Information Security: IRS Needs to Address Pervasive Weaknesses
(08-JAN-08, GAO-08-211).
The Internal Revenue Service (IRS) relies extensively on
computerized systems to carry out its demanding responsibilities
to collect taxes (about $2.7 trillion in fiscal year 2007),
process tax returns, and enforce the nation's tax laws. Effective
information security controls are essential to ensuring that
financial and taxpayer information is adequately protected from
inadvertent or deliberate misuse, fraudulent use, improper
disclosure, or destruction. As part of its audit of IRS's fiscal
years 2007 and 2006 financial statements, GAO assessed (1) IRS's
actions to correct previously reported information security
weaknesses and (2) whether controls were effective in ensuring
the confidentiality, integrity, and availability of financial and
sensitive taxpayer information. To do this, GAO examined IRS
information security policies and procedures, guidance, security
plans, reports, and other documents; tested controls over key
financial applications at three IRS data centers; and interviewed
key security representatives and management officials.
-------------------------Indexing Terms-------------------------
REPORTNUM: GAO-08-211
ACCNO: A79438
TITLE: Information Security: IRS Needs to Address Pervasive
Weaknesses
DATE: 01/08/2008
SUBJECT: Computer security
Data integrity
Financial institutions
Information classification
Information security
Information security management
Information security regulations
Internal controls
Tax returns
Taxes
Security standards
******************************************************************
** This file contains an ASCII representation of the text of a **
** GAO Product. **
** **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced. Tables are included, but **
** may not resemble those in the printed version. **
** **
** Please see the PDF (Portable Document Format) file, when **
** available, for a complete electronic file of the printed **
** document's contents. **
** **
******************************************************************
GAO-08-211
* [1]
* [2]Results in Brief
* [3]Background
* [4]Objectives, Scope, and Methodology
* [5]IRS Has Made Limited Progress in Correcting Previously Repor
* [6]Significant Weaknesses Continue to Place Financial and Taxpa
* [7]IRS Did Not Sufficiently Control Access to Information
Resou
* [8]Controls for Identifying and Authenticating Users
Were Not C
* [9]Users Were Routinely Given More System Access Than
Needed to
* [10]Sensitive Data Were Not Always Encrypted
* [11]Logging Procedures Did Not Effectively Capture
Changes to Ma
* [12]Weaknesses in Physical Security Controls Reduced
Their Effec
* [13]Weaknesses in Other Information Security Controls
Increased
* [14]Configuration Management Policies Were Not Fully
Implemented
* [15]Incompatible Duties Were Not Always Appropriately
Segregated
* [16]IRS Has Not Fully Implemented Its Information Security
Progr
* [17]Although a Risk Assessment Process Was Implemented,
Potentia
* [18]Although IRS Policies and Procedures Were Generally
Adequate
* [19]Security Plans Adequately Documented Management,
Operational
* [20]Although Training Was Provided, Employees with
Significant S
* [21]Although Controls Were Tested and Evaluated, Tests
Were Not
* [22]Remedial Action Plans Were Not Always Complete, and
Correcti
* [23]Contingency Plans Were Not Always Complete or
Tested
* [24]Conclusions
* [25]Recommendations for Executive Action
* [26]Agency Comments
* [27]Appendix I: Comments from the Internal Revenue Service
* [28]Appendix II: GAO Contacts and Staff Acknowledgments
* [29]GAO Contacts
* [30]Staff Acknowledgments
* [31]Order by Mail or Phone
Report to the Acting Commissioner of Internal Revenue
United States Government Accountability Office
GAO
January 2008
INFORMATION SECURITY
IRS Needs to Address Pervasive Weaknesses
GAO-08-211
Contents
Letter 1
Results in Brief 2
Background 3
Objectives, Scope, and Methodology 6
IRS Has Made Limited Progress in Correcting Previously Reported Weaknesses
8
Significant Weaknesses Continue to Place Financial and Taxpayer
Information at Risk 9
Conclusions 21
Recommendations for Executive Action 22
Agency Comments 22
Appendix I Comments from the Internal Revenue Service 25
Appendix II GAO Contacts and Staff Acknowledgments 27
Abbreviations
CIO: chief information officer:
FISMA: Federal Information Security Management Act:
IRS: Internal Revenue Service:
MA&SS: Mission Assurance and Security Services:
NIST: National Institute of Standards and Technology:
OMB: Office of Management and Budget:
TIGTA: Treasury Inspector General for Tax Administration:
This is a work of the U.S. government and is not subject to copyright
protection in the United States. The published product may be reproduced
and distributed in its entirety without further permission from GAO.
However, because this work may contain copyrighted images or other
material, permission from the copyright holder may be necessary if you
wish to reproduce this material separately.
United States Government Accountability Office
Washington, DC 20548
January 8, 2008
The Honorable Linda E. Stiff
Acting Commissioner of Internal Revenue
Dear Ms. Stiff:
The Internal Revenue Service (IRS) has a demanding responsibility in
collecting taxes, processing tax returns, and enforcing the nation's tax
laws. It relies extensively on computerized systems to support its
financial and mission-related operations. Effective information system
controls are essential to ensuring that financial and taxpayer information
are adequately protected from inadvertent or deliberate misuse, fraudulent
use, improper disclosure, or destruction. These controls also affect the
confidentiality, integrity, and availability of financial and sensitive
taxpayer information.
As part of our audit of IRS's fiscal years 2007 and 2006 financial
statements,^1 we assessed the effectiveness of the service's information
security controls^2 over key financial systems, information, and
interconnected networks at three locations. These systems support the
processing, storage, and transmission of financial and sensitive taxpayer
information. In our report on IRS's fiscal years 2007 and 2006 financial
statements, we reported that the new information security deficiencies we
identified in fiscal year 2007 and the unresolved deficiencies from prior
audits represent a material weakness^3 in internal controls over financial
and tax processing systems.
^1GAO, Financial Audit: IRS's Fiscal Years 2007 and 2006 Financial
Statements, [32]GAO-08-166 (Washington, D.C.: Nov. 9, 2007).
^2Information security controls include logical and physical access
controls, configuration management, segregation of duties, and continuity
of operations. These controls are designed to ensure that access to data
is appropriately restricted, that physical access to sensitive computing
resources and facilities is protected, that only authorized changes to
computer programs are made, that computer security duties are segregated,
and that back-up and recovery plans are adequate to ensure the continuity
of essential operations.
^3A material weakness is a significant deficiency, or combination of
significant deficiencies, that results in more than a remote likelihood
that a material misstatement of the financial statements will not be
prevented or detected.
We assessed (1) the status of IRS's actions to correct or mitigate
previously reported information security weaknesses and (2) whether
controls over key financial and tax processing systems are effective in
ensuring the confidentiality, integrity, and availability of financial and
sensitive taxpayer information. We performed the above audit work from
April 2007 through October 2007 in accordance with generally accepted
government auditing standards. Those standards require that we plan and
perform the audit to obtain sufficient, appropriate evidence to provide a
reasonable basis for our findings and conclusions based on our audit
objectives. We believe that the evidence obtained provides a reasonable
basis for our findings and conclusions based on our audit objectives.
Results in Brief
IRS made limited progress toward correcting previously reported
information security weaknesses. It has corrected or mitigated 29 of the
98 information security weaknesses that we reported as unresolved at the
time of our last review. For example, IRS implemented controls for user
IDs for certain critical servers, improved physical protection for its
procurement system, developed a security plan for a key financial system,
and upgraded servers that had been using obsolete operating systems. In
addition, IRS established enterprisewide objectives for improving
information security, including initiatives for protecting and encrypting
data, securing information technology assets, and building security into
new applications. However, about 70 percent of the previously identified
information security weaknesses remain unresolved. For example, IRS
continues to, among other things, use passwords that are not complex,
grant excessive access to individuals who do not need it, and install
patches in an untimely manner.
In addition to this limited progress, other significant weaknesses in
controls intended to restrict access to data and systems, as well as other
information security controls, continue to threaten the confidentiality
and availability of its financial and tax processing systems and
information, and limit assurance of the integrity and reliability of its
financial and taxpayer information. IRS has not consistently implemented
effective controls to prevent, limit, or detect unauthorized access to
computing resources from within its internal network. For example, IRS did
not always (1) enforce strong password management for properly identifying
and authenticating users, (2) authorize user access to permit only the
access needed to perform job functions, (3) encrypt sensitive data, (4)
effectively monitor changes on its mainframe, and (5) physically protect
its computer resources. In addition, IRS faces risks to its financial and
taxpayer information due to weaknesses in implementing its configuration
management policies, as well as appropriately segregating incompatible job
duties. A key reason for these weaknesses is that IRS has not yet fully
implemented its agencywide information security program to ensure that
controls are appropriately designed and operating effectively. Until these
weaknesses are corrected, the agency remains particularly vulnerable to
insider threats. As a result, IRS is at increased risk of unauthorized
access to and disclosure, modification, or destruction of financial and
taxpayer information, as well as inadvertent or deliberate disruption of
system operations and services. Further, IRS will not have assurance that
the proper resources are applied to known vulnerabilities or that those
vulnerabilities will be properly mitigated.
We are making recommendations to the Acting Commissioner of Internal
Revenue to take several actions to fully implement a comprehensive,
agencywide information security program. We also are making
recommendations in a separate report with limited distribution. These
recommendations consist of actions to be taken to correct the specific
information security weaknesses related to identification and
authentication, authorization, cryptography, audit and monitoring,
physical security, configuration management, and segregation of duties.
In providing written comments on a draft of this report, the Acting
Commissioner of Internal Revenue recognized that there is significant work
to be accomplished to address IRS's information security deficiencies, and
stated that the agency is taking aggressive steps to correct previously
reported weaknesses and improve its overall information security program.
She further stated that IRS would develop a detailed corrective action
plan addressing each of our recommendations.
Background
Information security is a critical consideration for any organization that
depends on information systems and computer networks to carry out its
mission or business. It is especially important for government agencies,
where maintaining the public's trust is essential. The dramatic expansion
in computer interconnectivity and the rapid increase in the use of the
Internet have revolutionized the way our government, our nation, and much
of the world communicate and conduct business. Although this expansion has
created many benefits for agencies such as IRS in achieving their missions
and providing information to the public, it also exposes federal networks
and systems to various threats. The Federal Bureau of Investigation has
identified multiple sources of threats, including foreign nation states
engaged in information warfare, domestic criminals, hackers, virus
writers, and disgruntled employees or contractors working within an
organization. In addition, the U.S. Secret Service and the CERT
Coordination Center^4 studied insider threats, and stated in a May 2005
report that "insiders pose a substantial threat by virtue of their
knowledge of, and access to, employer systems and/or databases."
Without proper safeguards, systems are unprotected from individuals and
groups with malicious intent who can intrude and use their access to
obtain sensitive information, commit fraud, disrupt operations, or launch
attacks against other computer systems and networks. These concerns are
well founded for a number of reasons, including the dramatic increase in
reports of security incidents, the ease of obtaining and using hacking
tools, and steady advances in the sophistication and effectiveness of
attack technology. For example, the Office of Management and Budget (OMB)
cited^5 a total of 5,146 incidents reported to the U.S. Computer Emergency
Readiness Team (US-CERT)^6 by federal agencies during fiscal year 2006, an
increase of 44 percent from the previous fiscal year.
Our previous reports, and those by inspectors general, describe persistent
information security weaknesses that place federal agencies, including
IRS, at risk of disruption, fraud, or inappropriate disclosure of
sensitive information. Accordingly, we have designated information
security as a governmentwide high-risk area since 1997,^7 a designation
that remains in force today.^8 Recognizing the importance of securing
federal agencies' information systems, Congress enacted the Federal
Information Security Management Act (FISMA) in December 2002^9 to
strengthen the security of information and systems within federal
agencies. FISMA requires each agency to develop, document, and implement
an agencywide information security program for the information and systems
that support the operations and assets of the agency, using a risk-based
approach to information security management. Such a program includes
developing and implementing security plans, policies, and procedures;
testing and evaluating the effectiveness of controls; assessing risk;
providing specialized training; planning, implementing, evaluating, and
documenting remedial action to address information security deficiencies;
and ensuring continuity of operations.
^4The CERT Coordination Center is a center of Internet security expertise
located at the Software Engineering Institute, a federally funded research
and development center operated by Carnegie Mellon University.
^5OMB, FY 2006 Report to Congress on Implementation of the Federal
Information Security Management Act of 2002 (Washington, D.C., March
2007).
^6US-CERT's mission is to protect the nation's Internet infrastructure.
US-CERT coordinates defense against and responses to cyber attacks by
analyzing and reducing cyber threats and vulnerabilities, disseminating
cyber threat warning information, and coordinating incident response
activities.
^7GAO, High-Risk Series: Information Management and Technology,
[33]GAO/HR-97-9 (Washington, D.C.: February 1997).
^8GAO, High-Risk Series: An Update, GAO-07-310 (Washington, D.C.: January
2007).
^9FISMA was enacted as title III, E-Government Act of 2002, Pub L. No.
107-347, 116 Stat. 2946 (Dec. 17, 2002).
IRS has demanding responsibilities in collecting taxes, processing tax
returns, and enforcing the nation's tax laws, and relies extensively on
computerized systems to support its financial and mission-related
operations. In fiscal years 2007 and 2006, IRS collected about $2.7
trillion and $2.5 trillion, respectively, in tax payments; processed
hundreds of millions of tax and information returns; and paid about $292
billion and $277 billion, respectively, in refunds to taxpayers. Further,
the size and complexity of IRS adds unique operational challenges. The
agency employs tens of thousands of people in 10 service center campuses,
3 computing centers, and numerous other field offices throughout the
United States.
IRS also collects and maintains a significant amount of personal and
financial information on each American taxpayer. The confidentiality of
this sensitive information must be protected; otherwise, taxpayers could
be exposed to loss of privacy and to financial loss and damages resulting
from identity theft or other financial crimes.
The Commissioner of Internal Revenue has overall responsibility for
ensuring the confidentiality, integrity, and availability of the
information and information systems that support the agency and its
operations. FISMA requires the chief information officers (CIO) at federal
agencies to be responsible for developing and maintaining an information
security program. Within IRS, this responsibility is delegated to the
Chief of Mission Assurance and Security Services (MA&SS). The Chief of
MA&SS is responsible for developing policies and procedures regarding
information technology security; establishing a security awareness and
training program; conducting security audits; coordinating the
implementation of logical access controls into IRS systems and
applications; providing physical and personnel security; and, among other
things, monitoring IRS security activities. To help accomplish these
goals, MA&SS has developed and published information security policies,
guidelines, standards, and procedures in the Internal Revenue Manual, the
Law Enforcement Manual, and other documents. The Modernization and
Information Technology Services organization, led by the CIO, is
responsible for developing security controls for systems and applications;
conducting annual tests of systems; implementing, testing, and validating
the effectiveness of remedial actions; ensuring that continuity of
operations requirements are addressed for all applications and systems it
owns; and mitigating technical vulnerabilities and validating the
mitigation strategy. In July 2007, IRS began undergoing an organizational
realignment that dissolved MA&SS and moved responsibilities for managing
the servicewide information security program to a newly created
position--the Associate CIO for Cybersecurity.
Objectives, Scope, and Methodology
The objectives of our review were to determine (1) the status of IRS's
actions to correct or mitigate previously reported information security
weaknesses and (2) whether controls over key financial and tax processing
systems were effective in ensuring the confidentiality, integrity, and
availability of financial and sensitive taxpayer information. This review
was performed in connection with our audit of IRS's financial statements
for the purpose of supporting our opinion on internal controls over the
preparation of those statements.
To determine the status of IRS's actions to correct or mitigate previously
reported information security weaknesses, we identified and reviewed its
information security policies, procedures, practices, and guidance. We
reviewed prior GAO reports to identify previously reported weaknesses and
examined IRS's corrective action plans to determine for which weaknesses
IRS reported corrective actions as being completed. For those instances
where IRS reported it had completed corrective actions, we assessed the
effectiveness of those actions. We evaluated IRS's implementation of these
corrective actions for two data centers, and one additional facility.
To determine whether controls over key financial and tax processing
systems were effective, we tested the effectiveness of information
security controls at three data centers. We concentrated our evaluation
primarily on threats emanating from sources internal to IRS's computer
networks and focused on three critical applications and their general
support systems that directly or indirectly support the processing of
material transactions that are reflected in the agency's financial
statements. Our evaluation was based on our Federal Information System
Controls Audit Manual, which contains guidance for reviewing information
system controls that affect the confidentiality, integrity, and
availability of computerized information.
Using National Institute of Standards and Technology (NIST) standards and
guidance, and IRS's policies, procedures, practices, and standards, we
evaluated controls by
o testing the complexity and expiration of passwords on servers to
determine if strong password management was enforced;
o analyzing users' system authorizations to determine whether they
had more permissions than necessary to perform their assigned
functions;
o observing data transmissions across the network to determine
whether sensitive data were being encrypted;
o observing whether system security software was logging
successful system changes;
o testing and observing physical access controls to determine if
computer facilities and resources were being protected from
espionage, sabotage, damage, and theft;
o inspecting key servers and workstations to determine whether
critical patches had been installed or were up-to-date; and
o examining access responsibilities to determine whether
incompatible functions were segregated among different
individuals.
Using the requirements identified by FISMA, which establish key
elements for an effective agencywide information security program,
we evaluated IRS's implementation of its security program by
o analyzing IRS's risk assessment process and risk assessments for
key IRS systems to determine whether risks and threats were
documented;
o analyzing IRS's policies, procedures, practices, and standards
to determine their effectiveness in providing guidance to
personnel responsible for securing information and information
systems;
o analyzing security plans to determine if management,
operational, and technical controls were in place or planned and
that security plans were updated;
o examining training records for personnel with significant
responsibilities to determine if they received training
commensurate with those responsibilities;
o analyzing test plans and test results for key IRS systems to
determine whether management, operational, and technical controls
were tested at least annually and based on risk;
o observing IRS's process to correct weaknesses and determining
whether remedial action plans complied with federal guidance; and
o examining contingency plans for key IRS systems to determine
whether those plans had been tested or updated.
We also reviewed or analyzed previous reports from the Treasury
Inspector General for Tax Administration (TIGTA) and GAO; and
discussed with key security representatives and management
officials whether information security controls were in place,
adequately designed, and operating effectively.
IRS Has Made Limited Progress in Correcting Previously Reported
Weaknesses
IRS has made limited progress toward correcting previously
reported information security weaknesses. It has corrected or
mitigated 29 of the 98 information security weaknesses that we
reported as unresolved at the time of our last review. IRS
corrected weaknesses related to access controls and personnel
security, among others. For example, it has
o implemented controls for user IDs for certain critical servers
by assigning each user a unique logon account and password and
removing unneeded accounts (guest-level);
o improved physical protection for its procurement system by
limiting computer room access to only those individuals needing it
to perform their duties;
o developed a security plan for a key financial system; and
o updated servers that had been running unsupportable operating
systems.
Significant Weaknesses Continue to Place Financial and Taxpayer
Information at Risk
In addition, IRS has made progress in improving its information
security program. For example, the agency is in the process of
completing an organizational realignment and has several
initiatives underway that are designed to improve information
security such as forming councils and committees to foster
coordination and collaboration on information technology security
policies, procedures, and practices. IRS also has established six
enterprisewide objectives for improving information security,
including initiatives for protecting and encrypting data, securing
information technology assets, and building security into new
applications.
Although IRS has moved to correct previously identified security
weaknesses, 69 of them--or about 70 percent--remain open or
unmitigated. For example, IRS continues to, among other things,
o use passwords that are not complex,
o grant excessive electronic access to individuals not warranting
such access,
o allow sensitive data to cross its internal network unencrypted,
o allow changes to occur on the mainframe that are not properly
monitored or recorded,
o ineffectively remove physical access authorizations into
sensitive areas,
o install patches in an untimely manner, and
o improperly segregate incompatible duties.
Such weaknesses increase the risk of compromise of critical IRS
systems and information.
In addition to this limited progress, other significant weaknesses
in controls intended to restrict access to data and systems, as
well as other information security controls continue to threaten
the confidentiality and availability of its financial and tax
processing systems and information, and limit assurance of the
integrity and reliability of its financial and taxpayer
information. Unresolved, previously reported weaknesses and newly
identified ones increase the risk of unauthorized disclosure,
modification, or destruction of financial and sensitive taxpayer
information.
IRS Did Not Sufficiently Control Access to Information Resources
A basic management objective for any organization is to protect
the resources that support its critical operations from
unauthorized access. Organizations accomplish this objective by
designing and implementing controls that are intended to prevent,
limit, and detect unauthorized access to computing resources,
programs, information, and facilities. Inadequate access controls
diminish the reliability of computerized information and increase
the risk of unauthorized disclosure, modification, and destruction
of sensitive information and disruption of service. Access
controls include those related to user identification and
authentication, authorization, cryptography, audit and monitoring,
and physical security. IRS did not ensure that it consistently
implemented effective access controls in each of these areas, as
the following sections in this report demonstrate.
Controls for Identifying and Authenticating Users Were Not
Consistently Enforced
A computer system must be able to identify and authenticate
different users so that activities on the system can be linked to
specific individuals. When an organization assigns unique user
accounts to specific users, the system is able to distinguish one
user from another--a process called identification. The system
also must establish the validity of a user's claimed identity by
requesting some kind of information, such as a password, that is
known only by the user--a process known as authentication. The
combination of identification and authentication--such as user
account/password combinations--provides the basis for establishing
individual accountability and for controlling access to the
system. The Internal Revenue Manual requires IRS to enforce strong
passwords for authentication (defined as a minimum of eight
characters, containing at least one numeric or special character,
and a mixture of at least one uppercase and one lower case
letter). In addition, IRS policy states that user accounts should
be removed from the system or application if users have not logged
on in 90 days. Furthermore, the Internal Revenue Manual requires
that passwords be protected from unauthorized disclosure when
stored.
IRS did not always enforce strong password management on systems
at the three sites reviewed. For example, several user account
passwords on UNIX systems did not meet password length or
complexity requirements. Allowing weak passwords increases the
likelihood that passwords will be compromised and used by
unauthorized individuals to gain access to sensitive IRS
information. In addition, user accounts for servers supporting the
administrative accounting system had not been used in
approximately 180 days, but still remained active at all three
sites. Allowing inactive user accounts to remain on the system
increases the likelihood of unauthorized individuals using these
dormant accounts to gain access to sensitive IRS data. Further,
password and associated user IDs were stored in clear text on an
intranet Web site which was accessible by unauthenticated users.
As a result, individuals accessing this Web site could view these
passwords and use them to gain unauthorized access to IRS systems.
Such access could be used to alter data flowing to and from the
agency's administrative accounting system.
Users Were Routinely Given More System Access Than Needed to
Perform Their Jobs
Authorization is the process of granting or denying access rights
and permissions to a protected resource, such as a network, a
system, an application, a function, or a file. A key component of
granting or denying access rights is the concept of "least
privilege." Least privilege is a basic principle for securing
computer resources and information. This principle means that
users are granted only those access rights and permissions they
need to perform their official duties. To restrict legitimate
users' access to only those programs and files they need to do
their work, organizations establish access rights and permissions.
"User rights" are allowable actions that can be assigned to users
or to groups of users. File and directory permissions are rules
that regulate which users can access a particular file or
directory and the extent of that access. To avoid unintentionally
authorizing users' access to sensitive files and directories, an
organization must give careful consideration to its assignment of
rights and permissions. IRS policy states that the configuration
and use of system utilities are based on least privilege and are
limited to those individuals that require them to perform their
assigned functions.
IRS permitted excessive access to systems by granting rights and
permissions that gave users more access than they needed to
perform their assigned functions. For example, one data center
allowed all mainframe users access to powerful system management
functions including storage management and mainframe hardware
configurations. In addition, the center did not tightly restrict
the ability to modify mainframe operating system configurations.
Approximately 60 persons had access to commands that could allow
them to make significant changes to the operating system,
increasing the risk of inadvertent or deliberate disruption of
system operations. Furthermore, IRS did not properly restrict file
permission privileges. Excessive file privileges were given to an
administrative accounting subsystem's file transfer account. As a
result, any user with access to accounts on this server could gain
unauthorized access to other servers within the administrative
accounting system infrastructure.
Sensitive Data Were Not Always Encrypted
Cryptography underlies many of the mechanisms used to enforce the
confidentiality and integrity of critical and sensitive
information. A basic element of cryptography is encryption.
Encryption can be used to provide basic data confidentiality and
integrity by transforming plain text into cipher text using a
special value known as a key and a mathematical process known as
an algorithm. IRS policy requires the use of encryption for
transferring sensitive but unclassified information between IRS
facilities. The National Security Agency also recommends disabling
protocols that do not encrypt information, such as user ID and
password combinations, transmitted across the network.
IRS did not always ensure that sensitive data were protected by
encryption. Although IRS had an initiative underway to encrypt its
laptops, certain data were not encrypted. For example, at two data
centers, administrator access to a key IRS application contained
unencrypted data logins. These unencrypted logins could reveal
usernames, passwords, and other credentials. By not encrypting
data, IRS is at increased risk that an unauthorized individual
could gain unwarranted access to its systems and/or sensitive
information.
Logging Procedures Did Not Effectively Capture Changes to
Mainframe Datasets
To establish individual accountability, monitor compliance with
security policies, and investigate security violations, it is
crucial to determine what, when, and by whom specific actions have
been taken on a system. Organizations accomplish this by
implementing system or security software that provides an audit
trail--logs of system activity--that they can use to determine the
source of a transaction or attempted transaction and to monitor
users' activities. The way in which organizations configure system
or security software determines the nature and extent of
information that can be provided by the audit trail. To be
effective, organizations should configure their software to
collect and maintain audit trails that are sufficient to track
security-relevant events. IRS policy requires that audit records
be created, protected, and retained to enable the monitoring,
analysis, investigation, and reporting of unlawful, unauthorized,
or inappropriate information system activity.
Although IRS had implemented logging capabilities for the servers
reviewed, it did not effectively capture changes to datasets on
the mainframe, which supports the agency's general ledger for tax
administration. Specifically, it did not configure its security
software to log successful changes to datasets that contain
parameters and procedures on the mainframe used to support
production operations of the operating system, system utilities,
and user applications. By not recording changes to these datasets,
IRS is at increased risk that unapproved or inadvertent changes
that compromise security controls or disrupt operations are made
and not detected.
Weaknesses in Physical Security Controls Reduced Their Effectiveness
Physical security controls are essential for protecting computer
facilities and resources from vandalism and sabotage, theft,
accidental or deliberate destruction, and unauthorized access and
use. Physical security controls should prevent, limit, and detect
access to facility grounds, buildings, and sensitive work areas
and the agency should periodically review the access granted to
computer facilities and resources to ensure this access is still
appropriate. Examples of physical security controls include
perimeter fencing, surveillance cameras, security guards, and
locks. The absence of adequate physical security protections could
lead to the loss of life and property, the disruption of functions
and services, and the unauthorized disclosure of documents and
information. NIST requires that designated officials within the
organization review and approve the access list and authorization
credentials. Similarly, IRS policy requires that branch chiefs
validate the need of individuals to access a restricted area based
on authorized access lists, which are prepared monthly. To further
address physical security, the Internal Revenue Manual requires
periodic review of all mechanical key records.
Although IRS has implemented physical security controls, certain
weaknesses reduce the effectiveness of these controls in
protecting and controlling physical access to assets at IRS
facilities, such as the following:
o One data center allowed at least 17 individuals access to
sensitive areas without justifying a need based on their job
duties.
o The same data center did not always remove physical access
authorizations into sensitive areas in a timely manner for
employees who no longer needed it to perform their jobs. For
example, a manager reviewed an access listing dated March 2007 and
identified 54 employees whose access was to be removed; however,
at the time of our site visit in June 2007, 29 of the 54 employees
still had access.
o Another data center did not perform monthly reviews of an
authorized access list to verify that employees continued to
warrant access to secure computing areas; according to agency
officials, they perform a biannual review every 6 months or
whenever a change occurs instead.
o The same data center also did not perform a periodic review of
records accounting for mechanical keys used to gain access to
sensitive areas.
As a result, IRS is at increased risk of unauthorized access to,
and disclosure of, financial and taxpayer information, inadvertent
or deliberate disruption of services, and destruction or loss of
computer resources.
Weaknesses in Other Information Security Controls Increased Risk
In addition to access controls, other important controls should be
in place to ensure the confidentiality, integrity, and
availability of an organization's information. These controls
include policies, procedures, and techniques for securely
configuring information systems and segregating incompatible
duties. Weaknesses in these areas increase the risk of
unauthorized use, disclosure, modification, or loss of IRS's
information and information systems.
Configuration Management Policies Were Not Fully Implemented
The purpose of configuration management is to establish and
maintain the integrity of an organization's work products.
Organizations can better ensure that only authorized applications
and programs are placed into operation by establishing and
maintaining baseline configurations and monitoring changes to
these configurations. According to IRS policy, changes to baseline
configurations should be monitored and controlled. Patch
management, a component of configuration management, is an
important factor in mitigating software vulnerability risks.
Up-to-date patch installation can help diminish vulnerabilities
associated with flaws in software code. Attackers often exploit
these flaws to read, modify, or delete sensitive information;
disrupt operations; or launch attacks against other organizations'
systems. According to NIST, the practice of tracking patches
allows organizations to identify which patches are installed on a
system and provides confirmation that the appropriate patches have
been applied. IRS's patch management policy also requires that
patches be implemented in a timely manner and that critical
patches are applied within 72 hours to minimize vulnerabilities.
IRS did not always effectively implement configuration management
policies. For example, one data center did not ensure that its
change control system properly enforced change controls to two key
applications residing on the mainframe. The current configuration
could allow individuals to make changes without being logged by
the agency's automated configuration management system.
Furthermore, servers at these locations did not have critical
patches installed in a timely manner. For example, at the time of
our site visit in July 2007, one site had not installed critical
patches released in February 2007 on two servers. As a result, IRS
has limited assurance that only authorized changes are being made
to its systems and that they are protected against new
vulnerabilities.
Incompatible Duties Were Not Always Appropriately Segregated
Segregation of duties refers to the policies, procedures, and
organizational structures that help ensure that no individual can
independently control all key aspects of a process or
computer-related operation and thereby gain unauthorized access to
assets or records. Often, organizations segregate duties by
dividing responsibilities among two or more individuals or
organizational groups. This diminishes the likelihood that errors
and wrongful acts will go undetected, because the activities of
one individual or group will serve as a check on the activities of
the other. Inadequate segregation of duties increases the risk
that erroneous or fraudulent transactions could be processed,
improper program changes implemented, and computer resources
damaged or destroyed. The Internal Revenue Manual requires that
IRS divide and separate duties and responsibilities of
incompatible functions among different individuals, so that no
individual shall have all of the necessary authority and system
access to disrupt or corrupt a critical security process.
IRS did not always properly segregate incompatible duties. For
example, mainframe system administration functions were not
appropriately segregated. IRS configured a user group that granted
access to a broad range of system functions beyond the scope of
any single administrator's job duties. Granting this type of
access to individuals who do not require it to perform their
official duties increases the risk that sensitive information or
programs could be improperly modified, disclosed, or deleted. In
addition, at one data center, physical security staff who set user
proximity card access to sensitive areas were also allowed to
determine whether employees needed access or not, rather than
leaving the decision to cognizant managers. As a result, staff
could be allowed improper access to sensitive areas.
IRS Has Not Fully Implemented Its Information Security Program
A key reason for the information security weaknesses in IRS's
financial and tax processing systems is that it has not yet fully
implemented its agencywide information security program to ensure
that controls are effectively established and maintained. FISMA
requires each agency to develop, document, and implement an
information security program that, among other things, includes
o periodic assessments of the risk and magnitude of harm that
could result from the unauthorized access, use, disclosure,
disruption, modification, or destruction of information and
information systems;
o policies and procedures that (1) are based on risk assessments,
(2) cost-effectively reduce risks, (3) ensure that information
security is addressed throughout the life cycle of each system,
and (4) ensure compliance with applicable requirements;
o plans for providing adequate information security for networks,
facilities, and systems;
o security awareness training to inform personnel of information
security risks and of their responsibilities in complying with
agency policies and procedures, as well as training personnel with
significant security responsibilities for information security;
o periodic testing and evaluation of the effectiveness of
information security policies, procedures, and practices,
performed with a frequency depending on risk, but no less than
annually, and that include testing of management, operational, and
technical controls for every system identified in the agency's
required inventory of major information systems;
o a process for planning, implementing, evaluating, and
documenting remedial action to address any deficiencies in its
information security policies, procedures, or practices; and
o plans and procedures to ensure continuity of operations for
information systems that support the operations and assets of the
agency.
Although IRS continued to make important progress in developing
and documenting a framework for its information security program,
key components of the program had not been fully or consistently
implemented.
Although a Risk Assessment Process Was Implemented, Potential
Risks Were Not Always Assessed
According to NIST, risk is determined by identifying potential
threats to the organization and vulnerabilities in its systems,
determining the likelihood that a particular threat may exploit
vulnerabilities, and assessing the resulting impact on the
organization's mission, including the effect on sensitive and
critical systems and data. Identifying and assessing information
security risks are essential to determining what controls are
required. Moreover, by increasing awareness of risks, these
assessments can generate support for the policies and controls
that are adopted in order to help ensure that these policies and
controls operate as intended. OMB Circular A-130, appendix III
prescribes that risk be reassessed when significant changes are
made to computerized systems--or at least every 3 years.
Consistent with NIST guidance, IRS requires its risk assessment
process to detail the residual risk assessed and potential
threats, and to recommend corrective actions for reducing or
eliminating the vulnerabilities identified.
Although IRS had implemented a risk assessment process, it did not
always effectively evaluate potential risks for the systems we
reviewed. The six risk assessments that we reviewed were current,
documented residual risk assessed and potential threats, and
recommended corrective actions for reducing or eliminating the
vulnerabilities they identified. However, IRS did not identify
many of the vulnerabilities that we identify in this report and
did not assess the risks associated with them. As a result,
potential risks to these systems may be unknown. We have
previously identified this weakness and recommended that the
agency update its risk assessments to include vulnerabilities we
identified. IRS is in the process of taking corrective action.
Although IRS Policies and Procedures Were Generally Adequate,
Guidance for Logging Mainframe Activity Was Unclear
Another key element of an effective information security program
is to develop, document, and implement risk-based policies,
procedures, and technical standards that govern security over an
agency's computing environment. If properly implemented, policies
and procedures should help reduce the risk that could come from
unauthorized access or disruption of services. Technical security
standards provide consistent implementation guidance for each
computing environment. Developing, documenting, and implementing
security policies are the important primary mechanisms by which
management communicates its views and requirements; these policies
also serve as the basis for adopting specific procedures and
technical controls. In addition, agencies need to take the actions
necessary to effectively implement or execute these procedures and
controls. Otherwise, agency systems and information will not
receive the protection that the security policies and controls
should provide.
IRS has developed and documented information security policies,
standards, and guidelines that generally provide appropriate
guidance to personnel responsible for securing information and
information systems; however, guidance for securing mainframe
systems was not always clear. For example, the Internal Revenue
Manual does not always specify when successful system changes
should be logged. Further, although IRS policy provides general
requirements for protection of audit logs, the manual for
mainframe security software does not provide detailed guidance on
what logs to protect and how to protect them. As a result, IRS has
reduced assurance that these system changes are being captured and
that its systems and the information they contain, including audit
logs, are being sufficiently protected.
Security Plans Adequately Documented Management, Operational, and
Technical Controls
An objective of system security planning is to improve the
protection of information technology resources. A system security
plan provides an overview of the system's security requirements
and describes the controls that are in place or planned to meet
those requirements. OMB Circular A-130 requires that agencies
develop system security plans for major applications and general
support systems, and that these plans address policies and
procedures for providing management, operational, and technical
controls. Furthermore, IRS policy requires that security plans
describing the security controls in place or planned for its
information systems be developed, documented, implemented,
reviewed annually, and updated a minimum of every 3 years or
whenever there is a significant change to the system.
The six security plans we reviewed documented the management,
operational, and technical controls in place at the time the plans
were written, and the more recent plans mapped those controls
directly to controls prescribed by NIST. According to IRS
officials, at the time of our review, they were in the process of
updating two of these plans to more accurately reflect the current
operating environment. The remaining four plans appropriately
reflected the current operating environment.
Although Training Was Provided, Employees with Significant Security
Responsibilities at One Center Did Not Receive the Needed Training
People are one of the weakest links in attempts to secure systems
and networks. Therefore, an important component of an information
security program is providing required training so that users
understand system security risks and their own role in
implementing related policies and controls to mitigate those
risks. IRS policy requires that personnel performing information
technology security duties meet minimum continuing professional
education hours in accordance with their roles. Personnel
performing technical security roles are required by IRS to have
12, 8, or 4 hours of specialized training per year, depending on
their specific role.
Although IRS has made progress in providing security personnel
with a job-related training curriculum, IRS did not ensure that
all employees with significant security responsibilities received
adequate training. For example, based on the documentation we
reviewed, all 40 employees selected at one data center met the
required minimum training hours; however, 6 of 10^10 employees
reviewed at another center did not. According to IRS officials,
these six employees with significant security responsibilities
were not identified by their managers for the required training.
Until managers identify individuals requiring specialized
training, IRS is at increased risk that individuals will not
receive the training necessary to perform their security-related
responsibilities.
^10Based on documentation provided, of the 10 employees we reviewed, 3
employees met the required minimum training hours and 6 did not. IRS
notified us that the remaining employee had separated from the agency.
Although Controls Were Tested and Evaluated, Tests Were Not Always
Comprehensive
Another key element of an information security program is to test
and evaluate policies, procedures, and controls to determine
whether they are effective and operating as intended. This type of
oversight is a fundamental element because it demonstrates
management's commitment to the security program, reminds employees
of their roles and responsibilities, and identifies and mitigates
areas of noncompliance and ineffectiveness. Although control tests
and evaluations may encourage compliance with security policies,
the full benefits are not achieved unless the results improve the
security program. FISMA requires that the frequency of tests and
evaluations be based on risks and occur no less than annually. IRS
policy also requires periodic testing and evaluation of the
effectiveness of information security policies and procedures, as
well as reviews to ensure that the security requirements in its
contracts are implemented and enforced.
IRS tested and evaluated information security controls for each of
the systems we reviewed. The more current tests and evaluations
had detailed methodologies, followed NIST guidance, and documented
the effectiveness of the tested controls. However, the scopes of
these tests were not sufficiently comprehensive to identify
significant vulnerabilities. For example, although IRS and GAO
examined controls over the same systems, we identified unencrypted
passwords on an internal Web site that IRS had not. Our test
results also showed that contractors did not always follow agency
security policies and procedures. To illustrate, contractors had
inappropriately stored clear-text passwords and sensitive
documents on internal agency Web sites. Although IRS had numerous
procedures to provide contractor oversight, it had not detected
its contractors' noncompliance with its policies. Because IRS had
not identified these weaknesses, it has limited assurance that
appropriate controls were being effectively implemented.
Remedial Action Plans Were Not Always Complete, and Corrective
Actions Were Not Effective
A remedial action plan is a key component described in FISMA. Such
a plan assists agencies in identifying, assessing, prioritizing,
and monitoring progress in correcting security weaknesses that are
found in information systems. In its annual FISMA guidance to
agencies, OMB requires agencies' remedial action plans, also known
as plans of action and milestones, to include the resources
necessary to correct an identified weaknesses. According to IRS
policy, the agency should document weaknesses found during
security assessments as well as document any planned, implemented,
and evaluated remedial actions to correct any deficiencies. The
policy further requires that IRS track the status of resolution of
all weaknesses and verify that each weakness is corrected.
IRS has developed and implemented a remedial action process to
address deficiencies in its information security policies,
procedures, and practices. However, this remedial action process
was not working as intended. For example, IRS had identified
weaknesses but did not always identify necessary resources to fix
them. Specifically, we reviewed remedial action plans for five of
the six systems^11 and found that plans for four of them had not
identified what, if any, resources were necessary to support the
corrective actions. Subsequent to our site visits, IRS provided
additional information on resources to support corrective actions
for three of them.
In addition, the verification process used to determine whether
remedial actions were implemented was not always effective. IRS
indicated that it had corrected or mitigated 39 of the 98
previously reported weaknesses. However, of those 39 weaknesses,
10 still existed at the time of our review. Furthermore, one
facility had actually corrected less than half of the weaknesses
reported as being resolved. We have previously identified a
similar weakness and recommended that IRS implement a revised
remedial action verification process that ensures actions are
fully implemented, but the condition continued to exist at the
time of our review. Without a sound remediation process, IRS will
not have assurance that the proper resources will be applied to
known vulnerabilities or that those vulnerabilities will be
properly mitigated.
Contingency Plans Were Not Always Complete or Tested
Continuity of operations planning, which includes contingency
planning, is a critical component of information protection. To
ensure that mission-critical operations continue, it is necessary
to be able to detect, mitigate, and recover from service
disruptions while preserving access to vital information. It is
important that these plans be clearly documented, communicated to
potentially affected staff, and updated to reflect current
operations. In addition, testing contingency plans is essential to
determine whether the plans will function as intended in an
emergency situation. FISMA requires that agencywide information
security programs include plans and procedures to ensure
continuity of operations. IRS contingency planning policy requires
that essential IRS business processes be identified and that
contingency plans be tested at least annually.
^11Based on IRS documentation, one of the systems did not require that a
remedial action be developed.
Although the systems reviewed had contingency plans, the plans
were not always complete or tested. For example, for three of the
six plans, IRS had not identified essential business processes.
Further, the agency had not annually tested two of the plans,
which were both dated September 2005. IRS informed us that these
issues will be addressed during current certifications and
accreditations for those systems. However, until IRS identifies
these essential processes and sufficiently tests the plans,
increased risk exists that it will not be able to effectively
recover and continue operations when an emergency occurs.
Conclusions
IRS has made only limited progress in correcting or mitigating
previously reported weaknesses, implementing controls over key
financial systems, and developing and documenting a framework for
its agencywide information security program. Information security
weaknesses--both old and new--continue to impair the agency's
ability to ensure the confidentiality, integrity, and availability
of financial and taxpayer information. These deficiencies
represent a material weakness in IRS's internal controls over its
financial and tax processing systems. A key reason for these
weaknesses is that the agency has not yet fully implemented
critical elements of its agencywide information security program.
The financial and taxpayer information on IRS systems will remain
particularly vulnerable to insider threats until the agency (1)
fully implements a comprehensive agencywide information security
program that includes enhanced policies and procedures,
appropriate specialized training, comprehensive tests and
evaluations, sufficient contractor oversight, updated remedial
action plans, and a complete continuity of operations process; and
(2) begins to address weaknesses across the service, its
facilities, and computing resources. As a result, financial and
taxpayer information is at increased risk of unauthorized
disclosure, modification, or destruction, and IRS management
decisions may be based on unreliable or inaccurate financial
information.
Recommendations for Executive Action
To help establish effective information security over key
financial processing systems, we recommend that you take the
following seven actions to implement an agencywide information
security program:
o Update policies and procedures for configuring mainframe
operations to ensure they provide the necessary detail for
controlling and logging changes.
o Identify individuals with significant security responsibilities
to ensure they receive specialized training.
o Expand scope for testing and evaluating controls to ensure more
comprehensive testing.
o Enhance contractor oversight to better ensure that contractors'
noncompliance with IRS information security policies is detected.
o Update remedial action plans to ensure that they include what,
if any, resources are required to implement corrective actions.
o Identify and prioritize critical IRS business processes as part
of contingency planning.
o Test contingency plans at least annually.
We are also making 46 detailed recommendations in a separate
report with limited distribution. These recommendations consist of
actions to be taken to correct specific information security
weaknesses related to user identification and authentication,
authorization, cryptography, audit and monitoring, physical
security, configuration management, and segregation of duties.
Agency Comments
In providing written comments (reprinted in app. I) on a draft of
this report, the Acting Commissioner of Internal Revenue agreed
that IRS has not yet fully implemented critical elements of its
agencywide information security program, and stated that the
security and privacy of taxpayer information is of great concern
to the agency. She recognized that there is significant work to be
accomplished to address IRS's information security deficiencies,
and stated that the agency is taking aggressive steps to correct
previously reported weaknesses and improve its overall information
security program. She also noted that IRS has taken many actions
to strengthen its information security program, such as installing
automatic disk encryption on its total deployed inventory of
approximately 52,000 laptops, and creating a team of security and
computer experts to improve mainframe controls. Further, she
stated that the agency is committed to securing its computer
environment, and will develop a detailed corrective action plan
addressing each of our recommendations.
This report contains recommendations to you. As you know, 31
U.S.C. 720 requires the head of a federal agency to submit a
written statement of the actions taken on our recommendations to
the Senate Committee on Homeland Security and Governmental Affairs
and to the House Committee on Oversight and Government Reform not
later than 60 days from the date of the report and to the House
and Senate Committees on Appropriations with the agency's first
request for appropriations made more than 60 days after the date
of this report. Because agency personnel serve as the primary
source of information on the status of recommendations, GAO
requests that the agency also provide it with a copy of your
agency's statement of action to serve as preliminary information
on the status of open recommendations.
We are sending copies of this report to interested congressional
committees and the Secretary of the Treasury. We will also make
copies available to others upon request. In addition, this report
will be available at no charge on the GAO Web site at
[34]http://www.gao.gov .
If you have any questions regarding this report, please contact
Gregory Wilshusen at (202) 512-6244 or Nancy Kingsbury at (202)
512-2700.
We can also be reached by e-mail at [email protected] and
[email protected]. Contact points for our Office of Congressional
Relations and Public Affairs may be found on the last page of this
report. Key contributors to this report are listed in appendix II.
Sincerely yours,
Gregory C. Wilshusen
Director, Information Security Issues
Nancy R. Kingsbury
Managing Director, Applied Research and Methods
Appendix I: Comments from the Internal Revenue Service
Appendix II: GAO Contacts and Staff Acknowledgments
GAO Contacts
Gregory C. Wilshusen, (202) 512-6244 or [35][email protected]
Nancy R. Kingsbury, (202) 512-2700 or [email protected]
Staff Acknowledgments
In addition to the persons named above, Gerard Aflague, Bruce
Cain, Larry Crosland, Mark Canter, Denise Fitzpatrick, David Hayes
(Assistant Director), Nicole Jarvis, Jeffrey Knott (Assistant
Director), George Kovachick, Kevin Metcalfe, Eugene Stevens, and
Amos Tevelow made key contributions to this report.
GAO's Mission
The Government Accountability Office, the audit, evaluation, and
investigative arm of Congress, exists to support Congress in
meeting its constitutional responsibilities and to help improve
the performance and accountability of the federal government for
the American people. GAO examines the use of public funds;
evaluates federal programs and policies; and provides analyses,
recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony
The fastest and easiest way to obtain copies of GAO documents at
no cost is through GAO's Web site ( [36]www.gao.gov ). Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of
newly posted products every afternoon, go to [37]www.gao.gov and
select "E-mail Updates."
Order by Mail or Phone
The first copy of each printed report is free. Additional copies
are $2 each. A check or money order should be made out to the
Superintendent of Documents. GAO also accepts VISA and Mastercard.
Orders for 100 or more copies mailed to a single address are
discounted 25 percent. Orders should be sent to:
U.S. Government Accountability Office 441 G Street NW, Room LM
Washington, DC 20548
To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax:
(202) 512-6061
To Report Fraud, Waste, and Abuse in Federal Programs
Contact:
Web site: [38]www.gao.gov/fraudnet/fraudnet.htm E-mail:
[39][email protected] Automated answering system: (800) 424-5454 or
(202) 512-7470
Congressional Relations
Gloria Jarmon, Managing Director, j [40][email protected] , (202)
512-4400 U.S. Government Accountability Office, 441 G Street NW,
Room 7125 Washington, DC 20548
Public Affairs
Chuck Young, Managing Director, [email protected], (202) 512-4800
U.S. Government Accountability Office, 441 G Street NW, Room 7149
Washington, DC 20548
(311000)
To view the full product, including the scope
and methodology, click on [41]GAO-08-211 .
For more information, contact Gregory Wilshusen at (202) 512-6244 or
[email protected], or Nancy Kingsbury at (202) 512-2700 or
[email protected].
Highlights of [42]GAO-08-211 , a report to the Acting Commissioner of
Internal Revenue
January 2008
INFORMATION SECURITY
IRS Needs to Address Pervasive Weaknesses
The Internal Revenue Service (IRS) relies extensively on computerized
systems to carry out its demanding responsibilities to collect taxes
(about $2.7 trillion in fiscal year 2007), process tax returns, and
enforce the nation's tax laws. Effective information security controls are
essential to ensuring that financial and taxpayer information is
adequately protected from inadvertent or deliberate misuse, fraudulent
use, improper disclosure, or destruction.
As part of its audit of IRS's fiscal years 2007 and 2006 financial
statements, GAO assessed (1) IRS's actions to correct previously reported
information security weaknesses and (2) whether controls were effective in
ensuring the confidentiality, integrity, and availability of financial and
sensitive taxpayer information. To do this, GAO examined IRS information
security policies and procedures, guidance, security plans, reports, and
other documents; tested controls over key financial applications at three
IRS data centers; and interviewed key security representatives and
management officials.
[43]What GAO Recommends
GAO is recommending that the Acting Commissioner take several actions to
fully implement an agencywide information security program. In commenting
on a draft of this report, IRS agreed to develop a detailed corrective
action plan addressing each of the recommendations.
IRS made limited progress toward correcting previously reported
information security weaknesses. It has corrected or mitigated 29 of the
98 information security weaknesses that GAO reported as unresolved at the
time of its last review. For example, IRS implemented controls for user
IDs for certain critical servers, improved physical protection for its
procurement system, developed a security plan for a key financial system,
and upgraded servers that had been using obsolete operating systems. In
addition, IRS established enterprisewide objectives for improving
information security, including initiatives for protecting and encrypting
data, securing information technology assets, and building security into
new applications. However, about 70 percent of the previously identified
information security weaknesses remain unresolved. For example, IRS
continues to, among other things, use passwords that are not complex,
grant excessive access to individuals who do not need it, and install
patches in an untimely manner.
In addition to this limited progress, other significant weaknesses in
various controls continue to threaten the confidentiality and availability
of IRS's financial processing systems and information, and limit assurance
of the integrity and reliability of its financial and taxpayer
information. IRS has not consistently implemented effective controls to
prevent, limit, or detect unauthorized access to computing resources from
within its internal network. For example, IRS did not always (1) enforce
strong password management for properly identifying and authenticating
users, (2) authorize user access to only permit access needed to perform
job functions, (3) encrypt sensitive data, (4) effectively monitor changes
on its mainframe, and (5) physically protect its computer resources. In
addition, IRS faces risks to its financial and taxpayer information due to
weaknesses in implementing its configuration management policies, as well
as appropriately segregating incompatible job duties. Accordingly, GAO has
reported a material weakness in IRS's internal controls over its financial
and tax processing systems. A key reason for the weaknesses is that the
agency has not yet fully implemented its agencywide information security
program to ensure that controls are effectively established and
maintained. As a result, IRS is at increased risk of unauthorized
disclosure, modification, or destruction of financial and taxpayer
information.
References
Visible links
32. http://www.gao.gov/cgi-bin/getrpt?GAO-08-166
33. http://www.gao.gov/cgi-bin/getrpt?GAO/HR-97-9
34. http://www.gao.gov/
35. mailto:[email protected]
36. http://www.gao.gov/
37. http://www.gao.gov/
38. http://www.gao.gov/fraudnet/fraudnet.htm
39. mailto:[email protected]
40. mailto:[email protected]
41. http://www.gao.gov/cgi-bin/getrpt?GAO-08-211
42. http://www.gao.gov/cgi-bin/getrpt?GAO-08-211
*** End of document. ***