From the U.S. Government Accountability Office, www.gao.gov

Transcript for: IRS Controls over Financial and Taxpayer Data
Description: Audio interview by GAO staff with Greg Wilshusen, Director, Information Technology
Related GAO Work: GAO-15-337: Information Security: IRS Needs to Continue Improving Controls over Financial and Taxpayer Data
Released: March 2015

[ Background Music ]

[ Narrator: ] Welcome to GAO's Watchdog Report, your source for news and information from the U.S. Government Accountability Office. It's March 2015. IRS relies extensively on computer systems and information security controls to protect taxpayers’ sensitive personal and financial data. A team led by Greg Wilshusen, a director in GAO's Information Technology team, recently reviewed IRS information security policies, plans, and procedures. GAO's Jacques Arsenault sat down with Greg to discuss what they found.

[ Jacques Arsenault: ] What kinds of IT systems does IRS use to fulfill its mission?

[ Greg Wilshusen: ] IRS uses a wide variety of information systems, networks, and computer applications to perform its mission. It, for example, has workstations for its over 94,000 employees that operate in 600 cities and offices. It also maintains and operates database management systems, application servers, and big mainframe systems to handle the bulk processing that IRS does. And most of these are highly interconnected through a wide range of local area networks and wide area networks. These systems are particularly critical to IRS because of just the large volume of activity that they do. For example, in fiscal year 2014, IRS collected over $3.1 trillion, processed about 199 million tax and information returns, and paid about $374 billion in tax refunds.

[ Jacques Arsenault: ] And can you talk about the types of information security threats that face IRS?

[ Greg Wilshusen: ] There are a couple of different types, as we classify them. One is the untargeted or non-targeted attacks and threats. These are the types of threats where the attacker doesn't necessarily have a specific agency or organization in mind. He just throws out, for example, worms or malicious software and tries to catch whomever he can. Then there are also targeted attacks. And certainly IRS would make an attractive target because it possesses a treasure trove of personally identifiable information on American taxpayers. And so there are both those types of individuals, for example, fraudsters who wish to try to collect personally identifiable information in order to perpetrate identity theft or other types of financial crimes, as well as other adversaries who may wish to disrupt the funding of federal government operations. In addition, another key threat is that posed by insiders. Insiders already have access to systems within the IRS, and their actions can either inadvertently cause a disruption in service or create some integrity issues in the data, or they could have some malicious intent too.

[ Jacques Arsenault: ] Did you find in your work that IRS is effectively ensuring that all of this sensitive information maintains its confidentiality and integrity?

[ Greg Wilshusen: ] Well, we did find that IRS is making improvements in its protection of this type of information and over its systems. For example, it has established policies and procedures for assigning privileges to users, for controlling access to its systems, encrypting data, and also auditing and monitoring system activities. However, we also found that the IRS had an inconsistent implementation of those policies and procedures across the enterprise. For example, we identified that the passwords on many accounts were weak and were subject to guessing, or at least at an increased risk of being guessed by some individual. It also often granted privileges that were in excess of need. And that's a violation of the principle of least privilege, in which the agency should only assign those access permissions to a system that are necessary for the individual to complete their job-related responsibilities and no more. As well, IRS did not consistently patch its software in a timely manner, and this is vitally important because software patches help to correct and mitigate vulnerabilities in software code that are well known and could be exploited by outsiders or malicious insiders.

[ Jacques Arsenault: ] So, then, finally, for taxpayers and the general public, what would you say is the bottom line of this report?

[ Greg Wilshusen: ] Well, IRS is making progress in protecting taxpayer data. However, much more needs to be done. It needs to address the weaknesses that we've identified in this report as well as in our prior reports we conducted at the service. And also it needs to ensure that it takes corrective actions in a timely manner. And as a result of the weaknesses that we identified, we reported that IRS continued to have a significant deficiency in its information system controls for financial reporting.

[ Background Music ]

[ Narrator: ] To learn more, visit GAO.gov and be sure to tune in to the next episode of GAO's Watchdog Report for more from the congressional watchdog, the U.S. Government Accountability Office.