IRS Systems Security:

Tax Processing Operations and Data Still at Risk Due to Serious Weaknesses

AIMD-97-49: Published: Apr 8, 1997. Publicly Released: Apr 8, 1997.

Contact:

Robert F. Dacey
(202) 512-3317
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Pursuant to a congressional request, GAO reviewed the Internal Revenue Service's (IRS) computer security, focusing on whether IRS is effectively: (1) managing computer security; and (2) addressing employee browsing of electronic taxpayer data.

GAO noted that: (1) over the last 3 years, GAO has reported on a number of computer security problems at IRS and has made recommendations for strengthening IRS' computer security management effectiveness; (2) nevertheless, IRS continues to have serious weaknesses in the controls used to safeguard IRS computer systems, facilities, and taxpayer data; (3) GAO's recent on-site reviews of security at five facilities disclosed many weaknesses in the areas of physical security, logical security, data communications management, risk analysis, quality assurance, internal audit and security, security awareness, and contingency planning; (4) for example, the five facilities could not account collectively for approximately 6,400 missing units of magnetic storage media, such as tapes and cartridges, which could contain taxpayer data; (5) in addition, printouts containing taxpayer data were left unprotected and unattended in open areas of two facilities where they could be compromised; (6) also, none of the facilities visited had comprehensive disaster recovery plans, which threatens the facilities' ability to restore operations following emergencies or natural disasters; (7) one area of unauthorized access that has been the focus of considerable attention is electronic browsing of taxpayer data by IRS employees; (8) despite this attention, IRS is still not effectively addressing the problem via thorough employee monitoring, accurate recording of browsing violations, or consistent application and publication of enforcement actions; (9) for example, IRS currently does not monitor all employees with access to automated systems and data for electronic browsing activities; (10) in addition, when instances of browsing are identified, IRS does not consistently investigate them or publicize them to deter others from browsing, and does not consistently punish browsers; (11) until these serious weaknesses are corrected, IRS runs the risk of its tax processing operations being disrupted and taxpayer data being improperly used, modified, or destroyed; and (12) IRS should prepare a plan for correcting the weaknesses at the five facilities GAO visited and for identifying and correcting security weaknesses at other IRS locations.

Status Legend:

  • Review Pending: GAO has not yet assessed implementation status.
  • Open: Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed - implemented: Actions that satisfy the intent of the recommendation have been taken.
  • Closed - not implemented: While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.

    Recommendations for Executive Action

    Recommendation: The Commissioner of Internal Revenue should prepare a plan by April 30, 1997, for: (1) correcting all the weaknesses GAO identified at the five facilities GAO visited; and (2) for identifying and correcting security weaknesses at the other IRS locations.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Closed - Implemented

    Comments: On May 7, 1997, IRS issued its plan to correct the weaknesses identified at the five facilities, and identify and correct the weaknesses at other data facilities. IRS is implementing this plan. Those weaknesses are now being corrected at all five facilities.

    Recommendation: The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the data communications management weaknesses GAO identified at facility 3.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Closed - Implemented

    Comments: IRS has corrected the significant weaknesses in data communications management at this facility.

    Recommendation: The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the data communications management weaknesses GAO identified at facility 4.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Closed - Implemented

    Comments: IRS has corrected all the weaknesses in data communications management at this facility.

    Recommendation: The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the data communications management weaknesses GAO identified at facility 5.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Closed - Implemented

    Comments: IRS has increased physical protection over the consolidated data network node and has implemented a policy restricting the use of data to officials who have a need for the information.

    Recommendation: The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the risk analysis weaknesses GAO identified at facility 1.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Closed - Implemented

    Comments: IRS has corrected some of the risk analysis weaknesses at this facility.

    Recommendation: The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the risk analysis weaknesses GAO identified at facility 2.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Closed - Implemented

    Comments: IRS has corrected all the risk analysis weaknesses at this facility.

    Recommendation: The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the risk analysis weaknesses GAO identified at facility 3.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Closed - Implemented

    Comments: IRS has corrected some of the risk analysis weaknesses at this facility.

    Recommendation: The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the risk analysis weaknesses GAO identified at facility 4.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Closed - Implemented

    Comments: IRS has strengthened IRS risk analysis practices and procedures at Facility 4. For example, IRS has incorporated the facility's risk management program into its system certification program.

    Recommendation: The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the risk analysis weaknesses GAO identified at facility 5.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Closed - Implemented

    Comments: IRS has strengthened IRS risk analysis practices and procedures at Facility 5. For example, IRS has performed a risk analysis of its network at the facility for locally developed programs.

    Recommendation: The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the quality assurance weaknesses GAO identified at facility 1.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Closed - Implemented

    Comments: IRS has corrected all the weaknesses in quality assurance at this facility.

    Recommendation: The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the data communications management weaknesses GAO identified at facility 2.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Closed - Implemented

    Comments: IRS has corrected a majority of the data communications weaknesses at this facility.

    Recommendation: The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the data communications management weaknesses GAO identified at facility 1.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Closed - Implemented

    Comments: IRS has corrected the key weaknesses in data communications management at this facility.

    Recommendation: The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the logical security weaknesses GAO identified at facility 5.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Closed - Implemented

    Comments: IRS has corrected all the logical security weaknesses identified at this facility.

    Recommendation: The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the physical security weaknesses GAO identified at facility 1.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Closed - Implemented

    Comments: IRS has corrected the significant weaknesses in logical security at this facility.

    Recommendation: The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the physical security weaknesses GAO identified at facility 2.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Closed - Implemented

    Comments: IRS has corrected the key weaknesses in physical security at this facility.

    Recommendation: The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the physical security weaknesses GAO identified at facility 3.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Closed - Implemented

    Comments: IRS has corrected the significant weaknesses in physical security at this facility.

    Recommendation: The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the physical security weaknesses GAO identified at facility 4.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Closed - Implemented

    Comments: IRS has corrected the key weaknesses in physical security at this facility.

    Recommendation: The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the physical security weaknesses GAO identified at facility 5.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Closed - Implemented

    Comments: IRS has taken actions to address physical security at Facility 5. The actions include upgrading the capability of perimeter camera monitors.

    Recommendation: The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the logical security weaknesses GAO identified at facility 1.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Closed - Implemented

    Comments: IRS has corrected the key weaknesses in logical security at this facility.

    Recommendation: The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the logical security weaknesses GAO identified at facility 2.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Closed - Implemented

    Comments: IRS has corrected all the weaknesses in logical security at this facility.

    Recommendation: The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the logical security weaknesses GAO identified at facility 3.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Closed - Implemented

    Comments: IRS has taken actions to address logical security practices at Facility 3. This includes prohibiting database administrators and computer systems analysts from performing security administration-related functions and revoking special system privileges from those users who did not have a need for such access.

    Recommendation: The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the logical security weaknesses GAO identified at facility 4.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Closed - Implemented

    Comments: IRS has taken actions to address logical security practices at Facility 4. This includes prohibiting application programmers from staging their own software for production.

    Recommendation: The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the quality assurance weaknesses GAO identified at facility 2.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Closed - Implemented

    Comments: IRS has implemented policies and procedures for testing all locally developed programs. In addition, programmers are no longer allowed to use taxpayer data for testing purposes.

    Recommendation: The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the quality assurance weaknesses GAO identified at facility 3.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Closed - Implemented

    Comments: IRS officials at Facility 3 have taken steps to phase out most locally developed software and have implemented policies and procedures to ensure remaining locally developed programs adhere to Y2K programming standards.

    Recommendation: The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the contingency planning weaknesses GAO identified at facility 2.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Closed - Implemented

    Comments: IRS has corrected all the contingency planning weaknesses identified at this facility.

    Recommendation: The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the contingency planning weaknesses GAO identified at facility 3.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Closed - Implemented

    Comments: IRS has corrected the key contingency planning weaknesses at this facility.

    Recommendation: The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the contingency planning weaknesses GAO identified at facility 4.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Closed - Implemented

    Comments: IRS has implemented procedures for loading the operating system and restoring direct access storage devices, applications, and telecommunications services.

    Recommendation: The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the contingency planning weaknesses GAO identified at facility 5.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Closed - Implemented

    Comments: IRS has corrected all the contingency planning weaknesses identified at this facility.

    Recommendation: The Commissioner of Internal Revenue should provide this plan to selected congressional committees, including the Senate Committee on Governmental Affairs.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Closed - Implemented

    Comments: On May 14, 1997, IRS provided its corrective action plan to the Senate Committee on Governmental Affairs and to other interested congressional committees.

    Recommendation: The Commissioner of Internal Revenue should report IRS' progress against this plan in its fiscal year 1999 budget submissions.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Closed - Implemented

    Comments: In August 1997, IRS delivered a security plan to the Congress for correcting the computer security weaknesses identified in the report. In February 1998, IRS reported on the progress made against that plan in its FY 1999 budget submission.

    Recommendation: The Commissioner of Internal Revenue should, until corrected, report the security control weaknesses that GAO identified as material weaknesses in Treasury's Federal Managers' Financial Integrity Act reports.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Closed - Implemented

    Comments: With the fiscal year 1997 Treasury Federal Managers' Financial Integrity Act (FMFIA) report, IRS began reporting the security control weaknesses identified by GAO as material weaknesses. The material weaknesses were reported by facility type--computing center, service center, district office, and other.

    Recommendation: The Commissioner of Internal Revenue should, by June 1997, reevaluate IRS' approach to computer security and report the results to selected congressional committees, including the Senate Committee on Governmental Affairs.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Closed - Implemented

    Comments: In March 1997, IRS assigned its Office of System Standards and Evaluation (SSE) responsibility for reevaluating IRS' approach to computer security and for reporting the results of this reevaluation to the Congress by June 1997. In August 1997, the SSE reported the results of its reevaluation to the Congress.

    Recommendation: The Commissioner of Internal Revenue should ensure that IRS completely and consistently monitors, records, and reports the full extent of electronic browsing.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Closed - Implemented

    Comments: In October 1997, IRS designated the Office of the Chief Inspector as the responsible office for centralized tracking, reporting, and adjudication of unauthorized access (browsing) cases. In February 1998, as a part of its FY 1999 budget submission, IRS reported to the Congress on the number of employees disciplined for intentional unauthorized access to taxpayer records. IRS plans to annually report on all unauthorized access as a part of its annual budget submissions.

    Recommendation: The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the contingency planning weaknesses GAO identified at facility 1.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Closed - Implemented

    Comments: IRS has developed and implemented a new awareness program known as UNAX (Unauthorized Access). All employees are required to attend UNAX training and employees are required to sign a statement acknowledging that they have read the material and are aware of their rights.

    Recommendation: The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the security awareness weaknesses GAO identified at facility 5.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Closed - Implemented

    Comments: Based on GAO's followup work, facility 5 has corrected all reported security awareness weaknesses.

    Recommendation: The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the security awareness weaknesses GAO identified at facility 4.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Closed - Implemented

    Comments: IRS has developed and implemented a new awareness program known as UNAX (Unauthorized Access). All employees are required to attend UNAX training and employees are required to sign a statement acknowledging that they have read the material and are aware of their rights.

    Recommendation: The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the quality assurance weaknesses GAO identified at facility 4.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Closed - Implemented

    Comments: IRS has corrected the significant weaknesses in quality assurance at this facility.

    Recommendation: The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the quality assurance weaknesses GAO identified at facility 5.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Closed - Implemented

    Comments: IRS has corrected a majority of the quality assurance weaknesses at this facility.

    Recommendation: The Commissioner of Internal Revenue should include in this plan specific steps for correcting all internal audit and security weaknesses GAO identified at facility 1.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Closed - Implemented

    Comments: IRS has corrected all the internal audit weaknesses identified at this facility.

    Recommendation: The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the internal audit and security weaknesses GAO identified at facility 2.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Closed - Implemented

    Comments: Based on GAO's followup work, facility 2 has corrected all reported internal audit and security weaknesses.

    Recommendation: The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the internal audit and security weaknesses GAO identified at facility 3.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Closed - Implemented

    Comments: Since the report, IRS has taken several steps to address this recommendation, including developing procedures to monitor activities of information system personnel to deter employee browsing of taxpayer data.

    Recommendation: The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the internal audit and security weaknesses GAO identified at facility 4.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Closed - Implemented

    Comments: IRS is implementing this recommendation by initiating security reviews and forwarding weekly violation reports to managers in the field for their review and appropriate followup.

    Recommendation: The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the internal audit and security weaknesses GAO identified at facility 5.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Closed - Implemented

    Comments: IRS has developed and implemented a comprehensive set of local security policies and procedures to ensure that security safeguards are adequate and that potential security problems are brought to management's attention.

    Recommendation: The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the security awareness weaknesses GAO identified at facility 2.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Closed - Implemented

    Comments: IRS has corrected all the security awareness weaknesses identified at this facility.

    Recommendation: The Commissioner of Internal Revenue should include in this plan specific steps for correcting all the security awareness weaknesses GAO identified at facility 3.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Closed - Implemented

    Comments: IRS has developed and implemented a new awareness program known as UNAX (Unauthorized Access). All employees are required to attend UNAX training and employees are required to sign a statement acknowledging that they have read the material and are aware of their rights.

    Recommendation: The Commissioner of Internal Revenue should report IRS' progress in eliminating browsing in IRS' annual budget submission.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Closed - Implemented

    Comments: In August 1997, the Department of Treasury and IRS reported to key congressional committees on the actions being taken to control unauthorized access to taxpayer records. In February 1998, as a part of its FY 1999 budget submission, IRS reported to the Congress on the number of employees disciplined for intentional unauthorized access to taxpayer records. IRS plans to annually report on all unauthorized access as a part of its annual budget submissions.
