GAO takes IRS to task – again – over information security lapses

20 March 2012

The Government Accountability Office (GAO) is again chastising the Internal Revenue Service (IRS) for not fixing ongoing information security problems at the US tax agency.

For a number of years, the GAO has identified numerous information security shortcomings at the tax agency, many of which have yet to be fixed.

Weaknesses in controls over key financial and tax-processing systems at the IRS “continue to jeopardize the confidentiality, integrity, and availability of the financial and sensitive taxpayer information”, the government watchdog warned in this year's audit.

The GAO said that the IRS has not fully (1) implemented controls for identifying and authenticating users, (2) restricted access to certain sensitive servers, (3) ensured that sensitive data were encrypted when transmitted, (4) audited and monitored systems to ensure that unauthorized activities would be detected, or (5) ensured management validation of access to restricted areas. In addition, the agency has been lax in patching vulnerable software and replacing outdated software.

The auditors criticized the IRS for conducting limited testing of information security controls. “In one case, testers concluded that encryption was in place by reviewing a diagram and interviewing key staff rather than performing system testing”, the report observed.

The GAO said that the continuing data control weaknesses at the IRS result from the agency’s inability to fully implement a comprehensive information security program. A disturbing 76 information security weaknesses out of 105 weaknesses identified in the GAO’s previous audit had not been fixed by this year’s audit. In addition, close to half of the weaknesses reported by the IRS as fixed “had not been fully addressed”, the watchdog concluded.

In his response to the GAO audit, IRS Commissioner Douglas Shulman said that the “integrity of our financial systems continues to be sound…. The IRS has fully implemented a comprehensive information security program.”

It would seem that ‘Denial’ flows through Washington, DC, as well as Cairo.
