The Government Accountability Office recently reported that the Internal Revenue Service has made limited progress toward correcting or mitigating previously reported information security weaknesses. The report found 66 percent of the weaknesses that GAO had previously identified still existed.

As part of its audit of the IRS’s 2005-06 financial statements, the GAO took a look at what the agency was doing to correct previously reported information security weaknesses. To examine whether the controls in place were effective in ensuring the “confidentiality, integrity, and availability of financial and sensitive taxpayer information,” the GAO examined IRS information security policies and procedures, guidance, security plans, reports, and other documents. The office also tested controls over five critical applications at a trio of IRS sites and interviewed key security representatives and management officials.

Specifically, the IRS has corrected or mitigated 25 of the 73 information security weaknesses that the GAO reported as unresolved during its last review. Significant weaknesses in access controls and other information security controls continue to threaten the IRS’s financial and tax processing systems and information.

For example, while the IRS has improved password controls on its servers, it continues to use inadequate account lockout settings for Windows servers and inadequately verify employees’ identities against official IRS photo identification.

A primary reason for the weaknesses is that the IRS has not yet fully implemented its information security program. The GAO recommended, and the IRS agreed, that the agency-wide program -- that includes risk assessments, enhanced policies and procedures, security plans, training, adequate tests and evaluations, and a continuity of operations process for all major systems -- must be implemented.

The full report is available at www.gao.gov/new.items/d07364.pdf.