By Mary Mosquera
January 8, 2008
The Internal Revenue Service has fixed only 29 of 98 weaknesses in its
information security controls, threatening the confidentiality and
availability of its financial processing systems and information and
limiting the reliability of its taxpayer and financial data.
IRS has been slow to correct the weaknesses because it has not fully
implemented an agencywide information security program to make sure that
controls are effectively established and maintained, the Government
Accountability Office said in a report released today.
As a result, IRS is at increased risk of unauthorized disclosure,
modification or destruction of financial and taxpayer information, said
Gregory Wilshusen, director of GAO's information security issues.
GAO evaluated IRS data security based on requirements called for in the
Federal Information Security Management Act, which established key
elements for an effective information security program.
IRS relies extensively on computerized systems to collect taxes, process
returns and enforce tax laws. Effective information security controls
are the foundation to protecting financial and taxpayer information from
misuse, fraud and improper disclosure or destruction.
IRS has put in place controls for user IDs for certain critical servers,
improved physical protection for its procurement system, developed
security for a key financial system and upgraded servers that had been
using obsolete operating systems. IRS also established enterprisewide
objectives for improving information security through initiatives for
protecting and encrypting data, securing IT assets and building security
into new applications.
But the IRS has not resolved about 70 percent of weaknesses that GAO
previously identified, the report said. It continues to use passwords
that are not complex, grant access to individuals who do not need it and
install patches in an untimely manner.
GAO recommended that IRS take several actions to establish an
enterprisewide data security program. In July 2007, IRS reorganized
information security management from its chief of mission assurance to
the newly created position of associate chief information officer for
IRS will provide a detailed corrective action plan for each of GAO's
recommendations, said Linda Stiff, acting IRS commissioner. IRS has
taken many steps to improve its security, such as installing automatic
disk encryption on its 52,000 laptop PCs and creating a team of security
and computer experts to improve mainframe controls.
"We recognize that there is significant work to be accomplished to
address our information security deficiencies, and we are taking
aggressive steps to correct previously reported weaknesses and improve
our overall information security program," Stiff said in a written
response dated Dec. 14.
As part of the performance agreements with IRS executives, the agency
will also include a standard focused on resolving security weaknesses
and reporting the security compliance status of all computer systems
connected to the IRS network. Additionally, IRS hired technical support
to assist in developing a comprehensive security analysis of the
architecture, processes and operations of the mainframe computing center
complex to create a roadmap to address the issues, she said.
Among GAO's recommendations, IRS should:
* Update policies for configuring mainframes so they can control and
* Identify those with security responsibilities to receive special
* Expand scope for testing and evaluating controls.
* Strengthen contractor oversight to detect noncompliance with IRS