Another year, another raft of IT security concerns for IRS
- By Derek B. Johnson
- Jul 19, 2019
In the course of its tax administration duties, the IRS collects and stores an ample amount of personal and financial information for each U.S. taxpayer. Auditors at the Government Accountability Office are concerned about a number of newly discovered holes in information security that could put that data at risk.
The 2018 information security audit released July 18 found 14 new information system security control deficiencies, including eight in the area of access control, four in configuration management, one related to segregation of duties and one concerning contingency planning.
Many of the listed problems were either minor or isolated to particular systems or assets, but together they are "important enough to merit attention by those charged with governance of IRS" and still represent "a significant deficiency" in internal controls on IRS financial reporting systems, GAO said.
In one case, a failure to disable a function within a single application could have allowed a user to download the application's entire database, even though there's no business reason for doing so. The oversight could have potentially allowed an employee to steal IRS data in bulk. The agency also failed to encrypt a number of servers and email services and to enforce certain encrypted database connections.
Officials at the Department of Treasury, which houses IRS, are already on high alert after a number of employees were caught accessing and downloading sensitive financial data from government systems and leaking it to the public. In February, prosecutors charged John C. Fry with downloading confidential Suspicious Activity Reports related to President Donald Trump's former lawyer Michael Cohen before handing them off to lawyer Michael Avenatti. Last year, a Department of Treasury employee was arrested and charged with downloading and leaking SARs containing information about former Trump campaign manager Paul Manafort's finances, the details of which later ended up in dozens of news articles.
Other infractions, such as a spotty patching cadence and a lack of resources dedicated to contingency planning, also were cited.
The GAO made 20 recommendations to IRS, none of which were made public in the report, bringing the total number of open recommendations related to information systems security to 127. Auditors issued a separate, non-public version of the report to IRS at the request of the agency, which expressed concerns that much of the information contained in the report was sensitive.
The IRS is set to embark on a six-year, $2.7 billion overhaul of its IT and cybersecurity infrastructure, with data security listed as one of the top priorities for improvement.
Derek B. Johnson is a former senior staff writer at FCW.