GAO takes IRS to task – again – over information security lapses

For a number of years, the GAO has identified numerous information security shortcomings at the tax agency, many of which have yet to be fixed.

Weaknesses in controls over key financial and tax-processing systems at the IRS “continue to jeopardize the confidentiality, integrity, and availability of the financial and sensitive taxpayer information”, the government watchdog warned in this year's audit.

The GAO said that the IRS has not fully (1) implemented controls for identifying and authenticating users, (2) restricted access to certain sensitive servers, (3) ensured that sensitive data were encrypted when transmitted, (4) audited and monitored systems to ensure that unauthorized activities would be detected, or (5) ensured management validation of access to restricted areas. In addition, the agency has been lax in patching vulnerable software and replacing outdated software.

The auditors criticized the IRS for conducting limited testing of information security controls. “In one case, testers concluded that encryption was in place by reviewing a diagram and interviewing key staff rather than performing system testing”, the report observed.

The GAO said that the continuing data control weaknesses at the IRS result from the agency’s inability to fully implement a comprehensive information security program. A disturbing 76 information security weaknesses out of 105 weaknesses identified in the GAO’s previous audit had not been fixed by this year’s audit. In addition, close to half of the weaknesses reported by the IRS as fixed “had not been fully addressed”, the watchdog concluded.

In his response to the GAO audit, IRS Commissioner Douglas Shulman said that the “integrity of our financial systems continues to be sound….The IRS has fully implemented a comprehensive information security program.”

It would seem that ‘Denial’ flows through Washington, DC, as well as Cairo.

What’s Hot on Infosecurity Magazine?