Information Security: Progress Made, but Weaknesses at the
Internal Revenue Service Continue to Pose Risks (30-MAY-03,
GAO-03-44).
As part of its annual audits of IRS's financial statements, GAO
assessed the effectiveness of information security controls at
certain IRS facilities and over certain specific
applications--controls meant to protect IRS's information systems
and taxpayer data. Because the detailed reports that followed
these reviews contained sensitive information and could be
detrimental to the government if released to the public, they
were issued only to IRS and congressional requesters. This public
report is based on 18 such reports issued during the 3-year
period ending July 31, 2002. Although it does not identify
specific IRS facilities or applications, the report does provide
GAO's assessment of the overall effectiveness of IRS's
information security.
-------------------------Indexing Terms-------------------------
REPORTNUM: GAO-03-44
ACCNO: A06898
TITLE: Information Security: Progress Made, but Weaknesses at
the Internal Revenue Service Continue to Pose Risks
DATE: 05/30/2003
SUBJECT: Computer security
Data integrity
Financial statement audits
Internal controls
Strategic planning
Information systems
******************************************************************
** This file contains an ASCII representation of the text of a **
** GAO Product. **
** **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced. Tables are included, but **
** may not resemble those in the printed version. **
** **
** Please see the PDF (Portable Document Format) file, when **
** available, for a complete electronic file of the printed **
** document's contents. **
** **
******************************************************************
GAO-03-44
Report to the Subcommittee on Technology, Information Policy,
Intergovernmental Relations, and the Census, Committee on Government
Reform, House of Representatives
United States General Accounting Office
GAO
May 2003 INFORMATION SECURITY
Progress Made, but Weaknesses at the Internal Revenue Service Continue to
Pose Risks GAO- 03- 44
IRS has made and continues to make important progress toward improving its
information security and implementing a comprehensive information security
program. Nonetheless, weaknesses continue to threaten the confidentiality,
integrity, and availability of sensitive systems and taxpayer data. IRS*s
implementation of logical access controls* those designed to
ensure that only authorized individuals can read, alter, or delete data*
has been inconsistent and accounts for three quarters of the 765 general
control weaknesses found at the 11 facilities reviewed. Weaknesses in the
other four control categories (see breakdown below) have further reduced
IRS*s effectiveness in physically securing its assets, separating
incompatible duties among individuals, preventing unauthorized changes to
software programs, and ensuring the agency*s ability to continue
operations after an unexpected
interruption. In addition, 112 application control weaknesses hindered
IRS*s ability to limit access to 5 key applications to authorized persons
for authorized purposes. The extent of these weaknesses demonstrates that
information security is an agencywide challenge.
An underlying cause of these weaknesses is that IRS had not yet fully
implemented certain elements of its agencywide information security
program. As a result, it had not adequately identified or assessed risks
in order to determine needed security measures, implemented or complied
with policies to meet those needs, promoted adequate security awareness
and training, and monitored the effectiveness of policies or mitigated
known security vulnerabilities.
IRS management is committed to completing such an agencywide program.
Until it does, however, IRS will remain at heightened risk of access to
critical data by unauthorized persons* individuals who could obtain
personal
taxpayer data to perpetrate identity theft and commit financial crimes.
Breakdown of Weaknesses by General Control Category
As part of its annual audits of IRS*s financial statements, GAO assessed
the effectiveness of information security controls at certain IRS
facilities and over certain specific applications* controls meant to
protect IRS*s information systems
and taxpayer data. Because the detailed reports that followed these
reviews contained sensitive information and could be detrimental to the
government if
released to the public, they were issued only to IRS and congressional
requesters. This public report is based on 18 such reports issued during
the 3- year period ending July 31, 2002. Although it does not identify
specific IRS facilities or
applications, the report does provide GAO*s assessment of the overall
effectiveness of IRS*s information security.
To assist IRS in implementing an effective agencywide information security
program, GAO is recommending that the Commissioner of Internal Revenue
direct the chief information officer and the senior management official
for each operating division to assess risks and evaluate security
needs, establish and implement adequate policies and controls, enhance
security awareness and training, and monitor the effectiveness of controls
and mitigate known weaknesses, as detailed in this report. IRS generally
agreed with the report and recommendations.
www. gao. gov/ cgi- bin/ getrpt? GAO- 03- 44. To view the full report,
including the scope and methodology, click on the link above. For more
information, contact Robert F. Dacey at (202) 512- 3317 or daceyr@ gao.
gov. Highlights of GAO- 03- 44, a report to the
Chairman and Ranking Minority Member of the Subcommittee on Technology,
Information Policy, Intergovernmental Relations, and the Census, Committee
on Government Reform, House of Representatives
May 2003
INFORMATION SECURITY
Progress Made, but Weaknesses at the Internal Revenue Service Continue to
Pose Risks
24%
Page i GAO- 03- 44 IRS Computer Controls Letter 1 Results in Brief 1
Background 3 Objectives, Scope, and Methodology 7 Although Improvements
Made, Information Security Weaknesses Still Pose Risks 9 IRS Has Not Fully
Implemented Elements of Its Agencywide Security Program 21 Conclusions 29
Recommendations for Executive Action 30 Agency Comments 31 Appendix I
Comments from the Internal Revenue Service 32
Figures
Figure 1: Number of Control Weaknesses Found at IRS Facilities 10 Figure
2: Breakdown of Weaknesses by General Control Category 11 Abbreviations
CIO Chief Information Officer IRS Internal Revenue Service GISRA
Government Information Security Reform Act NIST National Institute of
Standards and Technology NSA National Security Agency OMB Office of
Management and Budget Contents
This is a work of the U. S. Government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. It may contain
copyrighted graphics, images or other materials. Permission from the
copyright holder may be necessary should you wish to reproduce copyrighted
materials separately from GAO*s product.
Page 1 GAO- 03- 44 IRS Computer Controls May 30, 2003 The Honorable Adam
H. Putnam Chairman
The Honorable William Lacy Clay, Jr. Ranking Minority Member Subcommittee
on Technology, Information Policy,
Intergovernmental Relations, and the Census Committee on Government Reform
House of Representatives
As part of our annual audits of the Internal Revenue Service*s (IRS)
financial statements, we assessed the effectiveness of computer- related
general controls at certain IRS facilities and computer controls over
certain applications. 1 For each facility or application assessed, we
issued a detailed report to the IRS Chief Information Officer (CIO) that
discusses facility- specific or application- specific results,
conclusions, and recommendations. These reports are designated for
*Limited Official Use Only* because of the sensitive nature of the
information they contain and because release to the public could be
detrimental to the government. During the 3- year period ending July 31,
2002, we issued 14 facility- specific reports and 4 application- specific
reports.
This report summarizes our analysis of the information contained in those
18 reports and provides our assessment of the overall effectiveness of
IRS*s computer controls intended to protect the confidentiality,
integrity, and availability of systems and taxpayer data. It also
identifies key issues
affecting IRS*s ability to effectively implement an agencywide information
security program and the status of its actions to do so. We are addressing
this report to you in response to your request.
IRS has made important progress toward improving information security
controls and implementing an agencywide information security program. It
has implemented various safeguards designed to help protect its systems
from external attack and has established information security policies,
1 General controls are the structure, policies, and procedures that apply
to an organization*s overall computer operations. They establish the
environment in which application systems and controls operate. Application
controls are the structure, policies, and procedures that apply to
separate individual application systems. United States General Accounting
Office Washington, DC 20548
Results in Brief
Page 2 GAO- 03- 44 IRS Computer Controls standards, and guidelines that,
if effectively implemented, would protect its information systems from
many threats. Nonetheless, computer control weaknesses continued to
threaten the confidentiality, integrity, and
availability of sensitive systems and taxpayer data. IRS*s inconsistent
implementation of logical access controls at its facilities did not
effectively prevent, limit, or detect access to computing resources. In
addition, weaknesses in other information system controls (including
physical security, segregation of duties, software change controls, and
service continuity) reduced IRS*s effectiveness in protecting and
controlling physical access to assets, minimizing the risk of errors or
fraud, mitigating the risk of unauthorized or inappropriate software
programs, and ensuring the continuity of data processing operations when
unexpected
interruptions occur. Further, access to key computer applications was not
always limited to authorized persons for authorized purposes. These
weaknesses increased the vulnerability of data processed by IRS*s
information systems and continued to expose IRS*s tax processing
operations to disruption.
An underlying cause for these weaknesses was that, although it had made
important progress, IRS had not yet fully implemented certain elements of
its agencywide information security program. As a result, the agency was
not adequately (1) identifying and assessing risks to determine needed
security measures; (2) establishing and implementing policies and controls
to meet those needs; (3) promoting awareness and providing securityrelated
training so that employees understand the risks and the policies and
controls that mitigate them; or (4) monitoring and evaluating established
policies and controls, and mitigating known security vulnerabilities. IRS
has acknowledged the seriousness of its information security weaknesses
and has revised its approach to implementing the agencywide information
security program. Until IRS can fully implement an effective program and
adequately mitigate these weaknesses, it will remain at heightened risk of
access to critical hardware and software by unauthorized individuals, who
could intentionally or inadvertently add, alter, or delete sensitive data
or computer programs. Such individuals
could possibly obtain personal taxpayer information and use it to commit
financial crimes in the taxpayer*s name (identity fraud), such as
establishing credit and incurring debt.
To assist IRS in implementing an effective agencywide information security
program, we are making recommendations to the IRS Commissioner that
address these issues.
Page 3 GAO- 03- 44 IRS Computer Controls In providing written comments on
a draft of this report, the Commissioner of Internal Revenue generally
agreed with the report, and indicated that
IRS is acting to implement our recommendations. Information security is a
critical consideration for any organization that depends on information
systems and computer networks to carry out its mission or business. It is
especially important for government agencies, where the public*s trust is
essential. The dramatic expansion in computer interconnectivity and the
rapid increase in the use of the Internet are changing the way our
government, the nation, and much of the world communicate and conduct
business. Without proper safeguards these changes pose enormous risks that
make it easier for individuals and groups with malicious intent to intrude
into inadequately protected systems and use such access to obtain
sensitive information, commit fraud, disrupt operations, or launch attacks
against other computer systems and networks.
Protecting the computer systems that support critical operations and
infrastructures has never been more important because of the concern about
attacks from individuals and groups with such malicious intent, including
terrorists. These concerns are well founded for a number of reasons,
including the dramatic increases in reported information security
incidents, the ease of obtaining and using hacking tools, the steady
advance in the sophistication and effectiveness of attack technology, and
the dire warnings of new and more destructive attacks to come.
Computer- supported federal operations are likewise at risk. Our previous
reports, and those of agency inspectors general, describe persistent
information security weaknesses that place a variety of critical federal
operations, including those at IRS, at risk of disruption, fraud, and
inappropriate disclosure. 2 This body of audit evidence led us, in 1997,
to
2 U. S. General Accounting Office, Information Security: Serious and
Widespread Weaknesses Persist at Federal Agencies, GAO/ AIMD- 00- 295
(Washington, D. C.: Sept. 6, 2000). Background
Page 4 GAO- 03- 44 IRS Computer Controls designate information security as
a governmentwide high- risk area in reports to the Congress. 3 It remains
so today. 4 How well federal agencies are addressing these risks is a
topic of
increasing interest in both the Congress and the executive branch. This is
evidenced by recent hearings on information security 5 and recent
legislation intended to strengthen information security. 6 In addition,
the administration undertook other important actions to improve
information security, such as integrating information security into the
President*s Management Agenda Scorecard. Moreover, the Office of
Management and Budget (OMB) and the National Institute of Standards and
Technology (NIST) have issued security guidance to agencies. In its role
as the nation*s tax collector, IRS is responsible for collecting
taxes, processing tax returns, and enforcing the nation*s tax laws. In
fiscal year 2002, it processed about 200 million tax returns, accounted
for approximately $2 trillion in collections, and paid about $281 billion
in refunds to taxpayers. To efficiently fulfill its tax processing
responsibilities, IRS relies extensively on interconnected computer
systems to perform various functions, such as collecting and storing
taxpayer data, processing tax returns, calculating interest and penalties,
generating refunds, and providing customer service.
Due to the nature of its mission, IRS collects and maintains a significant
amount of personal and financial data on each American taxpayer. These
3 U. S. General Accounting Office, High- Risk Series: Information
Management and Technology, GAO/ HR- 97- 9 (Washington, D. C.: February
1997). 4 U. S. General Accounting Office, High- Risk Series: Protecting
Information Systems Supporting the Federal Government and the Nation*s
Critical Infrastructures, GAO- 03- 121 (Washington, D. C.: January 2003).
5 U. S. General Accounting Office, Information Security: Progress Made,
but Challenges Remain to Effectively Protect Federal Systems and the
Nation*s Critical Infrastructures,
GAO- 03- 564T (Washington, D. C.: Apr. 8, 2003); Computer Security:
Progress Made, but Critical Federal Operations and Assets Remain at Risk,
GAO- 03- 303T (Washington, D. C.: Nov. 19, 2002); Information Security:
Comments on the Proposed Federal Information Security Management Act of
2002, GAO- 02- 677T (Washington, D. C.: May 2, 2002); and
Information Security: Additional Actions Needed to Implement Reform
Legislation,
GAO- 02- 470T (Washington, D. C.: Mar. 6, 2002). 6 E- Government Act of
2002 (P. L. 107- 347, Title III, Section 301, Dec. 17, 2002); and
Government Information Security Reform Provisions in Fiscal Year 2001
Defense Authorization Act (P. L. 106- 398, Division A, Title X, Subtitle
G, Section 1061, Oct. 30, 2000). IRS Is a Major Steward of
Personal Taxpayer Information
Page 5 GAO- 03- 44 IRS Computer Controls data typically include the
taxpayer*s name, address, Social Security number, dependents, income,
sources of certain types of income, and
certain deductions and expenses. The confidentiality of this sensitive
information is important because if this information is disclosed to
unauthorized individuals, taxpayers could be exposed to a loss of privacy
and to financial loss and damages resulting from identity theft and
financial crimes.
To help provide information security for its operations and assets
(including computing resources and taxpayer information), IRS has
developed and is implementing an agencywide information security program.
According to IRS, this program will, among other things, (1) ensure the
confidentiality, integrity, and availability of information; (2) assign
management responsibility for certifying the adequacy of security controls
to protect information; (3) establish individual accountability for the
data, information, and other information technology resources to which
individuals have access; (4) ensure the audit capability of all
information systems; and (5) provide the ability to maintain processing
during and following an emergency. To accomplish these goals, IRS has
developed and published information security policies, guidelines,
standards, and procedures in the Internal Revenue Manual, Law Enforcement
Manual, and other documents.
IRS*s CIO is responsible for developing and maintaining this agencywide
information security program and ensuring that (1) it provides information
security for the operations and assets of the agency and (2) the agency
effectively implements and maintains prescribed information security
policies, procedures, and control techniques. The senior management
official in each of IRS*s operating divisions, 7 with the assistance of
the CIO, is responsible for (1) assessing the information security risks
associated
with the operations and systems over which the official has control, (2)
determining the levels of information security appropriate to protect such
operations and systems, and (3) periodically testing and evaluating the
effectiveness of information security controls and techniques. IRS*s Chief
of Security Services is the agency*s senior agency information security
official, responsible for ensuring that IRS has effective security
programs
7 IRS has reorganized itself into four major operating divisions, aligned
by types of taxpayers: Wage and Investment, Small Business and Self-
Employed, Large and Mid- Size Business, and Tax Exempt and Government
Entities. The senior management official for each of these major divisions
is a commissioner. Other operating divisions include Appeals, Chief
Counsel, Communications and Liaison, and Criminal Investigation.
Page 6 GAO- 03- 44 IRS Computer Controls in place to adequately safeguard
taxpayer records, employees, facilities, systems, and other resources.
According to IRS, the operating budget for
Security Services is about $24.5 million for fiscal year 2003. Since 1992,
we have reviewed the effectiveness of IRS information security in
connection with our annual audit of IRS*s financial statements. 8 The
results of these reviews have led us each year to designate information
security as a material weakness. 9 We have also evaluated information
security at IRS as a result of congressional requests. For example, in
1998, at the request of the Chairman and Ranking Minority Member of the
Senate Committee on Governmental Affairs, we evaluated IRS*s progress in
correcting previously reported information security weaknesses. 10 We
determined that although IRS had made significant progress in improving
information security, serious weaknesses continued to exist at its
facilities because the agency had not yet fully institutionalized its
information security program. We recommended that IRS continue its actions
to implement certain controls and to complete the implementation of an
effective agencywide information security program.
We have also evaluated information security controls for IRS*s electronic
filing systems. The Chairman of the Senate Committee on Governmental
Affairs requested that we assess the effectiveness of key computer
controls designed to ensure the security, privacy, and reliability of
IRS*s electronic filing systems and electronically filed taxpayer
information. In 2001, we reported that IRS had not adequately secured
access to its electronic filing systems or to the electronically
transmitted tax return information those systems contained during the 2000
tax filing season because IRS had not taken adequate steps to assess
security risks and monitor the effectiveness of security controls on an
ongoing basis. 11 We
8 U. S. General Accounting Office, Financial Audit: Examination of IRS*s
Fiscal Year 1992 Financial Statements, GAO/ AIMD- 93- 2 (Washington, D.
C.: June 30, 1993). 9 A material weakness is a condition that precludes
the agency*s internal controls from providing reasonable assurance that
material misstatements in the financial statements
would be prevented or detected on a timely basis. 10 U. S. General
Accounting Office, IRS Systems Security: Although Significant Improvements
Made, Tax Processing Operations and Data Still at Serious Risk,
GAO/ AIMD- 99- 38 (Washington, D. C.: Dec. 14, 1998). 11 U. S. General
Accounting Office, Information Security: IRS Electronic Filing Systems,
GAO- 01- 306 (Washington, D. C.: Feb. 16, 2001). We Have Previously
Reviewed IRS Information
Security
Page 7 GAO- 03- 44 IRS Computer Controls provided technical
recommendations that addressed specific access control weaknesses and also
recommended, among other things, that IRS
implement procedures to assess risks and monitor the effectiveness of
security controls over electronic filing systems on an ongoing basis. Last
year, we again evaluated IRS*s actions to resolve the information security
weaknesses affecting its electronic filing systems and provided
congressional testimony disclosing that IRS had substantially improved
safeguards that controlled external access to its electronic filing
systems and to the electronically transmitted tax return data those
systems contained. 12 However, additional improvements were still needed
to protect the electronically transmitted data on those systems from
unauthorized access attempts by users of IRS*s internal network.
The objectives of our review were to (1) determine whether IRS has
implemented effective computer controls to protect the confidentiality,
integrity, and availability of sensitive systems and taxpayer data, and
(2)
determine whether IRS has fully implemented its agencywide information
security program.
To determine the effectiveness of IRS computer controls and whether IRS
had fully implemented its agencywide information security program, we
considered the results of the 14 facility- specific general control
reviews at 11 IRS facilities and 5 application control reviews 13 that we
performed in connection with our audits of IRS*s financial statements for
fiscal years 1998 through 2001. We performed those reviews using the audit
methodology described in our Federal Information System Controls Audit
Manual, 14 which discusses the scope of such reviews and the type of
testing required for evaluating computer controls intended to
limit, detect, or monitor logical and physical access to sensitive
computing resources and facilities, thereby protecting them from
unauthorized disclosure, modification, and use;
12 U. S. General Accounting Office, Tax Administration: IRS Continues to
Face Management Challenges in its Business Practices and Modernization
Efforts, GAO- 02- 619T (Washington, D. C.: Apr. 15, 2002).
13 Although five applications were reviewed, only four application-
specific reports were issued. One report contained the results of two
application control reviews. 14 U. S. General Accounting Office, Federal
Information System Controls Audit Manual,
GAO/ AIMD- 12.19.6 (Washington, D. C.: January 1999). Objectives, Scope,
and Methodology
Page 8 GAO- 03- 44 IRS Computer Controls ensure that work
responsibilities are segregated so that one individual does not perform or
control key aspects of computer- related operations
and thereby have the ability to conduct unauthorized actions or gain
unauthorized access to assets or records;
prevent unauthorized programs or modifications to existing programs from
being implemented; minimize the risk of unplanned interruptions and
recover critical
computer processing operations if interruptions occur; and implement an
agencywide information security program that includes a
continuing cycle of assessing risk, implementing and promoting policies
and procedures to increase awareness and reduce such risk, monitoring the
effectiveness of those measures, and effectively coordinating those
activities.
We consolidated and analyzed the information contained in reports of those
reviews to determine, on an agencywide basis, the nature and extent of
information security weaknesses affecting IRS systems and taxpayer data.
We also assessed the sufficiency of IRS*s information security policies
and guidance by reviewing and comparing them with guidance issued by NIST,
OMB, the National Security Agency (NSA), and certain
vendors of software products used by IRS. In addition, we obtained and
reviewed information- security- related documents and met with IRS
security officials to discuss the status of efforts to correct reported
weaknesses and fully implement the IRS information security program. We
also tested and observed controls over certain network devices to
determine whether IRS securely configured them to minimize the risk of
unauthorized access.
Further, we determined the status of IRS actions to resolve reported
information security weaknesses. We requested and evaluated written
statements from IRS on actions taken to address recommendations made in
the 14 facility- specific and 4 application- specific reports. We also
conducted follow- up visits at four facilities to test the effectiveness
of IRS*s actions to resolve general control weaknesses identified in five
reports.
Our review was performed at IRS headquarters and our headquarters in
Washington, D. C., from September 2002 through March 2003, in accordance
with generally accepted government auditing standards.
Page 9 GAO- 03- 44 IRS Computer Controls IRS has made important progress
toward improving information security controls. It has acknowledged the
seriousness of its information security
weaknesses and the risks they pose to its operations, and has again
designated information security as a material weakness in the Department
of the Treasury*s fiscal year 2002 accountability report. 15 It has also
developed a plan of action and milestones to resolve the material weakness
by March 31, 2004.
IRS has increased the resources devoted to securing its systems and data*
increasing, for example, the number of specialists assigned to Security
Services (formerly the Office of Systems Standards and Evaluation) from
about 60 in 1998 to 97 in 2003. It has also implemented and improved
control measures that limit physical access to facilities and computing
resources, and has established a virus protection and eradication program,
including regular updates from its software suppliers. Further, IRS now
has a 24- hour- a- day, 7- day- a- week Computer Security Incident
Response Capability team, which provides safeguards against various cyber
threats. For example, IRS has installed firewalls and intrusion detection
systems on its network, which the team monitors for security- related
events. The agency also asserts that it has upgraded its headquarters
continuity of operations plan and enhanced its master files disaster
recovery capability. 16 In addition, IRS is acquiring redundant
communications capabilities to
ensure that its executives have connectivity with the Department of the
Treasury, law enforcement, and staff affected by incidents. It is also
consolidating several of its geographically dispersed computer systems and
centralizing responsibility for their operation and maintenance.
Although IRS has made important progress, it has not consistently
implemented effective computer controls. Organizations can implement a
number of different types of controls to protect computing resources.
These include logical access controls* which ensure that only authorized
individuals can read, alter, or delete data* and other information system
15 The Federal Managers* Financial Integrity Act of 1982 (Public Law 97-
255) requires the head of each agency to annually prepare a statement that
identifies material weaknesses in the agency*s systems of internal
accounting and administrative control and its plans and schedule for
correcting them. 16 Master files are the large central databases that
contain historical and current detailed
information on taxpayers* personal data, filing status, tax returns, and
return- related documents. Although
Improvements Made, Information Security Weaknesses Still Pose Risks
Page 10 GAO- 03- 44 IRS Computer Controls controls. Such other controls
include (1) physical security; (2) software change controls, which ensure
that only authorized software programs are
implemented; (3) segregation of duties, which reduces the risk that one
individual can independently perform inappropriate actions without
detection; and (4) service continuity, which ensures that
computerdependent operations experience no significant disruptions.
However, computer- related weaknesses in these areas continued to pervade
the IRS facilities we reviewed between 1999 and 2002. As figure 1
illustrates, many control weaknesses were found at each of the 11
facilities.
Figure 1: Number of Control Weaknesses Found at IRS Facilities
a We performed multiple reviews at these sites. The number of general
control weaknesses indicated in this chart represents the total number of
new weaknesses identified at each site during those reviews. Weaknesses
were counted only once at each site. If a weakness was identified in a
prior review but was not corrected and still existed during a subsequent
review at the same site, it was not counted again.
Page 11 GAO- 03- 44 IRS Computer Controls Of the 14 general control
reviews performed at the 11 facilities depicted in figure 1, 3 were done
at site B, 2 at site E, and 1 at each of the remaining 9 sites. These
reviews identified a total of 765 general control weaknesses at the 11
facilities. The number of new weaknesses identified in individual
reviews ranged from 14 to 80, and averaged about 54. The large number of
weaknesses at each IRS facility reviewed demonstrates that addressing
information security is an agencywide challenge. Moreover, weaknesses
appeared in all general control categories, as
illustrated in figure 2.
Figure 2: Breakdown of Weaknesses by General Control Category
The majority of the weaknesses appear in logical access controls. Although
not as numerically significant as logical access controls, weaknesses in
other information system controls were found at each IRS facility reviewed
and also presented significant risk to IRS systems and taxpayer data.
IRS*s implementation of logical access controls at its facilities does not
effectively prevent, limit, or detect access to computing resources. A
basic management objective for any organization is to protect its
information
systems and critical data from unauthorized access. Organizations
accomplish this by designing and implementing logical access controls that
are intended to prevent, limit, and detect unauthorized access to
computing resources. These controls include user accounts and Logical
Access Controls
Were Often Inadequate
Page 12 GAO- 03- 44 IRS Computer Controls passwords, access rights and
permissions, network services and security, and audit and monitoring.
Inadequate logical access controls diminish the
reliability of computerized data and increase the risk of unauthorized
disclosure, modification, and use of sensitive systems and taxpayer data.
A computer system must be able to identify and differentiate among users
so that activities on the system can be linked to specific individuals.
Unique user accounts assigned to specific users allow systems to
distinguish one user from another, a process called identification. The
system must also establish the validity of a user*s claimed identity
through some means of authentication, such as a secret password, known
only to its owner. The combination of identification and authentication,
such as user account and password combinations, provides the basis for
establishing individual accountability and controlling access to the
system. Accordingly, agencies (1) implement procedures to control the
creation, use, and removal of user accounts, and (2) establish password
parameters,
such as length, life, and composition, to strengthen the effectiveness of
account and password combinations for authenticating the identity of
users.
IRS did not adequately control user accounts and passwords to ensure that
only authorized individuals were allowed access to computer systems.
Weaknesses with the administration of user accounts and the configuration
of password parameters created opportunities for individuals to masquerade
as other users and potentially gain inappropriate access to computing
resources, as the following examples illustrate.
IRS did not always promptly remove inactive or unused accounts at any of
the 11 facilities. Inactive accounts indicate that owners no longer need
the access privileges provided by the accounts and may be attractive
targets for individuals attempting to gain unauthorized access since the
account owners may not notice illicit activity on the accounts.
Users often created passwords that were common words or contained only
alphabetic characters at eight facilities. The use of such passwords
increases the possibility that someone could guess or crack the passwords
based on personal knowledge of the users or through password- cracking
software. User Accounts and Passwords
Page 13 GAO- 03- 44 IRS Computer Controls IRS did not require passwords
for certain accounts at eight facilities, significantly increasing the
risk that unauthorized users could
inappropriately utilize the access privileges provided by these accounts.
IRS did not consistently configure certain password parameters securely,
such as required password length and expiration, thereby increasing the
risk that someone could guess the password and be able to use the
compromised password for an extended period of time.
Weaknesses in controls over user accounts and passwords diminish the
overall effectiveness of these controls in preventing individuals from
gaining unauthorized access to computing resources and in tracing system
activity back to the correct individual. A basic underlying principle for
securing computer systems and data is the concept of least privilege. This
means that users are granted only those access rights and permissions
needed to perform their official duties. Organizations establish access
rights and permissions to restrict the access of legitimate users to the
specific programs and files that they need to do their work. User rights
are allowable actions that can be assigned to
users or groups. File and directory permissions are rules associated with
a file or directory that regulate which users can access them and in what
manner. Assignment of rights and permissions must be carefully considered
to avoid giving users unintentional and unnecessary access to sensitive
files and directories.
However, IRS did not sufficiently restrict user rights and file
permissions on its computer systems. The agency sometimes granted access
rights to users above and beyond those needed to perform their computer-
related job responsibilities and created files with excessive file
permissions, as the following examples illustrate.
IRS inappropriately established excessive permissions for certain files
at seven facilities. Files with these permissions can be modified by any
user on the system, greatly increasing the risk that a user may,
intentionally or inadvertently, make unauthorized changes to the file
contents.
IRS granted powerful operating system privileges to users who had no
documented need for such rights at 10 facilities.
Inappropriate access to sensitive files and directories can enable a
successful intruder or legitimate user to gain privileged administrator
access to the system. This access also creates the possibility that users
Access Rights and Permissions
Page 14 GAO- 03- 44 IRS Computer Controls might unintentionally modify or
destroy system files. Such lapses can compromise the integrity of the
operating system and the privacy of the
data that reside on these systems. Networks are series of interconnected
devices and software that allow individuals to share data and computer
programs. Because sensitive programs and data are stored on or transmitted
along networks, effectively securing networks is essential to protecting
computing resources and data from unauthorized access, manipulation, and
use. Organizations secure their networks, in part, by limiting the
services that are available on the network and by installing and
configuring network devices that permit authorized network service
requests and deny unauthorized requests. Network services consist of
protocols for transmitting data between computers. Network devices include
(1) firewalls designed to prevent unauthorized access into the network,
(2) routers that forward data along the network, (3) switches that filter
and forward information among parts of a network, and (4) servers that
host applications and data. Insecurely configured network services and
devices can make a system vulnerable to internal or external threats, such
as denial- of- service attacks. 17 Since networks provide the entry point
for access to electronic information assets, failure to secure them
increases the risk of unauthorized use of sensitive data and systems.
IRS did not always securely control network services or configure devices
to prevent unauthorized access to and ensure the integrity of computer
systems operating on its networks. The agency enabled unnecessary,
outdated, and misconfigured network services on certain servers and
sometimes configured certain network devices in such a manner that it did
not effectively reduce the risk of misuse or unauthorized access to
computing resources on its networks, as the following examples
demonstrate.
Intruders could have gained valuable information about systems without
logging in at 9 facilities.
Insecure remote access existed on its systems at 10 facilities. 17 A
denial- of- service attack is an attack on a network that sends a flood of
useless traffic that prevents legitimate use of the network. Network
Services and Security
Page 15 GAO- 03- 44 IRS Computer Controls IRS was running easily
exploitable and unnecessary services on servers at 10 facilities.
Running vulnerable network services and insecurely configuring network
devices increase the risk of system compromise, such as unauthorized
access to and manipulation of sensitive system data, disruption of
services, and denial of service.
Determining what, when, and by whom specific actions were taken on a
system is crucial to establishing individual accountability, monitoring
compliance with security policies, and investigating security violations.
Organizations accomplish this by implementing system or security software
that provides an audit trail for determining the source of a transaction
or attempted transaction and monitoring users* activities. How
organizations configure the system or security software determines the
nature and extent of audit trail information that is provided. To be
effective, organizations (1) configure the software to collect and
maintain sufficient audit trail information 18 for security- relevant
events; 19 (2)
generate reports that selectively identify unauthorized, unusual, and
sensitive access activity; and (3) regularly monitor and take action on
these reports. Without sufficient auditing and monitoring, organizations
increase the risk that they may not detect unauthorized activities or
policy violations.
IRS did not consistently audit or monitor computer system activity. The
agency did not (1) establish audit trails on some systems, (2) collect
sufficient audit trail information on other systems, or (3) routinely
review audit trail reports to monitor user activities on some systems to
ensure that users were performing only authorized actions, as the
following examples illustrate.
IRS did not activate the system feature to collect audit trail
information on key systems at 4 facilities. 18 Audit trail information
generally includes the (1) date and time the event occurred, (2)
user ID associated with the event, (3) type of event, and (4) result of
the event. 19 Security- relevant events include (1) successful and
unsuccessful log- on attempts; (2) logoffs; (3) change of password; (4)
creation, deletion, opening, and closing of files; (5) all actions of
users with privileged authority; and (6) program initiation. Audit and
Monitoring
Page 16 GAO- 03- 44 IRS Computer Controls IRS did not capture all
security- relevant events in audit logs on certain systems at 10
facilities.
IRS did not adequately review audit information or monitor system
activity on certain systems at 7 facilities. For example, agency personnel
had not reviewed the audit configuration settings on certain systems to
ensure that
they produced complete audit records. Where records existed, they were not
reviewed to determine if violations had occurred.
As a result, increased risk exists that IRS may not detect unauthorized
system activity or determine which users are responsible.
In addition to logical access controls, other important information system
controls help ensure the confidentiality, integrity, and availability of
systems and data at IRS facilities. These controls include policies,
procedures, and techniques that physically secure data processing
facilities and resources, properly segregate computing resources and
incompatible duties among computer personnel, prevent unauthorized
software changes, and effectively ensure the continuation of computer
processing service if an unexpected interruption occurs. Despite the many
information system controls that IRS has implemented, weaknesses in
these areas increase the risk of unauthorized access, disclosure, and
modification of data.
Physical security controls should be designed to prevent vandalism and
sabotage, theft, accidental or deliberate alteration or destruction of
information or property, attacks on personnel, and unauthorized access to
computing resources. These controls include those that prevent, limit, and
detect access to facility grounds, buildings, and sensitive work areas.
Examples of physical security controls include perimeter fencing,
surveillance cameras, security guards, and locks. On occasion, persons
other than regularly authorized personnel may be granted access to
facilities. An agency should control visitors using a variety of
techniques, such as providing escorts, checking identification, requiring
prior notice, and identifying visitors to staff by means of badges.
Inadequate physical security could lead to the loss of life and property,
the disruption of service and functions, and the unauthorized disclosure
of documents and information.
Although IRS has implemented many physical security controls, certain
weaknesses reduced their effectiveness in protecting and controlling Other
Information System
Controls Were Also Inadequate Physical Security
Page 17 GAO- 03- 44 IRS Computer Controls physical access to facility
grounds, buildings, and sensitive work areas, as the following examples
illustrate. Inadequate physical barriers, unlocked doors, or other
control issues
weakened perimeter security at 10 facilities. IRS did not always
effectively screen visitors seeking access to certain
facilities. At 8 facilities, as visitors left the premises, IRS did not
consistently collect
visitor badges to prevent subsequent unauthorized entry. As a result,
increased risk exists that unauthorized individuals could gain access to
facility grounds, buildings, sensitive computing resources, and taxpayer
data without detection.
Segregation of duties refers to the policies, procedures, and
organizational structure that help ensure that one individual cannot
independently control all key aspects of a process or computer- related
operation and thereby conduct unauthorized actions or gain unauthorized
access to assets or records. Often, segregation of duties is achieved by
dividing responsibilities among two or more organizational groups.
Dividing duties among two or more individuals or groups diminishes the
likelihood that errors and wrongful acts will go undetected because the
activities of one individual or group will serve as a check on the
activities of the other. Inadequate segregation of duties increases the
risk that erroneous or fraudulent transactions could be processed,
improper program changes implemented, and computer resources damaged or
destroyed.
IRS did not consistently separate incompatible computer- related
activities among individuals. For example, it did not sufficiently
separate incompatible system administration and security administration
duties at its facilities. To illustrate, it did not always divide among
individuals the responsibility for adding and deleting systems users from
the responsibility for maintaining system audit logs. IRS also assigned
incompatible operating system privileges to users, such as granting
auditing privileges to system administrators at 10 facilities. As a
result, increased risk exists that errors or fraud could occur. For
example, these individuals could add fictitious users with elevated access
privileges and
perform unauthorized system activity without detection. Segregation of
Duties
Page 18 GAO- 03- 44 IRS Computer Controls Also important for an
organization*s information security is ensuring that only authorized
software programs are placed in operation. This is
accomplished by instituting policies, procedures, and techniques that help
make sure that all programs and program modifications are properly
authorized, tested, and approved. To protect approved software programs
from unauthorized changes, software development and test activities should
not be performed on the same systems used to process production data and
transactions. Moreover, access to programs should be restricted to
authorized individuals only. Failure to do so increases the risk that
unauthorized programs or changes could be, inadvertently or deliberately,
placed into operation.
IRS did not institute sufficient controls over its software change
procedures at some of the facilities reviewed to ensure that only
authorized or current software programs were placed in operation. It also
did not consistently protect software programs in the operating
environment from the risk of unauthorized modification, as the following
examples illustrate. IRS had not established sufficient control
mechanisms at two facilities to
ensure that the facilities received all of the program updates sent by the
IRS national office.
IRS personnel at one facility did not routinely perform
postimplementation reviews of emergency software changes, as is required,
to determine the propriety and effectiveness of the changes, thereby
increasing the risk that unnecessary or unauthorized software was
installed as emergency changes.
Software developer accounts and/ or software development tools were
placed on production servers at five facilities. Such accounts and tools
increase the risk that individuals could make unauthorized changes to the
production software on these servers.
These software change control weaknesses at IRS facilities reduced the
integrity and reliability of data processed by IRS systems.
Service continuity controls should be designed to ensure that when
unexpected events occur, critical operations continue without interruption
or are promptly resumed and critical and sensitive data are protected.
These controls include (1) environmental controls and procedures designed
to protect information resources and minimize the risk of unplanned
interruptions and (2) a well- tested plan to recover critical Software
Change Control Service Continuity
Page 19 GAO- 03- 44 IRS Computer Controls operations should interruptions
occur. If service continuity controls are inadequate, even relatively
minor interruptions can result in lost or
incorrectly processed data, which can cause financial losses, expensive
recovery efforts, and inaccurate or incomplete financial or management
information.
Although progress has been made, weaknesses in service continuity controls
limit IRS*s ability to restore and continue data processing service after
a service disruption or emergency occurs. For example:
IRS had not developed disaster recovery plans for certain key systems at
seven facilities, thereby increasing the risk that IRS employees at these
facilities would not know how to recover these systems and resume
operations if unexpected disruptions occur.
IRS had not adequately tested certain service continuity plans at five
facilities, thereby reducing assurance that employees are adequately
trained and planned procedures are sufficient to promptly recover and
restore essential information systems and business operations.
As a result, IRS has diminished assurance that, in case of an unexpected
interruption, it will be able to protect or recover essential information
and critical business processes, potentially affecting its ability to
accomplish its mission and serve taxpayers.
Application controls help ensure that transactions are valid, properly
authorized, and completely and accurately processed by the computer. An
application is a program, or group of programs, utilized by end- users to
complete specific tasks, such as financial recording or payroll.
Application controls include authorization controls that ensure that only
authorized
transactions by authorized users are entered into the system.
Authorization controls are similar to logical access controls in that they
help to ensure that (1) individual accountability is maintained, (2) only
authorized transactions are processed, (3) the rights and privileges of
users are limited to what is required for completing job- related duties,
and (4) inappropriate or unauthorized activities are prevented or
detected. For example, requiring users to enter account name/ password
combinations during log- on to the application helps ensure that only
authorized users are accessing the application. Lack of such controls
increases the risk that inaccurate or unauthorized transactions will be
processed. Application Controls Were
Insufficient to Mitigate Risk
Page 20 GAO- 03- 44 IRS Computer Controls IRS did not consistently ensure
that access to key computer applications was limited to authorized persons
for authorized purposes. We reported 112 application control weaknesses
during our reviews of five applications. Authorization control weaknesses,
including those related to password controls, assigning access privileges,
and monitoring user
accounts, increased the risk of unauthorized disclosure, modification, or
use of the applications and taxpayer data, as the following examples
illustrate.
Users created weak passwords on two of the five applications reviewed,
thereby increasing the likelihood that someone could guess or crack their
passwords.
IRS granted certain employees rights and privileges that exceeded what
their duties required on four applications reviewed.
IRS did not always promptly revoke access rights of terminated employees
to an application used for accessing taxpayer records.
As a result, increased risk exists that someone could gain unauthorized
access to application and taxpayer data.
IRS has made important progress in correcting the general and application
control weaknesses that we reported on during the 3- year period ending
July 31, 2002. We performed follow- up general control reviews for 5 of
the 14 facility- specific reports issued during this period. On the basis
of these follow- up reviews, we determined that IRS had corrected or
mitigated the risk of just over half of the weaknesses (about 57 percent;
137 of 242). In addition, IRS asserts that it has corrected about a
quarter of the
weaknesses (about 23 percent; 122 of 523) identified in the remaining 9
reports. These corrective actions include (1) enhancing the effectiveness
of IRS*s network security controls that protect against external attempts
to gain unauthorized access to IRS*s internal systems and (2) enhancing,
implementing, and testing the disaster recovery capability for the
missioncritical
master files. IRS has also corrected or mitigated the risk of over half
(about 55 percent; 62 of 112) of the application control weaknesses
reported for the 4 applications in the four application reports.
In addition, IRS has developed a plan of actions and milestones for
resolving its material weakness in information security. The plan
addresses the remaining work to be accomplished, which includes IRS Has
Corrected Many
Reported Weaknesses
Page 21 GAO- 03- 44 IRS Computer Controls reexamining its security roles
and responsibilities; analyzing security roles and responsibilities to
assist it in developing
implementation processes and improve accountability; improving its
security criteria; mapping its policies and procedures to governmentwide
security guidance
to ensure the development of robust security criteria; and identifying,
prioritizing, and certifying its sensitive systems.
The plan identifies (1) corrective actions, (2) the agency organization
responsible for correcting the weakness, (3) key milestones with
completion dates, and (4) the status of actions. It indicates that the
planned completion date for resolving the material weakness is March 31,
2004, when IRS executives are scheduled to meet to validate the
effectiveness of the corrective actions.
An underlying cause for the numerous weaknesses in information system
controls at IRS facilities is that, although IRS has made progress, it has
not fully implemented certain elements of its agencywide information
security program. Our study of strong security management practices, as
summarized in our 1998 Executive Guide, 20 found that leading
organizations handle their information security risks through an ongoing
cycle of risk management. This process involves (1) establishing a
centralized management function to coordinate the continuous cycle of
activities while providing guidance and oversight for the security of the
organization as a whole; (2) assessing risks and determining what security
measures are needed; (3) establishing and implementing policies and
controls that meet those needs; (4) promoting security awareness so that
users understand the risks and the related policies and controls in place
to mitigate those risks; and (5) monitoring policies and controls to
ensure that they are appropriate and effective and that known weaknesses
are promptly mitigated.
20 U. S. General Accounting Office, Information Security Management:
Learning from Leading Organizations, GAO/ AIMD- 98- 68 (Washington, D. C.:
May 1998). IRS Has Not Fully
Implemented Elements of Its Agencywide Security Program
Page 22 GAO- 03- 44 IRS Computer Controls IRS has effectively implemented
the first key element of the program: the Office of Security Services
serves as the central focal point for
coordinating, guiding, evaluating, and overseeing information security
program activities. It has also taken steps to implement its agencywide
program. For example, IRS has revised its information technology security
policies and guidance to include the latest guidance on information
security issued by OMB and NIST. It has also updated the specific security
roles and responsibilities for its senior officials, managers, security
personnel, and system users. In addition, IRS routinely reviews the
effectiveness of information security at its facilities and is
implementing automated tools to assist with the monitoring and auditing of
the agency*s computer systems. However, IRS has not yet fully or
effectively implemented other elements of the program. These shortcomings
undermine the agency*s efforts to secure its facilities, systems, and
sensitive data.
Understanding the risks associated with information systems is a key
element of an information security program. The Federal Information
Security Management Act of 2002 and its predecessor, the Government
Information Security Reform provisions, 21 require all federal agencies to
develop comprehensive information security programs based on assessing and
managing risks. 22 To help ensure that information systems are adequately
protected from associated risks, federal organizations can perform risk
assessments, develop system security plans, and formally authorize the use
of each system before it becomes operational.
21 When we performed our audit work, the two major laws related to federal
computer information security that were in effect were the Computer
Security Act, P. L. No. 100- 235, January 8, 1988, and the Government
Information Security Reform provisions (GISRA), Title X, Subtitle G, P. L.
106- 398, October 30, 2000. Effective December 17, 2002, the Federal
Information Security Management Act of 2002, Title III, P. L. 107- 347,
repealed GISRA and the Computer Security Act and replaced them with
similar, but strengthened provisions.
22 The February 1996 revision to OMB Circular A- 130, Appendix III,
Security of Federal Automated Information Resources, directs agencies to
use a risk- based approach to determine adequate security, including a
consideration of the major factors in risk management: the value of the
system or application, threats, vulnerabilities, and the effectiveness of
current or proposed safeguards. Additional guidance on effective risk
assessment is available in NIST publications and in our Information
Security Risk Assessment: Practices of Leading Organizations, GAO/ AIMD-
00- 33 (Washington, D. C.: November 1999). Assessing Risks and
Determining Needs
Page 23 GAO- 03- 44 IRS Computer Controls Identifying and assessing
information security risks are essential steps in determining what
controls are required and what level of resources should
be expended on controls. IRS policy requires that a risk assessment be
performed at periodic intervals, commensurate with the sensitivity and
criticality of data processed, but no less frequently than every 3 years
if no assessment has been performed during that period.
However, at the time of our reviews, IRS had not assessed risks for many
of its systems. According to the Treasury Inspector General for Tax
Administration*s Report on the Government Information Security Reform
provisions for IRS for Fiscal Year 2002, only 34 percent of IRS*s reported
305 sensitive systems had been assessed for risk. The lack of risk
assessments indicates that IRS had not done all it was required to do to
understand and manage risks to its systems. Inadequate assessment of risks
can lead to the implementation of inadequate or inappropriate security
controls that do not address the system*s true risks and costly efforts to
subsequently implement effective controls. According to IRS officials,
they recognized the predicament caused by the long- standing practice of
not assessing risks for individual systems. Until the risk assessments are
complete, IRS officials stated that other risk management activities, such
as on- site information security reviews and network scans to identify
vulnerable systems, would assist in identifying risks. Also, under its
information security plan of actions and milestones, IRS has an emphasis
on certification and accreditation and is committed to have all its
sensitive systems certified by 2004. Once a risk assessment has been
performed, it can serve as a basis for
defining system security requirements and identifying and selecting
appropriate and cost- effective security controls. Federal information
security laws and OMB Circular A- 130, Appendix III, require that system
security plans be prepared for all federal systems that contain sensitive
information. The purpose of these plans is to (1) provide an overview of
the security requirements of the system and describe the controls in place
or planned for meeting those requirements; (2) delineate responsibilities
and expected behavior of all individuals who access the system; and (3)
serve as documentation of the structured process of planning adequate,
cost- effective security protection for a system. IRS policy requires that
all its applications and general support systems be covered by system
security plans and that the plans be updated at least every 3 years or
when significant changes to the systems occur. To facilitate consistency
and ease in preparing system security plans, IRS has developed a
comprehensive template that includes the required elements for a security
plan. Risk Assessments
System Security Plans
Page 24 GAO- 03- 44 IRS Computer Controls IRS had not developed or updated
system security plans for many of its systems. According to the Treasury
Inspector General for Tax
Administration*s Report on the Government Information Security Reform
provisions for IRS for Fiscal Year 2002, only 34 percent of IRS*s reported
305 sensitive systems had an up- to- date security plan. Without current,
comprehensive security plans, IRS has no assurance that all aspects of
security have been considered in determining the security requirements of
its sensitive systems and that adequate protection has been provided to
meet those requirements.
OMB and IRS also require management officials to formally authorize the
use of each general support system and major application before it becomes
operational, when a significant change occurs, and at least every 3 years
thereafter. 23 IRS employs a certification and accreditation process for
authorizing the use of its systems and applications. System certification
is based on a technical evaluation of an information system to see how
well it meets its security requirements, including all applicable federal
laws, policies, regulations, and standards. System accreditation is
the written management authorization for a system to operate and/ or
process information. IRS requires that this authorization be based on a
complete and reliable assessment of the management, operational, and
technical controls that are in place to mitigate the vulnerabilities to
which
the system is exposed, and assurance that the controls function as
intended. In addition, IRS requires that a risk assessment, contingency
plan, system security plan, and rules of behavior have been developed and
are in place before a system can be authorized for processing.
However, IRS managers had not authorized the use of many of IRS*s systems.
According to the Department of the Treasury*s 2002 annual program review
required by the Government Information Security Reform provisions (P. L.
106- 398), only about 35 percent of IRS*s sensitive systems
have been authorized for processing following the completion of system
certification and accreditation. Thus, about 65 percent of IRS*s sensitive
systems were deployed and operating without written management
authorization and, potentially, without the benefit of a comprehensive
assessment of their security controls. The lack of authorization indicates
that systems* managers have not reviewed and accepted responsibility for
the adequacy of the security controls implemented on their systems and
23 Authorization is sometimes referred to as accreditation. System
Authorization
Page 25 GAO- 03- 44 IRS Computer Controls increases the risk that systems
will be deployed with security vulnerabilities.
The risks associated with not certifying and accrediting systems are
particularly significant for IRS since many of its systems are designed
and developed centrally at one facility and then deployed for operation at
multiple facilities. Thus, the deployment of a centrally developed,
insecurely configured system may introduce security vulnerabilities at
multiple facilities. Indeed, personnel at the IRS facilities reviewed
stated that information systems were deployed with some of the insecure
system configurations identified during our tests.
Another key element of an effective information security program, as
identified during our study of information security management practices
at leading organizations, is establishing and implementing appropriate
policies and related controls. Establishing or documenting security
policies is important because they are the primary mechanism by which
management communicates its views and requirements and serve as the basis
for adopting specific procedures and technical controls. In addition,
agencies need to take the actions necessary to effectively implement or
execute these procedures and controls. Otherwise, agency systems and
information will not receive the protection provided by the security
policies and controls.
IRS has established a substantial set of information security policies,
standards, and guidelines that generally provides appropriate guidance to
personnel responsible for securing IRS information systems and data. Yet,
there were instances in which security policies or implementing guidelines
for certain systems either did not address certain security controls or
were not consistent with strong security practices. These shortcomings
pertained to the configuration and use of certain network services and
devices, password parameters (such as password age and length), and the
assignment of certain operating system rights. Overall, though, IRS has
established information security policies, standards, and guidelines that,
if effectively implemented, would protect its information systems from
many
threats. Effective implementation and compliance have, however, been a
problem. IRS routinely did not effectively implement or comply with its
policies, standards, and guidelines for securing information systems.
About 30 percent of all weaknesses we reported during the 3- year period
existed because IRS personnel did not perform procedures, configure
systems, or Establishing and
Implementing Policies and Controls
Page 26 GAO- 03- 44 IRS Computer Controls implement controls in accordance
with IRS policies and guidelines. Moreover, about half of the weaknesses
identified during our three most
recent information security reviews were the result of IRS personnel not
implementing established policies and guidelines. Implementing and
complying with appropriate information security policies, standards, and
guidelines are essential elements of an effective security program. Two
factors contributed to the creation of these security weaknesses.
First, the procedures IRS established to certify and accredit its systems
are designed to ensure that the systems comply with established security
policies and standards. However, as discussed, IRS*s historically
inconsistent performance in certifying and accrediting its information
systems may have resulted in the deployment of systems that were not
configured in accordance with agency policies and standards. Second, the
agency has not established sufficient methods for holding personnel
accountable for implementing security policies and controls. According to
an IRS official, performance standards and measures that address
compliance with information security policies have not been incorporated
into performance appraisal mechanisms for IRS executives, managers, and
users. Until such performance standards and measures are developed and
incorporated into the appraisal process, agency personnel may not devote
sufficient attention and effort to implementing effective security
controls. The inconsistent application of security policies and controls
increases the risk that unauthorized access, loss, or manipulation of
sensitive systems and data may occur.
Another important element of an information security program involves
promoting awareness and providing required training so that users
understand the risks and their role in implementing related policies and
controls to mitigate those risks. Computer intrusions and security
breakdowns often occur because computer users fail to take appropriate
security measures. For this reason, it is vital that employees who use
computer systems in their day- to- day operations be aware of the
importance and sensitivity of the information they handle, as well as the
business and legal reasons for maintaining its confidentiality, integrity,
and availability. OMB Circular A- 130, Appendix III, provides that
employees be trained on how to fulfill their security responsibilities
before being
allowed access to sensitive systems. Federal information security laws
mandate that all federal employees and contractors involved with the
management, use, or operation of federal computer systems be provided
periodic training in information security awareness and accepted
information security practice. Promoting Security
Awareness and Training
Page 27 GAO- 03- 44 IRS Computer Controls IRS has developed and
implemented several methods for notifying employees of their security-
related responsibilities. These include
specifying security roles and responsibilities in various policy manuals
and documents available to employees, requiring computer users to certify
that they understand the system security rules for all information systems
to
which they have been granted access, and requiring each employee to
receive a mandatory annual awareness briefing that focuses on the
protection against and prevention of willful unauthorized access and
inspection of taxpayer returns or tax return information.
However, the extent of noncompliance with IRS security policies and
guidelines suggests that some IRS employees are either unaware of their
responsibilities or insensitive to the need for implementing important
information system controls. Although IRS had specified security roles and
responsibilities in policy manuals, it had not, at the time of our
reviews, linked them to executive, manager, and user positions in IRS*s
operating divisions. According to IRS security officials, some operating
division managers had inappropriately believed that implementing security
controls on their systems was not their responsibility but, rather, was
the responsibility of Security Services personnel. In addition, IRS did
not consistently provide sufficient security- related training to key
security personnel. For example, security administrators at four IRS
facilities possessed limited knowledge, and had not received training,
about certain technical controls of system software they monitored.
Insufficient
technical security knowledge among key security personnel increases the
risk that they will not promptly detect and mitigate security weaknesses.
The final key element of an information security program is ongoing
testing and evaluation to ensure that systems are in compliance with
policies, and that policies and controls are both appropriate and
effective. This type of oversight is a fundamental element because it
demonstrates
management*s commitment to the security program, reminds employees of
their roles and responsibilities, and identifies and mitigates areas of
noncompliance and ineffectiveness. For these reasons, OMB Circular A130,
Appendix III, directs that the security controls of major information
systems be independently reviewed or audited at least every 3 years.
Although monitoring in itself may encourage compliance with security
policies, the full benefits of monitoring are not achieved unless the
results improve the security program. Analyzing the results of monitoring
efforts, as well as security reviews performed by external audit
organizations, provides security specialists and business managers with a
means of (1) Monitoring the
Effectiveness of Controls and Mitigating Weaknesses
Page 28 GAO- 03- 44 IRS Computer Controls identifying new problem areas,
(2) reassessing the appropriateness of existing controls, and (3)
identifying the need for new controls.
The IRS Office of Security Services has established a program for
reviewing and evaluating controls over IRS*s information systems. During
fiscal year 2002, IRS reported that it performed 258 information security
reviews at key facilities, including computing centers, development
centers, campuses, and area offices. These included physical security
reviews, operations reviews, communications security reviews, disaster
recovery/ business resumption reviews, and technical control reviews over
its mainframe, Unix, and Windows NT systems.
However, IRS did not always take full advantage of review or audit results
to proactively improve security controls at its facilities. Specifically,
it did not take sufficient steps to ensure that weaknesses identified at
one facility were promptly considered and addressed at other facilities.
Our reviews have consistently identified weaknesses at IRS facilities that
were previously identified at other facilities. About 61 percent of the
weaknesses identified during the 3- year period covered by this report
were found at more than one facility. For example, nine facilities allowed
access to certain system information without requiring a log- on. We first
reported this weakness at a facility in 1999 and continued to report it at
other facilities through 2001. Further, IRS sometimes did not act to
ensure that weaknesses identified on one system were considered and
addressed on other similar systems at the same facility. For example,
during a follow- up review at one facility, an IRS official said he
believed that the facility had effectively corrected certain previously
reported vulnerabilities because facility employees had corrected the
vulnerabilities on the specific systems that were evaluated during the
prior review. However, they did not consider or correct the same
vulnerabilities on other similar systems that were not included in the
prior review.
As weaknesses are identified, it is important to determine whether those
weaknesses exist on similar systems at the same facility or at other
facilities because of the degree of standardization that exists among
similar systems and facilities. The lack of sufficient procedures to
proactively ensure that weaknesses found at an IRS facility or on a system
are considered and, if necessary, corrected at other facilities or on
similar systems could lead to a false sense of security and expose IRS
systems and data to increased, unnecessary risks.
Page 29 GAO- 03- 44 IRS Computer Controls IRS has acknowledged the
seriousness of its information security weaknesses and is taking action to
improve its agencywide information
security program. The program is in transition from a facility- based
approach to an enterprise- based approach, which is aligned with IRS*s
reorganized operating divisions and the centralized information management
within Modernization, Information Technology, and Security Services. This
approach, led by Security Services, depends on the support of various IRS
organizations to implement and monitor corrective actions. This includes
defining specific security roles and responsibilities for executive,
manager, and user positions throughout the agency, including those in the
operating divisions. Ongoing efforts to adequately mitigate
weaknesses are primarily focused on developing and implementing consistent
security procedures for all operating divisions, ensuring day- today
execution of these procedures, and certifying the backlog of uncertified
systems.
However, until IRS can fully implement an effective agencywide information
security program and adequately mitigate its information security
weaknesses, it will remain at heightened risk of access to critical
hardware and software by unauthorized individuals, who could intentionally
or inadvertently add, alter, or delete sensitive data or computer
programs. Such individuals could possibly obtain personal taxpayer
information and use it to commit financial crimes in the taxpayer*s name
(identity fraud), such as establishing credit and incurring debt.
IRS has made important progress toward improving information security
controls and implementing an agencywide information security program. Yet,
much work remains to be done to resolve significant control weaknesses
that continue to exist within its computing environment and to enable IRS
to promptly address new security threats and risks as they emerge. We have
previously provided IRS with many detailed recommendations for mitigating
the individual weaknesses summarized in this report. Ensuring that known
weaknesses affecting IRS*s computing resources are promptly mitigated and
that computer controls effectively protect its systems and data requires
support and leadership from senior management of IRS*s information
technology and operating divisions, disciplined processes, and consistent
oversight. Implementing an effective agencywide information security
program requires that IRS take a comprehensive approach that includes
assessing risks and evaluating needs, establishing and implementing
appropriate policies and controls, enhancing awareness and technical
skills, and monitoring the IRS Is Taking Action to
Improve Its Information Security Program
Conclusions
Page 30 GAO- 03- 44 IRS Computer Controls effectiveness of controls on an
ongoing basis. Further, a successful program will need the active and
accountable involvement of both (1)
operating division executives and managers who understand which aspects of
their missions and information systems are the most critical and sensitive
and (2) technical experts who know the agencies* systems and
understand the technical aspects of implementing security controls. Until
IRS effectively and fully implements its agencywide information security
program, assurance will remain limited that IRS*s financial information
and taxpayers* personal information are adequately safeguarded against
unauthorized use, disclosure, and modification, and its exposure to these
risks will remain unnecessarily high.
To implement an effective agencywide information security program, we
recommend that the IRS Commissioner direct the Chief Information Officer
and the senior management official of each operating division to do the
following:
Assess risks and evaluate security needs by performing risk
assessments for all systems; developing security plans for all systems;
and certifying and accrediting all systems before they become
operational,
upon significant change, and at least every 3 years thereafter.
Establish and implement adequate information security policies and
controls by updating security policies or implementing guidelines
pertaining to the
configuration and use of certain network services and devices, password
parameters, and the assignment of certain operating system rights, to be
consistent with strong security practices; testing and assessing
security controls and configurations of systems
before deployment for compliance with established security policies and
standards; and establishing and incorporating performance standards for
compliance
with security policies and procedures in the performance appraisal process
for IRS executives and managers in the information technology and
operating divisions.
Enhance information security awareness and training programs by
Recommendations for
Executive Action
Page 31 GAO- 03- 44 IRS Computer Controls providing training to IRS
employees and contractors, including executives, managers, and users, and
including those in the information
technology and operating divisions, on their security roles and
responsibilities; and providing security- related training commensurate
with job- related
responsibilities to security personnel. Monitor the effectiveness of
controls and mitigate known information security weaknesses by
establishing and implementing procedures to proactively ensure that
weaknesses found at an IRS facility or on a system are considered and, if
necessary, corrected at other facilities or on similar systems.
In providing written comments on a draft of this report (which are
reprinted in appendix I), the Commissioner of Internal Revenue generally
agreed with the report, and indicated that IRS is acting to implement our
recommendations. The Commissioner noted that safeguarding taxpayer
information is one of IRS*s highest priorities and that the agency
continues to strengthen its security controls. According to the
Commissioner, IRS is taking several steps to (1) assess risk and evaluate
its security needs, (2) establish and consistently implement information
security policies and controls, (3) implement a computer security training
program, and (4) develop executive- level feedback mechanisms to monitor
the effectiveness of controls to ensure that corrective actions are
implemented on an enterprisewide basis.
If you have any questions or need further information about the material
contained in this report, please contact Gregory C. Wilshusen, Assistant
Director, at (202) 512- 6244, or me at (202) 512- 3317. We can also be
reached by E- mail at wilshuseng@ gao. gov or daceyr@ gao. gov,
respectively. Other key contributors to this report include Ramnik
Dhaliwal, Suzanne Lightman, and Evelyn Logue. Robert F. Dacey
Director, Information Security Issues Agency Comments
Appendix I: Comments from the Internal Revenue Service
Page 32 GAO- 03- 44 IRS Computer Controls Appendix I: Comments from the
Internal Revenue Service
Appendix I: Comments from the Internal Revenue Service Page 33 GAO- 03- 44
IRS Computer Controls
Appendix I: Comments from the Internal Revenue Service Page 34 GAO- 03- 44
IRS Computer Controls
Appendix I: Comments from the Internal Revenue Service Page 35 GAO- 03- 44
IRS Computer Controls
Appendix I: Comments from the Internal Revenue Service
Page 36 GAO- 03- 44 IRS Computer Controls (310144)
The General Accounting Office, the audit, evaluation and investigative arm
of Congress, exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability of
the federal government for the American people. GAO examines the use of
public funds; evaluates federal programs and policies; and provides
analyses, recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO*s commitment to
good government is reflected in its core values of accountability,
integrity, and reliability.
The fastest and easiest way to obtain copies of GAO documents at no cost
is through the Internet. GAO*s Web site (www. gao. gov) contains abstracts
and fulltext files of current reports and testimony and an expanding
archive of older products. The Web site features a search engine to help
you locate documents using key words and phrases. You can print these
documents in their entirety, including charts and other graphics.
Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as *Today*s Reports,* on its
Web site daily. The list contains links to the full- text document files.
To have GAO e- mail
this list to you every afternoon, go to www. gao. gov and select
*Subscribe to daily E- mail alert for newly released products* under the
GAO Reports heading.
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent of
Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more
copies mailed to a single address are discounted 25 percent. Orders should
be sent to: U. S. General Accounting Office 441 G Street NW, Room LM
Washington, D. C. 20548 To order by Phone: Voice: (202) 512- 6000
TDD: (202) 512- 2537 Fax: (202) 512- 6061
Contact: Web site: www. gao. gov/ fraudnet/ fraudnet. htm E- mail:
fraudnet@ gao. gov Automated answering system: (800) 424- 5454 or (202)
512- 7470 Jeff Nelligan, Managing Director, NelliganJ@ gao. gov (202) 512-
4800
U. S. General Accounting Office, 441 G Street NW, Room 7149 Washington, D.
C. 20548 GAO*s Mission Obtaining Copies of
GAO Reports and Testimony
Order by Mail or Phone To Report Fraud, Waste, and Abuse in Federal
Programs Public Affairs
*** End of document. ***