Information Security:

Internal Revenue Service Needs to Remedy Serious Weaknesses over Taxpayer and Bank Secrecy Act Data

GAO-05-482: Published: Apr 15, 2005. Publicly Released: Apr 15, 2005.

Contact:

Gregory C. Wilshusen
(202) 512-6244
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

The Internal Revenue Service (IRS) relies extensively on computerized systems to support its financial and mission-related operations. In addition, IRS provides computer processing support to the Financial Crimes Enforcement Network (FinCEN)--another Treasury bureau. As part of IRS's fiscal year 2004 financial statements, GAO assessed (1) the status of IRS's actions to correct or mitigate previously reported weaknesses at one of its critical data processing facilities and (2) the effectiveness of IRS's information security controls in protecting the confidentiality, integrity, and availability of key financial and tax processing systems.

IRS has made progress in correcting or mitigating previously reported information security weaknesses and in implementing controls over key financial and tax processing systems that are located at one of its critical data processing facilities. It has corrected or mitigated 32 of the 53 weaknesses that GAO reported as unresolved at the time of our prior review in 2002. However, in addition to the remaining 21 previously reported weaknesses for which IRS has not completed actions, 39 newly identified information security control weaknesses impair IRS's ability to ensure the confidentiality, integrity, and availability of its sensitive financial and taxpayer data and FinCEN's Bank Secrecy Act data. For example, IRS has not implemented effective electronic access controls over its mainframe computing environment to logically separate its taxpayer data from FinCEN's Bank Secrecy Act data--two types of data with different security requirements. In addition, IRS has not effectively implemented certain other information security controls relating to physical security, segregation of duties, and service continuity at the facility. Collectively, these weaknesses increase the risk that sensitive taxpayer and Bank Secrecy Act data will be inadequately protected from unauthorized disclosure, modification, use, or destruction. Moreover, weaknesses in service continuity and business resumption plans heighten the risk that assets will be inadequately protected and controlled to ensure the continuity of operations when unexpected interruptions occur. An underlying cause of these information security control weaknesses is that IRS has not fully implemented certain elements of its agencywide information security program. Until IRS fully implements a comprehensive agencywide information security program, its facilities and computing resources and the information that is processed, stored, and transmitted on its systems will remain vulnerable.

Status Legend:

  • Review Pending: GAO has not yet assessed implementation status.
  • Open: Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed - implemented: Actions that satisfy the intent of the recommendation have been taken.
  • Closed - not implemented: While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.

    Recommendations for Executive Action

    Recommendation: The Secretary of the Treasury should direct the IRS Commissioner to perform an assessment to determine whether taxpayer data has been disclosed to unauthorized individuals.

    Agency Affected: Department of the Treasury

    Status: Closed - Implemented

    Comments: According to IRS, the agency performed an assessment to determine whether data had been disclosed to any unauthorized individuals.

    Recommendation: To help fully implement IRS's information security program, the Secretary of the Treasury should direct the IRS Commissioner to implement an ongoing process of testing and evaluating IRS's information systems to ensure compliance with established policies and procedures.

    Agency Affected: Department of the Treasury

    Status: Closed - Implemented

    Comments: IRS has established an ongoing process of testing and evaluating its systems, including periodically testing and evaluating its systems and configurations to determine compliance with established policies and procedures.

    Recommendation: To help fully implement IRS's information security program, the Secretary of the Treasury should direct the IRS Commissioner to ensure that employees with significant information security responsibilities are provided sufficient training and understand their role in implementing security-related policies and controls.

    Agency Affected: Department of the Treasury

    Status: Closed - Implemented

    Comments: In fiscal year 2008, GAO verified that IRS had ensured that employees with significant information security responsibilities had been provided appropriate training in accordance with IRS policy.

    Recommendation: To help fully implement IRS's information security program, the Secretary of the Treasury should direct the IRS Commissioner to ensure that established security policies and procedures are consistently followed and implemented.

    Agency Affected: Department of the Treasury

    Status: Closed - Implemented

    Comments: Based on recurring audit work at IRS data centers, GAO has observed that the agency has continued to implement its information security program with more consistent implementation of established policies and procedures.

    Recommendation: The Secretary of the Treasury should direct the FinCEN Director to perform an assessment to determine whether Bank Secrecy Act data have been disclosed to unauthorized individuals.

    Agency Affected: Department of the Treasury

    Status: Closed - Implemented

    Comments: According to a FinCEN official, the Secretary delegated this recommendation to IRS; IRS performed an assessment to determine whether data had been disclosed to unauthorized individuals.
