Information Security: Internal Revenue Service Needs to Remedy
Serious Weaknesses over Taxpayer and Bank Secrecy Act Data
(15-APR-05, GAO-05-482).
                                                                 
The Internal Revenue Service (IRS) relies extensively on	 
computerized systems to support its financial and mission-related
operations. In addition, IRS provides computer processing support
to the Financial Crimes Enforcement Network (FinCEN)--another	 
Treasury bureau. As part of IRS's fiscal year 2004 financial	 
statements, GAO assessed (1) the status of IRS's actions to	 
correct or mitigate previously reported weaknesses at one of its 
critical data processing facilities and (2) the effectiveness of 
IRS's information security controls in protecting the		 
confidentiality, integrity, and availability of key financial and
tax processing systems. 					 
-------------------------Indexing Terms-------------------------
REPORTNUM: GAO-05-482
ACCNO:     A21778
TITLE:     Information Security: Internal Revenue Service Needs to
           Remedy Serious Weaknesses over Taxpayer and Bank Secrecy Act Data
DATE:      04/15/2005
SUBJECT:   Computer security
           Data integrity
           Financial statement audits
           Information resources management
           Internal controls
           Systems analysis
           Tax administration systems
           Corrective action
           Treasury Financial Crimes Enforcement Network
                                                                 

GAO-05-482

United States Government Accountability Office

GAO Report to the Committee on the Judiciary, House of Representatives

April 2005

INFORMATION SECURITY

Internal Revenue Service Needs to Remedy Serious Weaknesses over Taxpayer and
Bank Secrecy Act Data


  What GAO Found

IRS has made progress in correcting or mitigating previously reported
information security weaknesses and in implementing controls over key
financial and tax processing systems that are located at one of its
critical data processing facilities. It has corrected or mitigated 32 of
the 53 weaknesses that GAO reported as unresolved at the time of our prior
review in 2002.

However, in addition to the remaining 21 previously reported weaknesses
for which IRS has not completed actions, 39 newly identified information
security control weaknesses impair IRS's ability to ensure the
confidentiality, integrity, and availability of its sensitive financial
and taxpayer data and FinCEN's Bank Secrecy Act data. For example, IRS has
not implemented effective electronic access controls over its mainframe
computing environment to logically separate its taxpayer data from
FinCEN's Bank Secrecy Act data, two types of data with different security
requirements. In addition, IRS has not effectively implemented certain
other information security controls relating to physical security,
segregation of duties, and service continuity at the facility.
Collectively, these weaknesses increase the risk that sensitive taxpayer
and Bank Secrecy Act data will be inadequately protected from unauthorized
disclosure, modification, use, or destruction. Moreover, weaknesses in
service continuity and business resumption plans heighten the risk that
assets will be inadequately protected and controlled to ensure the
continuity of operations when unexpected interruptions occur.

An underlying cause of these information security control weaknesses is
that IRS has not fully implemented certain elements of its agencywide
information security program. Until IRS fully implements a comprehensive
agencywide information security program, its facilities and computing
resources and the information that is processed, stored, and transmitted
on its systems will remain vulnerable.


Contents

Letter
     Results in Brief
     Background
     Objectives, Scope, and Methodology
     IRS Has Made Progress in Correcting Previously Reported Weaknesses
     Serious Weaknesses Place Taxpayer and Bank Secrecy Act Data at Risk
     Information Security Program Is Not Fully Implemented at IRS
     Conclusions
     Recommendations for Executive Action
     Agency Comments
Appendixes
     Appendix I:  Comments from the Secretary of the Treasury
     Appendix II: GAO Contact and Staff Acknowledgments
          GAO Contact
          Staff Acknowledgments

Abbreviations

BSA Bank Secrecy Act
CIO chief information officer
FinCEN Financial Crimes Enforcement Network
FISMA Federal Information Security Management Act of 2002
IRS Internal Revenue Service
MASS Mission Assurance and Security Services
RACF Resource Access Control Facility

This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.


United States Government Accountability Office Washington, D.C. 20548

April 15, 2005

The Honorable F. James Sensenbrenner Jr.
Chairman
The Honorable John Conyers Jr.
Ranking Minority Member
Committee on the Judiciary
House of Representatives

As part of our audit of the Internal Revenue Service's (IRS) fiscal year
2004 financial statements,1 we assessed the effectiveness of IRS's
information security controls2 over key financial systems, data, and
interconnected networks at one of IRS's critical data processing facilities
that support the processing, storage, and transmission of sensitive
financial and taxpayer data. In addition, the facility maintains Bank
Secrecy Act data on behalf of the Financial Crimes Enforcement Network
(FinCEN). These data are used by federal law enforcement and regulatory
agencies, as well as IRS, to support their investigations of financial
crimes, including terrorist financing and money laundering.

This report describes (1) the status of IRS's actions to correct or
mitigate previously reported weaknesses at the facility and (2) whether
controls over key financial and tax processing systems have been effective
in ensuring the confidentiality, integrity, and availability of financial
and sensitive taxpayer data. In response to your request, we are addressing
this report to you.

Separately, we issued a Limited Official Use Only report to you detailing
the results of our review. This version of the report, for public release,
provides a general summary of the vulnerabilities identified and our
recommendations to help strengthen and improve IRS's information security
controls.

1GAO, Financial Audit: IRS's Fiscal Years 2004 and 2003 Financial
Statements, GAO-05-103 (Washington, D.C.: Nov. 10, 2004).

2Information security controls include electronic access controls,
software change control, physical security, segregation of duties, and
service continuity. These controls are designed to ensure that access to
data is appropriately restricted, that only authorized changes to computer
programs are made, that physical access to sensitive computing resources
and facilities is protected, that computer security duties are segregated,
and that back-up and recovery plans are adequate to ensure the continuity
of essential operations.

  Results in Brief

IRS has made progress in correcting or mitigating
previously reported information security weaknesses and implementing
controls over key financial and tax processing systems that are located at
a critical data processing facility. The agency has corrected or mitigated
32 of the 53 weaknesses that we reported as unresolved at the time of our
prior review in 2002. For example, IRS improved perimeter security by
installing barriers at the facility's entrance and implemented procedures
to ensure that up-to-date copies of disaster recovery plans would be
maintained at an off-site storage facility.

However, IRS has not effectively implemented controls over key financial
and tax processing systems located at the facility. In addition to the
remaining 21 previously reported weaknesses, for which IRS has not
completed actions, 39 newly identified information security control
weaknesses impair IRS's ability to ensure the confidentiality, integrity,
and availability of its sensitive financial and taxpayer data and FinCEN's
Bank Secrecy Act data. IRS has not implemented effective electronic access
controls to prevent, limit, or detect unauthorized access to computing
resources from the internal IRS computer network. For example, access
controls over the mainframe computing environment did not logically
separate IRS's taxpayer data from FinCEN's Bank Secrecy Act data, two types
of data with different security requirements. As a result, all mainframe
users could read or copy Bank Secrecy Act data, and law enforcement users
could read or copy taxpayer data. In addition, IRS had not effectively
implemented certain other information security controls relating to
physical security, segregation of duties, and service continuity at the
facility. Collectively, these weaknesses increase the risk that sensitive
taxpayer and Bank Secrecy Act data will not be adequately protected from
unauthorized disclosure, modification, use, or loss. Moreover, weaknesses
in service continuity and business resumption plans heighten the risk that
assets will not be adequately protected and controlled to ensure the
continuity of operations when unexpected interruptions occur.

These information security control weaknesses exist primarily because IRS
has not fully implemented an agencywide information security program to
effectively protect the information and information systems that support
the operations and assets of the agency. Although IRS has taken some
action, including establishing the office of Mission Assurance and
Security Services, appointing a senior information security officer to
manage the program, and establishing a task force for conducting risk
assessments and security test and evaluations, as part of activities
required for certification and accreditation, it has not fully implemented
key elements of an effective information program. For example, it has not
(1) fully
implemented established security policies and procedures, (2) provided
specialized training to employees with significant security
responsibilities, and (3) effectively instituted a process for performing
periodic test and evaluation of its systems. Until IRS fully implements a
comprehensive agencywide information security program, its facilities,
computing resources, and the information that is processed, stored, and
transmitted on its systems will remain vulnerable.

We are making recommendations to the Secretary of the Treasury to direct
the IRS Commissioner to take several actions to fully implement a
comprehensive agencywide information security program and to determine
whether taxpayer information has been disclosed to unauthorized
individuals. We further recommend that the Secretary of the Treasury
direct the FinCEN Director to perform an assessment to determine whether
Bank Secrecy Act data have been disclosed to unauthorized users. The IRS
Chief of Mission Assurance and Security Services informed us that certain
corrective actions have been completed subsequent to the completion of our
fieldwork.

In providing written comments on a draft of this report, the Acting Deputy
Secretary of the Treasury generally agreed with our recommendations,
identified specific corrective actions that IRS has taken or plans to take
to address the recommendations, and provided other comments.

  Background

Information security is a critical consideration for any
organization that depends on information systems and computer networks to
carry out its mission or business. It is especially important for
government agencies, where the public's trust is essential. The dramatic
expansion in computer interconnectivity and the rapid increase in the use
of the Internet are changing the way our government, the nation, and much
of the world communicate and conduct business. Without proper safeguards
they also pose enormous risks that make it easier for individuals and
groups with malicious intent to intrude into inadequately protected
systems and use such access to obtain sensitive information, commit fraud,
disrupt operations, or launch attacks against other computer systems and
networks.

Protecting the computer systems that support critical operations and
infrastructures has never been more important because of the concern
about attacks from individuals and groups, including terrorists. These
concerns are well founded for a number of reasons, including the dramatic
increase in reports of security incidents, the ease of obtaining and using
hacking tools, the steady advance in the sophistication and effectiveness
of attack technology, and the dire warnings of new and more destructive
attacks to come.

Computer-supported federal operations are likewise at risk. Our previous
reports, and those of agency inspectors general, describe persistent
information security weaknesses that place a variety of critical federal
operations, including those at IRS, at risk of disruption, fraud, and
inappropriate disclosure. We have designated information security as a
governmentwide high-risk area since 1997,3 a designation that remains
today.4

In December 2002, Congress enacted the Federal Information Security
Management Act of 2002 (FISMA) to strengthen security of information and
systems within federal agencies.5 FISMA requires each agency to develop,
document, and implement an agencywide information security program to
provide information security for the information and systems that support
the operations and assets of the agency, using a risk-based approach to
information security management. In addition, FISMA requires that the
Secretary of the Treasury be responsible for, among other things, (1)
providing information security protections commensurate with the risk and
magnitude of the harm resulting from unauthorized access, use, disclosure,
disruption, modification, or destruction of the agency's information
systems and information; (2) ensuring that senior agency officials provide
information security for the information and information systems that
support the operations and assets under their control; and (3) delegating
to the agency chief information officer (CIO) the authority to ensure
compliance with the requirements imposed on the agency under the act.

3GAO, High-Risk Series: Information Management and Technology, GAO/HR-97-9
(Washington, D.C.: February 1997).

4GAO, High-Risk Series: An Update, GAO-05-207 (Washington, D.C.: January
2005).

5FISMA was enacted as title III, E-Government Act of 2002, Pub. L. No.
107-347, 116 Stat. 2946 (Dec. 17, 2002).

Treasury's CIO is responsible for developing and maintaining a
departmentwide information security program and for developing and
maintaining information security policies, procedures, and control
techniques that address all applicable requirements. Each Treasury bureau,
including the IRS, is responsible for implementing Treasury-mandated
security policies within its domain. In order to implement departmentwide
security policies, IRS is required to develop its own information security
program, including its own security compliance functions.

  IRS Is a Key Steward of Personal Taxpayer Information

As the nation's tax collector, IRS has the demanding responsibility of
collecting taxes, processing tax returns, and enforcing the nation's tax
laws. In fiscal years 2004 and 2003, IRS collected about $2 trillion in
tax payments, processed hundreds of millions of tax and information
returns, and paid about $278 billion and $300 billion, respectively, in
refunds to taxpayers. IRS employs tens of thousands of people in its 10
service campuses,6 three computing centers, and numerous field offices
throughout the United States. To efficiently fulfill its tax processing
responsibilities, IRS relies extensively on interconnected networks of
computer systems to perform various functions, such as collecting and
storing taxpayer data, processing tax returns, calculating interest and
penalties, generating refunds, and providing customer service.

Because of the nature of its mission, IRS also collects and maintains a
significant amount of personal and financial data on each American
taxpayer. The confidentiality of this sensitive information must be
protected; otherwise, taxpayers could be exposed to loss of privacy and to
financial loss and damages resulting from identity theft or other
financial crimes.

To help provide information security for its operations and assets
(including computing resources and taxpayer information), IRS has
developed and is implementing an agencywide information security program.
The Commissioner of Internal Revenue has overall responsibility for
ensuring the confidentiality, availability, and integrity of information
and information systems supporting the agency and its operations. The
Chief of MASS is responsible for developing policies and procedures
regarding information technology security; providing assurance services to
improve physical, data, and personnel security; conducting independent
testing; and ensuring security is integrated into its modernization
activities. To help accomplish these goals, IRS has developed and
published information security policies, guidelines, standards, and
procedures in the Internal Revenue Manual, Law Enforcement Manual, and
other documents.

6IRS campuses perform functions such as customer service, account
management, and tax examination services, whereas computing centers focus
primarily on data processing and software development activities.

  IRS Also Provides Processing Support for FinCEN

In addition to processing its own financial and tax information, IRS
provides information processing support to FinCEN, another Treasury
bureau. FinCEN administers and enforces the Bank Secrecy Act (BSA)7 and
its implementing provisions. Congress enacted the BSA to prevent banks and
other financial service providers from being used as intermediaries for,
or to hide the transfer or deposit of money derived from, criminal
activity. Since its passage, Congress has amended the BSA to enhance law
enforcement effectiveness. Today, more than 170 crimes are listed in
federal money-laundering statutes. They cover a broad range, including
drug trafficking, gunrunning, murder for hire, fraud, acts of terrorism,
and the illegal use of wetlands. The list also includes certain foreign
crimes. The reporting and record keeping requirements of the BSA
regulations create a paper trail for law enforcement to investigate money
laundering schemes and other illegal activities. This paper trail operates
to deter illegal activity and provides a means to trace the movements of
money through the financial system.

FinCEN relies on IRS to operate and maintain computer systems that process
and store a significant amount of FinCEN's sensitive information. This
information includes reports and filings from banks and other financial
institutions that are required under BSA, such as currency transactions,
foreign bank and financial accounts, international transportation of
currency or monetary instruments, and criminal referrals of suspicious
activities reports. This information is determined by FinCEN to have a
high degree of usefulness in criminal, tax, regulatory, intelligence, and
counterterrorism investigations, and in implementing counter money
laundering programs and compliance procedures. This network supports
federal, state, and local law enforcement, and intelligence and
investigative agencies as part of the federal government's effort to
combat terrorism and to investigate and prosecute crime.

7Titles I and II of Public Law 91-508 and 31 U.S.C. sections 5311-5330, as
amended by the USA PATRIOT Act and the Intelligence Reform and Terrorism
Prevention Act of 2004, are known as the Bank Secrecy Act. Regulations
implementing the Bank Secrecy Act appear at 31 C.F.R. Part 103.

  Objectives, Scope, and Methodology

The objectives of our review were to determine (1) the status of IRS's
actions to correct or mitigate previously reported weaknesses and (2)
whether controls over key financial and tax processing systems located at
the facility have been effective in ensuring the confidentiality,
integrity, and availability of sensitive financial and taxpayer data. We
concentrated our evaluation primarily on threats emanating from internal
sources on IRS's computer networks. To guide our work, we used the audit
methodology described in our Federal Information System Controls Audit
Manual,8 which discusses the scope of such reviews and the type of testing
required for evaluating general controls. We also used FISMA to guide our
review of IRS's implementation of its information security program.
Specifically, we evaluated information system controls intended to

o 	limit, detect, and monitor logical and physical access to sensitive
computing resources and facilities, thereby safeguarding them from misuse
and protecting them from unauthorized disclosure and modification;

o 	maintain operating system integrity through effective administration
and control of powerful computer programs and utilities that execute
privileged instructions;

o 	prevent the introduction of unauthorized changes to application
software in the existing software environment;

o 	ensure that work responsibilities are segregated, so that one
individual does not perform or control all key aspects of computer-related
operations and thereby have the ability to conduct unauthorized actions or
gain unauthorized access to assets or records;

o 	minimize the risk of unplanned interruptions and recover critical
computer processing operations in the case of disaster or other unexpected
interruptions; and

o 	implement an agencywide information security program that includes a
continuing cycle of assessing risk, implementing and promoting policies
and procedures to reduce such risk, and monitoring the effectiveness of
those activities.

8GAO, Federal Information System Controls Audit Manual, GAO/AIMD-12.19.6
(Washington, D.C.: January 1999).

To evaluate these controls, we identified and reviewed pertinent IRS
information security policies and procedures, guidance, security plans,
relevant reports, and other documents, and we tested the effectiveness of
these controls. We also discussed with key security representatives and
management officials whether information security controls were in place,
adequately designed, and operating effectively.

We performed our review at the IRS facility, at IRS's National Office in
New Carrollton, Maryland, and at our headquarters in Washington, D.C., in
accordance with generally accepted government auditing standards from
August through December 2004. We discussed the results of our review with
IRS, Treasury, and FinCEN officials.

  IRS Has Made Progress in Correcting Previously Reported Weaknesses

IRS has made progress in correcting previously reported information
security weaknesses. The agency has corrected or mitigated 32 of the 53
weaknesses that we reported as unresolved at the time of our last review
in 2002. For example, IRS has

o 	improved perimeter security by installing barriers at the facility's
entrance to prevent unauthorized vehicles from entering the premises,

o 	implemented policies and procedures to ensure that system software
products are tested and evaluated prior to installation,

o 	discontinued the practice of using shared accounts and passwords to
administer its network authentication server and firewall, and

o 	implemented procedures to ensure that disaster recovery plans are
up-to-date and maintained at the off-site storage facility.

While IRS has taken steps to strengthen its information security controls,
it had not completed actions to correct or mitigate the remaining 21
previously reported weaknesses. These weaknesses include granting and
authorizing inappropriate access permissions over Unix system files,
permitting remote access capabilities that expose passwords and user
identifications, allowing users to implement easily guessed passwords, and
permitting unrestricted physical access to sensitive computing areas.
Failure to resolve these issues will leave IRS facilities and sensitive
data vulnerable to unauthorized access, manipulation, and destruction.

  Serious Weaknesses Place Taxpayer and Bank Secrecy Act Data at Risk

IRS has not effectively implemented information security controls to
properly protect the confidentiality, integrity, and availability of data
processed by the facility's computers and networks. In addition to the 21
previously reported weaknesses that remain uncorrected, we identified 39
new information security weaknesses during this review. Serious weaknesses
related to electronic access to computing resources from sources located
on IRS's internal computer network place sensitive taxpayer and Bank
Secrecy Act data (including information related to financial crimes,
terrorist financing, money laundering, and other illicit activities) at
significant risk of unauthorized disclosure, modification, or destruction.
In addition, information security weaknesses that exist in other control
areas, such as physical security, segregation of duties, and service
continuity, further increase risk to the computing environment.

Collectively, these weaknesses threaten IRS's ability to perform its
operational missions, such as processing tax returns and law enforcement
information, both of which rely on IRS's computer systems and networks to
process, store, and transmit data.

  Electronic Access Controls Were Inadequate

A basic management objective for any organization is to protect the data
supporting its critical operations from unauthorized access. Organizations
accomplish this objective by designing and implementing electronic
controls that are intended to prevent, limit, and detect unauthorized
access to computing resources, programs, and data. Electronic access
controls include user accounts and passwords, access rights and
permissions, network services and security, and audit and monitoring of
security-related events. Inadequate electronic access controls diminish
the reliability of computerized data and increase the risk of unauthorized
disclosure, modification, and destruction of these data.

Electronic access controls were not effectively implemented to prevent,
limit, and detect unauthorized access to the facility's computer systems
and data. Numerous vulnerabilities existed in IRS's computing environment
because of the cumulative effects of control weaknesses in the areas of
user accounts and passwords, access rights and permissions, network
services and security, and audit and monitoring of security-related
events.

  User Accounts and Passwords

A computer system must be able to identify and
differentiate among users so that activities on the system can be linked
to specific individuals. Unique user accounts assigned to specific users
allow systems to distinguish one user from another, a process called
identification. The system must also establish the validity of a user's
claimed identity through some means of authentication, such as a password,
known only to its owner. The combination of identification and
authentication, such as user account/password combinations, provides the
basis for establishing individual accountability and controlling access to
the system. Accordingly, agencies should (1) implement procedures to
control the creation, use, and removal of user accounts and (2) establish
password parameters, such as length, life, and composition, to strengthen
the effectiveness of account/password combinations for authenticating the
identity of users.

IRS did not adequately control user accounts and passwords to ensure that
only authorized individuals were granted access to its systems and data.
For example, it did not adequately protect mainframe systems files that
contain embedded user accounts and passwords. Access to these files was
not adequately restricted, and user account and password combinations
could have been read by any authorized user (IRS, law enforcement, and
contractors) of the system. In addition, IRS did not adequately control
user accounts and passwords to ensure that only authorized individuals
were allowed access to its servers and networks. As a result, increased
risk exists that unauthorized users could gain authorized user ID and
password combinations to claim a user identity and then use that identity
to gain access to sensitive taxpayer or Bank Secrecy Act data.

  Access Rights and Permissions

A basic underlying principle for securing
computer systems and data is the concept of least privilege. This means
that users are granted only those access rights and permissions they need
to perform their official duties. Organizations establish access rights
and permissions to restrict the access of legitimate users to only the
specific programs and files that they need to do their work. User rights
are allowable actions that can be assigned to users or groups. File and
directory permissions are rules associated with a file or directory; they
regulate which users can access them and in what manner. Assignment of
rights and permissions must be carefully considered to avoid giving users
unnecessary access to sensitive files and directories.

IRS routinely permitted excessive access to the facility's computer
systems (mainframes, Unix, and Windows) that support sensitive taxpayer and
Bank Secrecy Act data and to critical datasets and files. Access controls
over the mainframe computing environment did not logically separate IRS's
data from FinCEN's data. For example, IRS granted all 7,460 mainframe
users (IRS employees, non-IRS employees, and contractors), regardless of
their official duties, the ability to read and modify sensitive taxpayer
and Bank Secrecy Act data, including information about citizens, law
enforcement personnel, and individuals subject to investigation. In
addition, IRS also did not adequately restrict access rights and
permissions on its Windows servers. For example, it did not adequately
restrict access to Windows accounts with powerful rights over the
operating system. Inappropriate access to accounts with powerful rights
can compromise the integrity of the operating system and the privacy of
the data that reside on the servers.
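The least-privilege review described above, as an added example that is not part of the GAO report: it checks a constructed extract of mainframe dataset grants against a role-based policy and reports excessive access, users with access to both bureaus' data, and datasets granted to every user regardless of duties. The roles, dataset names, access levels and policy are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Access levels in increasing order of privilege (constructed model of the
# dataset permissions a mainframe security product would enforce).
LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2, "ALTER": 3}


@dataclass(frozen=True)
class Grant:
    user: str
    role: str      # job role taken from the access-request or HR record
    dataset: str
    owner: str     # "IRS" or "FINCEN": whose data the dataset holds
    level: str     # highest access level granted on the dataset


# Constructed least-privilege policy: the most access each role needs, by
# data owner. A role with no entry for an owner needs no access to that data.
POLICY = {
    "irs_examiner":   {"IRS": "READ"},
    "irs_dba":        {"IRS": "ALTER"},
    "fincen_analyst": {"FINCEN": "READ"},
    "fincen_sysprog": {"FINCEN": "ALTER"},
    "contractor_dev": {},   # developers need no access to production data
}

# Constructed extract of dataset grants, modelled on the finding that every
# mainframe user could read and modify Bank Secrecy Act data.
SAMPLE_GRANTS = [
    Grant("alice", "irs_examiner",   "IRS.TAX.MASTER", "IRS",    "READ"),
    Grant("alice", "irs_examiner",   "FINCEN.BSA.SAR", "FINCEN", "UPDATE"),
    Grant("bob",   "irs_dba",        "IRS.TAX.MASTER", "IRS",    "ALTER"),
    Grant("bob",   "irs_dba",        "FINCEN.BSA.SAR", "FINCEN", "UPDATE"),
    Grant("carol", "fincen_analyst", "FINCEN.BSA.SAR", "FINCEN", "UPDATE"),
    Grant("carol", "fincen_analyst", "IRS.TAX.MASTER", "IRS",    "READ"),
    Grant("dave",  "contractor_dev", "FINCEN.BSA.SAR", "FINCEN", "UPDATE"),
    Grant("dave",  "contractor_dev", "IRS.TAX.MASTER", "IRS",    "NONE"),
    Grant("erin",  "fincen_sysprog", "FINCEN.BSA.SAR", "FINCEN", "ALTER"),
]
SAMPLE_POPULATION = {"alice", "bob", "carol", "dave", "erin"}


def excessive_grants(grants, policy):
    """Grants whose level exceeds what the holder's role needs.

    Returns (user, dataset, granted, allowed) tuples; a role unknown to the
    policy is treated as needing no access at all.
    """
    findings = []
    for g in grants:
        allowed = policy.get(g.role, {}).get(g.owner, "NONE")
        if LEVELS[g.level] > LEVELS[allowed]:
            findings.append((g.user, g.dataset, g.level, allowed))
    return findings


def cross_bureau_users(grants):
    """Users holding access to both IRS and FinCEN data, i.e. users for whom
    the environment does not logically separate the two bureaus' data."""
    owners = defaultdict(set)
    for g in grants:
        if LEVELS[g.level] > LEVELS["NONE"]:
            owners[g.user].add(g.owner)
    return sorted(u for u, seen in owners.items() if {"IRS", "FINCEN"} <= seen)


def blanket_grants(grants, population, min_level="UPDATE"):
    """Datasets on which every user in the population holds at least
    min_level access: a grant made regardless of official duties."""
    holders = defaultdict(set)
    for g in grants:
        if LEVELS[g.level] >= LEVELS[min_level]:
            holders[g.dataset].add(g.user)
    return sorted(ds for ds, users in holders.items() if set(population) <= users)


if __name__ == "__main__":
    for user, dataset, granted, allowed in excessive_grants(SAMPLE_GRANTS, POLICY):
        print(f"EXCESSIVE {user:6} {dataset:16} has {granted}, role needs {allowed}")
    print("cross-bureau access:", cross_bureau_users(SAMPLE_GRANTS))
    print("blanket write grants:", blanket_grants(SAMPLE_GRANTS, SAMPLE_POPULATION))
```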

Network Services and Security

Networks are series of interconnected
devices and software that allow individuals to share data and computer
programs. Because sensitive programs and data are stored on or transmitted
along networks, effectively securing networks is essential to protecting
computing resources and data from unauthorized access, manipulation, and
use. Organizations secure their networks, in part, by installing and
configuring network devices that permit authorized network service
requests and deny unauthorized requests and by limiting the services that
are available on the network. Network devices include (1) firewalls
designed to prevent unauthorized access into the network, (2) routers that
filter and forward data along the network, (3) switches that forward
information among parts of a network, and (4) servers that host
applications and data. Network services consist of protocols for
transmitting data between computers. Insecurely configured network
services and devices can make a system vulnerable to internal or external
threats, such as denial-of-service attacks. Since networks often provide
the entry point for access to electronic information assets, failure to
secure those networks increases the risk of unauthorized use of sensitive
data and systems.

IRS did not securely control network services to prevent unauthorized
access to and ensure the integrity of IRS's computer networks and systems
at the facility. For example, IRS did not adequately secure its network
against known vulnerabilities or misconfigured network services on several
of its infrastructure devices. As a result, an unauthorized user could
gain access to these network devices and gain control of the facility's
network, placing IRS and FinCEN data at risk. Further, this unauthorized
control could seriously disrupt computer operations.

Audit and Monitoring of Security-Related Events

Determining what, when, and by whom specific actions were taken on a
system is crucial to establishing individual
accountability, monitoring compliance with security policies, and
investigating security violations. Organizations accomplish this by
implementing system or security software that provides an audit trail for
determining the source of a transaction or attempted transaction and for
monitoring users' activities. How organizations configure the system or
security software determines the nature and extent of audit trail
information that is provided. To be effective, organizations should (1)
configure the software to collect and maintain sufficient audit trails for
security-related events; (2) generate reports that selectively identify
unauthorized, unusual, and sensitive access activity; and (3) regularly
monitor and take action on these reports. Without sufficient auditing and
monitoring, organizations increase the risk that they may not detect
unauthorized activities or policy violations.

The risks created by the serious electronic access control weaknesses
discussed above were heightened because IRS did not effectively audit and
monitor system activity on its servers. For example, not all Windows
servers at the facility were configured to ensure sufficient retention of
security logs. As a result, there was a higher risk of unauthorized system
activity going undetected.

  IRS and FinCEN Data Are at Significant Risk

The cumulative effect of inadequate electronic access controls specific to
user accounts and passwords, access rights and permissions, network
services and security, and audit and monitoring places sensitive taxpayer
and Bank Secrecy Act data at risk of unauthorized disclosure, use,
modification, or destruction, possibly without detection. More
specifically, electronic access controls over authorized users (IRS
employees, contractors, and law enforcement officials) were not effectively
implemented to restrict these users to the data they needed in order to
perform their official duties and to protect sensitive programs and data
from unauthorized access, manipulation, and use.

As a result, we were able to view and print Bank Secrecy Act data from
datasets containing Suspicious Activity Reports that have been filed under
the Bank Secrecy Act. The information we were able to capture included,
among other things, dates of the investigation, the name, Social Security
number, and driver's license number of the individual under investigation,
the number and total dollar amount of financial transactions, and
suspected terrorist activity, if any. Moreover, the weaknesses in
electronic access controls also allowed FinCEN users, who include federal,
state, and local law enforcement officials, the capability to access
sensitive IRS systems and view taxpayer information. The Internal Revenue
Code [9] prohibits disclosure of taxpayer data generally, and the Taxpayer
Browsing Protection Act [10] prohibits unauthorized browsing of taxpayer
returns or information by federal, state, and local employees. We have
previously reported violations of IRS employees browsing taxpayer
information and on IRS's efforts to monitor employee browsing [11]. Given the
weaknesses with its audit and monitoring controls, it is unlikely that IRS
would be able to detect any illegal browsing of taxpayer information with
the systems currently in use.

Unless these weaknesses are corrected, sensitive taxpayer and Bank Secrecy
Act data will remain at risk of unauthorized disclosure, use,
modification, or destruction, possibly without detection.

  Other Information Security Weaknesses Exist

Physical Security

In addition to the electronic access security controls, other information
security controls should be in place to ensure the confidentiality,
integrity, and availability of an organization's systems and data. These
controls include policies, procedures, and control techniques that
physically secure an organization's computer resources and systems,
provide proper segregation of incompatible duties and computer functions
among computer users, and ensure continuity of computer processing
operations in the event of a disaster or unexpected interruption.

Physical security controls are important for protecting computer
facilities and resources from vandalism and sabotage, theft, accidental or
deliberate alteration or destruction of information or property, attacks
on personnel, and unauthorized access to computing resources. Physical
security controls should prevent, limit, and detect access to facility
grounds, buildings, and sensitive work areas, and the agency should
periodically review the access granted to computer facilities and
resources to ensure that this access continues to be appropriate. Examples
of physical security controls include perimeter fencing, surveillance
cameras, security guards, and locks. Inadequate physical security could
lead to the loss of life and property, the disruption of functions and
services, and the unauthorized disclosure of documents and information.

[9] 26 U.S.C. § 6103.

[10] 26 U.S.C. § 7213A.

[11] GAO, IRS Systems Security and Funding: Additional Information on
Employee Browsing and Tax Systems Modernization, GAO/AIMD/GGD-97-140R
(Washington, D.C.: June 23, 1997); IRS Systems Security and Funding:
Employee Browsing Not Being Addressed Effectively and Budget Requests for
New Systems Development Not Justified, GAO/T-AIMD-97-82 (Washington, D.C.:
Apr. 15, 1997).

Although IRS has implemented physical security controls, certain
weaknesses reduce the effectiveness of these controls in protecting and
controlling physical access to assets at the facility. For example, guards
did not always verify employees' identities as they entered the facility.
Failure to check IRS photo identifications increases the risk that
unauthorized individuals could gain access to the facility. In addition,
IRS did not always maintain effective control over the issuance of master
keys. The lack of accountability over master keys increases the likelihood
that an unauthorized person could gain possession of a master key and use
it to access sensitive areas.

Segregation of Duties

Controls that segregate duties are the policies,
procedures, and organizational structure that prevent one individual from
controlling key aspects of computer-related operations and thereby having
the capability to conduct unauthorized actions or gain unauthorized access
to assets or records without being promptly detected. Inadequately
segregated duties increase the risk that erroneous or fraudulent
transactions could be processed, improper program changes implemented, or
computer resources damaged or destroyed.

We identified instances in which duties were not adequately segregated to
ensure that no individual had complete authority or system access, which
could result in fraudulent activity. For example, developers were
routinely granted production level access on the facility's mainframe
processing environment by individuals other than those responsible for the
security administration of the mainframe. A review of one month of audit
logs showed that 24 users (including 5 contractors) who were only granted
access to the development mainframe environment had their access
privileges elevated to production, several of them on a daily basis.
Although user access was being logged, MASS employees neither controlled
the action that elevated the developers' access permissions nor routinely
monitored audit logs. As a result, MASS employees did not detect that
users' access had been elevated. Granting developers access to
production systems creates the potential for those individuals to perform
incompatible functions.
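The audit-log review that the Audit and Monitoring section calls for, applied to the segregation-of-duties finding just described, as an added example that is not part of the GAO report: it reads a constructed month of mainframe security records and reports developers whose access was elevated to production datasets (how often, on how many distinct days, and whether they are contractors), together with every permission change made by someone outside security administration. The record layout, user names and group memberships are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed record layout for this example. A real mainframe security
# product writes its own audit record format; the fields reviewed are the same.
PERMIT_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} SECLOG PERMIT "
    r"actor=(?P<actor>\S+) target=(?P<target>\S+) "
    r"resource=(?P<resource>\S+) access=(?P<access>\S+)$"
)

# Constructed month of audit records (only a few days shown).
SAMPLE_LOG = """\
2004-09-01 07:58:12 SECLOG PERMIT actor=oper_lee target=dev_adams resource=PROD.TAX.DATA access=UPDATE
2004-09-01 08:01:44 SECLOG PERMIT actor=oper_lee target=dev_baker resource=PROD.BSA.SAR access=UPDATE
2004-09-02 08:03:10 SECLOG PERMIT actor=oper_lee target=dev_adams resource=PROD.TAX.DATA access=UPDATE
2004-09-03 08:00:05 SECLOG PERMIT actor=oper_lee target=dev_adams resource=PROD.TAX.DATA access=UPDATE
2004-09-03 14:22:31 SECLOG PERMIT actor=secadm_kim target=dev_baker resource=PROD.BSA.SAR access=READ
2004-09-04 09:15:00 SECLOG PERMIT actor=oper_lee target=ctr_chen resource=PROD.TAX.DATA access=UPDATE
2004-09-04 09:16:00 SECLOG LOGON user=dev_adams
2004-09-05 08:00:00 SECLOG PERMIT actor=secadm_kim target=ops_diaz resource=PROD.TAX.DATA access=UPDATE
2004-09-05 10:30:00 SECLOG PERMIT actor=oper_lee target=dev_baker resource=DEV.TEST.DATA access=ALTER
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()

# Assumed group memberships, as security administration staff would hold them.
DEV_USERS = {"dev_adams", "dev_baker", "ctr_chen"}   # development environment only
CONTRACTORS = {"ctr_chen"}
SECURITY_ADMINS = {"secadm_kim"}                     # the only staff who may change access


@dataclass
class Finding:
    user: str
    contractor: bool
    events: int = 0                          # production grants to this developer
    days: set = field(default_factory=set)   # distinct days on which access was elevated
    uncontrolled: int = 0                    # grants made outside security administration


def parse_permits(lines):
    """Yield the fields of each PERMIT record; other record types are skipped."""
    for line in lines:
        m = PERMIT_RE.match(line.strip())
        if m:
            yield m.groupdict()


def review_elevations(lines, dev_users, security_admins, contractors, prod_prefix="PROD."):
    """Developers granted access to production resources, keyed by user."""
    findings = {}
    for ev in parse_permits(lines):
        if ev["target"] not in dev_users or not ev["resource"].startswith(prod_prefix):
            continue
        f = findings.setdefault(ev["target"], Finding(ev["target"], ev["target"] in contractors))
        f.events += 1
        f.days.add(ev["date"])
        if ev["actor"] not in security_admins:
            f.uncontrolled += 1
    return findings


def uncontrolled_changes(lines, security_admins):
    """Every permission change made by someone who is not a security administrator."""
    return [ev for ev in parse_permits(lines) if ev["actor"] not in security_admins]


def summarize(findings, daily_threshold=3):
    """(developers elevated, of which contractors, of which elevated on
    at least daily_threshold distinct days)."""
    n_contractors = sum(1 for f in findings.values() if f.contractor)
    n_daily = sum(1 for f in findings.values() if len(f.days) >= daily_threshold)
    return (len(findings), n_contractors, n_daily)


if __name__ == "__main__":
    findings = review_elevations(SAMPLE_LINES, DEV_USERS, SECURITY_ADMINS, CONTRACTORS)
    for f in findings.values():
        tag = " (contractor)" if f.contractor else ""
        print(f"{f.user}{tag}: elevated to production {f.events} times on "
              f"{len(f.days)} days, {f.uncontrolled} by non-security staff")
    print("developers, contractors, repeated:", summarize(findings))
    print("permission changes outside security administration:",
          len(uncontrolled_changes(SAMPLE_LINES, SECURITY_ADMINS)))
```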

Service Continuity

Service continuity controls should be designed to
ensure that when unexpected events occur, critical operations continue
without interruption or are promptly resumed and that critical and
sensitive data are protected. These controls include (1) environmental
controls and procedures designed to protect information resources and
minimize the risk of unplanned interruptions and (2) a well-tested plan to
recover critical operations should interruptions occur. If service
continuity controls are inadequate, even relatively minor interruptions
can result in lost or incorrectly processed data, which can cause
financial losses, expensive recovery efforts, and inaccurate or incomplete
financial or management information.

IRS has in place environmental controls designed to protect computing
resources and personnel; it also has a program for periodic testing of
disaster recovery plans. However, IRS's disaster recovery and business
resumption plans for resuming operations following a disruption did not
include procedures for Unix and Windows systems. In the event of a
disaster, the facility may not be able to coordinate appropriate measures
to restore critical Unix and Windows systems.

  Information Security Program Is Not Fully Implemented at IRS

The weaknesses described in this report are symptomatic of an agencywide
information security program that is not fully implemented across IRS.
Implementing an information security program is essential to ensuring that
controls over information and information systems work effectively on a
continuing basis, as described in our May 1998 study of security
management best practices [12].

We previously recommended to the IRS Commissioner that IRS complete its
implementation of an effective agencywide information security program [13].
Since our last review, IRS has made important progress toward improving
information security management. For example, as part of activities
required for certification and accreditation of all IRS general support
systems [14], it established MASS, appointed a senior information security
officer to manage the program, and established a task force for conducting
risk assessments and security test and evaluations. However, the recurring
and newly identified weaknesses discussed in this report, as well as the
similarity of these weaknesses to those we have previously identified at
other IRS facilities, are indicative of an information security program
that is not fully implemented across the agency.

[12] GAO, Executive Guide: Information Security Management-Learning from
Leading Organization, GAO/AIMD-98-68 (Washington, D.C.: May 1998).

[13] GAO, Information Security: Progress Made, but Weaknesses at the Internal
Revenue Service Continue to Pose Risks, GAO-03-44 (Washington, D.C.: May
30, 2003).

FISMA, consistent with our security management best practices guide,
requires key elements of an agency's information security program to
strengthen information security and to adequately protect the information
and systems that support its operations. These elements include

o 	policies and procedures that (1) are based on risk assessments, (2)
cost-effectively reduce risks, (3) ensure that information security is
addressed throughout the life cycle of each system, and (4) ensure
compliance with applicable requirements;

o 	security awareness training to inform personnel, including contractors
and other users of information systems, of information security risks and
their responsibilities in complying with agency policies and procedures;
and

o 	at least annual testing and evaluation of the effectiveness of
information security policies, procedures, and practices relating to the
management, operational, and technical controls of every major information
system that is identified in the agencies' inventories.

Establishing and Implementing Policies

A key element of an effective information security program is establishing
and implementing appropriate policies, procedures, and technical
standards to govern security over an agency's computing environment. Such
policies and procedures should integrate all security aspects of an
organization's interconnected environment, including local and wide area
networks and interconnections to contractor and other federal agencies
that support critical mission operations. In addition, technical security
standards are needed to provide consistent implementing guidance for each
computing environment. Establishing and documenting security policies is
important because they are the primary mechanism by which management
communicates its views and requirements; these policies also serve as the
basis for adopting specific procedures and technical controls. In
addition, agencies need to take the actions necessary to effectively
implement or execute these procedures and controls. Otherwise, agency
systems and information will not receive the protection that should be
provided by the security policies and controls.

[14] General support systems are sets of resources that provide necessary
information technology infrastructure support to applications and business
functionality such that compromise would have a severe adverse effect on
the IRS mission, tax administration functions, or employee welfare.

Although IRS has established and documented policies and procedures for
specific security areas, including password standards and disaster
recovery planning, it frequently has not implemented them. We continue to
report that the facility has not implemented policies and procedures
contained in IRS's Law Enforcement Manual and Internal Revenue Manual
pertaining to user accounts and passwords, access rights and permissions,
network services and security, audit and monitoring, and other information
system controls. Of the new weaknesses identified, 33 of 39 resulted from
IRS not implementing its established security policies and procedures. As
a result, IRS is at increased risk that sensitive financial, taxpayer, and
Bank Secrecy Act data could be exposed to unauthorized access without
detection.

Promoting Security Awareness and Training

Another key element of an information security program involves
promoting awareness and providing required training so that
users understand the risks and their role in implementing related policies
and controls to mitigate those risks. Computer intrusions and security
breakdowns often occur because computer users fail to take appropriate
security measures. For this reason, it is vital that employees who use
computer resources in their day-to-day operations be made aware of the
importance and sensitivity of the information they handle, as well as the
business and legal reasons for maintaining its confidentiality, integrity,
and availability. FISMA mandates that all federal employees and
contractors involved in the use of agency information systems be provided
periodic training in information security awareness and accepted
information security practice. Further, FISMA requires agency heads to
ensure employees with significant information security responsibilities
are provided sufficient training.

IRS has established information security awareness programs for its
employees and contractors. These programs include distributing security
awareness bulletins and brochures and creating information security poster
boards. As reported by Treasury's OIG in its 2004 FISMA report, 100
percent of IRS employees received security awareness training; however,
only 28 percent of IRS government and contractor employees with
significant security responsibilities received specialized training.
Security administration staff at the facility stated that they were
largely self-taught in security software and that only one staff member in
the past 2 years had received technical mainframe security training.
Consequently, the staff was not knowledgeable about some of the more
recent technical advances relating to the mainframe operating system and
security software.

Subsequent to the completion of our fieldwork, the Chief of MASS informed
us that he formally assigned information system security officers for each
of the IRS campuses and computing centers, and the IRS network and held
specialized training for these officers.

Testing and Evaluating the Effectiveness of Controls

The final key element of an information security program is ongoing testing
and evaluation to ensure that systems are in
compliance with policies, and that policies and controls are both
appropriate and effective. This type of oversight is a fundamental element
because it demonstrates management's commitment to the security program,
reminds employees of their roles and responsibilities, and identifies and
mitigates areas of noncompliance and ineffectiveness. Although control
tests and evaluations may encourage compliance with security policies, the
full benefits of such activities will not be achieved unless the results
improve the security program. Analyzing the results of monitoring
efforts, as well as security reviews performed by external audit
organizations, provides security specialists and business managers with a
means of identifying new problem areas, reassessing the appropriateness of
existing controls, and identifying the need for new controls.

IRS performs periodic testing and evaluation of its Unix, Windows, and
Mainframe systems. Specifically, IRS uses software tools and monitoring
reports to determine if its systems are in compliance with agency
information security policies, procedures, and practices. However, output
from these tools was not always reliable and accurate. Further, IRS did
not effectively audit and monitor the facility's information security
systems. Specifically, user activity on critical Unix systems was not
being logged, full auditing of system user rights was not always
occurring, audit logs on Windows servers were not always retained, and
monitoring reports detailing security-related events on mainframe
computers were not always complete.

Until IRS fully implements an effective program, it will not be able to
ensure the security of its highly interconnected computer environment,
facilities, and resources. Moreover, IRS will not be able to ensure the
confidentiality, integrity, or availability of the sensitive financial,
taxpayer, and Bank Secrecy Act data that it processes, stores, and
transmits. As a result, IRS's operations and assets remain vulnerable to
unauthorized disclosure, manipulation, use, or destruction.

Conclusions

Significant information security weaknesses exist at IRS that
place sensitive financial, taxpayer, and Bank Secrecy Act data at risk of
disclosure, modification, or loss, possibly without detection, and place
IRS's operations at risk of disruption. Specifically, IRS has not
consistently implemented effective electronic access controls, including
user accounts and passwords, access rights and permissions, and network
security, or fully implemented a program to audit and monitor access
activity. In addition, weaknesses in physical security, segregation of
duties, and service continuity increase the level of risk. Although IRS
continues to make progress in mitigating previously reported information
security weaknesses and implementing general controls over key financial
and tax processing systems at the facility, it has not taken all the
necessary steps to mitigate known information security control weaknesses
and to ensure the confidentiality, integrity, and availability of taxpayer
and Bank Secrecy Act data. Consequently, taxpayer and Bank Secrecy Act
data may have been disclosed to unauthorized individuals. Ensuring that
known weaknesses affecting IRS's computing resources are promptly
mitigated and that general controls are effective to protect the
facility's computing environment require top management support and
leadership, disciplined processes, and consistent oversight. Until IRS
takes steps to mitigate these weaknesses and fully implements its
agencywide information security program, limited assurance exists that
taxpayers' personal information and IRS-processed law enforcement
information will be adequately safeguarded against unauthorized
disclosure, modification, or destruction.

Recommendations for Executive Action

To help fully implement IRS's information security program, we recommend
that the Secretary of the Treasury direct the IRS Commissioner to take the
following three actions:

o 	Ensure that established security policies and procedures are
consistently followed and implemented.

o 	Ensure that employees with significant information security
responsibilities are provided sufficient training and understand their
role in implementing security-related policies and controls.

o 	Implement an ongoing process of testing and evaluating IRS's
information systems to ensure compliance with established policies and
procedures.

In addition, we recommend that the Secretary of the Treasury direct the
IRS Commissioner to perform an assessment to determine whether taxpayer
data has been disclosed to unauthorized individuals.

Further, we recommend that the Secretary of the Treasury direct the FinCEN
Director to perform an assessment to determine whether Bank Secrecy Act
data have been disclosed to unauthorized individuals.

We are also making recommendations in a separate report designated for
"Limited Official Use Only." These recommendations address actions needed
to correct the specific information security weaknesses related to
electronic access controls and other information system controls at the
facility.

Agency Comments

In providing written comments on a draft of this report
(reprinted in app. I), the Acting Deputy Secretary of the Treasury
generally concurred with our recommendations in both the public and
Limited Official Use Only reports and identified specific corrective
actions that IRS has taken or plans to take to address the
recommendations.

The Acting Deputy Secretary of the Treasury concurred with our
recommendation to take several actions to fully implement an effective
agencywide information security program. The Acting Deputy stated that IRS
continues to make progress in addressing the computer security
deficiencies throughout the agency, as noted in our public and Limited
Official Use Only reports. The Acting Deputy stated that in mid-2004, IRS
began an agencywide initiative to complete required security activities,
such as the development of security plans and security testing by fiscal
year 2005.

The Acting Deputy's comments also addressed several completed corrective
actions, including properly configuring access rights to the mainframe
computing environment, auditing the activity of high-level user
access on the mainframe environment, capturing and pursuing all security
violations, designating Information Systems Security Officers at all IRS
locations, and establishing the position of Director, Information
Technology Security to ensure that the overall design of new applications
and the operation of current systems adhere to security requirements.

The Acting Deputy Secretary also concurred with our recommendation to
direct the IRS Commissioner to perform an assessment to determine whether
taxpayer data have been disclosed to unauthorized individuals.

Regarding our recommendation to direct the FinCEN Director to perform an
assessment to determine whether Bank Secrecy Act data have been disclosed
to unauthorized individuals, the Acting Deputy stated that it is more
appropriate to have IRS conduct this review because FinCEN does not have
the legal authority to conduct such an assessment of IRS tax information.
This alternative approach meets the intent of our recommendation as long
as IRS reports the results of its assessment to the Director of FinCEN.

We are sending copies of this report to the Chairmen and Ranking Minority
Members of the House Committee on Government Reform; House and Senate
Committees on Appropriations; House and Senate Committees on Budget;
Secretary of the Treasury; Commissioner of Internal Revenue; and
Treasury's Director, Financial Crimes Enforcement Network. We also will
make copies available to others upon request. In addition, this report
will be available at no charge on the GAO Web site at http://www.gao.gov.

If you or your office have any questions about this report, please contact
Gregory C. Wilshusen at (202) 512-3317 or Keith A. Rhodes at (202)
512-6412; we can also be reached by e-mail at [email protected] or
[email protected]. Other contacts and key contributors to this report are
listed in appendix II.

Gregory C. Wilshusen Director, Information Security Issues

Keith A. Rhodes Chief Technologist

                                   Appendix I

                  Comments from the Secretary of the Treasury


Appendix II

                     GAO Contact and Staff Acknowledgments

GAO Contact

Jenniffer Wilson, (202) 512-9192

  Staff Acknowledgments

In addition to the individual named above, Gerald Barnes, Bruce Cain,
Joseph Cruz, Joanne Fiorino, Denise Fitzpatrick, Ed Glagola, David Hayes,
Myong Suk Kim, Harold Lewis, Mary Marshall, Duc Ngo, Ron Parker, Charles
Roney, Eugene Stevens, and Henry Sutanto made key contributions to this
report.

(310555)
