Oversight

GAO: IRS has information security control weaknesses

gold shield on top of computer code

The Internal Revenue Service continues to have weaknesses in information security control that the Government Accountability Office fears could affect the confidentiality, integrity and availability of financial and sensitive taxpayer data.

An April 8 GAO report found that although the IRS has improved on information security control and internal control over financial reporting, significant risks remain.

The agency has failed to consistently install the appropriate patches on all databases and servers to protect against known vulnerabilities, GAO found, and also failed to sufficiently monitor database controls and appropriately restrict access to its mainframe environment. The IRS has also allowed individuals to make changes to mainframe data processing without following required procedures.

“Without effective audit and monitoring, IRS’s ability to establish individual accountability, monitor compliance with security and configuration management policies, and investigate information systems security violations is limited,” the report reads.

GAO found one of the main reasons for the ongoing weaknesses is the failure of the IRS to implement portions of its information security program, which have not always functioned as intended, such as the agency’s testing procedures for financial reporting systems.  

GAO also provided three recommendations for the IRS to fix its weaknesses: update access request procedures to ensure appropriate access privileges; update information policies and procedures; and develop a plan to address the known and newly identified vulnerabilities.

About the Author

Mike Cipriano is a GCN editorial intern, and also writes occasionally for FCW. Connect with him on Twitter: @mikecip07.

The Fed 100

Read the profiles of all this year's winners.

Featured

  • Shutterstock image (by wk1003mike): cloud system fracture.

    Does the IRS have a cloud strategy?

    Congress and watchdog agencies have dinged the IRS for lacking an enterprise cloud strategy seven years after it became the official policy of the U.S. government.

  • Shutterstock image: illuminated connections between devices.

    Who won what in EIS

    The General Services Administration posted detailed data on how the $50 billion Enterprise Infrastructure Solutions contract might be divvied up.

  • Wikimedia Image: U.S. Cyber Command logo.

    Trump elevates CyberCom to combatant command status

    The White House announced a long-planned move to elevate Cyber Command to the status of a full combatant command.

  • Photo credit: John Roman Images / Shutterstock.com

    Verizon plans FirstNet rival

    Verizon says it will carve a dedicated network out of its extensive national 4G LTE network for first responders, in competition with FirstNet.

  • AI concept art

    Can AI tools replace feds?

    The Heritage Foundation is recommending that hundreds of thousands of federal jobs be replaced by automation as part of a larger government reorganization strategy.

  • DOD Common Access Cards

    DOD pushes toward CAC replacement

    Defense officials hope the Common Access Card's days are numbered as they continue to test new identity management solutions.

Reader comments

Mon, Apr 21, 2014 Gary Morgan Texas

The vast majority of network vulnerabilities are patch related subsequently weekly Vulnerability Scans/Gold disk scans should be implemented to identified missing patches; the ISSM/ISSO should be tracking until re-mediated; Quarterly self inspection should identified these issues, consequently a PO&AM developed to track these issues until they are Mitigated or re-mediated.

I believe these problems could be re mediated or mitigated with the proper implementation of 800-53a, FISMA and FIPS 199/200 management and follow-up by the ISSM and ISSO.

Also role based access controls/ and configuration management boards should be set up and implemented.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group