This is the accessible text file for GAO report number GAO-05-482 
entitled 'Information Security: Internal Revenue Service Needs to 
Remedy Serious Weaknesses over Taxpayer and Bank Secrecy Act Data' 
which was released on April 15, 2005. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to the Committee on the Judiciary: 

House of Representatives: 

April 2005: 

Information Security: 

Internal Revenue Service Needs to Remedy Serious Weaknesses over 
Taxpayer and Bank Secrecy Act Data: 

[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-05-482]: 

GAO Highlights: 

Highlights of GAO-05-482, a report to the Committee on the Judiciary, 
House of Representatives: 

Why GAO Did This Study: 

The Internal Revenue Service (IRS) relies extensively on computerized 
systems to support its financial and mission-related operations. In 
addition, IRS provides computer processing support to the Financial 
Crimes Enforcement Network (FinCEN)—another Treasury bureau. As part of 
IRS’s fiscal year 2004 financial statements, GAO assessed (1) the 
status of IRS’s actions to correct or mitigate previously reported 
weaknesses at one of its critical data processing facilities and (2) 
the effectiveness of IRS’s information security controls in protecting 
the confidentiality, integrity, and availability of key financial and 
tax processing systems. 

What GAO Found: 

IRS has made progress in correcting or mitigating previously reported 
information security weaknesses and in implementing controls over key 
financial and tax processing systems that are located at one of its 
critical data processing facilities. It has corrected or mitigated 32 
of the 53 weaknesses that GAO reported as unresolved at the time of our 
prior review in 2002.

However, in addition to the remaining 21 previously reported weaknesses 
for which IRS has not completed actions, 39 newly identified 
information security control weaknesses impair IRS’s ability to ensure 
the confidentiality, integrity, and availability of its sensitive 
financial and taxpayer data and FinCEN’s Bank Secrecy Act data. For 
example, IRS has not implemented effective electronic access controls 
over its mainframe computing environment to logically separate its 
taxpayer data from FinCEN’s Bank Secrecy Act data—two types of data 
with different security requirements. In addition, IRS has not 
effectively implemented certain other information security controls 
relating to physical security, segregation of duties, and service 
continuity at the facility. Collectively, these weaknesses increase the 
risk that sensitive taxpayer and Bank Secrecy Act data will be 
inadequately protected from unauthorized disclosure, modification, use, 
or destruction. Moreover, weaknesses in service continuity and business 
resumption plans heighten the risk that assets will be inadequately 
protected and controlled to ensure the continuity of operations when 
unexpected interruptions occur. 

An underlying cause of these information security control weaknesses is 
that IRS has not fully implemented certain elements of its agencywide 
information security program. Until IRS fully implements a 
comprehensive agencywide information security program, its facilities 
and computing resources and the information that is processed, stored, 
and transmitted on its systems will remain vulnerable. 

What GAO Recommends:

GAO recommends that the Secretary of the Treasury direct the IRS 
Commissioner to take several actions to fully implement an effective 
agencywide information security program and to assess whether taxpayer 
data have been disclosed to unauthorized individuals. GAO also 
recommends that the Secretary of the Treasury direct the FinCEN 
Director to assess whether Bank Secrecy Act data have been disclosed to 
unauthorized individuals. The Acting Deputy Secretary of the Treasury 
generally agreed with the recommendations and identified specific 
completed and planned corrective actions.

www.gao.gov/cgi-bin/getrpt?GAO-05-482.

To view the full product, including the scope and methodology, click on 
the link above. For more information, contact Greg Wilshusen at 202-512-
3317 or wilshuseng@gao.gov.

[End of section] 

Contents: 

Letter: 

Results in Brief: 

Background: 

Objectives, Scope, and Methodology: 

IRS Has Made Progress in Correcting Previously Reported Weaknesses: 

Serious Weaknesses Place Taxpayer and Bank Secrecy Act Data at Risk: 

Information Security Program Is Not Fully Implemented at IRS: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments: 

Appendixes: 

Appendix I: Comments from the Secretary of the Treasury: 

Appendix II: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

Staff Acknowledgments: 

BSA: Bank Secrecy Act: 

CIO: chief information officer: 

FinCEN: Financial Crimes Enforcement Network: 

FISMA: Federal Information Security Management Act of 2002: 

IRS: Internal Revenue Service: 

MASS: Mission Assurance and Security Services: 

RACF: Resource Access Control Facility: 

Letter April 15, 2005: 

The Honorable F. James Sensenbrenner Jr.: 
Chairman: 
The Honorable John Conyers Jr.: 
Ranking Minority Member: 
Committee on the Judiciary: 
House of Representatives: 

As part of our audit of the Internal Revenue Service's (IRS) fiscal 
year 2004 financial statements,[Footnote 1] we assessed the 
effectiveness of IRS's information security controls[Footnote 2] over 
key financial systems, data, and interconnected networks at one of 
IRS's critical data processing facilities that support the processing, 
storage, and transmission of sensitive financial and taxpayer data. In 
addition, the facility maintains Bank Secrecy Act data on behalf of the 
Financial Crimes Enforcement Network (FinCEN). These data are used by 
federal law enforcement and regulatory agencies, as well as IRS, to 
support their investigations of financial crimes, including terrorist 
financing and money laundering. 

This report describes (1) the status of IRS's actions to correct or 
mitigate previously reported weaknesses at the facility and (2) whether 
controls over key financial and tax processing systems have been 
effective in ensuring the confidentiality, integrity, and availability 
of financial and sensitive taxpayer data. In response to your request, 
we are addressing this report to you. 

Separately, we issued a Limited Official Use Only report to you 
detailing the results of our review. This version of the report, for 
public release, provides a general summary of the vulnerabilities 
identified and our recommendations to help strengthen and improve IRS's 
information security controls. 

Results in Brief: 

IRS has made progress in correcting or mitigating previously reported 
information security weaknesses and implementing controls over key 
financial and tax processing systems that are located at a critical 
data processing facility. The agency has corrected or mitigated 32 of 
the 53 weaknesses that we reported as unresolved at the time of our 
prior review in 2002. For example, IRS improved perimeter security by 
installing barriers at the facility's entrance and implemented 
procedures to ensure that up-to-date copies of disaster recovery plans 
would be maintained at an off-site storage facility. 

However, IRS has not effectively implemented controls over key 
financial and tax processing systems located at the facility. In 
addition to the remaining 21 previously reported weaknesses, for which 
IRS has not completed actions, 39 newly identified information security 
control weaknesses impair IRS's ability to ensure the confidentiality, 
integrity, and availability of its sensitive financial and taxpayer 
data and FinCEN's Bank Secrecy Act data. IRS has not implemented 
effective electronic access controls to prevent, limit, or detect 
unauthorized access to computing resources from the internal IRS 
computer network. For example, access controls over the mainframe 
computing environment did not logically separate IRS's taxpayer data 
from FinCEN's Bank Secrecy Act data--two types of data with different 
security requirements. As a result, all mainframe users could read or 
copy Bank Secrecy Act data, and law enforcement users could read or 
copy taxpayer data. In addition, IRS had not effectively implemented 
certain other information security controls relating to physical 
security, segregation of duties, and service continuity at the 
facility. Collectively, these weaknesses increase the risk that 
sensitive taxpayer and Bank Secrecy Act data will not be adequately 
protected from unauthorized disclosure, modification, use, or loss. 
Moreover, weaknesses in service continuity and business resumption 
plans heighten the risk that assets will not be adequately protected 
and controlled to ensure the continuity of operations when unexpected 
interruptions occur. 

These information security control weaknesses exist primarily because 
IRS has not fully implemented an agencywide information security 
program to effectively protect the information and information systems 
that support the operations and assets of the agency. Although IRS has 
taken some action, including establishing the office of Mission 
Assurance and Security Services, appointing a senior information 
security officer to manage the program, and establishing a task force 
for conducting risk assessments and security test and evaluations, as 
part of activities required for certification and accreditation, it has 
not fully implemented key elements of an effective information security program. 
For example, it has not (1) fully implemented established security 
policies and procedures, (2) provided specialized training to employees 
with significant security responsibilities, and (3) effectively 
instituted a process for performing periodic test and evaluation of its 
systems. Until IRS fully implements a comprehensive agencywide 
information security program, its facilities, computing resources, and 
the information that is processed, stored, and transmitted on its 
systems will remain vulnerable. 

We are making recommendations to the Secretary of the Treasury to 
direct the IRS Commissioner to take several actions to fully implement 
a comprehensive agencywide information security program and to 
determine whether taxpayer information has been disclosed to 
unauthorized individuals. We further recommend that the Secretary of 
the Treasury direct the FinCEN Director to perform an assessment to 
determine whether Bank Secrecy Act data have been disclosed to 
unauthorized users. The IRS Chief of Mission Assurance and Security 
Services informed us that certain corrective actions have been 
completed subsequent to the completion of our fieldwork. 

In providing written comments on a draft of this report, the Acting 
Deputy Secretary of the Treasury generally agreed with our 
recommendations, identified specific corrective actions that IRS has 
taken or plans to take to address the recommendations, and provided 
other comments. 

Background: 

Information security is a critical consideration for any organization 
that depends on information systems and computer networks to carry out 
its mission or business. It is especially important for government 
agencies, where the public's trust is essential. The dramatic expansion 
in computer interconnectivity and the rapid increase in the use of the 
Internet are changing the way our government, the nation, and much of 
the world communicate and conduct business. Without proper safeguards 
they also pose enormous risks that make it easier for individuals and 
groups with malicious intent to intrude into inadequately protected 
systems and use such access to obtain sensitive information, commit 
fraud, disrupt operations, or launch attacks against other computer 
systems and networks. 

Protecting the computer systems that support critical operations and 
infrastructures has never been more important because of the concern 
about attacks from individuals and groups, including terrorists. These 
concerns are well founded for a number of reasons, including the 
dramatic increase in reports of security incidents, the ease of 
obtaining and using hacking tools, the steady advance in the 
sophistication and effectiveness of attack technology, and the dire 
warnings of new and more destructive attacks to come. 

Computer-supported federal operations are likewise at risk. Our 
previous reports, and those of agency inspectors general, describe 
persistent information security weaknesses that place a variety of 
critical federal operations, including those at IRS, at risk of 
disruption, fraud, and inappropriate disclosure. We have designated 
information security as a governmentwide high-risk area since 
1997[Footnote 3]--a designation that remains today.[Footnote 4]

In December 2002, Congress enacted the Federal Information Security 
Management Act of 2002 (FISMA) to strengthen security of information 
and systems within federal agencies.[Footnote 5] FISMA requires each 
agency to develop, document, and implement an agencywide information 
security program to provide information security for the information 
and systems that support the operations and assets of the agency, using 
a risk-based approach to information security management. In addition, 
FISMA requires that the Secretary of the Treasury be responsible for, 
among other things, (1) providing information security protections 
commensurate with the risk and magnitude of the harm resulting from 
unauthorized access, use, disclosure, disruption, modification, or 
destruction of the agency's information systems and information; (2) 
ensuring that senior agency officials provide information security for 
the information and information systems that support the operations and 
assets under their control; and (3) delegating to the agency chief 
information officer (CIO) the authority to ensure compliance with the 
requirements imposed on the agency under the act. 

Treasury's CIO is responsible for developing and maintaining a 
departmentwide information security program and for developing and 
maintaining information security policies, procedures, and control 
techniques that address all applicable requirements. Each Treasury 
bureau, including the IRS, is responsible for implementing Treasury-
mandated security policies within its domain. In order to implement 
departmentwide security policies, IRS is required to develop its own 
information security program, including its own security compliance 
functions. 

IRS Is a Key Steward of Personal Taxpayer Information: 

As the nation's tax collector, IRS has the demanding responsibility of 
collecting taxes, processing tax returns, and enforcing the nation's 
tax laws. In fiscal years 2004 and 2003, IRS collected about $2 
trillion in tax payments, processed hundreds of millions of tax and 
information returns, and paid about $278 billion and $300 billion, 
respectively, in refunds to taxpayers. IRS employs tens of thousands of 
people in its 10 service campuses,[Footnote 6] three computing centers, 
and numerous field offices throughout the United States. To efficiently 
fulfill its tax processing responsibilities, IRS relies extensively on 
interconnected networks of computer systems to perform various 
functions, such as collecting and storing taxpayer data, processing tax 
returns, calculating interest and penalties, generating refunds, and 
providing customer service. 

Because of the nature of its mission, IRS also collects and maintains a 
significant amount of personal and financial data on each American 
taxpayer. The confidentiality of this sensitive information must be 
protected; otherwise, taxpayers could be exposed to loss of privacy and 
to financial loss and damages resulting from identity theft or other 
financial crimes. 

To help provide information security for its operations and assets 
(including computing resources and taxpayer information), IRS has 
developed and is implementing an agencywide information security 
program. The Commissioner of Internal Revenue has overall 
responsibility for ensuring the confidentiality, availability, and 
integrity of information and information systems supporting the agency 
and its operations. The Chief of MASS is responsible for developing 
policies and procedures regarding information technology security; 
providing assurance services to improve physical, data, and personnel 
security; conducting independent testing; and ensuring security is 
integrated into its modernization activities. To help accomplish these 
goals, IRS has developed and published information security policies, 
guidelines, standards, and procedures in the Internal Revenue Manual, 
Law Enforcement Manual, and other documents. 

IRS Also Provides Processing Support for FinCEN: 

In addition to processing its own financial and tax information, IRS 
provides information processing support to FinCEN, another Treasury 
bureau. FinCEN administers and enforces the Bank Secrecy Act 
(BSA)[Footnote 7] and its implementing provisions. Congress enacted the 
BSA to prevent banks and other financial service providers from being 
used as intermediaries for, or to hide the transfer or deposit of money 
derived from, criminal activity. Since its passage, Congress has 
amended the BSA to enhance law enforcement effectiveness. Today, more 
than 170 crimes are listed in federal money-laundering statutes. They 
cover a broad range, including drug trafficking, gunrunning, murder for 
hire, fraud, acts of terrorism, and the illegal use of wetlands. The 
list also includes certain foreign crimes. The reporting and record 
keeping requirements of the BSA regulations create a paper trail for 
law enforcement to investigate money laundering schemes and other 
illegal activities. This paper trail operates to deter illegal activity 
and provides a means to trace the movements of money through the 
financial system. 

FinCEN relies on IRS to operate and maintain computer systems that 
process and store a significant amount of FinCEN's sensitive 
information. This information includes reports and filings from banks 
and other financial institutions that are required under BSA, such as 
currency transactions, foreign bank and financial accounts, 
international transportation of currency or monetary instruments, and 
criminal referrals of suspicious activity reports. This information 
is determined by FinCEN to have a high degree of usefulness in 
criminal, tax, regulatory, intelligence, and counterterrorism 
investigations, and in implementing counter money laundering programs 
and compliance procedures. This network supports federal, state, and 
local law enforcement, and intelligence and investigative agencies as 
part of the federal government's effort to combat terrorism and to 
investigate and prosecute crime. 

Objectives, Scope, and Methodology: 

The objectives of our review were to determine (1) the status of IRS's 
actions to correct or mitigate previously reported weaknesses and (2) 
whether controls over key financial and tax processing systems located 
at the facility have been effective in ensuring the confidentiality, 
integrity, and availability of sensitive financial and taxpayer data. 
We concentrated our evaluation primarily on threats emanating from 
internal sources on IRS's computer networks. To guide our work, we used 
the audit methodology described in our Federal Information System 
Controls Audit Manual,[Footnote 8] which discusses the scope of such 
reviews and the type of testing required for evaluating general 
controls. We also used FISMA to guide our review of IRS's 
implementation of its information security program. Specifically, we 
evaluated information system controls intended to: 

* limit, detect, and monitor logical and physical access to sensitive 
computing resources and facilities, thereby safeguarding them from 
misuse and protecting them from unauthorized disclosure and 
modification;

* maintain operating system integrity through effective administration 
and control of powerful computer programs and utilities that execute 
privileged instructions;

* prevent the introduction of unauthorized changes to application 
software in the existing software environment;

* ensure that work responsibilities are segregated, so that one 
individual does not perform or control all key aspects of computer-
related operations and thereby have the ability to conduct unauthorized 
actions or gain unauthorized access to assets or records;

* minimize the risk of unplanned interruptions and recover critical 
computer processing operations in the case of disaster or other 
unexpected interruptions; and: 

* implement an agencywide information security program that includes a 
continuing cycle of assessing risk, implementing and promoting policies 
and procedures to reduce such risk, and monitoring the effectiveness of 
those activities. 

To evaluate these controls, we identified and reviewed pertinent IRS 
information security policies and procedures, guidance, security plans, 
relevant reports, and other documents, and we tested the effectiveness 
of these controls. We also discussed with key security representatives 
and management officials whether information security controls were in 
place, adequately designed, and operating effectively. 

We performed our review at the IRS facility, at IRS's National Office 
in New Carrollton, Maryland, and at our headquarters in Washington, 
D.C., in accordance with generally accepted government auditing 
standards from August through December 2004. We discussed the results 
of our review with IRS, Treasury, and FinCEN officials. 

IRS Has Made Progress in Correcting Previously Reported Weaknesses: 

IRS has made progress in correcting previously reported information 
security weaknesses. The agency has corrected or mitigated 32 of the 53 
weaknesses that we reported as unresolved at the time of our last 
review in 2002. For example, IRS has: 

* improved perimeter security by installing barriers at the facility's 
entrance to prevent unauthorized vehicles from entering the premises,

* implemented policies and procedures to ensure that system software 
products are tested and evaluated prior to installation,

* discontinued the practice of using shared accounts and passwords to 
administer its network authentication server and firewall, and: 

* implemented procedures to ensure that disaster recovery plans are up-
to-date and maintained at the off-site storage facility. 

While IRS has taken steps to strengthen its information security 
controls, it had not completed actions to correct or mitigate the 
remaining 21 previously reported weaknesses. These weaknesses include 
granting and authorizing inappropriate access permissions over Unix 
system files, permitting remote access capabilities that expose 
passwords and user identifications, allowing users to implement easily 
guessed passwords, and permitting unrestricted physical access to 
sensitive computing areas. Failure to resolve these issues will leave 
IRS facilities and sensitive data vulnerable to unauthorized access, 
manipulation, and destruction. 

Serious Weaknesses Place Taxpayer and Bank Secrecy Act Data at Risk: 

IRS has not effectively implemented information security controls to 
properly protect the confidentiality, integrity, and availability of 
data processed by the facility's computers and networks. In addition to 
the 21 previously reported weaknesses that remain uncorrected, we 
identified 39 new information security weaknesses during this review. 
Serious weaknesses related to electronic access to computing resources 
from sources located on IRS's internal computer network place sensitive 
taxpayer and Bank Secrecy Act data--including information related to 
financial crimes, terrorist financing, money laundering, and other 
illicit activities--at significant risk of unauthorized disclosure, 
modification, or destruction. In addition, information security 
weaknesses that exist in other control areas, such as physical 
security, segregation of duties, and service continuity, further 
increase risk to the computing environment. 

Collectively, these weaknesses threaten IRS's ability to perform its 
operational missions, such as processing tax returns and law 
enforcement information, both of which rely on IRS's computer systems 
and networks to process, store, and transmit data. 

Electronic Access Controls Were Inadequate: 

A basic management objective for any organization is to protect the 
data supporting its critical operations from unauthorized access. 
Organizations accomplish this objective by designing and implementing 
electronic controls that are intended to prevent, limit, and detect 
unauthorized access to computing resources, programs, and data. 
Electronic access controls include user accounts and passwords, access 
rights and permissions, network services and security, and audit and 
monitoring of security-related events. Inadequate electronic access 
controls diminish the reliability of computerized data and increase the 
risk of unauthorized disclosure, modification, and destruction of these 
data. 

Electronic access controls were not effectively implemented to prevent, 
limit, and detect unauthorized access to the facility's computer 
systems and data. Numerous vulnerabilities existed in IRS's computing 
environment because of the cumulative effects of control weaknesses in 
the areas of user accounts and passwords, access rights and 
permissions, network services and security, and audit and monitoring of 
security-related events. 

User Accounts and Passwords: 

A computer system must be able to identify and differentiate among 
users so that activities on the system can be linked to specific 
individuals. Unique user accounts assigned to specific users allow 
systems to distinguish one user from another--a process called 
identification. The system must also establish the validity of a user's 
claimed identity through some means of authentication, such as a 
password, known only to its owner. The combination of identification 
and authentication, such as user account/password combinations, 
provides the basis for establishing individual accountability and 
controlling access to the system. Accordingly, agencies should (1) 
implement procedures to control the creation, use, and removal of user 
accounts and (2) establish password parameters, such as length, life, 
and composition, to strengthen the effectiveness of account/password 
combinations for authenticating the identity of users. 

IRS did not adequately control user accounts and passwords to ensure 
that only authorized individuals were granted access to its systems and 
data. For example, it did not adequately protect mainframe systems 
files that contain embedded user accounts and passwords. Access to 
these files was not adequately restricted, and user account and 
password combinations could have been read by any authorized user--IRS, 
law enforcement, and contractors--of the system. In addition, IRS did 
not adequately control user accounts and passwords to ensure that only 
authorized individuals were allowed access to its servers and networks. 
As a result, increased risk exists that unauthorized users could gain 
authorized user ID and password combinations to claim a user identity 
and then use that identity to gain access to sensitive taxpayer or Bank 
Secrecy Act data. 
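The two controls named above, lifecycle management of user accounts and password parameters for length, life, and composition, are illustrated in the following script. It is an added example and is not code from the GAO report or from any IRS system; the policy thresholds, field names, and account records are constructed for illustration and do not represent IRS or Treasury settings.

```python
"""Account and password-parameter audit (added example, constructed data)."""
from datetime import date

# Assumed policy parameters; not IRS or Treasury values.
POLICY = {
    "min_length": 8,
    "min_char_classes": 3,        # of: lower, upper, digit, symbol
    "max_password_age_days": 90,  # password "life"
    "dormant_after_days": 60,     # unused enabled account is a removal candidate
}


def composition_ok(password: str, policy=POLICY) -> bool:
    """Enforced when a password is set: minimum length plus character-class mix."""
    if len(password) < policy["min_length"]:
        return False
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    return classes >= policy["min_char_classes"]


def audit_accounts(accounts, today: date, policy=POLICY):
    """Return sorted (user_id, finding_code) pairs for an account review.

    Disabled accounts are skipped; the remaining checks cover accountability
    (no named owner), use (dormant or never used), and password life.
    """
    findings = []
    for a in accounts:
        uid = a["user_id"]
        if not a["enabled"]:
            continue
        if a["owner"] is None:  # shared/generic account: no individual accountability
            findings.append((uid, "SHARED_OR_UNOWNED"))
        if a["last_logon"] is None:
            if (today - a["created"]).days > policy["dormant_after_days"]:
                findings.append((uid, "NEVER_USED"))
        elif (today - a["last_logon"]).days > policy["dormant_after_days"]:
            findings.append((uid, "DORMANT_STILL_ENABLED"))
        if a["password_never_expires"]:
            findings.append((uid, "PASSWORD_NEVER_EXPIRES"))
        elif (today - a["password_last_set"]).days > policy["max_password_age_days"]:
            findings.append((uid, "PASSWORD_PAST_MAX_LIFE"))
    return sorted(findings)


# Constructed account records, as an auditor might export them from a directory.
TODAY = date(2004, 12, 1)
ACCOUNTS = [
    {"user_id": "jdoe", "owner": "J. Doe", "enabled": True,
     "created": date(2003, 1, 15), "last_logon": date(2004, 11, 28),
     "password_last_set": date(2004, 10, 20), "password_never_expires": False},
    {"user_id": "ops_shared", "owner": None, "enabled": True,
     "created": date(2002, 5, 1), "last_logon": date(2004, 11, 30),
     "password_last_set": date(2003, 6, 1), "password_never_expires": False},
    {"user_id": "contractor7", "owner": "Vendor X", "enabled": True,
     "created": date(2004, 2, 1), "last_logon": date(2004, 7, 15),
     "password_last_set": date(2004, 7, 1), "password_never_expires": True},
    {"user_id": "newhire", "owner": "A. Lee", "enabled": True,
     "created": date(2004, 8, 1), "last_logon": None,
     "password_last_set": date(2004, 8, 1), "password_never_expires": False},
    {"user_id": "retired", "owner": "B. Kim", "enabled": False,
     "created": date(2001, 3, 1), "last_logon": date(2004, 3, 1),
     "password_last_set": date(2004, 1, 1), "password_never_expires": False},
]

if __name__ == "__main__":
    for user_id, code in audit_accounts(ACCOUNTS, TODAY):
        print(f"{user_id:<12} {code}")
```

The composition check runs at the moment a password is chosen; the account audit runs periodically, and each finding code maps to one of the controls in the passage (removal of unused accounts, individual accountability, password life).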

Access Rights and Permissions: 

A basic underlying principle for securing computer systems and data is 
the concept of least privilege. This means that users are granted only 
those access rights and permissions they need to perform their official 
duties. Organizations establish access rights and permissions to 
restrict the access of legitimate users to only the specific programs 
and files that they need to do their work. User rights are allowable 
actions that can be assigned to users or groups. File and directory 
permissions are rules associated with a file or directory; they 
regulate which users can access them and in what manner. Assignment of 
rights and permissions must be carefully considered to avoid giving 
users unnecessary access to sensitive files and directories. 

IRS routinely permitted excessive access to the facility's computer 
systems--mainframes, Unix, and Windows--that support sensitive taxpayer 
and Bank Secrecy Act data and to critical datasets and files. Access 
controls over the mainframe computing environment did not logically 
separate IRS's data from FinCEN's data. For example, IRS granted all 
7,460 mainframe users--IRS employees, non-IRS employees, contractors--
regardless of their official duties, the ability to read and modify 
sensitive taxpayer and Bank Secrecy Act data, including information 
about citizens, law enforcement personnel, and individuals subject to 
investigation. In addition, IRS also did not adequately restrict access 
rights and permissions on its Windows servers. For example, it did not 
adequately restrict access to Windows accounts with powerful rights 
over the operating system. Inappropriate access to accounts with 
powerful rights can compromise the integrity of the operating system 
and the privacy of the data that reside on the servers. 
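The following script shows how the least-privilege principle and the logical separation discussed above can be checked mechanically. It is an added example and is not code from the GAO report or from any IRS or FinCEN system. The report's mainframe environment uses RACF, whose dataset profiles work differently; the example uses Unix-style owner/group/other mode bits because they are the simplest model to run, and every principal, group, uid, dataset name, and mode below is constructed for illustration.

```python
"""Least-privilege and data-class separation check (added example, constructed data)."""
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    name: str
    uid: int
    groups: frozenset  # group names the principal belongs to


@dataclass(frozen=True)
class Dataset:
    name: str
    owner_uid: int
    owner_group: str
    mode: int  # permission bits only, e.g. 0o640


def allowed(ds: Dataset, who: Principal, write: bool = False) -> bool:
    """Standard Unix evaluation: the owner class applies if the uid matches,
    else the group class if the principal is in the owning group, else other."""
    if who.uid == ds.owner_uid:
        bit = stat.S_IWUSR if write else stat.S_IRUSR
    elif ds.owner_group in who.groups:
        bit = stat.S_IWGRP if write else stat.S_IRGRP
    else:
        bit = stat.S_IWOTH if write else stat.S_IROTH
    return bool(ds.mode & bit)


def separation_violations(datasets, principals, policy):
    """policy maps a dataset's owning group to the groups permitted to touch
    that data class.  Returns sorted (principal, dataset, op) triples that the
    policy forbids but the mode bits permit, i.e. excess access to remove."""
    out = []
    for ds in datasets:
        permitted = policy[ds.owner_group]
        for p in principals:
            if p.groups & permitted:
                continue
            for op, w in (("read", False), ("write", True)):
                if allowed(ds, p, write=w):
                    out.append((p.name, ds.name, op))
    return sorted(out)


# Constructed principals: one from each population named in the report.
PRINCIPALS = [
    Principal("tax_examiner", 1001, frozenset({"irs_tax"})),
    Principal("le_analyst", 1002, frozenset({"fincen_le"})),
    Principal("contractor", 1003, frozenset({"ops"})),
]
# Each data class is readable only by its own group (constructed policy).
POLICY = {"irs_tax": {"irs_tax"}, "fincen_le": {"fincen_le"}}
SERVICE_UID = 500  # owning service account, not one of the principals


def datasets(mode: int):
    return [
        Dataset("IRS.TAX.MASTER", SERVICE_UID, "irs_tax", mode),
        Dataset("BSA.CTR.FILINGS", SERVICE_UID, "fincen_le", mode),
    ]


AS_FOUND = datasets(0o666)  # everyone can read and modify both classes
HARDENED = datasets(0o640)  # owner rw, owning group r, no access for others

if __name__ == "__main__":
    for label, dss in (("as found", AS_FOUND), ("hardened", HARDENED)):
        print(label, separation_violations(dss, PRINCIPALS, POLICY))
```

With the as-found modes every principal can read and write both data classes, which mirrors the finding that all mainframe users could read and modify taxpayer and Bank Secrecy Act data; with group-scoped modes the tax examiner keeps read access to the taxpayer dataset and nothing else, and the violation list is empty.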

Network Services and Security: 

Networks are series of interconnected devices and software that allow 
individuals to share data and computer programs. Because sensitive 
programs and data are stored on or transmitted along networks, 
effectively securing networks is essential to protecting computing 
resources and data from unauthorized access, manipulation, and use. 
Organizations secure their networks, in part, by installing and 
configuring network devices that permit authorized network service 
requests and deny unauthorized requests and by limiting the services 
that are available on the network. Network devices include (1) 
firewalls designed to prevent unauthorized access into the network, (2) 
routers that filter and forward data along the network, (3) switches 
that forward information among parts of a network, and (4) servers that 
host applications and data. Network services consist of protocols for 
transmitting data between computers. Insecurely configured network 
services and devices can make a system vulnerable to internal or 
external threats, such as denial-of-service attacks. Since networks 
often provide the entry point for access to electronic information 
assets, failure to secure those networks increases the risk of 
unauthorized use of sensitive data and systems. 

IRS did not securely control network services to prevent unauthorized 
access to and ensure the integrity of IRS's computer networks and 
systems at the facility. For example, IRS did not adequately secure its 
network against known vulnerabilities or misconfigured network services 
on several of its infrastructure devices. As a result, an unauthorized 
user could gain access to these network devices and gain control of the 
facility's network, placing IRS and FinCEN data at risk. Further, this 
unauthorized control could seriously disrupt computer operations. 

Audit and Monitoring of Security-Related Events: 

Determining what, when, and by whom specific actions were taken on a 
system is crucial to establishing individual accountability, monitoring 
compliance with security policies, and investigating security 
violations. Organizations accomplish this by implementing system or 
security software that provides an audit trail for determining the 
source of a transaction or attempted transaction and for monitoring 
users' activities. How organizations configure the system or security 
software determines the nature and extent of audit trail information 
that is provided. To be effective, organizations should (1) configure 
the software to collect and maintain sufficient audit trails for 
security-related events; (2) generate reports that selectively identify 
unauthorized, unusual, and sensitive access activity; and (3) regularly 
monitor and take action on these reports. Without sufficient auditing 
and monitoring, organizations increase the risk that they may not 
detect unauthorized activities or policy violations. 

The risks created by the serious electronic access control weaknesses 
discussed above were heightened because IRS did not effectively audit 
and monitor system activity on its servers. For example, not all 
Windows servers at the facility were configured to ensure sufficient 
retention of security logs. As a result, there was a higher risk of 
unauthorized system activity going undetected. 

IRS and FinCEN Data Are at Significant Risk: 

The cumulative effect of inadequate electronic access controls specific 
to user accounts and passwords, access rights and permissions, network 
services and security, and audit and monitoring places sensitive 
taxpayer and Bank Secrecy Act data at risk of unauthorized disclosure, 
use, modification, or destruction, possibly without detection. More 
specifically, electronic access controls over authorized users--IRS 
employees, contractors, and law enforcement officials--were not 
effectively implemented to restrict these users to the data they needed 
in order to perform their official duties and to protect sensitive 
programs and data from unauthorized access, manipulation, and use. 

As a result, we were able to view and print Bank Secrecy Act data from 
datasets containing Suspicious Activity Reports that have been filed 
under the Bank Secrecy Act. The information we were able to capture 
included, among other things, dates of the investigation, the name, 
Social Security number, and driver's license number of the individual 
under investigation, the number and total dollar amount of financial 
transactions, and suspected terrorist activity, if any. Moreover, the 
weaknesses in electronic access controls also allowed FinCEN users, who 
include federal, state, and local law enforcement officials, the 
capability to access sensitive IRS systems and view taxpayer 
information. The Internal Revenue Code[Footnote 9] prohibits disclosure 
of taxpayer data generally, and the Taxpayer Browsing Protection 
Act[Footnote 10] prohibits unauthorized browsing of taxpayer returns or 
information by federal, state, and local employees. We have previously 
reported violations of IRS employees browsing taxpayer information and 
on IRS's efforts to monitor employee browsing.[Footnote 11] Given the 
weaknesses with its audit and monitoring controls, it is unlikely that 
IRS would be able to detect any illegal browsing of taxpayer 
information with the systems currently in use. 

Unless these weaknesses are corrected, sensitive taxpayer and Bank 
Secrecy Act data will remain at risk of unauthorized disclosure, use, 
modification, or destruction, possibly without detection. 

Other Information Security Weaknesses Exist: 

In addition to the electronic access security controls, other 
information security controls should be in place to ensure the 
confidentiality, integrity, and availability of an organization's 
systems and data. These controls include policies, procedures, and 
control techniques that physically secure an organization's computer 
resources and systems, provide proper segregation of incompatible 
duties and computer functions among computer users, and ensure 
continuity of computer processing operations in the event of a disaster 
or unexpected interruption. 

Physical Security: 

Physical security controls are important for protecting computer 
facilities and resources from vandalism and sabotage, theft, accidental 
or deliberate alteration or destruction of information or property, 
attacks on personnel, and unauthorized access to computing resources. 
Physical security controls should prevent, limit, and detect access to 
facility grounds, buildings, and sensitive work areas and the agency 
should periodically review the access granted to computer facilities 
and resources to ensure that this access continues to be appropriate. 
Examples of physical security controls include perimeter fencing, 
surveillance cameras, security guards, and locks. Inadequate physical 
security could lead to the loss of life and property, the disruption of 
functions and services, and the unauthorized disclosure of documents 
and information. 

Although IRS has implemented physical security controls, certain 
weaknesses reduce the effectiveness of these controls in protecting and 
controlling physical access to assets at the facility. For example, 
guards did not always verify employees' identities as they entered the 
facility. Failure to check IRS photo identifications increases the risk 
that unauthorized individuals could gain access to the facility. In 
addition, IRS did not always maintain effective control over the 
issuance of master keys. The lack of accountability over master keys 
increases the likelihood that an unauthorized person could gain 
possession of a master key and use it to access sensitive areas. 

Segregation of Duties: 

Controls that segregate duties are the policies, procedures, and 
organizational structure that prevent one individual from controlling 
key aspects of computer-related operations and thereby having the 
capability to conduct unauthorized actions or gain unauthorized access 
to assets or records without being promptly detected. Inadequately 
segregated duties increase the risk that erroneous or fraudulent 
transactions could be processed, improper program changes implemented, 
or computer resources damaged or destroyed. 

We identified instances in which duties were not adequately segregated 
to ensure that no individual had complete authority or system access, 
which could result in fraudulent activity. For example, developers were 
routinely granted production level access on the facility's mainframe 
processing environment by individuals other than those responsible for 
the security administration of the mainframe. A review of one month of 
audit logs showed that 24 users (including 5 contractors) who were only 
granted access to the development mainframe environment had their 
access privileges elevated to production--several of them on a daily 
basis. Although user access was being logged, MASS employees neither 
controlled the action that elevated the developers' access permissions 
nor routinely monitored audit logs. As a result, MASS employees did not 
detect that users' access had been elevated. Granting developers access 
to production systems creates the potential for those individuals to 
perform incompatible functions. 
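The two findings above, that not all servers retained security logs and that developers' access was being elevated to production by people outside the security administration staff without anyone reviewing the logs, are the kind of thing a first-pass audit-trail review catches. The following Python is an added example, not code from the GAO report or from IRS, showing what that review looks like. The log line format, the account names, the "DEV->PROD" environment notation and the policy sets (which accounts are development-only, which accounts belong to security administration) are all constructed for the example; a real review would substitute the site's own mainframe or Windows audit records and access lists.

```python
import re
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed audit-trail excerpt in a made-up line format (not a real
# mainframe or Windows log format).  Each line records a permission change:
# who granted it (grantor), which account it applied to (user), and the
# environment the account moved from and to.
SAMPLE_LOG = """\
2005-01-03T08:02:11 grantor=secadmin1 user=dev_alice env=DEV->PROD
2005-01-03T08:05:40 grantor=opsmgr7 user=dev_bob env=DEV->PROD
2005-01-04T08:01:02 grantor=opsmgr7 user=dev_bob env=DEV->PROD
2005-01-05T08:03:19 grantor=opsmgr7 user=dev_bob env=DEV->PROD
2005-01-04T14:22:05 grantor=secadmin1 user=ctr_carol env=DEV->PROD
2005-01-05T09:00:00 grantor=secadmin2 user=dev_dan env=DEV->DEV
2005-01-05T10:15:30 grantor=secadmin2 user=ops_erin env=PROD->PROD
"""

# Constructed policy inputs (assumptions for this example): accounts that
# are only authorized for the development environment, and the accounts
# that belong to the security administration group.
DEV_ONLY_USERS = {"dev_alice", "dev_bob", "ctr_carol", "dev_dan"}
SECURITY_ADMINS = {"secadmin1", "secadmin2"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) grantor=(?P<grantor>\S+) user=(?P<user>\S+) "
    r"env=(?P<src>[A-Z]+)->(?P<dst>[A-Z]+)$"
)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line; a real review would count these too
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def find_elevations(events, dev_only_users, security_admins):
    """One finding per grant of production access to a development-only
    account.  Each finding records who granted it and whether that grantor
    is outside the security administration group (a segregation-of-duties
    problem even when the elevation itself was logged)."""
    findings = []
    for ev in events:
        if ev["user"] in dev_only_users and ev["src"] != "PROD" and ev["dst"] == "PROD":
            findings.append({
                "user": ev["user"],
                "day": ev["ts"].date(),
                "grantor": ev["grantor"],
                "unauthorized_grantor": ev["grantor"] not in security_admins,
            })
    return findings


def summarize_by_user(findings):
    """Per account: how many distinct days it was elevated (repeated daily
    elevation is the pattern the report describes) and whether any of the
    grants came from outside the security administration group."""
    days = defaultdict(set)
    bad_grantor = defaultdict(bool)
    for f in findings:
        days[f["user"]].add(f["day"])
        bad_grantor[f["user"]] |= f["unauthorized_grantor"]
    return {
        u: {"days_elevated": len(days[u]), "unauthorized_grantor": bad_grantor[u]}
        for u in days
    }


def days_without_records(events, start_iso, end_iso):
    """Working days in the review window (ISO date strings, inclusive) with
    no audit records at all.  Where activity is expected every working day,
    an empty day indicates the log was not collected or not retained."""
    seen = {ev["ts"].date() for ev in events}
    missing = []
    d = date.fromisoformat(start_iso)
    end = date.fromisoformat(end_iso)
    while d <= end:
        if d.weekday() < 5 and d not in seen:
            missing.append(d.isoformat())
        d += timedelta(days=1)
    return missing


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for user, info in summarize_by_user(
            find_elevations(events, DEV_ONLY_USERS, SECURITY_ADMINS)).items():
        print(f"{user}: elevated on {info['days_elevated']} day(s); "
              f"grantor outside security admin: {info['unauthorized_grantor']}")
    print("working days with no records:", days_without_records(events, "2005-01-03", "2005-01-07"))
```

Run over the constructed excerpt, the review flags dev_bob as elevated on three separate days by an account outside the security administration group, and shows that the week's log has no records for two working days, which is the retention gap to chase before concluding that nothing happened on those days.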

Service Continuity: 

Service continuity controls should be designed to ensure that when 
unexpected events occur, critical operations continue without 
interruption or are promptly resumed and that critical and sensitive 
data are protected. These controls include (1) environmental controls 
and procedures designed to protect information resources and minimize 
the risk of unplanned interruptions and (2) a well-tested plan to 
recover critical operations should interruptions occur. If service 
continuity controls are inadequate, even relatively minor interruptions 
can result in lost or incorrectly processed data, which can cause 
financial losses, expensive recovery efforts, and inaccurate or 
incomplete financial or management information. 

IRS has in place environmental controls designed to protect computing 
resources and personnel; it also has a program for periodic testing of 
disaster recovery plans. However, IRS's disaster recovery and business 
resumption plans for resuming operations following a disruption did not 
include procedures for Unix and Windows systems. In the event of a 
disaster, the facility may not be able to coordinate appropriate 
measures to restore critical Unix and Windows systems. 

Information Security Program Is Not Fully Implemented at IRS: 

The weaknesses described in this report are symptomatic of an 
agencywide information security program that is not fully implemented 
across IRS. Implementing an information security program is essential 
to ensuring that controls over information and information systems work 
effectively on a continuing basis, as described in our May 1998 study 
of security management best practices.[Footnote 12]

We previously recommended to the IRS Commissioner that IRS complete its 
implementation of an effective agencywide information security 
program.[Footnote 13] Since our last review, IRS has made important 
progress toward improving information security management. For example, 
as part of activities required for certification and accreditation of 
all IRS general support systems,[Footnote 14] it established MASS, 
appointed a senior information security officer to manage the program, 
and established a task force for conducting risk assessments and 
security test and evaluations. However, the recurring and newly 
identified weaknesses discussed in this report, as well as the 
similarity of these weaknesses to those we have previously identified 
at other IRS facilities, are indicative of an information security 
program that is not fully implemented across the agency. 

FISMA, consistent with our security management best practices guide, 
requires key elements of an agency's information security program to 
strengthen information security and to adequately protect the 
information and systems that support its operations. These elements 
include: 

* policies and procedures that (1) are based on risk assessments, (2) 
cost-effectively reduce risks, (3) ensure that information security is 
addressed throughout the life cycle of each system, and (4) ensure 
compliance with applicable requirements;

* security awareness training to inform personnel, including 
contractors and other users of information systems, of information 
security risks and their responsibilities in complying with agency 
policies and procedures; and: 

* at least annual testing and evaluation of the effectiveness of 
information security policies, procedures, and practices relating to 
the management, operational, and technical controls of every major 
information system that is identified in the agencies' inventories. 

Establishing and Implementing Policies: 

A key element of an effective information security program is 
establishing and implementing appropriate policies, procedures, and 
technical standards to govern security over an agency's computing 
environment. Such policies and procedures should integrate all security 
aspects of an organization's interconnected environment, including 
local and wide area networks and interconnections to contractor and 
other federal agencies that support critical mission operations. In 
addition, technical security standards are needed to provide consistent 
implementing guidance for each computing environment. Establishing and 
documenting security policies is important because they are the primary 
mechanism by which management communicates its views and requirements; 
these policies also serve as the basis for adopting specific procedures 
and technical controls. In addition, agencies need to take the actions 
necessary to effectively implement or execute these procedures and 
controls. Otherwise, agency systems and information will not receive 
the protection that should be provided by the security policies and 
controls. 

Although IRS has established and documented policies and procedures for 
specific security areas, including password standards and disaster 
recovery planning, it frequently has not implemented them. We continue 
to report that the facility has not implemented policies and procedures 
contained in IRS's Law Enforcement Manual and Internal Revenue Manual 
pertaining to user accounts and passwords, access rights and 
permissions, network services and security, audit and monitoring, and 
other information system controls. Of the new weaknesses identified, 33 
of 39 resulted from IRS not implementing its established security 
policies and procedures. As a result, IRS is at increased risk that 
sensitive financial, taxpayer, and Bank Secrecy Act data could be 
exposed to unauthorized access without detection. 

Promoting Security Awareness and Training: 

Another key element of an information security program involves 
promoting awareness and providing required training so that users 
understand the risks and their role in implementing related policies 
and controls to mitigate those risks. Computer intrusions and security 
breakdowns often occur because computer users fail to take appropriate 
security measures. For this reason, it is vital that employees who use 
computer resources in their day-to-day operations be made aware of the 
importance and sensitivity of the information they handle, as well as 
the business and legal reasons for maintaining its confidentiality, 
integrity, and availability. FISMA mandates that all federal employees 
and contractors involved in the use of agency information systems be 
provided periodic training in information security awareness and 
accepted information security practice. Further, FISMA requires agency 
heads to ensure employees with significant information security 
responsibilities are provided sufficient training. 

IRS has established information security awareness programs for its 
employees and contractors. These programs include distributing security 
awareness bulletins and brochures and creating information security 
poster boards. As reported by Treasury's OIG in its 2004 FISMA report, 
100 percent of IRS employees received security awareness training; 
however, only 28 percent of IRS government and contractor employees 
with significant security responsibilities received specialized 
training. Security administration staff at the facility stated that 
they were largely self-taught in security software and that only one 
staff member in the past 2 years had received technical mainframe 
security training. Consequently, the staff was not knowledgeable about 
some of the more recent technical advances relating to the mainframe 
operating system and security software. 

Subsequent to the completion of our fieldwork, the Chief of MASS 
informed us that he formally assigned information system security 
officers for each of the IRS campuses and computing centers, and the 
IRS network and held specialized training for these officers. 

Testing and Evaluating the Effectiveness of Controls: 

The final key element of an information security program is ongoing 
testing and evaluation to ensure that systems are in compliance with 
policies, and that policies and controls are both appropriate and 
effective. This type of oversight is a fundamental element because it 
demonstrates management's commitment to the security program, reminds 
employees of their roles and responsibilities, and identifies and 
mitigates areas of noncompliance and ineffectiveness. Although control 
tests and evaluations may encourage compliance with security policies, 
the full benefits of such activities will not be achieved unless the 
results improve the security program. Analyzing the results of 
monitoring efforts--as well as security reviews performed by external 
audit organizations--provides security specialists and business 
managers with a means of identifying new problem areas, reassessing the 
appropriateness of existing controls, and identifying the need for new 
controls. 

IRS performs periodic testing and evaluation of its Unix, Windows, and 
Mainframe systems. Specifically, IRS uses software tools and monitoring 
reports to determine if its systems are in compliance with agency 
information security policies, procedures, and practices. However, 
output from these tools was not always reliable and accurate. Further, 
IRS did not effectively audit and monitor the facility's information 
security systems. Specifically, user activity on critical Unix systems 
was not being logged, full auditing of system user rights was not 
always occurring, audit logs on Windows servers were not always 
retained, and monitoring reports detailing security-related events on 
mainframe computers were not always complete. 

Until IRS fully implements an effective program, it will not be able to 
ensure the security of its highly interconnected computer environment, 
facilities, and resources. Moreover, IRS will not be able to ensure the 
confidentiality, integrity, or availability of the sensitive financial, 
taxpayer, and Bank Secrecy Act data that it processes, stores, and 
transmits. As a result, IRS's operations and assets remain vulnerable 
to unauthorized disclosure, manipulation, use, or destruction. 

Conclusions: 

Significant information security weaknesses exist at IRS that place 
sensitive financial, taxpayer, and Bank Secrecy Act data at risk of 
disclosure, modification, or loss, possibly without detection, and 
place IRS's operations at risk of disruption. Specifically, IRS has not 
consistently implemented effective electronic access controls, 
including user accounts and passwords, access rights and permissions, 
and network security, or fully implemented a program to audit and 
monitor access activity. In addition, weaknesses in physical security, 
segregation of duties, and service continuity increase the level of 
risk. Although IRS continues to make progress in mitigating previously 
reported information security weaknesses and implementing general 
controls over key financial and tax processing systems at the facility, 
it has not taken all the necessary steps to mitigate known information 
security control weaknesses and to ensure the confidentiality, 
integrity, and availability of taxpayer and Bank Secrecy Act data. 
Consequently, taxpayer and Bank Secrecy Act data may have been 
disclosed to unauthorized individuals. Ensuring that known weaknesses 
affecting IRS's computing resources are promptly mitigated and that 
general controls are effective to protect the facility's computing 
environment requires top management support and leadership, disciplined 
processes, and consistent oversight. Until IRS takes steps to mitigate 
these weaknesses and fully implements its agencywide information 
security program, limited assurance exists that taxpayers' personal 
information and IRS-processed law enforcement information will be 
adequately safeguarded against unauthorized disclosure, modification, 
or destruction. 

Recommendations for Executive Action: 

To help fully implement IRS's information security program, we 
recommend that Secretary of the Treasury direct the IRS Commissioner to 
take the following three actions: 

* Ensure that established security policies and procedures are 
consistently followed and implemented. 

* Ensure that employees with significant information security 
responsibilities are provided sufficient training and understand 
their role in implementing security related policies and controls. 

* Implement an ongoing process of testing and evaluating IRS's 
information systems to ensure compliance with established policies and 
procedures. 

In addition, we recommend that the Secretary of the Treasury direct the 
IRS Commissioner to perform an assessment to determine whether taxpayer 
data have been disclosed to unauthorized individuals. 

Further, we recommend that the Secretary of the Treasury direct the 
FinCEN Director to perform an assessment to determine whether Bank 
Secrecy Act data have been disclosed to unauthorized individuals. 

We are also making recommendations in a separate report designated for 
"Limited Official Use Only." These recommendations address actions 
needed to correct the specific information security weaknesses related 
to electronic access controls and other information system controls at 
the facility. 

Agency Comments: 

In providing written comments on a draft of this report (reprinted in 
app. I), the Acting Deputy Secretary of the Treasury generally 
concurred with our recommendations in both the public and Limited 
Official Use Only reports and identified specific corrective actions 
that IRS has taken or plans to take to address the recommendations. 

The Acting Deputy Secretary of the Treasury concurred with our 
recommendation to take several actions to fully implement an effective 
agencywide information security program. The Acting Deputy stated that 
IRS continues to make progress in addressing the computer security 
deficiencies throughout the agency, as noted in our public and Limited 
Official Use Only reports. The Acting Deputy stated that in mid-2004, 
IRS began an agencywide initiative to complete required security 
activities, such as the development of security plans and security 
testing by fiscal year 2005. 

The Acting Deputy's comments also addressed several completed 
corrective actions, including properly configuring access rights to the 
mainframe computing environment, auditing the activity of high-level 
user access on the mainframe environment, capturing and pursuing all 
security violations, designating Information Systems Security Officers 
at all IRS locations, and establishing the position of Director, 
Information Technology Security to ensure that the overall design of 
new applications and the operation of current systems adhere to 
security requirements. 

The Acting Deputy Secretary also concurred with our recommendation to 
direct the IRS Commissioner to perform an assessment to determine 
whether taxpayer data have been disclosed to unauthorized individuals. 

Regarding our recommendation to direct the FinCEN Director to perform 
an assessment to determine whether Bank Secrecy Act data have been 
disclosed to unauthorized individuals, the Acting Deputy stated that it 
is more appropriate to have IRS conduct this review because FinCEN does 
not have the legal authority to conduct such an assessment of IRS tax 
information. This alternative approach meets the intent of our 
recommendation as long as IRS reports the results of its assessment to 
the Director of FinCEN. 

We are sending copies of this report to the Chairmen and Ranking 
Minority Members of the House Committee on Government Reform; House and 
Senate Committees on Appropriations; House and Senate Committees on 
Budget; Secretary of the Treasury; Commissioner of Internal Revenue; 
and Treasury's Director, Financial Crimes Enforcement Network. We also 
will make copies available to others upon request. In addition, this 
report will be available at no charge on the GAO Web site at 
http://www.gao.gov. 

If you or your office have any questions about this report, please 
contact Gregory C. Wilshusen at (202) 512-3317 or Keith A. Rhodes at 
(202) 512-6412; we can also be reached by e-mail at [Hyperlink, 
wilshuseng@gao.gov] or [Hyperlink, rhodesk@gao.gov]. Other contacts and 
key contributors to this report are listed in appendix II. 

Signed by: 

Gregory C. Wilshusen: 
Director, Information Security Issues: 

Signed by: 

Keith A. Rhodes: 
Chief Technologist: 

[End of section]

Appendixes: 

Appendix I: Comments from the Secretary of the Treasury: 

THE DEPUTY SECRETARY OF THE TREASURY: 

WASHINGTON: 

April 14, 2005: 

Mr. Gregory C. Wilshusen: 
Director, Information Security Issues: 
U.S. Government Accountability Office: 
441 G Street, NW: 
Washington, DC 20548: 

Dear Mr. Wilshusen: 

I am writing to provide the Treasury Department's comments on the 
Government Accountability Office's draft report, entitled Information 
Security: Internal Revenue Service Needs to Remedy Serious Weaknesses 
Over Taxpayer and Law Enforcement Data, and its related limited-
official use report. The draft report contains three recommendations. 
The first two recommend that the IRS fully implement an effective 
agency-wide information security program and assess whether taxpayer 
data have been disclosed to unauthorized individuals. The third 
recommends that the Financial Crimes Enforcement Network (FinCEN) 
assess whether law enforcement data have been disclosed to unauthorized 
individuals. 

With regard to the first recommendation and other findings related to 
the IRS that you presented in the report, the IRS continues to make 
progress in addressing computer security deficiencies throughout the 
agency. Many weaknesses have been corrected and additional controls 
have been implemented; however, more challenges remain and are being 
addressed. The IRS began an extremely aggressive initiative in mid-2004 
to complete the full suite of required security activities at each of 
its computing centers and campuses and to support security 
certification and accreditation. This is being accomplished using the 
latest processes and guidance specified by the National Institute for 
Standards and Technology and in accordance with the requirements of the 
Federal Information Security Management Act (FISMA). 

The security activities include the development of security plans, 
security documentation, and security testing. These activities are 
scheduled to be completed in FY 2005 at all of the computing centers 
and campuses. In addition, access rights to the mainframe computing 
environment at the facility have now been properly configured, and the 
mainframe computing environment makes use of additional auditing tools. 
The output logs generated by these tools are reviewed regularly by the 
computing center IT staff and the security staff. The activities of any 
user with higher level system privileges are specifically audited by 
the tools in place, and all security violations are captured and 
aggressively pursued. 

To facilitate the accomplishment of the required security activities, 
the IRS implemented several organizational changes. For example, the 
IRS's Mission Assurance and Support Services organization designated 
Information Systems Security Officers for each computing center and 
campus. These security professionals are responsible for day-to-day 
security operations. Moreover, the IRS's Chief Information Officer 
established the position of Director of Information Technology 
Security, to ensure that the overall design of new applications and the 
operation of current systems adhere to security requirements. 

Further, as mandated by FISMA, all IRS senior officials are engaged in 
fulfilling their security responsibilities for the business systems and 
applications in operation at the computing centers and campuses. To 
strengthen the security program, the IRS recognizes that compliance 
with established policies and procedures is mandatory. Accordingly, 
specialized security technical training is currently underway to 
support the secure operations of IRS's complex computing environments. 
Enhanced security processes are being defined for all new systems 
developments and systems upgrades. The IRS anticipates significantly 
improved performance in this summer's FISMA annual systems security 
review. This review should also demonstrate noteworthy progress in the 
establishment of a more robust agency-wide information security 
program. Due to proactive initiatives, the IRS anticipates achieving 
noteworthy progress by the end of this fiscal year in resolving or 
mitigating GAO and the Treasury Department Inspector General for Tax 
Administration (TIGTA) audit findings and weaknesses. Finally, the IRS 
has developed mandatory testing activities for all systems. 

With regard to the second recommendation, ensuring taxpayer data 
integrity is a responsibility that the IRS does not take for granted. 
The mainframe system at the facility is audited yearly by either GAO or 
TIGTA. The facility has operated the systems containing Bank Secrecy 
Act information since the early 1980s, and there has never been a 
separate system to administer the requirements of the Act. This audit 
is the first to identify the issue of how the data at the facility are 
segmented, and now that it has been identified as an issue, the IRS is 
working to address the finding. Therefore, the IRS will assess the 
extent to which taxpayer data may have potentially been disclosed to 
unauthorized individuals. 

With regard to the third recommendation, related to FinCEN, we concur 
that it is appropriate to assess whether Bank Secrecy Act data have 
been disclosed to unauthorized individuals as a result of the GAO 
findings. However, the IRS is the more appropriate entity to conduct 
this review of its audit and monitoring capabilities. Moreover, FinCEN 
does not have the legal authority under Title 26 to assess systems 
housing IRS tax information. Such an assessment would be very difficult 
for FinCEN to accomplish. 

I would like to request that throughout your report, all references to 
FinCEN's data as "law enforcement data" be changed to "Bank Secrecy Act 
data" (including in the report's title). Also, please note that on page 
7, second paragraph, second sentence, the words "criminal referrals of" 
need to be deleted. 

To ensure the Treasury Department takes all necessary steps to address 
the issues identified in the audit, I have asked the Chief Information 
Officer to review the status of these efforts on a quarterly basis and 
keep me informed of our progress. 

Thank you for the opportunity to respond to this draft GAO report. If 
you have any questions or wish to discuss these comments further, 
please contact Barry K. Hudson (Acting Chief Financial Officer) at 
(202) 622-0750. 

Sincerely,

Signed by: 

Arnold I. Havens: 

Acting Deputy Secretary: 

cc: Mark W. Everson, Commissioner, IRS; 
William J. Fox, Director, FinCEN: 
Ira L. Hobbs, Chief Information Officer: 

[End of section]

Appendix II: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

Jenniffer Wilson, (202) 512-9192: 

Staff Acknowledgments: 

In addition to the individual named above, Gerald Barnes, Bruce Cain, 
Joseph Cruz, Joanne Fiorino, Denise Fitzpatrick, Ed Glagola, David 
Hayes, Myong Suk Kim, Harold Lewis, Mary Marshall, Duc Ngo, Ron Parker, 
Charles Roney, Eugene Stevens, and Henry Sutanto made key contributions 
to this report. 

(310555): 

FOOTNOTES

[1] GAO, Financial Audit: IRS's Fiscal Years 2004 and 2003 Financial 
Statements, GAO-05-103 (Washington, D.C.: Nov. 10, 2004). 

[2] Information security controls include electronic access controls, 
software change control, physical security, segregation of duties, and 
service continuity. These controls are designed to ensure that access 
to data is appropriately restricted, that only authorized changes to 
computer programs are made, that physical access to sensitive computing 
resources and facilities is protected, that computer security duties 
are segregated, and that back-up and recovery plans are adequate to 
ensure the continuity of essential operations. 

[3] GAO, High-Risk Series: Information Management and Technology, 
GAO/HR-97-9 (Washington, D.C.: February 1997). 

[4] GAO, High-Risk Series: An Update, GAO-05-207 (Washington, D.C.: 
January 2005). 

[5] FISMA was enacted as title III, E-Government Act of 2002, Pub. L. 
No. 107-347, 116 Stat. 2946 (Dec. 17, 2002). 

[6] IRS campuses perform functions such as customer service, account 
management, and tax examination services, whereas computing centers 
focus primarily on data processing and software development activities. 

[7] Titles I and II of Public Law 91-508 and 31 U.S.C. sections 5311-
5330, as amended by the USA PATRIOT Act and the Intelligence Reform and 
Terrorism Prevention Act of 2004, are known as the Bank Secrecy Act. 
Regulations implementing the Bank Secrecy Act appear at 31 C.F.R. Part 
103. 

[8] GAO, Federal Information System Controls Audit Manual, GAO/AIMD-
12.19.6 (Washington, D.C.: January 1999). 

[9] 26 U.S.C. § 6103. 

[10] 26 U.S.C. § 7213A. 

[11] GAO, IRS Systems Security and Funding: Additional Information on 
Employee Browsing and Tax Systems Modernization, GAO/AIMD/GGD-97-140R 
(Washington, D.C.: June 23, 1997); IRS Systems Security and Funding: 
Employee Browsing Not Being Addressed Effectively and Budget Requests 
for New Systems Development Not Justified, GAO/T-AIMD-97-82 
(Washington, D.C.: Apr. 15, 1997). 

[12] GAO, Executive Guide: Information Security Management--Learning 
from Leading Organizations, GAO/AIMD-98-68 (Washington, D.C.: May 1998). 

[13] GAO, Information Security: Progress Made, but Weaknesses at the 
Internal Revenue Service Continue to Pose Risks, GAO-03-44 (Washington, 
D.C.: May 30, 2003). 

[14] General support systems are sets of resources that provide 
necessary information technology infrastructure support to applications 
and business functionality such that compromise would have a severe 
adverse effect on the IRS mission, tax administration functions, or 
employee welfare. 

GAO's Mission: 

The Government Accountability Office, the investigative arm of 
Congress, exists to support Congress in meeting its constitutional 
responsibilities and to help improve the performance and accountability 
of the federal government for the American people. GAO examines the use 
of public funds; evaluates federal programs and policies; and provides 
analyses, recommendations, and other assistance to help Congress make 
informed oversight, policy, and funding decisions. GAO's commitment to 
good government is reflected in its core values of accountability, 
integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through the Internet. GAO's Web site (www.gao.gov) contains 
abstracts and full-text files of current reports and testimony and an 
expanding archive of older products. The Web site features a search 
engine to help you locate documents using key words and phrases. You 
can print these documents in their entirety, including charts and other 
graphics. 

Each day, GAO issues a list of newly released reports, testimony, and 
correspondence. GAO posts this list, known as "Today's Reports," on its 
Web site daily. The list contains links to the full-text document 
files. To have GAO e-mail this list to you every afternoon, go to 
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order 
GAO Products" heading. 

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to: 

U.S. Government Accountability Office

441 G Street NW, Room LM

Washington, D.C. 20548: 

To order by Phone: 

Voice: (202) 512-6000: 

TDD: (202) 512-2537: 

Fax: (202) 512-6061: 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: www.gao.gov/fraudnet/fraudnet.htm

E-mail: fraudnet@gao.gov

Automated answering system: (800) 424-5454 or (202) 512-7470: 

Public Affairs: 

Jeff Nelligan, managing director,

NelliganJ@gao.gov

(202) 512-4800

U.S. Government Accountability Office,

441 G Street NW, Room 7149

Washington, D.C. 20548: