From the U.S. Government Accountability Office, www.gao.gov

Transcript for: IRS Information Security

Description: Audio interview by GAO staff with Greg Wilshusen, Director, Information Technology

Related GAO Work: GAO-16-398: Information Security: IRS Needs to Further Improve Controls over Financial and Taxpayer Data

Released: March 2016

[ Background Music ]

[ Narrator: ] Welcome to GAO's Watchdog Report, your source for news and information from the U.S. Government Accountability Office. It's March 2016. To do its job, the IRS has to collect and keep a variety of sensitive information about taxpayers. But how does it make sure this information is secure? A team led by Greg Wilshusen, a director in GAO's Information Technology team, recently reviewed how IRS protects your personal and financial information. GAO's Jacques Arsenault sat down with Greg to talk about what they found.

[ Jacques Arsenault: ] I just filed my tax returns a couple of weeks ago, can you tell me what kinds of information is the IRS collecting from taxpayers?

[ Greg Wilshusen: ] Well Jacques, the IRS collects a veritable treasure trove of information on taxpayers. It includes their name, address, social security numbers, as well as the information on individuals' tax returns, such as their income levels, their sources of income and other deductions and stock transactions that may be reported on an individual's tax return. But it's also what businesses and their employers and their stock brokers and others may send to the IRS as well.

[ Jacques Arsenault: ] Now, your report talks about information security controls. What exactly are these, and, in a perfect world, what kinds of controls would the IRS have to protect taxpayer data?

[ Greg Wilshusen: ] There are a number of different types of information security controls, and these include logical and access security controls, configuration management, and continuity of operations plans. These controls are designed and intended to help assure that appropriate restrictions are placed on data so that they're not accessed by unauthorized individuals. And they also help to assure that physical access to resources and facilities is adequately protected.

[ Jacques Arsenault: ] Okay, so these controls are making me a little more comfortable, but how well is the IRS doing at implementing these kinds of controls?

[ Greg Wilshusen: ] Well, IRS does a fair job in implementing some of them but what we have found is that there are a number of weaknesses in the controls that IRS implements over its taxpayer and financial systems. For example, their password controls and passwords were easily guessable on a number of systems that we looked at, including that they were not encrypted on 11 of the 14 systems that we examined. Also, configuration management controls, such as installing patches, were not being performed in a timely manner. We also found to its benefit that IRS generally did perform risk assessments and tested its contingency plans on a regular basis. But we also found that IRS did not adequately track security awareness training for its contractors. And this is important because IRS relies to a great extent on contractors to perform some of its IT services.

[ Jacques Arsenault: ] So it sounds like IRS is taking a number of steps and has a number of things in place, but there are some definite holes that can create vulnerabilities and there seems to be a theme that there are things in place but they don't go as far as they need to really get these under control. And you also talked about, in the report, some systematic management challenges at IRS that may be leading to some of that. Can you tell me a little more about that?

[ Greg Wilshusen: ] Sure, those systematic and management-related issues pertain to a number of things; for example, some of IRS's policies and procedures were out of date and no longer reflected the current environment, as well as its system security plans. So there increases the risk that the controls in place may not be appropriate given the current environment. We also found that IRS did not perform comprehensive tests and evaluations of its information security controls, and this is vitally important because this control helps IRS to identify vulnerabilities that they can then take action on but in comparing our tests and the results from our procedures, we found a number of vulnerabilities to IRS systems that IRS did not identify and was unaware of. And another key programmatic shortfall with IRS is its process for implementing remedial actions to correct known vulnerabilities in a timely manner. This past year, IRS corrected about 21 of the 70 outstanding recommendations and findings that we have previously reported and it had also indicated that it had actually closed 28 of those prior findings but when we conducted our tests, we found that 9, nearly a third of the findings and recommendations that we previously made, that IRS believed it had closed, were still open. In this report, we are making 44 additional recommendations, which will help IRS have a path forward, if you will, in order to take corrective actions on these weaknesses and vulnerabilities that we identified. But it will be up to IRS to adequately and effectively implement those recommendations and that's something we'll be looking at next year when we look at IRS's procedures once again.

[ Jacques Arsenault: ] Oh, I'll definitely be interested and I'd hope that we'll have some good news on that front. Finally, for people who have recently filed taxes or are about to get their returns in, what's the bottom line of this report?

[ Greg Wilshusen: ] Well, the bottom line is that IRS has made progress in implementing security over its systems that process financial data and taxpayer information. However, a number of vulnerabilities and weaknesses that we identified unnecessarily increased the risk that that data could be compromised, either through unauthorized access and disclosure, or alteration, or possibly even destruction. And so, the bottom line I guess, once again for all the listeners is to be sure to file your taxes and IRS will hopefully take better care of them.

[ Background Music ]

[ Narrator: ] To learn more, visit GAO.gov and be sure to tune in to the next episode of GAO's Watchdog Report for more from the congressional watchdog, the U.S. Government Accountability Office.