Oversight

GAO finds IRS still struggling with IT security

keyhole digital

The Internal Revenue Service may have stronger IT security in place since last year’s Government Accountability Office audit, but it still needs to address several vulnerabilities to avoid compromising financial and sensitive taxpayer data, the watchdog concluded.

During fiscal year 2012, the IRS dealt with several of the information security control deficiencies GAO previously identified. For example, improvement was seen in controls over the encryption of data transferred between accounting systems, and upgrades to critical network devices on the IRS internal network system. Cross-functional working groups were also launched to identify and fix specific at-risk control areas.

However, a review released March 15 found that although the IRS said it had dealt with 58 of the previous information system security-related recommendations GAO made in 2012, more than 20 percent were in fact never resolved. For example, the IRS had not adopted effective controls for identifying and authenticating users, such as enforcing password complexity on certain servers. The agency also failed to restrict access to its mainframe environment and monitor the mainframe environment well enough.

Additionally, the IRS did not ensure up-to-date patches were installed on systems to protect against known vulnerabilities – a familiar problem for the agency. As recently as November 2012, the Treasury Inspector General for Tax Administration rapped the IRS for failing to take an enterprisewide approach to installing and monitoring software patches.

However, the IRS’ challenges with swift implementation of security elements date back several years. A 2009 report from TIGTA found the agency implemented 102 of the 254 required security settings on its computers - nine months after the deadline imposed by the Office of Management and Budget.

Most of IRS’ current weaknesses resulted from the agency’s failure to fully implement its information security program. For example, the IRS lacked a procedure to reconcile certain access privileges, and its policies did not cover situations where systems share data storage. Additionally, the IRS’ security standards for systems supporting tax processing and financial management had outdated information.

The IRS has agreed with GAO’s recommendations to more effectively implement portions of its information security program, and address newly identified control weaknesses.

About the Author

Camille Tuutti is a former FCW staff writer who covered federal oversight and the workforce.

Featured

  • Contracting
    8 prototypes of the border walls as tweeted by CBP San Diego

    DHS contractors face protests – on the streets

    Tech companies are facing protests internally from workers and externally from activists about doing for government amid controversial policies like "zero tolerance" for illegal immigration.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    At OPM, Weichert pushes direct hire, pay agent changes

    Margaret Weichert, now acting director of the Office of Personnel Management, is clearing agencies to make direct hires in IT, cyber and other tech fields and is changing pay for specialized occupations.

  • Cloud
    Shutterstock ID ID: 222190471 By wk1003mike

    IBM protests JEDI cloud deal

    As the deadline to submit bids on the Pentagon's $10 billion, 10-year warfighter cloud deal draws near, IBM announced a legal protest.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.