IRS Systems Security: Tax Processing Operations and Data Still at Risk
Due to Serious Weaknesses (Testimony, 04/10/97, GAO/T-AIMD-97-76).

GAO discussed the Internal Revenue Service's (IRS) computer security
weaknesses. GAO stated that neither this testimony nor the report just
released quantifies the total number of weaknesses that GAO found or the
number of weaknesses found in each of the eight functional categories of
security that GAO reviewed, nor details the most serious weaknesses that
GAO found.

GAO noted that: (1) GAO's on-site reviews of security at five facilities
disclosed many weaknesses in eight functional areas; (2) these areas are
physical security, logical security, data communications management,
risk analysis, quality assurance, internal audit and security, security
awareness, and contingency planning; (3) of these eight, the primary
weaknesses were in the areas of physical and logical security; (4)
collectively, the five facilities could not account for approximately
6,400 units of magnetic storage media which could contain taxpayer data;
(5) printouts containing taxpayer data were left unprotected and
unattended in open areas of two facilities where they could be
compromised; (6) tapes containing taxpayer data were not overwritten
prior to reuse, providing the potential for unauthorized disclosure; (7)
access to system software was not limited to individuals with a need to
know; (8) application programmers were allowed to move development
software into the production environment without adequate controls and
these programmers were allowed to use taxpayer data for testing
purposes, which places these data at unnecessary risk of unauthorized
disclosure and modification; (9) two facilities had not performed an
audit of operations within the last 5 years; (10) three of the five
facilities did not have an adequate security awareness program; (11)
none of the five facilities visited had comprehensive disaster recovery
plans or completed business resumption plans, which should specify the
disaster recovery goals and milestones required to meet the business
needs of their customers; (12) to address the threat of IRS employee
browsing of taxpayer information, IRS developed the Electronic Audit
Research Log (EARL) and has taken legal and disciplinary actions against
employees caught browsing; (13) IRS does not have reliable, objective
measures for determining whether or not IRS is making progress in
reducing browsing; (14) IRS facilities inconsistently review and refer
incidents of employee browsing, apply penalties for browsing violations,
and publicize the outcome of browsing cases to deter other employees
from browsing; and (15) EARL cannot detect all instances of browsing
because it only monitors employees using the Integrated Data Retrieval
System.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  T-AIMD-97-76
     TITLE:  IRS Systems Security: Tax Processing Operations and Data 
             Still at Risk Due to Serious Weaknesses
      DATE:  04/10/97
   SUBJECT:  Computer security
             Tax information confidentiality
             Federal employees
             Confidential communication
             Internal controls
             Facility security
             Personnel management
             Electronic forms
             Data storage
             Tax returns
IDENTIFIER:  IRS Electronic Audit Research Log System
             IRS Integrated Data Retrieval System
             IRS Distribution Input System
             IRS Integrated Collection System
             IRS Totally Integrated Examination System
             
******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO report.  Delineations within the text indicating chapter **
** titles, headings, and bullets are preserved.  Major          **
** divisions and subdivisions of the text, such as Chapters,    **
** Sections, and Appendixes, are identified by double and       **
** single lines.  The numbers on the right end of these lines   **
** indicate the position of each of the subsections in the      **
** document outline.  These numbers do NOT correspond with the  **
** page numbers of the printed product.                         **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
** A printed copy of this report may be obtained from the GAO   **
** Document Distribution Center.  For further details, please   **
** send an e-mail message to:                                   **
**                                                              **
**                                            **
**                                                              **
** with the message 'info' in the body.                         **
******************************************************************


Cover
================================================================ COVER


Before the Committee on Governmental Affairs
U.S. Senate

For Release on Delivery
Expected at
10 a.m.
Thursday,
April 10, 1997

IRS SYSTEMS SECURITY - TAX
PROCESSING OPERATIONS AND DATA
STILL AT RISK DUE TO SERIOUS
WEAKNESSES

Statement of Dr. Rona B. Stillman
Chief Scientist, Computers and Telecommunications
Accounting and Information Management Division

GAO/T-AIMD-97-76

GAO/AIMD-97-76t


(511537)


Abbreviations
=============================================================== ABBREV

  EARL - Electronic Audit Research Log
  IDRS - Integrated Data Retrieval System
  IRS - Internal Revenue Service

============================================================ Chapter 0

Mr. Chairman and Members of the Committee: 

We appreciate the opportunity to participate in this hearing on
Internal Revenue Service (IRS) computer security weaknesses. 
Computer security problems are not unique to IRS.  In fact, since
June 1993, we have issued over 30 reports describing serious
information security weaknesses at major federal agencies.  Moreover,
we reported in September 1996 that in the previous 2 years, serious
information security control weaknesses had been reported for 10 of
the 15 largest federal agencies.\1 This means that literally billions
of dollars worth of assets are at risk of loss and vast amounts of
sensitive data are at risk of unauthorized disclosure, modification,
and destruction.  Accordingly, we designated information security as
a governmentwide high-risk issue in our 1997 report series on
high-risk programs.\2

Over the past several years, we have reported that IRS' management of
computer security is ineffective and have made recommendations to
strengthen computer security.  Nevertheless, the GAO report that
Senator Glenn has just released shows that IRS continues to have
serious weaknesses in the controls used to safeguard IRS computer
systems, facilities, and taxpayer data.  These weaknesses could
result in the disruption of tax processing operations or in the
improper use, modification, or destruction of taxpayer data. 

Computer security control weaknesses make IRS' computer resources and
taxpayer data unnecessarily vulnerable to external threats, such as
natural disasters and individuals or organizations with malicious
intentions.  They also increase IRS' vulnerability to internal
threats, such as IRS employees accessing taxpayer files for purposes
unrelated to their jobs (e.g., reading the files of celebrities or
neighbors) or making unauthorized changes to taxpayer data, either
inadvertently or deliberately for personal gain (e.g., to initiate
unauthorized refunds or abatements of tax).  These unauthorized and
improper activities by IRS employees, which are commonly referred to
as browsing, have been the focus of considerable attention in recent
years, and have been of particular interest to this Committee.  We
found that despite this attention and interest, IRS is still not
effectively addressing its browsing problem.  IRS still does not
effectively monitor employee activity, accurately record browsing
violations, consistently punish offenders, or widely publicize
reports of incidents detected and penalties imposed. 

Before discussing each of these areas in greater detail, it is
important to note that neither my statement nor our report that
Senator Glenn just released quantifies the total number of weaknesses
that we found or the number of weaknesses found in each of the eight
functional categories of security that we reviewed.  Additionally,
neither my statement nor the report details the most serious
weaknesses that we found.  IRS officials were concerned that public
disclosure of this information would increase the risks to their
operations and employees.  All of our findings have been reported in
detail to the appropriate congressional committees. 


--------------------
\1 Information Security:  Opportunities for Improved OMB Oversight of
Agency Practices (GAO/AIMD-96-110, Sept.  24, 1996). 

\2 High-Risk Series:  Information Management and Technology
(GAO/HR-97-9, February 1997). 


   BACKGROUND
---------------------------------------------------------- Chapter 0:1

IRS relies on automated information systems to process over 200
million taxpayer returns and collect over $1 trillion in taxes
annually.  IRS operates 10 facilities throughout the United States to
process tax returns and other information supplied by taxpayers. 
These data are then electronically transmitted to a central computing
facility, where master files of taxpayer information are maintained
and updated.  A second computing facility processes and stores
taxpayer data used by IRS in conducting certain compliance functions. 
There are also hundreds of other IRS facilities (e.g., regional and
district offices) that use information systems to support tax
administration. 


      IRS COMPUTER SECURITY
      REQUIREMENTS
-------------------------------------------------------- Chapter 0:1.1

The Department of the Treasury requires IRS to have C2-level
safeguards to protect the confidentiality of taxpayer data.\3
C2-level safeguards ensure "need-to-know" protection and controlled
access to data.  Similarly, IRS' Tax Information Security Guidelines
require that all computer and communication systems that process,
store, or transmit taxpayer data adequately protect these data, and
the Internal Revenue Code prohibits the unauthorized disclosure of
federal returns and return information. 


--------------------
\3 The Department of Defense defines a hierarchy of security levels
(i.e., A1, B3, B2, B1, C2, C1, and D), with A1 currently being the
highest level of protection and D being the minimum level of
protection. 


      PRIOR GAO WORK ON IRS
      COMPUTER SECURITY
-------------------------------------------------------- Chapter 0:1.2

Over the past 3 years, we testified and reported numerous times on
serious weaknesses in security and other internal controls used to
safeguard IRS computer systems and facilities.  For instance, in
August 1993, we identified weaknesses in IRS systems that hampered
the Service's ability to effectively protect and control taxpayer
data.\4

Subsequently, in December 1993, IRS identified taxpayer data security
as a material weakness in its Federal Managers' Financial Integrity
Act report. 

In 1994, we reported, and IRS acknowledged, that while IRS had made
some progress in correcting computer security weaknesses, IRS still
faced serious and long-standing control weaknesses over automated
taxpayer data.  Moreover, we reported that these long-standing
weaknesses were symptomatic of broader computer security management
issues. 

With respect to employee browsing, we reported in September 1993 that
IRS did not adequately (1) restrict access by computer support staff
to computer programs and data files or (2) monitor the use of these
resources by computer support staff and users.\5 As a result,
personnel who did not need access to taxpayer data could read and
possibly use this information for fraudulent purposes.  Also,
unauthorized changes could be made to taxpayer data, either
inadvertently or deliberately for personal gain (for example, to
initiate unauthorized refunds or abatements of tax).  In August 1995,
we reported that the Service still lacked sufficient safeguards to
prevent or detect unauthorized browsing of taxpayer information.\6


--------------------
\4 Financial Management:  First Financial Audits of IRS and Customs
Revealed Serious Problems (GAO/T-AIMD-93-3, Aug.  4, 1993). 

\5 IRS Information Systems:  Weaknesses Increase Risk of Fraud and
Impair Reliability of Management Information (GAO/AIMD-93-34, Sept. 
22, 1993). 

\6 Financial Audit:  Examination of IRS' Fiscal Year 1994 Financial
Statements (GAO/AIMD-95-141, Aug.  4, 1995). 


   SERIOUS COMPUTER SECURITY
   WEAKNESSES PERSIST
---------------------------------------------------------- Chapter 0:2

Our on-site reviews of security at five facilities disclosed many
weaknesses in eight functional areas.  These areas are (1) physical
security, (2) logical security,\7 (3) data communications management,
(4) risk analysis, (5) quality assurance, (6) internal audit and
security,\8 (7) security awareness, and (8) contingency planning.  Of
these eight, the primary weaknesses were in the areas of physical and
logical security.  Examples of weaknesses are discussed below. 


--------------------
\7 Logical security measures are safeguards incorporated in computer
hardware and software. 

\8 The phrases "internal audit" and "internal security" refer to
functional disciplines, not IRS organizational entities. 


      PHYSICAL SECURITY
-------------------------------------------------------- Chapter 0:2.1

Physical security and access control measures, such as locks, guards,
fences, and surveillance equipment, are critical to safeguarding
taxpayer data and computer operations from internal and external
threats.  We found many serious weaknesses in physical security at
the facilities visited.  IRS has approved for public release only the
following examples of physical security weaknesses: 

  -- Collectively, the five facilities could not account for
     approximately 6,400 units of magnetic storage media, such as
     tapes and cartridges, which could contain taxpayer data.  The
     number per facility ranged from a low of 41 to a high of 5,946. 

  -- Fire suppression trash cans were not used in several facilities. 

  -- Printouts containing taxpayer data were left unprotected and
     unattended in open areas of two facilities where they could be
     compromised. 


      LOGICAL SECURITY
-------------------------------------------------------- Chapter 0:2.2

Logical security controls limit access to computing resources to
those personnel and programs with a need to know.  Logical security
control measures include the use of safeguards incorporated in
computer hardware, system and application software, communication
hardware and software, and related devices.  We found numerous
weaknesses in logical security at the facilities visited.  Again, IRS
has approved public disclosure of only the following examples: 

  -- Tapes containing taxpayer data were not overwritten prior to
     reuse, providing the potential for unauthorized disclosure. 

  -- Access to system software was not limited to individuals with a
     need to know.  For example, at two facilities, we found that
     data base administrators\9 had access to system software,
     although their job functions and responsibilities did not
     require it. 

  -- Application programmers were allowed to move development
     software into the production environment without adequate
     controls.  In addition, these programmers were allowed to use
     taxpayer data for testing purposes, which places these data at
     unnecessary risk of unauthorized disclosure and modification. 
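The last bullet describes programmers testing against live taxpayer data. One control for that, shown here as an added example that is not IRS or GAO code, is a masking job that runs inside production and hands developers a copy in which identifiers are replaced by keyed tokens and amounts are coarsened. The record layout, field names, the `MASKING_KEY` value and the sample records are all constructed for the illustration; the keyed HMAC is the technique, not anything the testimony attributes to IRS.

```python
"""Added example (not IRS code): produce a masked copy of taxpayer records
for development and test so programmers never handle the real data."""
import hashlib
import hmac

# Constructed sample records, shaped like a small production extract.
PRODUCTION_RECORDS = [
    {"tin": "123-45-6789", "name": "A. Taxpayer", "refund_cents": 125000},
    {"tin": "987-65-4321", "name": "B. Taxpayer", "refund_cents": 0},
    {"tin": "123-45-6789", "name": "A. Taxpayer", "refund_cents": 4200},
]

# Constructed key. It exists only in the masking job; the test environment
# never receives it, so tokens cannot be mapped back to real identifiers there.
MASKING_KEY = b"constructed-masking-key-kept-in-production-only"


def pseudonymize_tin(tin, key=MASKING_KEY):
    """Keyed, format-preserving token for a taxpayer identifier.

    Same TIN -> same token, so joins between masked tables still work.
    Different key -> unrelated tokens, so each test refresh can be re-keyed.
    """
    digest = hmac.new(key, tin.encode(), hashlib.sha256).digest()
    digits = f"{int.from_bytes(digest, 'big') % 10**9:09d}"
    return f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"


def mask_record(record, key=MASKING_KEY):
    """Replace every identifying field; keep only what tests need."""
    token = pseudonymize_tin(record["tin"], key)
    return {
        "tin": token,
        # Synthetic name derived from the token alone, never from the real name.
        "name": "TEST " + token[-4:],
        # Round amounts to whole hundreds of dollars so they are not identifying
        # on their own but still exercise the arithmetic paths.
        "refund_cents": record["refund_cents"] // 10000 * 10000,
    }


def mask_records(records, key=MASKING_KEY):
    return [mask_record(r, key) for r in records]


def leaks_real_tin(masked, originals):
    """Release gate: refuse the extract if any original TIN survived."""
    real = {r["tin"] for r in originals}
    return any(m["tin"] in real for m in masked)


if __name__ == "__main__":
    masked = mask_records(PRODUCTION_RECORDS)
    for row in masked:
        print(row)
    print("leak check:", "FAIL" if leaks_real_tin(masked, PRODUCTION_RECORDS) else "ok")
```

The masking job, not the programmers, is the only thing that ever holds both the key and the real records; the leak check runs before the extract is released to the development environment, which is the control the bullet says was missing.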


--------------------
\9 The data base administrator is responsible for overall control of
the data base, including its content, storage structure, access
strategy, security and integrity checks, and backup and recovery. 


      EXAMPLES OF WEAKNESSES IN
      OTHER FUNCTIONAL AREAS
-------------------------------------------------------- Chapter 0:2.3

Weaknesses were also found in the remaining six functional areas. 
For example, none of the facilities visited had conducted a complete
risk analysis to identify and determine the severity of all the
security threats to which they were vulnerable.  Without these
analyses, systems' vulnerabilities may not be identified and
appropriate controls may not be implemented to correct them. 

Also, we found that two of the facilities had not performed an audit
of operations within the last 5 years.  Such internal audit and
security reviews are needed to ensure that safeguards are adequate
and to alert management to potential security problems. 

Additionally, three of the five facilities did not have an adequate
security awareness program.  For example, one site had no process in
place to ensure that management was made aware of security violations
and security-related issues.  An effective security awareness program
is the means through which management communicates to employees the
importance of security policies, procedures, and responsibilities for
protecting taxpayer data. 

Last, none of the five facilities visited had comprehensive disaster
recovery plans.  Specifically, we found that disaster recovery
procedures at two of the five facilities had not been tested, while
plans for the remaining locations were incomplete--i.e., they failed
to include instructions for restoring all mission-critical
applications and reestablishing telecommunications.  Further, none
had completed business resumption plans, which should specify the
disaster recovery goals and milestones required to meet the business
needs of their customers. 


   ELECTRONIC BROWSING IS NOT
   BEING ADDRESSED EFFECTIVELY
---------------------------------------------------------- Chapter 0:3

IRS employee browsing of taxpayer information is another security
threat that requires effective countermeasures.  To address this
threat, IRS developed the Electronic Audit Research Log (EARL), an
automated tool to monitor and detect browsing on the Integrated Data
Retrieval System (IDRS).\10 IRS has also taken legal and disciplinary
actions against employees caught browsing.  However, EARL has
shortcomings that limit its ability to detect browsing.  In addition,
IRS does not have reliable, objective measures for determining
whether or not the Service is making progress in reducing browsing. 
Further, IRS facilities inconsistently (1) review and refer incidents
of employee browsing, (2) apply penalties for browsing violations,
and (3) publicize the outcomes of browsing cases to deter other
employees from browsing. 


--------------------
\10 IDRS is the primary computer system IRS employees use to access
and adjust taxpayer accounts. 


      EARL'S ABILITY TO DETECT
      BROWSING IS LIMITED
-------------------------------------------------------- Chapter 0:3.1

EARL cannot detect all instances of browsing because it only monitors
employees using IDRS.  EARL does not monitor the activities of IRS
employees using other systems, such as the Distributed Input System,
the Integrated Collection System, and the Totally Integrated
Examination System, which are also used to create, access, or modify
taxpayer data.  In addition, information systems personnel
responsible for systems development and testing can browse taxpayer
information on magnetic tapes, cartridges, and other files using
system utility programs, such as the Spool Display and Search
Facility,\11 which also are not monitored by EARL. 

Further, EARL has some weaknesses that limit its ability to identify
browsing by IDRS users.  For example, because EARL is not effective
in distinguishing between browsing activity and legitimate work
activity, it identifies so many potential browsing incidents that a
subsequent manual review to find incidents of actual browsing is
time-consuming and difficult.  IRS is evaluating options for
developing a newer version of EARL that may better distinguish
between legitimate activity and browsing. 


--------------------
\11 This utility enables a programmer to view a system's output,
which may contain investigative or taxpayer information. 


      IRS PROGRESS IN REDUCING AND
      DISCIPLINING BROWSING CASES
      IS UNCLEAR
-------------------------------------------------------- Chapter 0:3.2

IRS' management information systems do not provide sufficient
information to describe known browsing incidents precisely or to
evaluate their severity consistently.  IRS personnel refer potential
browsing cases to either the Labor Relations or Internal Security
units, each of which records information on these potential cases in
its own case tracking system.  However, neither system captures
sufficient information to report on the total number of unauthorized
accesses.  For example, neither system contains enough information on
each case to determine how many taxpayer accounts were
inappropriately accessed or how many times each account was accessed. 
Without such information, IRS cannot measure whether it is making
progress from year to year in reducing browsing. 
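The two shortcomings described here and in the preceding subsection (EARL flags so many legitimate accesses that manual review is impractical, and the case-tracking systems cannot say how many accounts were touched or how often) can be seen together in a small detection routine. The code below is an added example, not EARL or any IRS code; the log line format, employee and account identifiers, the assignment list and the employee-to-own-account mapping are all constructed. It classifies each access against the employee's assigned cases (a need-to-know check) rather than by volume, which is what keeps the candidate list short, and then summarizes each candidate case with the counts the text says are missing.

```python
"""Added example (not EARL or IRS code): flag candidate browsing in a
constructed IDRS-style access log and summarize each candidate case."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: timestamp, employee id, taxpayer account, action.
SAMPLE_LOG = """\
1997-03-03T09:12:00 E1001 TIN-100200 VIEW
1997-03-03T09:15:00 E1001 TIN-100201 ADJUST
1997-03-03T09:40:00 E1001 TIN-555001 VIEW
1997-03-03T09:41:00 E1001 TIN-555002 VIEW
1997-03-03T09:42:00 E1001 TIN-555002 VIEW
1997-03-03T10:02:00 E1002 TIN-100300 VIEW
1997-03-03T10:05:00 E1002 TIN-100300 ADJUST
1997-03-03T10:30:00 E1002 TIN-E1002 VIEW
1997-03-03T11:00:00 E1003 TIN-100400 VIEW
"""

# Constructed assignment data: the accounts each employee is currently
# working, i.e. the "need to know" that legitimizes an access.
ASSIGNMENTS = {
    "E1001": {"TIN-100200", "TIN-100201"},
    "E1002": {"TIN-100300"},
    "E1003": {"TIN-100400"},
}

# Constructed mapping from employee to the account holding their own return.
OWN_ACCOUNT = {"E1001": "TIN-E1001", "E1002": "TIN-E1002", "E1003": "TIN-E1003"}


@dataclass
class Access:
    ts: str
    employee: str
    account: str
    action: str


def parse_log(text):
    """One Access per non-empty log line (whitespace-separated fields)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, emp, acct, action = line.split()
        records.append(Access(ts, emp, acct, action))
    return records


def classify(access, assignments, own_account):
    """Return None for legitimate work, otherwise a reason string."""
    if access.account == own_account.get(access.employee):
        return "self-access"
    if access.account not in assignments.get(access.employee, set()):
        return "unassigned-account"
    return None


def find_candidates(records, assignments, own_account):
    """Group flagged accesses into one candidate case per employee."""
    cases = defaultdict(list)
    for r in records:
        reason = classify(r, assignments, own_account)
        if reason:
            cases[r.employee].append((r, reason))
    return dict(cases)


def summarize_case(flagged):
    """Counts the text says the tracking systems lack: how many accounts
    were accessed and how many times each one was accessed."""
    per_account = defaultdict(int)
    reasons = set()
    for r, reason in flagged:
        per_account[r.account] += 1
        reasons.add(reason)
    return {
        "distinct_accounts": len(per_account),
        "total_accesses": sum(per_account.values()),
        "accesses_per_account": dict(per_account),
        "reasons": sorted(reasons),
    }


def report(text=SAMPLE_LOG, assignments=ASSIGNMENTS, own_account=OWN_ACCOUNT):
    """Candidate cases keyed by employee, each with its summary metrics."""
    cases = find_candidates(parse_log(text), assignments, own_account)
    return {emp: summarize_case(flagged) for emp, flagged in cases.items()}


if __name__ == "__main__":
    for emp, summary in report().items():
        print(emp, summary)
```

Two caveats follow directly from the testimony. The need-to-know check is only as good as the assignment data behind it, so stale or incomplete case lists reintroduce the false positives EARL suffers from; and the routine sees only the systems whose logs are fed to it, so systems outside the feed (the text names the Distributed Input System, the Integrated Collection System, the Totally Integrated Examination System and spool-display utilities) remain unmonitored exactly as they are for EARL.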

A recent report by the IRS EARL Executive Steering Committee\12 shows
that the number of browsing cases closed has fluctuated from a low of
521 in fiscal year 1991 to a high of 869 in fiscal year 1995.\13
However, the report concluded that the Service does not consistently
count the number of browsing cases and that "it is difficult to
assess what the detection programs are producing .  .  .  or our
overall effectiveness in identifying IDRS browsing."

Further, the committee reported that "the percentages of cases
resulting in discipline has remained constant from year to year in
spite of the Commissioner's 'zero tolerance' policy." IRS browsing
data for fiscal years 1991 to 1995 show that the percentage of
browsing cases resulting in IRS' three most severe categories of
penalties (i.e., disciplinary action, separation, and
resignation/retirement) has ranged between 23 and 34 percent, with an
average of 29 percent.\14


--------------------
\12 Electronic Audit Research Log (EARL) Executive Steering Committee
Report, (Sept.  30, 1996). 

\13 We did not verify the accuracy and reliability of these data. 

\14 The mix among these three categories has remained relatively
constant each year with disciplinary action accounting for the vast
majority of penalties. 


      BROWSING INCIDENTS ARE
      REVIEWED, REFERRED,
      DISCIPLINED, AND PUBLICIZED
      INCONSISTENTLY
-------------------------------------------------------- Chapter 0:3.3

IRS processing facilities do not consistently review and refer
potential browsing cases.  The processing facilities responsible for
monitoring browsing had different policies and procedures for
identifying potential violations and referring them to the
appropriate unit within IRS for investigation and action.  For
example, at one facility, the analysts who identify potential
violations referred all of them to Internal Security, while staff at
another facility sent some to Internal Security and the remainder to
Labor Relations. 

IRS has taken steps to improve the consistency of its review and
referral process.  In June 1996, it developed specific criteria for
analysts to use when making referral decisions.  A recent report by
the EARL Executive Steering Committee stated that IRS had implemented
these criteria nationwide.  Because IRS was in the process of
implementing these criteria during our work, we could not validate
their implementation or effectiveness. 

IRS facilities are not consistently disciplining employees caught
browsing.  After several IRS directors raised concerns that field
offices were inconsistent in the types of discipline imposed in
similar cases, IRS' Western Region analyzed fiscal year 1995 browsing
cases for all its offices and found inconsistent treatment for
similar types of offenses.  For example, one employee who attempted
to access his own account was given a written warning, while other
employees in similar situations, from the same division, were not
counseled at all. 

The EARL Executive Steering Committee reported widespread
inconsistencies in the penalties imposed in browsing cases.  For
example, the committee's report showed that for fiscal year 1995, the
percentage of browsing cases resulting in employee counseling ranged
from a low of 0 percent at one facility to 77 percent at another. 
Similarly, the report showed that the percentage of cases resulting
in removal ranged from 0 percent at one facility to 7 percent at
another.  For punishments other than counseling or removal (e.g.,
suspension), the range was between 10 percent and 86 percent. 

IRS facilities did not consistently publicize the penalties assessed
in browsing cases to deter such behavior.  For example, we found that
one facility never reported disciplinary actions.  However, another
facility reported the disciplinary outcomes of browsing cases in its
monthly newsletter.  By inconsistently and incompletely reporting on
penalties assessed for employee browsing, IRS is missing an
opportunity to more effectively deter such activity. 


-------------------------------------------------------- Chapter 0:3.4

In conclusion, IRS' approach to computer security has not been
effective.  Serious weaknesses persist in security controls intended
to safeguard IRS computer systems, data, and facilities.  These
weaknesses expose tax processing operations to the risk of disruption
and taxpayer data to the risk of unauthorized use, modification, and
destruction.  Further, although IRS has taken some action to detect
and deter browsing, it is still not effectively addressing this area
of continuing concern because (1) it does not know the full extent of
browsing and (2) it is addressing cases of browsing inconsistently. 

Because of this, our report contains a series of specific
recommendations, which if implemented, should greatly strengthen IRS
computer security and effectively address its security risks.  In
summary, the report recommends that the IRS Commissioner (1) prepare
a plan by April 30, 1997, for correcting all the weaknesses we
identified at the five facilities we visited and for identifying and
correcting security weaknesses at the other IRS facilities, (2)
provide this plan to selected congressional committees, including the
Senate Committee on Governmental Affairs, (3) report IRS' progress
against this plan in its fiscal year 1999 budget submissions, (4)
until corrected, report the security control weaknesses that we
identified as material weaknesses in Treasury's Federal Managers'
Financial Integrity Act reports, (5) by June 1997, reevaluate IRS'
approach to computer security and report the results to selected
congressional committees, including the Senate Committee on
Governmental Affairs, (6) ensure that IRS completely and consistently
monitors, records, and reports the full extent of electronic
browsing, and (7) report IRS' progress in eliminating browsing in
IRS' annual budget submission. 

IRS has concurred with these recommendations and stated that it will
implement them.  We plan to monitor its progress in doing so to
ensure that security weaknesses are corrected and security management
is strengthened. 

Mr. Chairman, this concludes my statement.  Lynda Willis, Director,
Tax Policy and Administration Issues, and I will be happy to respond
to any questions you or Members of the Committee might have at this
time. 

*** End of document. ***