Security Weaknesses Still Plague the IRS, Says GAO
A recent report by the US Government Accountability Office (GAO) indicates that the IRS still falls short in providing adequate protection of taxpayers’ financial and personal data.
Though the IRS has made progress in implementing security controls, weaknesses limit their effectiveness, Nancy Kingsbury, the GAO’s managing director of applied research and methods, and Gregory Wilshusen, the agency’s director of information security issues, wrote in a March 28 letter to IRS Commissioner John Koskinen.
“An underlying reason for these weaknesses is that IRS has not effectively implemented elements of its information security program,” the letter states. “The agency had a comprehensive framework for its program, such as assessing risk for its systems, developing security plans, and providing employees with security awareness and specialized training. However, aspects of its program had not yet been effectively implemented.”
Specifically, the letter notes that the IRS failed to update key mainframe policies and procedures to handle comprehensive auditing and monitoring access, failed to provide enough detail in its authorization procedures to ensure appropriate access to its systems, and failed to make sure that corrections of prior problems actually were working. (Nine of the 28 prior recommendations the IRS said it had implemented actually hadn’t made the necessary corrections.)
“Until IRS takes additional steps to (1) address unresolved and newly identified control deficiencies, and (2) effectively implement elements of its information security program, including, among other things, updating policies, test and evaluation procedures, and remedial action procedures, its financial and taxpayer data will remain unnecessarily vulnerable to inappropriate and undetected use, modification, or disclosure,” the letter states.
Here’s a snapshot of the key findings:
- The IRS’s identification and authentication controls have improved; however, they aren’t strong enough to properly control access to the agency’s systems and data. Passwords on several systems could be guessed, not all password expirations were double-checked, and proper password settings were inconsistent. All told, the agency has a tough time controlling who accesses systems and data.
- While the IRS manual requires system access to be based on the principle of least privilege, there’s more access to certain systems than what employees need to have. For example, system users can access or change tax payment data, which is more access than needed to do their jobs.
- The IRS expanded its use of encryption, but cryptography controls were weak. For example, some systems didn’t encrypt user-authentication data. That, in turn, increased the likelihood that an unauthorized user could use the authentication data to access a system.
- Weaknesses in the physical security of the IRS’s computing centers against theft or other actions, which had been identified in prior audits, continue.
- Policies, procedures, and techniques need to be in place to ensure software updates and access to information.
- The IRS failed to ensure that corrections had been made, per its remedial processes.
- The IRS didn’t always ensure that contractors had security training.
- Not all security plans had been updated.
The letter recommends that Koskinen stay current on policies and guidelines to update system and application audit plans, and update security for network infrastructure as changes occur.
The GAO letter also cryptically notes that 43 technical recommendations were made “in a separate report with limited distribution.” They address security-control weaknesses in identification and authentication, authorization, cryptography, audit and monitoring, and configuration management.
In a letter to the GAO’s Wilshusen, dated about two weeks before the final report was released, Koskinen wrote, “While we agree with GAO’s recommendations, we will review them to ensure that our actions include sustainable fixes that implement appropriate security controls balanced against information technology and human capital resource limitations.”
Koskinen indicated that the agency will provide a detailed corrections plan in its 60-day letter response to Congress. He also thanked the GAO for its specificity in making recommendations, noting that prior audits were “quite general.” The increased detail likely produced more recommendations, he wrote, but that will allow the IRS to better address cybersecurity risk.
Terry Sheridan is an award-winning journalist who has covered real estate, mortgage finance, health care, insurance, personal finance, and accounting and taxation issues for newspapers, magazines, and websites. A Chicago native and former South Florida resident, she now lives in New England.