IRS Systems Security:

Although Significant Improvements Made, Tax Processing Operations and Data Still at Serious Risk

AIMD-99-38: Published: Dec 14, 1998. Publicly Released: Jan 13, 1999.

Contact:

Robert F. Dacey
(202) 512-3317
contact@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Pursuant to a congressional request, GAO reviewed the Internal Revenue Service's (IRS) progress in correcting serious computer security weaknesses at five IRS facilities, focusing on: (1) additional security weaknesses identified at the five facilities and at an IRS facility not included in GAO's previous report; and (2) steps IRS has taken or plans to take to implement a service-wide computer security management program.

GAO noted that:
  (1) IRS is making significant progress to improve computer security over its facilities;
  (2) since GAO's April 1997 report, IRS has acknowledged the seriousness of its computer security weaknesses, consolidated overall responsibility for computer security management within one executive-level office under its Chief Information Officer, reevaluated its approach to computer security management, and developed a high-level plan for mitigating the weaknesses GAO identified;
  (3) GAO found that IRS has corrected or mitigated the risks associated with 63 percent of the weaknesses discussed in its prior report;
  (4) while progress has been made, serious weaknesses continue to exist at the five facilities visited during GAO's prior audit, and it identified several additional weaknesses at those locations and at a sixth facility included in this review;
  (5) these weaknesses exist primarily because IRS has not yet fully institutionalized its computer security management program;
  (6) these weaknesses affect IRS' ability to control physical access to its data processing facilities and sensitive taxpayer data and computer programs, prevent or detect unauthorized changes to taxpayer data or computer software, and restore essential IRS operations following an emergency or natural disaster;
  (7) until these weaknesses are mitigated, IRS continues to run the risk of its tax processing operations being disrupted;
  (8) furthermore, sensitive taxpayer data entrusted to IRS could be disclosed to unauthorized individuals, improperly used or modified, or destroyed, thereby exposing taxpayers to loss or damages resulting from identity fraud and other financial crimes;
  (9) in comments agreeing with GAO's recommendations, IRS stated that since the end of GAO's review, it had also specified actions planned and under way to address the remaining weaknesses; and
  (10) GAO will review those actions as part of its audit of IRS' fiscal year 1998 financial statements.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: In our FY 1999 summary report of IRS computer security controls, we noted that IRS had not fully evaluated controls over key computing resources. We recommended that IRS periodically evaluate the effectiveness of controls over key computing resources at IRS facilities. IRS's Office of Security Services has established and implemented a program for reviewing and evaluating security controls over information systems at IRS facilities. As a result, IRS has greater assurance that components comply with its security policies.

    Recommendation: The Commissioner of Internal Revenue should ensure that IRS completes the implementation of an effective service-wide computer security management program. This program should include procedures for periodically evaluating the effectiveness of controls over key computing resources at IRS facilities.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  2. Status: Closed - Implemented

    Comments: In our FY 1999 summary report of IRS computer security weaknesses, we noted that IRS had not fully assessed risks for all of its facilities, networks, major systems, and data. We recommended that IRS develop procedures for assessing risk for all of IRS's facilities, networks, major systems, and taxpayer data on a regular, ongoing basis to ensure that controls are adequate. IRS has since developed security policy and guidance setting requirements for periodic risk assessment commensurate with the risk and magnitude of harm that would result from the loss, misuse, or unauthorized access to or modification of information. As a result, IRS has greater assurance, through that policy, that its controls are adequate.

    Recommendation: The Commissioner of Internal Revenue should ensure that IRS completes the implementation of an effective service-wide computer security management program. This program should include procedures for assessing risks for all of IRS' facilities, networks, major systems, and taxpayer data on a regular, ongoing basis to ensure that controls are adequate.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  3. Status: Closed - Implemented

    Comments: In our FY 1999 summary report of IRS computer security controls, we noted that IRS's disaster recovery plans lacked essential information, were not adequately tested, did not meet users' business needs, and were incomplete. We recommended that IRS establish controls that ensure that disaster recovery plans and business resumption plans are comprehensive, current, and fully tested. IRS has since established oversight support for the paper tests of disaster recovery plans and reviewed campus and area disaster recovery activities. Also, the IRS Office of Security acted as the lead partner in the identification and prioritization of business processes. Furthermore, the headquarters' continuity of operations plan has been upgraded and tested. As a result, IRS is in a better position to resume its operations in the aftermath of a disaster.

    Recommendation: The Commissioner of Internal Revenue should direct the Chief Information Officer and Director of the Office of Systems Standards and Evaluation to work in conjunction with the facility directors as appropriate to continue efforts to establish controls that ensure that disaster recovery plans and business resumption plans are comprehensive, current, and fully tested.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  4. Status: Closed - Implemented

    Comments: In our FY 1999 summary report of IRS computer security controls, we noted that IRS did not implement independent quality assurance review or testing of locally developed programs. In addition, application programmers used live taxpayer data for software testing purposes, increasing the risk that sensitive taxpayer data could be disclosed to unauthorized individuals. We recommended that IRS ensure that all computer programs and program modifications are authorized, tested, and independently reviewed and that live taxpayer data is not used for software testing. IRS has begun a configuration management improvement whose focus includes evaluation, resolution and standardization of all application and system development and operations. In addition, IRS instituted an approval process before live taxpayer data could be used for software testing. As a result, IRS has greater assurance of improved security over its software quality control process.

    Recommendation: The Commissioner of Internal Revenue should direct the Chief Information Officer and Director of the Office of Systems Standards and Evaluation to work in conjunction with the facility directors as appropriate to continue efforts to ensure that all computer programs and program modifications are authorized, tested, and independently reviewed and that real taxpayer data is not used for software testing.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  5. Status: Closed - Implemented

    Comments: In our FY 1999 summary report of IRS computer security controls, we noted that IRS did not physically protect telecommunications equipment and that dial-in access was not adequately protected, thereby increasing the risk of unauthorized access and disclosure of sensitive taxpayer data. We recommended that IRS establish adequate safeguards over telecommunications equipment and remote access to IRS systems. IRS has since secured physical access to telecommunications equipment and established security offices responsible for monitoring security controls over external and internal connections. In addition, IRS has established appropriate security policy standards to provide controls over its telecommunications infrastructure. As a result, IRS has greater assurance that unauthorized individuals would not have access to sensitive taxpayer information.

    Recommendation: The Commissioner of Internal Revenue should direct the Chief Information Officer and Director of the Office of Systems Standards and Evaluation to work in conjunction with the facility directors as appropriate to continue efforts to establish adequate safeguards over telecommunications equipment and remote access to IRS systems.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  6. Status: Closed - Implemented

    Comments: In our FY 1999 summary report of IRS computer security weaknesses, we noted that security software was not configured to provide optimum security over tape media. We recommended that IRS configure security software to provide optimum security over tape media. IRS has since restricted access to the security software to provide improved security over access to data on tape media. As a result, IRS has greater assurance that access to sensitive data on tape media would be limited to authorized personnel.

    Recommendation: The Commissioner of Internal Revenue should direct the Chief Information Officer and Director of the Office of Systems Standards and Evaluation to work in conjunction with the facility directors as appropriate to continue efforts to configure security software to provide optimum security over tape media.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  7. Status: Closed - Implemented

    Comments: In our FY 1999 summary report of IRS computer security weaknesses, we noted that IRS did not limit access to system software to individuals with a need to know, access to key system logs was available, and the powerful "root" authority had been granted to users whose assigned duties did not require such capabilities. We recommended that IRS limit access authority to only those computer programs and data needed to perform job responsibilities and review access authority regularly to identify and correct inappropriate access. IRS has since implemented corrective actions to adequately ensure that access to key computer applications and systems was limited to authorized persons for authorized purposes. As a result, IRS has greater assurance that only authorized personnel would be granted access to sensitive programs and data.

    Recommendation: The Commissioner of Internal Revenue should direct the Chief Information Officer and Director of the Office of Systems Standards and Evaluation to work in conjunction with the facility directors as appropriate to continue efforts to limit access authority to only those computer programs and data needed to perform job responsibilities and review access authority regularly to identify and correct inappropriate access.

    Agency Affected: Department of the Treasury: Internal Revenue Service
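The finding behind recommendation 7 (root authority granted to users whose duties did not require it, and no regular review of access authority) is the kind of thing a periodic access review should catch mechanically. The following is an added example, not code from the GAO report or from IRS: a small review that parses passwd- and group-format text, collects every account holding root-equivalent authority (UID 0, membership in an administrative group, or an administrative group as primary group), and reports the ones not on an approved list. The sample passwd/group lines, the approved list, and the assumption that the `wheel` and `sudo` groups confer root-equivalent authority on the reviewed host are all constructed for illustration.

```python
"""Periodic access-authority review: flag accounts with root-equivalent
privilege that are not on an approved list.

Added example, not from the GAO report or from IRS. The passwd/group text,
the approved list, and ADMIN_GROUPS are constructed assumptions; on a real
host you would read /etc/passwd and /etc/group (and check sudoers) instead.
"""

# Constructed sample input: a second UID-0 account ("toor"), an over-broad
# wheel group, and an automation account whose *primary* group is sudo.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backup root alias:/root:/bin/sh
dbadmin:x:1001:1001:DB Admin:/home/dbadmin:/bin/bash
jsmith:x:1002:1002:Tax examiner:/home/jsmith:/bin/bash
opsauto:x:1003:27:Ops automation:/home/opsauto:/bin/bash
"""

SAMPLE_GROUP = """\
root:x:0:
wheel:x:10:dbadmin,jsmith
sudo:x:27:
users:x:100:jsmith
"""

# Constructed approved list: who may hold root-equivalent access, and why.
# Anyone else with such access is a finding to correct or justify.
APPROVED_ROOT = {
    "root": "built-in superuser",
    "dbadmin": "database platform administration",
}

# Assumption: the host's sudoers grants ALL to these groups.
ADMIN_GROUPS = {"wheel", "sudo"}


def parse_passwd(text):
    """Return {username: (uid, primary_gid)} from passwd-format text."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed entry; skip rather than guess
        users[fields[0]] = (int(fields[2]), int(fields[3]))
    return users


def parse_group(text):
    """Return {groupname: (gid, set_of_supplementary_members)}."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue
        members = {m for m in fields[3].split(",") if m}
        groups[fields[0]] = (int(fields[2]), members)
    return groups


def root_equivalent_accounts(passwd_text, group_text):
    """Map each account holding root-equivalent authority to the reasons why.

    Checks three paths to root: UID 0, an administrative group as the
    account's primary group (missed by reviews that only read the member
    list), and supplementary membership in an administrative group.
    """
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    admin_gids = {gid: name for name, (gid, _) in groups.items()
                  if name in ADMIN_GROUPS}
    reasons = {}
    for name, (uid, gid) in users.items():
        if uid == 0:
            reasons.setdefault(name, []).append("uid 0")
        if gid in admin_gids:
            reasons.setdefault(name, []).append(f"primary group {admin_gids[gid]}")
    for gname in sorted(ADMIN_GROUPS):
        _, members = groups.get(gname, (None, set()))
        for member in members:
            reasons.setdefault(member, []).append(f"member of {gname}")
    return reasons


def review_access(passwd_text, group_text, approved):
    """Return sorted (account, reasons) pairs for unapproved root-equivalent access."""
    findings = []
    for name, why in sorted(root_equivalent_accounts(passwd_text, group_text).items()):
        if name not in approved:
            findings.append((name, sorted(why)))
    return findings


if __name__ == "__main__":
    for name, why in review_access(SAMPLE_PASSWD, SAMPLE_GROUP, APPROVED_ROOT):
        print(f"FINDING: {name} has root-equivalent access ({', '.join(why)}) "
              f"but is not on the approved list")
```

Run against the constructed input, the review reports `toor` (a second UID-0 account), `jsmith` (wheel membership a tax examiner's duties do not require) and `opsauto` (root-equivalent through its primary group, which a review of the `sudo` member list alone would miss); `dbadmin` is approved and not reported. The approved list is the artifact the review is really checking against, so it should itself be owned and re-approved on a schedule, which is what "review access authority regularly" amounts to in practice.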

  8. Status: Closed - Implemented

    Comments: In our FY 1999 summary report of IRS computer security weaknesses, we noted that access to sensitive computing areas, such as computer rooms, data communication areas, and tape libraries, was not adequately controlled. We recommended that IRS implement appropriate control measures to limit physical access to facilities, computer rooms, and computing resources based on job responsibilities. IRS has since developed a corrective action plan to adequately ensure that access to key computer applications and systems is limited to authorized persons for authorized purposes by issuing new and updated computer and physical access controls and personnel security requirements. In addition, IRS conducted an extensive analysis of its guard forces to ensure adequate staffing and performed security reviews at each computing center to identify security vulnerabilities. As a result, IRS has greater assurance that physical access to its computing resources and facilities is better controlled.

    Recommendation: The Commissioner of Internal Revenue should direct the Chief Information Officer and Director of the Office of Systems Standards and Evaluation to work in conjunction with the facility directors as appropriate to continue efforts to implement appropriate control measures to limit physical access to facilities, computer rooms, and computing resources based on job responsibility.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  9. Status: Closed - Implemented

    Comments: In our FY 1999 summary report of IRS computer security controls, we noted that IRS had not consistently implemented actions to eliminate or mitigate the weaknesses identified during computer control evaluations. We recommended that IRS implement actions to correct or mitigate weaknesses identified during such computer control evaluations. IRS, as verified by our follow-up general control reviews, has since implemented numerous corrective actions. As a result, IRS has enhanced its effectiveness in protecting taxpayer information against unauthorized access attempts.

    Recommendation: The Commissioner of Internal Revenue should ensure that IRS completes the implementation of an effective service-wide computer security management program. This program should include procedures for implementing actions to correct or mitigate weaknesses identified during such computer control evaluations.

    Agency Affected: Department of the Treasury: Internal Revenue Service
