IRS Systems Security: Although Significant Improvements Made, Tax
Processing Operations and Data Still at Serious Risk (Letter Report,
12/14/98, GAO/AIMD-99-38).
The Internal Revenue Service (IRS) is making significant progress to
improve computer security at its facilities. IRS has acknowledged the
seriousness of its computer security weaknesses, consolidated overall
responsibility for computer security management within one office under
its Chief Information Officer, reevaluated its approach to computer
security management, and developed a high-level plan for mitigating
weaknesses cited by GAO. (See GAO/AIMD-97-49, Apr. 1997.) GAO found that
IRS has addressed the risks associated with 63 percent of the weaknesses
discussed in that report. Despite this progress, serious weaknesses
persist at five facilities GAO visited during its earlier audit, and GAO
identified additional weaknesses at those locations and at a sixth
facility included in this review. These weaknesses affect the agency's
ability to control physical access at its facilities and sensitive
computing areas, control electronic access to sensitive taxpayer data
and computer programs, prevent and detect unauthorized changes to
taxpayer data or computer software, and restore essential IRS operations
following an emergency or natural disaster. Until these weaknesses are
corrected, IRS tax processing centers are at risk of disruption.
Moreover, sensitive taxpayer data could be revealed to unauthorized
persons, improperly used or modified, or destroyed, thereby exposing
taxpayers to loss or damages arising from identity fraud and other
financial crimes.
--------------------------- Indexing Terms -----------------------------
REPORTNUM: AIMD-99-38
TITLE: IRS Systems Security: Although Significant Improvements
Made, Tax Processing Operations and Data Still at
Serious Risk
DATE: 12/14/98
SUBJECT: Internal controls
Computer security
Tax information confidentiality
Computer software
Tax administration systems
Facility security
Data integrity
IDENTIFIER: IRS Integrated Data Retrieval System
IRS Computer Security Management Program
******************************************************************
** This file contains an ASCII representation of the text of a **
** GAO report. Delineations within the text indicating chapter **
** titles, headings, and bullets are preserved. Major **
** divisions and subdivisions of the text, such as Chapters, **
** Sections, and Appendixes, are identified by double and **
** single lines. The numbers on the right end of these lines **
** indicate the position of each of the subsections in the **
** document outline. These numbers do NOT correspond with the **
** page numbers of the printed product. **
** **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced. Tables are included, but **
** may not resemble those in the printed version. **
** **
** Please see the PDF (Portable Document Format) file, when **
** available, for a complete electronic file of the printed **
** document's contents. **
** **
** A printed copy of this report may be obtained from the GAO **
** Document Distribution Center. For further details, please **
** send an e-mail message to: **
** **
** **
** **
** with the message 'info' in the body. **
******************************************************************
Cover
================================================================ COVER
Report to the Committee on Governmental Affairs, U.S. Senate
December 1998
IRS SYSTEMS SECURITY - ALTHOUGH
SIGNIFICANT IMPROVEMENTS MADE, TAX
PROCESSING OPERATIONS AND DATA
STILL AT SERIOUS RISK
GAO/AIMD-99-38
IRS Systems Security
(919333)
Abbreviations
=============================================================== ABBREV
IRS - x
Letter
=============================================================== LETTER
B-281559
December 14, 1998
The Honorable Fred Thompson
Chairman
The Honorable John Glenn
Ranking Minority Member
Committee on Governmental Affairs
United States Senate
This report completes our response to your request that we evaluate
the Internal Revenue Service's (IRS) progress in correcting the
serious computer security weaknesses at five IRS facilities discussed
in our April 1997 report on IRS systems security.\1 This report also
discusses additional security weaknesses identified at the five
facilities and at an IRS facility not included in our previous
report, and steps IRS has taken or plans to take to implement a
servicewide computer security management program.
On November 30, 1998, we issued to you a report that provides a more
detailed discussion of the computer security weaknesses found at IRS
facilities. Because some of the weaknesses are sensitive and could
jeopardize IRS' security if released to the public, that report is
designated "Limited Official Use." We met with IRS officials to
obtain their comments in making this report suitable for public
release. As a result, this report does not quantify either the total
number of weaknesses found or the number of weaknesses found in
specific functional categories, and does not detail the most serious
weaknesses.
This report restates recommendations made to the Commissioner of
Internal Revenue in the "Limited Official Use" version of this
report. The Commissioner of Internal Revenue commented on a draft of
that report. His comments are discussed in the "Agency Comments and
Our Evaluation" section of this report and are reprinted in appendix
I.
--------------------
\1 IRS Systems Security: Tax Processing Operations and Data Still at
Risk Due to Serious Weaknesses (GAO/AIMD-97-49, April 8, 1997). The
report summarized the computer security weaknesses detailed in a
"Limited Official Use" report issued in January 1997.
RESULTS IN BRIEF
------------------------------------------------------------ Letter :1
IRS is making significant progress to improve computer security over
its facilities. Since our April 1997 report, IRS has acknowledged
the seriousness of its computer security weaknesses, consolidated
overall responsibility for computer security management within one
executive-level office under its Chief Information Officer,
reevaluated its approach to computer security management, and
developed a high-level plan for mitigating the weaknesses we
identified. We found that IRS has corrected or mitigated the risks
associated with 63 percent of the weaknesses discussed in our prior
report.
While progress has been made, serious weaknesses continue to exist at
the five facilities visited during our prior audit, and we identified
several additional weaknesses at those locations and at a sixth
facility included in this review. These weaknesses exist primarily
because IRS has not yet fully institutionalized its computer security
management program. These weaknesses affect IRS' ability to control
physical access to its facilities and sensitive computing areas,
control electronic access to sensitive taxpayer data and computer
programs, prevent and/or detect unauthorized changes to taxpayer data
or computer software, and restore essential IRS operations following
an emergency or natural disaster. Until these weaknesses are
mitigated, IRS continues to run the risk of its tax processing
operations being disrupted. Furthermore, sensitive taxpayer data
entrusted to IRS could be disclosed to unauthorized individuals,
improperly used or modified, or destroyed, thereby exposing taxpayers
to loss or damages resulting from identity fraud and other financial
crimes.
In comments agreeing with our recommendations, IRS stated that since
the end of our review, it had addressed an additional 12 percent of
the weaknesses identified. IRS also specified actions planned and
underway to address the remaining weaknesses. We will review these
actions as part of our audit of IRS' fiscal year 1998 financial
statements.
BACKGROUND
------------------------------------------------------------ Letter :2
IRS relies on automated information systems to process over 200
million taxpayer returns and collect over $1.6 trillion in taxes
annually. IRS uses its computer systems to, among other things,
process tax returns, maintain taxpayer data, calculate interest and
penalties, and generate refunds. IRS operates facilities throughout
the United States that process tax returns and other information
supplied by taxpayers. The data are then electronically transmitted
to master files of taxpayer information that are maintained and
updated. Because of IRS' heavy reliance on its facilities, effective
security controls are critical to IRS' ability to maintain the
confidentiality of sensitive taxpayer data, safeguard assets, and
ensure the reliability of financial management information.
COMPUTER SECURITY
REQUIREMENTS
---------------------------------------------------------- Letter :2.1
Federal law, Department of the Treasury directives, and IRS' own
internal policies and procedures require the implementation of sound
security practices and standards. The Computer Security Act\2 and
the Clinger-Cohen Act\3 require, among other things, the
establishment of standards and guidelines for ensuring the security
and privacy of sensitive information in federal computer systems.
Similarly, IRS' tax information security guidelines require that all
computer and communications systems that process, store, or transmit
taxpayer data adequately protect these data, and the Internal Revenue
Code prohibits the unauthorized disclosure of federal returns and
return information outside IRS. To adequately comply with these
guidelines, IRS must ensure that (1) access to computer data,
systems, and facilities is properly restricted and monitored, (2)
changes to computer systems software are properly authorized and
tested, (3) backup and recovery plans are prepared, tested, and
maintained to ensure continuity of operations in the case of a
disaster, and (4) data communications are adequately protected from
unauthorized intrusion and interception.
The need for strong and effective computer security over taxpayer
information is clear. IRS computer systems contain sensitive
taxpayer information such as name, address, social security number,
and details on each taxpayer's financial holdings. As we previously
reported,\4 these and similar types of information have been used to
commit financial crimes and identity fraud nationwide. Commonly
reported financial crimes include using someone's personal
information to fraudulently establish credit, run up debt, or take
over and deplete existing financial accounts. Taxpayers can suffer
injury to their reputations when credit is fraudulently established
and debts incurred in their names. Bad credit could in turn lead to
difficulties in obtaining loans or jobs and require a lengthy and
expensive process to clear one's personal records.
--------------------
\2 Public Law 100-235, 101 Stat. 1724 (1988).
\3 Public Law 104-106, 110 Stat. 186 (1996).
\4 Identity Fraud: Information on Prevalence, Cost, and Internet
Impact is Limited (GAO/GGD-98-100BR, May 1, 1998).
PRIOR GAO WORK ON IRS
COMPUTER SECURITY
---------------------------------------------------------- Letter :2.2
Over the past 5 years, we have reviewed the effectiveness of IRS
security and general controls as part of our annual audit of IRS'
financial statements. During this period, we testified and reported
numerous times on the ineffectiveness of these controls in
safeguarding IRS computer systems and facilities.\5 In April 1997, we
reported on serious weaknesses at five IRS facilities that we
visited. These weaknesses were in eight functional areas, which are
(1) physical security, (2) logical security,\6 (3) data
communications management, (4) risk analysis, (5) quality assurance,
(6) internal audit and security,\7 (7) security awareness, and (8)
contingency planning. We also noted that IRS' ability to monitor and
detect the unauthorized access and perusal of electronic taxpayer
records by IRS employees, also known as browsing, was limited. We
reported that until these weaknesses are corrected, IRS runs the risk
of its tax processing operations being disrupted and taxpayer data
being improperly used, modified, or destroyed. Because of the
seriousness of the weaknesses, we recommended, among other things,
that IRS (1) reevaluate its current approach to computer security and
report its plans for improving computer security to the Congress and
(2) prepare and submit a plan to the Congress for correcting all the
weaknesses identified at the five facilities and for identifying and
correcting security weaknesses at the other IRS facilities.
In 1997, the Congress passed the Taxpayer Browsing Protection Act\8
which amended the Internal Revenue Code of 1986 to make unlawful
unauthorized access and inspection of taxpayer records a crime and to
establish penalties for unlawful access and inspection of taxpayer
records.
--------------------
\5 IRS Systems Security: Progress Made to Secure Taxpayer Data But
Serious Risk of Improper Access Remains (GAO/AIMD-95-17, December 27,
1994); IRS Information Systems: Weaknesses Increase Risk of Fraud
and Impair Reliability of Management Information (GAO/AIMD-93-34,
September 22, 1993); and Financial Audit: Examination of IRS' Fiscal
Year 1994 Financial Statements GAO/AIMD-95-141, August 4, 1995).
\6 Logical security measures include safeguards incorporated in
computer hardware and software.
\7 The phrases "internal audit" and "internal security" refer to
functional disciplines, not IRS organizational entities.
\8 Public Law 105-35.
OBJECTIVES, SCOPE, AND
METHODOLOGY
------------------------------------------------------------ Letter :3
The objectives of our review were to determine and summarize the
status of the computer-related general control weaknesses identified
at the five IRS facilities discussed in our April 1997 report and to
assess the effectiveness of computer controls at a sixth facility.
To determine the effectiveness of IRS' corrective actions taken to
resolve these weaknesses, we interviewed agency officials responsible
for correcting them, reviewed these officials' action plans and
status reports, and conducted on-site evaluations to verify the
effectiveness of corrective actions taken. Our on-site evaluations
of IRS computer-related general controls were conducted in
conjunction with our audit of IRS' fiscal year 1997 custodial
financial statements\9
and with the assistance of the independent public accounting firm
which also participated in the review supporting our April 1997
report. Our evaluations included the review of related IRS policies
and procedures; on-site tests and observations of computer-related
controls; and discussions with IRS headquarters and facility
personnel, security representatives, and other pertinent officials at
the locations visited. Our evaluation did not include external
penetration testing of IRS computer facilities.
We performed evaluations at six IRS facilities--the five facilities
visited during our previous review and one additional facility. We
requested and received IRS comments on the results of our on-site
evaluations from the Director of the Office of Systems Standards and
Evaluation, who has servicewide responsibility for computer security.
We did not verify IRS' statements regarding corrective actions taken
subsequent to our site visits but plan to do so during future
reviews.
To evaluate IRS' computer security management, we assessed
information pertaining to computer controls in place at headquarters
and field locations and held discussions with headquarters officials.
We did not assess the computer-related controls that IRS plans to
incorporate under any of its long-term plans to modernize its tax
processing systems. We also did not assess IRS efforts to resolve
the Year 2000 computing crisis.
Our work was performed at IRS headquarters in Washington, D.C., and
at six facilities located throughout the United States from November
1997 through July 1998. We performed our work in accordance with
generally accepted government auditing standards.
--------------------
\9 Financial Audit: Examination of IRS' Fiscal Year 1997 Custodial
Financial Statements (GAO/AIMD-98-77, February 26, 1998).
IRS IS TAKING ACTION TO IMPROVE
SECURITY
------------------------------------------------------------ Letter :4
IRS has taken and is taking action to implement the recommendations
contained in our April 1997 report to improve computer security. For
example, IRS designated computer security as a material weakness in
its fiscal year 1997 Federal Managers' Financial Integrity Act\10
report, acknowledging the seriousness of these computer-related
general control weaknesses and the risk they pose to the agency's
operations.
--------------------
\10 The Federal Managers' Financial Integrity Act of 1982 (Public Law
97-255) requires the head of each agency to annually prepare a
statement that identifies material weaknesses in the agency's systems
of internal accounting and administrative control and the plans and
schedule for correcting these weaknesses.
IRS HAS CONSOLIDATED
RESPONSIBILITY FOR COMPUTER
SECURITY
---------------------------------------------------------- Letter :4.1
IRS has established the Office of Systems Standards and Evaluation to
centralize responsibility for IRS security and privacy issues. The
office is staffed with over 60 security, privacy, systems life-cycle,
and administrative specialists led by two senior executives who
report to the Chief Information Officer. The office is responsible
for establishing and enforcing standards and policies for all major
security programs including, but not limited to, physical security,
data security, and systems security. IRS has acted to address
recommendations made in our April 1997 report by
-- preparing and transmitting to the Congress a high-level action
plan for identifying and correcting the security weaknesses at
all of its facilities including the five facilities discussed in
our prior report;
-- reevaluating and establishing a new approach to managing
computer security that involves the resolution of security
weaknesses and issues by facility type, including computing
centers, service centers, district offices, and others; and
-- submitting to the Congress its plan for improving the service's
management approach to computer security.
In addition, the Office of Systems Standards and Evaluation has
developed computer security awareness briefings on unauthorized
access to taxpayers' records, conducted computer security reviews at
IRS facilities, and developed a tracking system for reporting the
status of actions planned or taken to correct the weaknesses
identified in our April 1997 report.
IRS HAS MITIGATED MANY OF
THE COMPUTER SECURITY
WEAKNESSES
---------------------------------------------------------- Letter :4.2
We confirmed that IRS has corrected or has implemented compensating
controls that mitigated the risks associated with 63 percent of the
total weaknesses identified in our April 1997 report. Each facility
had varying degrees of success resolving the weaknesses previously
reported. The actual rate of resolution ranged from 42 percent to 80
percent. Corrective actions taken by one or more of the five
facilities include strengthening the overall controls over physical
access to IRS facilities, reducing the number of IRS employees
authorized to read or change sensitive system files and/or taxpayer
data, conducting risk analyses of the facilities and of locally
developed computer programs, updating and testing some disaster
recovery plans, and improving overall security awareness.
IRS HAS NOT YET FULLY
INSTITUTIONALIZED ITS
SERVICEWIDE COMPUTER SECURITY
MANAGEMENT PROGRAM
------------------------------------------------------------ Letter :5
Although IRS has made significant strides in improving computer
security at certain facilities, an effective servicewide computer
security management program has not yet been fully implemented. Our
study\11 of the security management practices of leading
organizations found that these organizations successfully managed
their information security risks through an ongoing cycle of risk
management activities. As shown in figure 1, each of these
activities is linked in a cycle to help ensure that business risks
are continually monitored, policies and procedures are regularly
updated, and controls are in effect.
Figure 1: Risk Management
Cycle
(See figure in printed
edition.)
The risk management cycle begins with an assessment of risks and a
determination of needs. This assessment includes identifying
cost-effective policies and related controls. The policies and
controls, as well as the risks that prompted their adoption, must be
communicated to those responsible for complying with them and
implemented. Finally, and perhaps most important, there must be
procedures for evaluating the effectiveness of policies and related
controls and reporting the resulting conclusions to those who can
take appropriate corrective action. In addition, our study found
that a strong central security management focal point can help ensure
that the major elements of the risk management cycle are carried out
and can serve as a communications link among organizational units.
Since our April 1997 report, IRS has taken several actions consistent
with the risk management cycle described above to improve its
servicewide computer security management program. For example, IRS
created the Office of Systems Standards and Evaluation as the central
focal point for computer security within IRS, published revised
computer security policies and procedures, promoted security
awareness, and is evaluating controls at many of its facilities.
However, several actions have not yet been completed or performed.
For example, IRS has not fully (1) assessed risks for all of its
facilities, networks, major systems, and data, (2) evaluated controls
over key computing resources, and (3) implemented actions to
eliminate or mitigate all of the weaknesses identified during
computer control evaluations. IRS is planning or taking actions to
implement these elements as part of its new strategy for its
servicewide computer security management program. Until IRS fully
implements an effective computer security management program, IRS is
exposed to the risk that other computer control weaknesses could
occur and not be detected promptly enough to prevent unnecessary
losses or disruptions.
--------------------
\11 Information Security Management: Learning From Leading
Organizations (GAO/AIMD-98-68, May 1998).
EXISTING WEAKNESSES STILL POSE
SIGNIFICANT RISK TO TAXPAYER
DATA
------------------------------------------------------------ Letter :6
Although IRS has mitigated many computer security weaknesses,
weaknesses in IRS' computer security controls continue to place IRS'
automated systems and taxpayer data at serious risk to both internal
and external threats that could result in the denial of computer
services or in the unauthorized disclosure, modification, or
destruction of taxpayer data. Serious weaknesses still persist at
all five of the facilities included in our April 1997 report and at a
sixth facility reviewed in conjunction with this audit. Our current
review identified weaknesses that remain uncorrected at the five
facilities visited during our prior audit and additional weaknesses
we identified at those locations and at a sixth facility included in
this review. The weaknesses primarily pertained to the following six
functional areas: physical security, logical security, data
communications, risk analysis, quality assurance, and contingency
planning. These weaknesses expose taxpayers to an increased risk of
loss and damages due to identity theft and other financial crimes
resulting from the unauthorized disclosure and use of information
they provide to IRS. A synopsis of these weaknesses by functional
area follows.
PHYSICAL SECURITY
---------------------------------------------------------- Letter :6.1
Physical security involves restricting physical access to computer
resources, usually by limiting access to the buildings and rooms
where these resources are housed to protect them from intentional or
unintentional loss or impairment. Physical access control measures
such as locks, guards, fences, and surveillance equipment are
critical to safeguarding taxpayer data and computer operations from
internal and external threats. We found continuing and new physical
security weaknesses at the facilities visited. The following are
examples of weaknesses that have not yet been corrected.
-- Access to sensitive computing areas, such as computer rooms,
data communications areas, and tape libraries was not adequately
controlled. For example, non-librarians without a legitimate
business need could gain unauthorized access to sensitive tape
libraries because there were no additional control measures
restricting access to tape libraries from other controlled
areas.
-- Facilities visited could not account for a total of 397 missing
computer tapes, some of which contain sensitive taxpayer data or
privacy information.
LOGICAL SECURITY
---------------------------------------------------------- Letter :6.2
Logical security controls are designed to limit or detect access to
computer programs, data, and other computing resources to protect
these resources from unauthorized modification, loss, and disclosure.
Logical security control measures include the use of safeguards
incorporated in computer hardware, system and application software,
communication hardware and software, and related devices. These
safeguards include user identification codes, passwords, access
control lists, and security software programs. Logical controls
restrict the access of legitimate users to the specific systems,
programs, and files they need to conduct their work and prevent
unauthorized users from gaining access to computing resources.
Controls over access to and modification of system software are
essential to protect the overall integrity and reliability of
information systems.
We identified weaknesses relating to logical security controls at the
six sites reviewed. Examples of uncorrected vulnerabilities include
the following.
-- Computer support personnel whose job responsibilities did not
require it were given the ability to change, alter, or delete
taxpayer data and associated programs.
-- Access to system software was not limited to individuals with a
need to know. For example, we found that database
administrators\12 had access to system software, although their
job functions and responsibilities did not require it.
-- The powerful "root" authority, which allows users to read,
modify, and delete any data file, execute any program, and
activate or deactivate audit logs, had been granted to 12
computer systems analysts at one facility whose assigned duties
did not require such capabilities.
-- Individuals without a need to know had access to key system logs
that provided the capability to perform unauthorized system
activities and then alter the audit trail to avoid detection.
-- Tapes and disks containing taxpayer data were not overwritten
prior to reuse, thus potentially allowing unauthorized access to
sensitive data and computer programs.
-- Security software was not configured to provide optimum security
over tape media.
In addition, IRS' ability to detect and monitor unauthorized access
by employees remains limited. The information system, Electronic
Audit Research Log, developed by IRS to monitor and detect browsing
can not detect all instances of browsing or unauthorized access to
taxpayer records because it only monitors employees using the
Integrated Data Retrieval System, the primary computer system IRS
employees use to access and adjust taxpayer accounts. The Electronic
Audit Research Log does not monitor the activities of IRS employees
using other systems, such as the Distributed Input System and Totally
Integrated Examination System, which are also used to create, access,
or modify taxpayer data. In addition, the Electronic Audit Research
Log does not adequately distinguish potential unauthorized accesses
to taxpayer data from legitimate activity. As a result, the effort
to investigate potential unauthorized accesses is time-consuming and
difficult. IRS is developing a new system, the Audit Trail Lead
Analysis System, which is intended to improve its capability to
distinguish between unauthorized accesses and legitimate activity.
If properly implemented, this system would improve IRS' capability to
detect unauthorized accesses to taxpayer data. However, the Audit
Trail Lead Analysis System is not scheduled to be implemented until
January 1999 and will only monitor the activities of IRS employees
using the Integrated Data Retrieval System and not other systems used
to create, access, or modify taxpayer data.
As a result of these logical security weaknesses, taxpayer and other
sensitive data and programs were placed at unnecessary risk of
unauthorized modification, loss, and disclosure without detection.
--------------------
\12 The database administrator is responsible for overall control of
the database, including its content, storage structure, access
strategy, security and integrity checks, and backup and recovery.
DATA COMMUNICATIONS
---------------------------------------------------------- Letter :6.3
Data communications management is the function of monitoring and
controlling communications networks to ensure that they operate as
intended and securely transmit timely, accurate, and reliable data.
Without adequate data communications security, the data being
transmitted can be destroyed, altered, or diverted, and the equipment
itself can be damaged. We identified data communications weaknesses
at IRS facilities. Examples of the weaknesses existing at the time
of our review include the following.
-- Telecommunications equipment was still not physically protected,
thus increasing the risk of improper use, modification, or
destruction of data, as well as potential equipment damage. For
example, telecommunications patch panels were not placed in a
locked closet or enclosure, thereby increasing the risk of
unauthorized tampering with these telecommunication connections.
-- Dial-in access was not adequately protected. For example, data
transmitted over telecommunications lines were not encrypted.
Because plain text was transmitted, sensitive taxpayer data
remained vulnerable to unauthorized access and disclosure.
RISK ANALYSIS
---------------------------------------------------------- Letter :6.4
The purpose of a risk analysis is to identify security threats,
determine their magnitude, and identify areas needing additional
safeguards. Without these analyses, systems' vulnerabilities may not
be identified and appropriate controls may not be implemented to
correct them. We found weaknesses in this area at the facilities
visited. For example, we found that risk analyses of the facilities'
local networks had not been performed or were not available. Without
these analyses, IRS system vulnerabilities may go undetected, thereby
jeopardizing IRS processing operations and sensitive taxpayer data.
QUALITY ASSURANCE
---------------------------------------------------------- Letter :6.5
Controls over the design, development, and modification of computer
software help to ensure that all programs and program modifications
are properly authorized, tested, and approved. An effective quality
assurance program requires reviewing software products and software
change control activities to ensure that they comply with the
applicable processes, standards, and procedures and satisfy the
control and security requirements of the organization. One aspect of
a quality assurance program is validating that software changes are
adequately tested and will not introduce vulnerabilities into the
system. We identified weaknesses at IRS facilities. Examples of
these weaknesses follow.
-- There was no independent quality assurance review or testing of
locally developed programs.
-- Application programmers have the capability to access or modify
production computer software programs after the programs have
been reviewed or tested, increasing the risk of unauthorized
changes to production programs.
-- Application programmers use real taxpayer data for software
testing purposes, increasing the risk that sensitive taxpayer
data could be disclosed to unauthorized individuals.
Without adequate quality assurance and control over the software
development and change process, IRS runs a greater risk that software
supporting its operations will not (1) produce reliable data, (2)
execute transactions in accordance with applicable laws, regulations,
and management policies, or (3) effectively meet operational needs.
CONTINGENCY PLANNING
---------------------------------------------------------- Letter :6.6
An organization's ability to accomplish its mission can be
significantly affected if it loses the ability to process, retrieve,
and protect information that is maintained electronically. For this
reason, organizations should have (1) established procedures for
protecting information resources and minimizing the risk of unplanned
interruptions, (2) a disaster recovery plan for restoring critical
data processing capabilities, and (3) a business resumption plan for
resuming business operations should interruptions occur.
Disaster recovery and business resumption plans specify emergency
response procedures, backup operations, and postdisaster recovery
procedures to ensure the availability of critical resources and
facilitate the continuity of operations in an emergency. These plans
address how an organization will deal with a full range of
contingencies, from electrical power failures to catastrophic events,
such as earthquakes, floods, and fires. The plans also identify
essential business functions and rank resources in order of
criticality. To be most effective, disaster recovery and business
resumption plans should be periodically tested and employees should
be trained in and familiar with the use of these plans.
We found weaknesses relating to contingency planning at the
facilities reviewed, as the following examples illustrate.
-- Disaster recovery plans had not been completed or lacked
essential information, such as designation of an alternate
computer processing site, telecommunications requirements, and
procedures for restoring mission-critical processes and
applications.
-- Disaster recovery procedures were not adequately tested to
determine IRS' ability to restore and operate all
mission-critical applications.
-- Disaster recovery goals and milestones were not developed based
on users' business needs, which provides little assurance that
users' processing needs will be met in the event of a disaster.
-- Business resumption plans had not been developed or were
incomplete.
-- Backup generator capacity or the alternate electrical power
source did not effectively meet the needs of the facilities.
Due to the nature of these and other weaknesses, IRS facilities may
not be able to recover their data processing capabilities, resume
business operations, and restore critical data promptly in the event
of a disaster or disruption of service. Consequently, IRS has little
assurance that during a crisis (1) the cost of recovery efforts or
the reestablishment of operations at a remote location will be kept
to a minimum, (2) taxpayer data will not be lost, (3) transactions
will be processed accurately and correctly, and (4) complete and
accurate taxpayer, financial, or management information will be
readily available.
CONCLUSIONS
------------------------------------------------------------ Letter :7
IRS has made significant progress in correcting its serious
weaknesses in computer security controls intended to safeguard IRS
computer systems, data, and facilities. However, serious weaknesses
remain uncorrected and IRS has not yet fully assessed all of the
risks to its computer processing operations nor has it evaluated the
effectiveness of computer controls over key computing resources,
which indicates that the service does not know the full extent of its
computer security vulnerabilities. Until IRS identifies and corrects
all of its critical computer security weaknesses and fully
institutionalizes an effective servicewide computer security
management program, the service will continue to expose its tax
processing operations to the risk of disruption; taxpayer data to the
risk of unauthorized use, modification, and destruction; and
taxpayers to loss and damages resulting from identity fraud and other
financial crimes.
RECOMMENDATIONS
------------------------------------------------------------ Letter :8
We recommend that the Commissioner of Internal Revenue direct the
Chief Information Officer and Director of the Office of Systems
Standards and Evaluation to work in conjunction with the facility
directors as appropriate to continue efforts to
-- implement appropriate control measures to limit physical access
to facilities, computer rooms, and computing resources based on
job responsibility;
-- limit access authority to only those computer programs and data
needed to perform job responsibilities and review access
authority regularly to identify and correct inappropriate
access;
-- configure security software to provide optimum security over
tape media;
-- establish adequate safeguards over telecommunications equipment
and remote access to IRS systems;
-- ensure that all computer programs and program modifications are
authorized, tested, and independently reviewed and that real
taxpayer data is not used for software testing; and
-- establish controls that ensure that disaster recovery plans and
business resumption plans are comprehensive, current, and fully
tested.
We also recommend that the Commissioner of Internal Revenue ensure
that IRS completes the implementation of an effective servicewide
computer security management program. This program should include
procedures for
-- assessing risks for all of IRS' facilities, networks, major
systems, and taxpayer data on a regular, ongoing basis to ensure
that controls are adequate;
-- periodically evaluating the effectiveness of controls over key
computing resources at IRS facilities; and
-- implementing actions to correct or mitigate weaknesses
identified during such computer control evaluations.
AGENCY COMMENTS AND OUR
EVALUATION
------------------------------------------------------------ Letter :9
In commenting on a draft of this report, IRS agreed with our
recommendations and stated that the report's conclusions and
recommendations are consistent with its ongoing actions to improve
systems security. IRS specified the actions it has taken or plans to
take to adequately mitigate the remaining weaknesses and stated that
an additional 12 percent of the weaknesses have been corrected since
the completion of our review. We will review the actions taken by
IRS to mitigate the remaining weaknesses as part of our audit of IRS'
fiscal year 1998 financial statements.
---------------------------------------------------------- Letter :9.1
As agreed with your office, unless you publicly announce the contents
of this report earlier, we will not distribute it until 30 days from
the date of this letter. At that time, we will send copies to the
Chairman and Ranking Minority Members of the Subcommittee on
Treasury, Postal Service, and General Government, House Committee on
Appropriations; Subcommittee on Treasury, General Government, and
Civil Service, Senate Committee on Appropriations; Senate Committee
on Finance; House Committee on Ways and Means; and House Committee on
Government Reform and Oversight. We will also send copies to the
Secretary of the Treasury, Commissioner of Internal Revenue, and
Director of the Office of Management and Budget. Copies will be made
available to others upon request.
If you have questions about this report, please contact me at (202)
512-3317. Major contributors to this report are listed in appendix
II.
Robert F. Dacey
Director, Consolidated Audits and
Computer Security Issues
(See figure in printed edition.)Appendix I
COMMENTS FROM THE INTERNAL REVENUE
SERVICE
============================================================== Letter
(See figure in printed edition.)
MAJOR CONTRIBUTORS TO THIS REPORT
========================================================== Appendix II
ACCOUNTING AND INFORMATION
MANAGEMENT DIVISION,
WASHINGTON, D.C.
-------------------------------------------------------- Appendix II:1
Gregory C. Wilshusen, Assistant Director, (202) 512-6244
Ronald E. Parker, Senior Information Systems Analyst
Walter P. Opaska, Senior Information Systems Auditor
*** End of document. ***