-functional working groups were also launched to identify and fix specific at-risk control areas.

However, a review released March 15 found that although the IRS said it had dealt with 58 of the previous information system security-related recommendations GAO made in 2012, more than 20 percent were in fact never resolved. For example, the IRS had not adopted effective controls for identifying and authenticating users, such as enforcing password complexity on certain servers. The agency also failed to restrict access to its mainframe environment and monitor the mainframe environment well enough.

Additionally, the IRS did not ensure up-to-date patches were installed on systems to protect against known vulnerabilities – a familiar problem for the agency. As recently as November 2012, the Treasury Inspector General for Tax Administration rapped the IRS for failing to take an enterprisewide approach to installing and monitoring software patches.

However, the IRS’ challenges with swift implementation of security elements date back several years. A 2009 report from TIGTA found the agency implemented 102 of the 254 required security settings on its computers - nine months after the deadline imposed by the Office of Management and Budget.

Most of IRS’ current weaknesses resulted from the agency’s failure to fully implement its information security program. For example, the IRS lacked a procedure to reconcile certain access privileges, and its policies did not cover situations where systems share data storage. Additionally, the IRS’ security standards for systems supporting tax processing and financial management had outdated information.

The IRS has agreed with GAO’s recommendations to more effectively implement portions of its information security program, and address newly identified control weaknesses.

About the Author

Camille Tuutti is a former FCW staff writer who covered federal oversight and the workforce.

Featured

  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.