The U.S. General Accounting Office (GAO) reported this week that while the Internal Revenue Service (IRS) has made “important” progress toward improving its security and implementing an information security program, weaknesses continue to pose a risk to taxpayer data.
GAO’s report, "Progress Made, But Weaknesses at the Internal Revenue Service Continue to Pose Risks," states that the "confidentiality, integrity and availability of sensitive systems and taxpayer data" are at risk. The report further found that the agency’s implementation of "logical internal controls — those designed to ensure that only authorized individuals can read, alter or delete data — has been inconsistent and accounts for three quarters of the 765 general control weaknesses found at the 11 facilities reviewed."
As part of its annual audits of IRS financial statements, GAO looked at the effectiveness of information security controls at some IRS facilities and over some applications — controls intended to protect agency systems and taxpayer data. The GAO website states, "Because the detailed reports that followed these reviews contained sensitive information and could have been detrimental to government if released to the public, they were issued only to the IRS and congressional requesters. This public report is based on 18 such reports issued during the three-year period, ending July 31, 2002. Although it does not identify specific IRS facilities or applications, the report does provide GAO’s assessment of the overall effectiveness of IRS’s information security."
In this week’s report, GAO recommends that the IRS implement an effective agencywide information security program, with the Commissioner of Internal Revenue directing the chief information officer and the senior management official for each operating division to:
- Assess risks and evaluate security needs;
- Establish and implement adequate policies and controls;
- Enhance security awareness and training; and
- Monitor the effectiveness of controls and mitigate known weaknesses as detailed in the report.
GAO said that the IRS generally agreed with the report and its recommendations. "IRS management is committed to completing such an agencywide program," stated the GAO report. "Until it does, however, IRS will remain at heightened risk of access to critical data by unauthorized persons — individuals who could obtain personal taxpayer data to perpetuate identity theft and commit financial crimes."