IRS Systems Security:
Tax Processing Operations and Data Still at Risk Due to Serious Weaknesses
T-AIMD-97-76, Apr 10, 1997
GAO discussed the Internal Revenue Service's (IRS) computer security weaknesses. GAO stated that neither this testimony nor the report just released quantifies the total number of weaknesses that GAO found or the number of weaknesses found in each of the eight functional categories of security that GAO reviewed, nor does either detail the most serious weaknesses that GAO found.
GAO noted that:

(1) GAO's on-site reviews of security at five facilities disclosed many weaknesses in eight functional areas;
(2) these areas are physical security, logical security, data communications management, risk analysis, quality assurance, internal audit and security, security awareness, and contingency planning;
(3) of these eight, the primary weaknesses were in the areas of physical and logical security;
(4) collectively, the five facilities could not account for approximately 6,400 units of magnetic storage media that could contain taxpayer data;
(5) printouts containing taxpayer data were left unprotected and unattended in open areas of two facilities, where they could be compromised;
(6) tapes containing taxpayer data were not overwritten before reuse, creating the potential for unauthorized disclosure;
(7) access to system software was not limited to individuals with a need to know;
(8) application programmers were allowed to move development software into the production environment without adequate controls, and these programmers were allowed to use taxpayer data for testing purposes, which places these data at unnecessary risk of unauthorized disclosure and modification;
(9) two facilities had not performed an audit of operations within the last 5 years;
(10) three of the five facilities did not have an adequate security awareness program;
(11) none of the five facilities visited had comprehensive disaster recovery plans or completed business resumption plans, which should specify the disaster recovery goals and milestones required to meet the business needs of their customers;
(12) to address the threat of IRS employees browsing taxpayer information, IRS developed the Electronic Audit Research Log (EARL) and has taken legal and disciplinary actions against employees caught browsing;
(13) IRS does not have reliable, objective measures for determining whether or not it is making progress in reducing browsing;
(14) IRS facilities inconsistently review and refer incidents of employee browsing, apply penalties for browsing violations, and publicize the outcome of browsing cases to deter other employees from browsing; and
(15) EARL cannot detect all instances of browsing because it monitors only employees using the Integrated Data Retrieval System.