This is the accessible text file for GAO report number GAO-06-328 
entitled 'Information Security: Continued Progress Needed to Strengthen 
Controls at the Internal Revenue Service' which was released on March 
24, 2006. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to the Commissioner of Internal Revenue: 

March 2006: 

Information Security: 

Continued Progress Needed to Strengthen Controls at the Internal 
Revenue Service: 

GAO-06-328: 

GAO Highlights: 

Highlights of GAO-06-328, a report to the Commissioner of Internal 
Revenue 

Why GAO Did This Study: 

The Internal Revenue Service (IRS) has a demanding responsibility in 
collecting taxes, processing tax returns, and enforcing the nationís 
tax laws. It relies extensively on computerized systems to support its 
financial and mission-related operations. Effective information 
security controls are essential for ensuring that information is 
adequately protected from inadvertent or deliberate misuse, disruption, 
or destruction. 

As part of its audit of IRSís fiscal year 2005 financial statements, 
GAO assessed (1) the status of IRSís actions to correct or mitigate 
previously reported information security weaknesses at two sites and 
(2) whether controls over key financial and tax processing systems 
located at the facilities are effective in ensuring the 
confidentiality, integrity, and availability of financial and sensitive 
taxpayer data. 

What GAO Found: 

IRS has made progress in correcting or mitigating previously reported 
information security weaknesses and in implementing controls over key 
financial and tax processing systems that are located at two of its 
critical data processing sites. It has corrected or mitigated 41 of the 
81 specific technical weaknesses that we reported as unresolved at the 
time of our last review at those selected sites. 

Although IRS has made progress, controls over its key financial and tax 
processing systems located at two sites were ineffective. In addition 
to the 40 previously reported weaknesses for which IRS has not 
completed actions, GAO identified new information security control 
weaknesses that threaten the confidentiality, integrity, and 
availability of IRSís financial information systems and the information 
they process. For example, IRS has not implemented effective electronic 
access controls related to network management, user accounts and 
passwords, user rights and file permissions, and logging and monitoring 
of security-related events. In addition, it has not effectively 
implemented other information security controls to physically secure 
computer resources, and to prevent exploitation of vulnerabilities and 
unauthorized changes to system software. Collectively, these weaknesses 
increase the risk that sensitive financial and taxpayer data will be 
inadequately protected against disclosure, modification, or loss, 
possibly without detection, and place IRS operations at risk of 
disruption. 

A key reason for IRSís weaknesses in information security controls is 
that it has not yet fully implemented an information security program 
to ensure that effective controls are established and maintained. Until 
IRS fully implements a comprehensive agencywide information security 
program, its facilities and computing resources and the information 
that is processed, stored, and transmitted on its systems will remain 
vulnerable. 

Status of Previously Reported Weaknesses at Selected Sites: 

[See PDF for image] 

[End of figure] 

What GAO Recommends: 

GAO recommends that the IRS Commissioner take several actions to fully 
implement an information security program. In commenting on a draft of 
this report, IRS concurred with our recommendations. 

www.gao.gov/cgi-bin/getrpt?GAO-06-328. 

To view the full product, including the scope and methodology, click on 
the link above. For more information, contact Gregory C. Wilshusen at 
(202) 512-6244 or wilshuseng@gao.gov. 

[End of section] 

Contents: 

Letter: 

Results in Brief: 

Background: 

Objectives, Scope, and Methodology: 

IRS Has Made Progress in Correcting Previously Reported Weaknesses: 

Significant Weaknesses Place Financial and Taxpayer Data at Risk: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments: 

Appendixes: 

Appendix I: Comments from the Commissioner of Internal Revenue: 

Appendix II: GAO Contacts and Staff Acknowledgments: 

Figures: 

Figure 1: Status of Previously Reported Weaknesses at Selected IRS 
Sites: 

Figure 2: Status of Specialized Training for IRS Employees with 
Significant Security Responsibilities: 

Abbreviations: 

CIO: chief information officer: 

FISMA: Federal Information Security Management Act of 2002: 

IRS: Internal Revenue Service: 

NIST: National Institute of Standards and Technology: 

NSA: National Security Agency: 

OMB: Office of Management and Budget: 

TIGTA: Treasury Inspector General for Tax Administration: 

Letter March 23, 2006: 

The Honorable Mark W. Everson: 
Commissioner of Internal Revenue: 

Dear Commissioner Everson: 

The Internal Revenue Service (IRS) has a demanding responsibility in 
collecting taxes, processing tax returns, and enforcing the nation's 
tax laws. It relies extensively on computerized systems to support its 
financial and mission-related operations. Effective information system 
controls are essential to ensuring that information is adequately 
protected from inadvertent or deliberate misuse, fraudulent use, 
improper disclosure, or destruction. These controls also affect the 
confidentiality, integrity, and availability of financial and taxpayer 
information. 

As part of our audit of the IRS's fiscal year 2005 financial 
statements,[Footnote 1] we assessed the effectiveness of its 
information security controls[Footnote 2] over key financial systems, 
data, and interconnected networks at two of IRS's critical data 
processing sites that support the processing, storage, and transmission 
of sensitive financial and taxpayer data. 

This report describes (1) the status of IRS's actions to correct or 
mitigate previously reported information security weaknesses at the 
sites and (2) whether controls over key financial and tax processing 
systems are effective in ensuring the confidentiality, integrity, and 
availability of financial and sensitive taxpayer data. 

This report provides a general summary of the vulnerabilities 
identified and our recommendations to help strengthen and improve IRS's 
information security program. We are also issuing a separate report for 
limited distribution that contains sensitive information. It describes 
in more detail the information security weaknesses that we identified 
and our specific recommendations for correcting them. 

Results in Brief: 

IRS has made progress in implementing more effective information 
security controls over key financial and tax processing systems that 
are located at two critical data processing sites, and has corrected or 
mitigated 41 of the 81 specific technical weaknesses that we reported 
as unresolved at the time of our last review at those selected sites. 
Actions have been taken to address weaknesses related to electronic 
access, physical access, and software change controls, among others. 
For example, IRS has implemented controls to protect mainframe system 
files that contain embedded user accounts and passwords. 

Nevertheless, significant control weaknesses continue to threaten the 
confidentiality, integrity, and availability of key financial and tax 
processing systems and information. In addition to the remaining 40 
previously reported specific technical weaknesses, for which IRS had 
not completed actions at the time of our review, other newly identified 
information security control weaknesses exist. IRS has not implemented 
effective electronic controls to prevent, limit, or detect unauthorized 
access to computing resources from its internal network. For example, 
IRS was not adequately managing its network, user accounts and 
passwords, and user privileges, and it was not adequately logging and 
monitoring security-relevant events. In addition, IRS faces risks to 
its key financial and tax-processing systems due to weaknesses in 
physical security, patch management, and system change controls. As a 
result, sensitive data and computing resources are at increased risk of 
unauthorized use, modification, loss, and disclosure, possibly without 
detection. 

A key reason for the information security weaknesses in IRS's financial 
and tax processing systems was that the agency had not yet fully 
implemented its information security program. IRS has developed the 
framework for an effective information security program, with written 
policies and procedures that designate responsibility for 
implementation throughout the agency, and risk assessments that 
identify potential threats and recommended actions for reducing 
vulnerabilities. It has also established an incident handling program 
with defined procedures for detecting, responding to, and reporting 
security incidents. However, it has not fully implemented other key 
elements. For example, it has not (1) consistently implemented its 
policies and procedures, (2) completed system security plans, (3) 
trained employees with significant security responsibilities, (4) 
adequately tested and evaluated systems to ensure compliance with 
policies and procedures, (5) completed remedial action plans, and (6) 
installed key hardware and equipment at its disaster recovery site. 
Until IRS fully implements a comprehensive agencywide information 
security program, its facilities, computing resources, and the 
information that is processed, stored, and transmitted on its systems 
will remain vulnerable. 

We are making recommendations to the Commissioner of Internal Revenue 
to take several actions to fully implement a comprehensive agencywide 
information security program. 

In providing written comments on a draft of this report, the 
Commissioner of Internal Revenue acknowledged that IRS needs to 
continue to implement a comprehensive agencywide security program, and 
agreed to implement the five recommendations in this report. He said 
that efforts are under way to remedy weaknesses and will continue until 
all recommendations have been addressed. 

Background: 

Information security is an important consideration for any organization 
that depends on information systems and computer networks to carry out 
its mission or business. The same speed and accessibility that create 
the enormous benefits of the computer age can, if not properly 
controlled, allow individuals and groups with malicious intent to 
intrude into inadequately protected systems and use this access to 
obtain sensitive information, commit fraud, disrupt operations, or 
launch attacks against other computer networks and systems. 

Protecting computer systems that support critical operations and 
infrastructures is important due to the concern about attacks from 
individuals and groups, including terrorists. These concerns are well 
founded for a number of reasons, including the ease of obtaining and 
using hacking tools, the steady advance in the sophistication and 
effectiveness of attack technology, and the warnings of new and more 
destructive attacks to come. 

Computer-supported federal operations are likewise at risk. Our 
previous reports, and those of agency inspectors general, describe 
persistent information security weaknesses that place a variety of 
critical federal operations, including those at IRS, at risk of 
disruption, fraud, and inappropriate disclosure. We have designated 
information security as a governmentwide high-risk area since 
1997[Footnote 3]--a designation that remains today.[Footnote 4] 

In December 2002, Congress enacted the Federal Information Security 
Management Act of 2002 (FISMA) to strengthen security of information 
and systems within federal agencies.[Footnote 5] FISMA requires each 
agency to develop, document, and implement an agencywide information 
security program to provide information security for the information 
and systems that support the operations and assets of the agency. 

In its role as the nation's tax collector, IRS has a demanding 
responsibility in collecting taxes, processing tax returns, and 
enforcing the nation's tax laws. In fiscal year 2005, IRS collected 
about $2.3 trillion in tax payments, processed hundreds of millions of 
tax and information returns, and paid about $267 billion in refunds to 
taxpayers. IRS is a large and complex organization, with a unique 
mission that adds operational challenges for management. It employs 
tens of thousands of people in 10 service center campuses, three 
computing centers, and numerous other field offices throughout the 
United States. Because of the nature of its mission, IRS also collects 
and maintains a significant amount of personal and financial data on 
each American taxpayer. The confidentiality of this sensitive 
information must be protected; otherwise, taxpayers could be exposed to 
loss of privacy and to financial loss and damages resulting from 
identity theft or other financial crimes. 

The Commissioner of Internal Revenue has overall responsibility for 
ensuring the confidentiality, availability, and integrity of 
information and information systems supporting the agency and its 
operations. The Chief of Mission Assurance and Security Services is 
responsible for developing policies and procedures regarding 
information technology security; providing assurance services to 
improve physical, data, and personnel security; conducting independent 
testing; and ensuring security is integrated into its modernization 
activities. To help accomplish these goals, IRS has developed and 
published information security policies, guidelines, standards, and 
procedures in the Internal Revenue Manual, Law Enforcement Manual, and 
other documents. 

Objectives, Scope, and Methodology: 

The objectives of our review were to determine (1) the status of IRS's 
actions to correct or mitigate previously reported weaknesses at two 
sites and (2) whether controls over key financial and tax processing 
systems located at the sites are effective in ensuring the 
confidentiality, integrity, and availability of financial and sensitive 
taxpayer data. We concentrated our evaluation primarily on threats 
emanating from internal sources on IRS's computer networks. Our 
evaluation was based on (1) our Federal Information System Controls 
Audit Manual, which contains guidance for reviewing information system 
controls that affect the confidentiality, integrity, and availability 
of computerized data; (2) FISMA, which sets key elements that are 
required for an effective information security program; and (3) 
previous reports from the Treasury Inspector General for Tax 
Administration (TIGTA). 

Specifically, we evaluated information security controls that are 
intended to: 

* prevent, limit, and detect electronic access to computer resources 
(data, programs, and systems), thereby protecting these resources 
against unauthorized disclosure, modification, and use; 

* provide physical protection of computer facilities and resources from 
espionage, sabotage, damage, and theft; 

* prevent the exploitation of vulnerabilities; 

* prevent the introduction of unauthorized changes to application or 
system software; and: 

* ensure that work responsibilities for computer functions are 
segregated so that one individual does not perform or control all key 
aspects of computer-related operations and, thereby, have the ability 
to conduct unauthorized actions or gain unauthorized access to assets 
or records without detection by another individual performing assigned 
responsibilities. 

In addition, we evaluated IRS's information security program. Such a 
program includes assessing risk; developing and implementing policies, 
procedures, and security plans; providing security awareness and 
training; testing and evaluating control effectiveness; planning, 
implementing, evaluating, and documenting remedial action to address 
information security deficiencies; detecting, reporting, and responding 
to security incidents; and ensuring continuity of operations. 

To evaluate IRS's information security controls and program, we 
identified and reviewed pertinent IRS information security policies and 
procedures, guidance, security plans, relevant reports, and other 
documents, and we tested the effectiveness of these controls at two of 
IRS's critical data processing sites. Specifically, our tests focused 
on three critical applications, as well as three general support 
systems[Footnote 6] located at the two sites. We also discussed with 
key security representatives and management officials whether 
information security controls were in place, adequately designed, and 
operating effectively. 

We performed our review at the two previously mentioned IRS sites in 
accordance with generally accepted government auditing standards from 
June through November 2005. We discussed the results of our review with 
IRS officials. 

IRS Has Made Progress in Correcting Previously Reported Weaknesses: 

IRS has made progress toward implementing more effective information 
security controls over key financial and tax processing systems that 
are located at two critical data processing sites, and has corrected or 
mitigated 41 of the 81 specific technical weaknesses that we reported 
as unresolved at the time of our last reviews at the selected 
sites.[Footnote 7] Actions have been taken to address weaknesses 
related to electronic access, physical access, and software change 
controls, among others. For example, IRS has: 

* implemented controls to protect mainframe system files that contain 
embedded user accounts and passwords; 

* improved the security of authentication data for network devices, 
such as routers and switches; 

* securely configured certain vulnerable network services to help 
prevent unauthorized access; 

* implemented procedures for periodically reviewing employee access to 
sensitive areas; and: 

* ensured that its software change control process includes the 
submission of documented test plans. 

Additionally, IRS addressed critical mainframe weaknesses. In 2005, we 
reported[Footnote 8] that IRS had not implemented effective electronic 
access controls over its mainframe computing environment to logically 
separate its taxpayer data from the Financial Crimes Enforcement 
Network's Bank Secrecy Act data, which include information related to 
financial crimes, terrorist financing, money laundering, and other 
illicit activities. These two types of data have different security 
requirements, and, accordingly, we made specific recommendations to 
correct these access control weaknesses. Since our last report, IRS has 
taken action to mitigate these weaknesses. 

Although IRS has taken steps to strengthen its information security 
controls, it had not completed actions to correct or mitigate the 
remaining 40 previously reported technical weaknesses as illustrated in 
figure 1. 

Figure 1: Status of Previously Reported Weaknesses at Selected IRS 
Sites: 

[See PDF for image] 

[End of figure] 

These weaknesses include routinely permitting unencrypted protocols for 
remote log-on capability; not taking sufficient measures to prevent 
attackers from accessing information, copying sensitive files, and 
introducing malicious code via CD-ROM drives; inadequately restricting 
access to certain accounts with powerful rights over the system's 
operating system; and configuring servers without ensuring sufficient 
audit trails. Failure to resolve these issues will leave sensitive IRS 
computing resources and data vulnerable to unauthorized access, 
manipulation, and destruction. 

In addition, last year we made three recommendations related to 
improving IRS's information security program. These recommendations 
included ensuring that established security policies and procedures are 
consistently followed and implemented, ensuring that employees with 
significant information security responsibilities are provided with the 
sufficient training and understand their role in implementing security- 
related policies and controls, and implementing an ongoing process of 
testing and evaluating systems to ensure compliance with established 
policies and procedures. IRS agreed to implement these recommendations 
and is in the process of doing so. 

Significant Weaknesses Place Financial and Taxpayer Data at Risk: 

Although IRS has made progress in implementing information security for 
its financial and tax processing systems and information by addressing 
many of its previously identified security weaknesses, significant 
weaknesses in electronic access and other information security controls 
continue to threaten the confidentiality, integrity, and availability 
of those systems and information. A primary reason for these weaknesses 
is that IRS has not yet fully implemented its information security 
program. As a result, weaknesses in controls over its key financial and 
tax processing systems could impair IRS's ability to perform vital 
functions and increase the risk of unauthorized disclosure, 
modification, or destruction of taxpayer data. 

Electronic Access Controls Were Inadequate: 

A basic management objective for any organization is to protect the 
resources that support its critical operations from unauthorized 
access. Organizations accomplish this objective by designing and 
implementing controls that are intended to prevent, limit, and detect 
unauthorized access to computing resources, programs, and information. 
Electronic access controls include those related to network management, 
user accounts and passwords, user rights and file permissions, and 
logging and monitoring of security-relevant events. Inadequate controls 
over electronic processes diminish the reliability of computerized 
information, and they increase the risk of unauthorized disclosure, 
modification, and destruction of sensitive information and of 
disruption of service. 

IRS's electronic access controls were inadequate. Serious weaknesses 
existed in network management, user accounts and passwords, user rights 
and file permissions, and logging and monitoring of security-relevant 
events. 

Network Management: 

Networks are collections of interconnected computer systems and devices 
that allow individuals to share resources, such as computer programs 
and information. Because sensitive programs and information are stored 
on or transmitted along networks, effectively securing networks is 
essential to protecting computing resources and data from unauthorized 
access, manipulation, and use. Organizations secure their networks, in 
part, by installing and configuring network devices that permit 
authorized network service requests, deny unauthorized requests, and 
limit the services that are available on the network. Devices used to 
secure networks include (1) firewalls that prevent unauthorized access 
to the network, (2) routers that filter and forward data along the 
network, (3) switches that forward information among segments of a 
network, and (4) servers that host applications and data. Network 
services consist of protocols for transmitting data between network 
devices. Insecurely configured network services and devices can make a 
system vulnerable to internal or external threats, such as denial-of- 
service attacks.[Footnote 9] Because networks often include both 
external and internal access points for electronic information assets, 
failure to secure these assets increases the risk of unauthorized 
modification of sensitive information and systems, or disruption of 
service. 

IRS did not consistently configure network services and devices 
securely to prevent unauthorized access to and ensure the integrity of 
computer systems operating on its networks. For example, it did not 
sufficiently prevent the use of vulnerable remote services on servers. 
In addition, IRS's network management traffic was not segregated from 
normal user traffic, and IRS continued to rely on unencrypted protocols 
for remote management of certain devices. As a result, the agency is at 
increased risk of system compromise, such as unauthorized access to and 
manipulation of sensitive system data, disruption of services, and 
denial of service. 

According to IRS officials, the agency took actions to mitigate the 
network traffic management weakness subsequent to our site visits. 

User Accounts and Passwords: 

A computer system must be able to identify and differentiate among 
users so that activities on the system can be linked to specific 
individuals. When an organization assigns unique user accounts to 
specific users, the system distinguishes one user from another--a 
process called identification. The system must also establish the 
validity of a user's claimed identity though some means of 
authentication, such as a password, that is known only to its owner. 
The combination of identification and authentication--such as user 
account/password combinations--provides the basis for establishing 
individual accountability and for controlling access to the system. 
Accordingly, agencies (1) establish password parameters, such as number 
of characters, type of characters, and the frequency with which users 
should change their passwords, in order to strengthen the effectiveness 
of passwords for authenticating the identity of users; (2) require 
encryption for passwords to prevent their disclosure to unauthorized 
individuals; and (3) implement procedures to control the use of user 
accounts. IRS policy identifies and prescribes minimum requirements for 
creating and managing passwords, such as minimum password length. 

IRS did not adequately control user accounts and passwords to ensure 
that only authorized individuals were granted access to its systems. 
Although IRS has a policy in place addressing password expiration and 
complexity, it has not always implemented these requirements. For 
example, the agency did not always implement the use of complex 
passwords on its Windows servers. It also set the password expiration 
on a Windows server to a value inconsistent with its policy, and did 
not adequately control the storage of passwords on its systems. For 
example, instead of using encryption, IRS stored clear text passwords 
in readable form at one of the sites. Further, it had not implemented 
procedures to control user accounts by not adequately limiting the 
number of superuser accounts for over half of the UNIX servers 
reviewed. These practices increase the risk that individuals might gain 
unauthorized access to critical resources without attribution. 

User Rights and File Permissions: 

The concept of "least privilege" is a basic underlying principle for 
securing computer systems and data. It means that users are granted 
only those access rights and permissions that they need to perform 
their official duties. To restrict legitimate users' access to only 
those programs and files that they need to do their work, organizations 
establish access rights and permissions. "User rights" are allowable 
actions that can be assigned to users or to groups of users. File and 
directory permissions are rules that are associated with a particular 
file or directory and regulate which users can access them and the 
extent of that access. To avoid unintentionally giving users 
unnecessary access to sensitive files and directories, an organization 
must give careful consideration to its assignment of rights and 
permissions. IRS policy states that users should only be given the 
minimum level of permissions needed to perform job duties. 

IRS permitted excessive access to key financial systems, granting 
rights and permissions that allowed more access than users needed to 
perform their jobs. For example, IRS granted administrators of certain 
Windows servers a user right that could allow them to add false entries 
into the security log. In addition, it granted all users on one Windows 
server "read" access to a certain registry setting that would allow 
users to remotely read sensitive system settings. Further, IRS granted 
mainframe users privileges that were not needed to perform assigned job 
duties. For example, all mainframe users were granted a powerful 
privilege that would allow users to read, execute, modify, delete, or 
create new datasets without restriction. Inappropriate access to 
sensitive files and directories provides opportunities for individuals 
to circumvent security controls to deliberately or inadvertently read, 
modify, or delete critical or sensitive information. 

Logging and Monitoring of Security-Relevant Events: 

To establish individual accountability, monitor compliance with 
security policies, and investigate security violations, it is crucial 
to determine what, when, and by whom specific actions have been taken 
on a system. Organizations accomplish this by implementing system or 
security software that provides an audit trail, or logs of system 
activity, that they can use to determine the source of a transaction or 
attempted transaction and to monitor users' activities. The way in 
which organizations configure system or security software determines 
the nature and extent of information that can be provided by the audit 
trail. To be effective, organizations should configure their software 
to collect and maintain audit trails that are sufficient to track 
security-relevant events. IRS policy states that audit logs must be 
generated for use in monitoring security-related events on all 
multiuser systems, and that these logs must be periodically reviewed. 
Further, National Institute of Standards and Technology (NIST) guidance 
states that organizations should deploy centralized logging servers and 
configure devices to send duplicates of their log entries to the 
centralized servers. 

IRS was not adequately logging and monitoring security-relevant events. 
For example, two Windows servers at one site were not configured to log 
successful and failed attempts to access directory services. In 
addition, neither of the sites visited had implemented centralized 
logging and monitoring of logs for any of the UNIX servers reviewed. 
Further, at one site, although IRS was logging system developer 
activity[Footnote 10] in the production environment, they were not 
monitoring the logs. As a result, the agency is at increased risk that 
unauthorized or inappropriate system activity may not be detected. 

Other Information System Controls Were Not Sufficient: 

In addition to electronic access controls, other important controls 
should be in place to ensure the confidentiality, integrity, and 
availability of an organization's data. These controls include 
policies, procedures, and control techniques to physically secure 
computer resources, prevent exploitation of vulnerabilities, and 
prevent unauthorized changes to system software. Weaknesses in these 
areas increase the risk of unauthorized use, disclosure, modification, 
or loss of IRS's information systems and information. 

Physical Security: 

Physical security controls are important for protecting computer 
facilities and resources from espionage, sabotage, damage, and theft. 
These controls restrict physical access to computer resources, usually 
by limiting access to the buildings and rooms in which the resources 
are housed and by periodically reviewing the access granted, in order 
to ensure that access continues to be appropriate. Examples of physical 
security controls include perimeter fencing, surveillance cameras, 
security guards, and locks. The agency has developed and documented 
policies that identify minimum physical protection measures for 
facilities used to process, transmit, or store sensitive but 
unclassified information in support of critical operations and 
missions. For example, one such IRS policy requires that a facility 
risk assessment should be performed at least once every 5 years. 
Inadequate physical security could lead to loss of life and property, 
disruption of functions and services, and unauthorized disclosure of 
documents and information. 

Although IRS has implemented physical security controls, certain 
weaknesses reduce the effectiveness of these controls in protecting and 
controlling physical access to assets at the two sites we reviewed. For 
example, guards at one site did not always examine IRS-issued photo 
identification to verify employees' identities as they entered the 
facility. Failure to check IRS-issued photo identification increases 
the risk that unauthorized individuals could gain entrance to the 
facility. However, following our notification of this issue, agency 
officials took immediate action during our visit to ensure that the 
security guards always verified each employee's identity against 
official IRS photo identification. 

In addition, IRS has not fully implemented a procedure for periodically 
reviewing employee access to sensitive areas. Although steps have been 
taken to implement such a procedure, access to sensitive areas was not 
being limited to individuals with an ongoing need for that access. Site 
officials acknowledged this problem and stated that efforts are under 
way to correct it. 

Further, although IRS policy requires that a facility risk assessment 
be performed at least once every 5 years, one site's most recent 
facility risk assessment was conducted about 5 years ago, and agency 
officials confirmed that an updated assessment was not planned or under 
way. The lack of a current facility risk assessment hinders IRS's 
ability to determine the effectiveness and appropriateness of existing 
safeguards and security guidelines. 

Patch Management: 

Patch management is a critical process that can help alleviate many of 
the challenges of securing computing systems.[Footnote 11] As 
vulnerabilities in a system are discovered, attackers may attempt to 
exploit them, possibly causing significant damage. Malicious acts can 
range from defacing Web sites to taking control of entire systems and 
thereby being able to read, modify, or delete sensitive information; 
disrupt operations; or launch attacks against other organizations' 
systems. After a vulnerability is validated, the software vendor may 
develop and test a patch or workaround. Incident response groups and 
software vendors issue information updates on the vulnerability and the 
availability of patches. IRS's patch management policy assigns 
organizational responsibilities for the patch management process-- 
including the application of countermeasures to mitigate system 
vulnerabilities if patch testing fails--and requires that patches be 
kept up to date or that officials otherwise apply for a waiver. 

IRS did not consistently install software patches in a timely manner. 
For example, IRS's installation of critical or high-priority patches 
through the configuration management process for Windows systems was 
not timely. Further, several patches--some that had been issued in 
2001--had not been applied to certain UNIX servers that we reviewed in 
2005. Because IRS had not yet installed the latest patches, servers 
used for processing financial information and taxpayer data were 
vulnerable to denial-of-service attacks and to execution of arbitrary 
code that will allow administrative privileges. 

System Change Controls: 

It is important to ensure that only authorized and fully tested systems 
are placed in operation. To ensure that changes to systems are 
necessary, work as intended, and do not result in the loss of data or 
program integrity, such changes should be documented, authorized, 
tested, and independently reviewed. In addition, according to IRS 
policy, a security goal of configuration management is to know what 
changes occur and how they will affect system security. 

IRS did not consistently document changes to critical mainframe system 
files. Changes to key file directories--which could contain program 
files that can override security controls--were not always logged. 
Without proper documentation of changes to critical system files, IRS 
is unable to effectively detect unusual or unauthorized modifications 
to its systems. This increases the risk that undocumented changes could 
be made, jeopardizing the security of sensitive information and 
increasing the likelihood of disruptions to system operations. 

Information Security Program Is Not Yet Fully Implemented: 

A key reason for the information security weaknesses in IRS's financial 
and tax processing systems was that although the agency has developed 
and documented policies and procedures, it has not yet fully 
implemented its information security program to help ensure that 
effective controls were established and maintained. 

FISMA[Footnote 12] requires agencies to develop, document, and 
implement an information security program that includes: 

* periodic assessments of the risk and the magnitude of harm that could 
result from the unauthorized access, use, disclosure, disruption, 
modification, or destruction of information and information systems; 

* policies and procedures that (1) are based on risk assessments, (2) 
cost-effectively reduce risks, (3) ensure that information security is 
addressed throughout the life cycle of each system, and (4) ensure 
compliance with applicable requirements; 

* plans for providing adequate information security for networks, 
facilities, and systems; 

* security awareness training to inform personnel--including 
contractors and other users of information systems--of information 
security risks and of their responsibilities in complying with agency 
policies and procedures; 

* at least annual testing and evaluation of the effectiveness of 
information security policies, procedures, and practices relating to 
management, operational, and technical controls of every major 
information system that is identified in the agencies' inventories; 

* a process for planning, implementing, evaluating, and documenting 
remedial action to address any deficiencies in their information 
security policies, procedures, or practices; 

* procedures for detecting, reporting, and responding to security 
incidents; and: 

* plans and procedures to ensure continuity of operations for 
information systems that support the operations and assets of the 
agency. 

IRS has made important progress in developing a framework for its 
information security program. IRS's policy on information technology 
security requires each of these FISMA elements, and the agency has 
initiatives under way in each of these areas. Specifically, IRS has 
established: 

* a methodology for its general support system certification and 
accreditation process, including guidance on conducting risk 
assessments and security test and evaluations, and developing security 
plans; 

* the office of Mission Assurance and Security Services for developing 
policies and procedures regarding information technology security; 

* a policy describing requirements for its security awareness and 
training program; 

* a working group to develop and execute an approach to managing the 
remedial action tracking and implementation process; 

* the Computer Security Incident Response Center for detecting and 
responding to intrusions and misuse; and: 

* business resumption plans that address continuity of operations for 
certain systems. 

However, we identified instances in which the information security 
program had not been fully or consistently implemented for IRS's 
information systems. In discussions during our review, agency officials 
recognized that more work is needed to continue to improve their 
information security program. 

Risk Assessments: 

Identifying and assessing information security risks are essential 
steps in determining what controls are required. Moreover, by 
increasing awareness of risks, these assessments can generate support 
for the policies and controls that are adopted in order to help ensure 
that these policies and controls operate as intended. Office of 
Management and Budget (OMB) Circular A-130, appendix III, prescribes 
that risk be reassessed when significant changes are made to 
computerized systems--or at least every 3 years. Consistent with NIST 
guidance, IRS requires its risk assessment process to detail the 
residual risk assessed, potential threats, and recommended corrective 
actions for reducing or eliminating the vulnerabilities identified. 

IRS generally identified and assessed information security risks. The 
six risk assessments that we reviewed were current and documented 
residual risk assessed, potential threats, and recommended corrective 
actions for reducing or eliminating the vulnerabilities identified. 

Policies and Procedures: 

Another key element of an effective information security program is to 
develop and implement risk-based policies, procedures, and technical 
standards that govern security over an agency's computing environment. 
If properly implemented, policies and procedures should help reduce the 
risk that could come from unauthorized access or disruption of 
services. Technical security standards provide consistent implementing 
guidance for each computing environment. Establishing and documenting 
security policies is important because they are the primary mechanism 
by which management communicates its views and requirements; these 
policies also serve as the basis for adopting specific procedures and 
technical controls. In addition, agencies need to take the actions 
necessary to effectively implement or execute these procedures and 
controls. Otherwise, agency systems and information will not receive 
the protection that should be provided by the security policies and 
controls. 

IRS has developed information security policies, standards, and 
guidelines that generally provide appropriate guidance to personnel 
responsible for securing IRS information systems and data. Yet, we 
noted instances where policies and procedures were inconsistent with 
federal guidance, incomplete, and not consistently implemented. For 
example, IRS's policies and procedures did not always include minimum 
security requirements as outlined in NIST or National Security Agency 
(NSA) guidance. To illustrate, password standards, such as password age 
and password history, set in IRS policies are less stringent than those 
strongly encouraged by NIST guidance, and specific requirements for 
certain systems, such as use of superuser accounts and configuration of 
registry keys, do not meet the guidance issued by NSA. In addition, 
IRS's methodology for the certification and accreditation of their 
general support systems is incomplete, with several key sections of it 
missing information or left completely blank. Further, we continue to 
report that IRS has not consistently implemented policies and 
procedures contained in the Law Enforcement Manual and Internal Revenue 
Manual pertaining to network management, user accounts and passwords, 
user rights and file permissions, and other information system 
controls. Without effectively updating these policies to establish 
appropriate minimum security requirements, ensuring that policies and 
procedures are complete, and implementing them, IRS has less assurance 
that their systems and information are sufficiently protected. 

Security Plans: 

The objective of system security planning is to improve the protection 
of information technology resources. A system security plan provides an 
overview of the system's security requirements and describes the 
controls that are in place--or planned--to meet those requirements. OMB 
Circular A-130 requires that agencies develop and implement system 
security plans for major applications and for general support systems, 
and that these plans address policies and procedures for providing 
management, operational, and technical controls. Further, NIST 
guidelines state that when nonmajor applications are bundled with a 
general support system, the security requirements for each of the 
nonmajor applications should be included in the general support 
system's security plan. IRS policy requires that security plans be 
developed and provides guidance on developing security plans. According 
to both IRS and NIST guidance, plans should include elements such as 
security controls currently in place or planned, the individual 
responsible for the security of the system, a description of the system 
and its interconnected environment, and rules of behavior. 

The six security plans we reviewed generally included elements such as 
security controls currently in place or planned, the individual 
responsible for the security of the system, a description of the system 
and its interconnected environment, and rules of behavior. However, we 
identified instances where plans were incomplete. Of the three security 
plans for general support systems with nonmajor applications that we 
reviewed, none addressed specific controls for the nonmajor 
applications nor assigned specific accountability for those controls. 
TIGTA identified similar issues,[Footnote 13] and noted that business 
unit owners of nonmajor applications may rely too heavily on the 
general support system controls to protect sensitive data. Without 
complete security plans, IRS cannot ensure that appropriate controls 
are in place to protect its systems and critical information. 

Security Awareness and Training: 

Another important element of an information security program involves 
promoting awareness and providing required training so that users 
understand the system security risks and their role in implementing 
related policies and controls to mitigate those risks. Computer 
intrusions and security breakdowns often occur because computer users 
fail to take appropriate security measures. For this reason, it is 
vital that employees who use computer resources in their day-to-day 
operations be made aware of the importance and sensitivity of the 
information they handle, as well as the business and legal reasons for 
maintaining its confidentiality, integrity, and availability. FISMA 
mandates that all federal employees and contractors who use agency 
information systems be provided with information security awareness 
training. Further, FISMA requires agency chief information officers 
(CIO) to ensure that personnel with significant information security 
responsibilities get specialized training. OMB and NIST also require 
agencies to implement system-specific security training. 

IRS has developed and implemented several methods for notifying 
employees and contractors of their security-related roles and 
responsibilities. These methods include specifying security roles and 
responsibilities in various policy manuals available to employees and 
contractors, providing security awareness training during new hire 
orientations, distributing security awareness bulletins and brochures, 
and creating information security poster boards. As reported by TIGTA 
in its 2005 FISMA report, security awareness training was provided to 
all IRS employees and contractors. 

Despite the agency's efforts in providing security awareness training, 
it did not always provide specialized training to individuals with 
significant information security responsibilities. In its fiscal year 
2005 FISMA submission, IRS reported it has 2,737 employees with 
significant information technology security responsibilities, yet only 
300 (11 percent) of those employees received specialized training (see 
fig. 2). 

Figure 2: Status of Specialized Training for IRS Employees with 
Significant Security Responsibilities: 

[See PDF for image] 

[End of figure] 

IRS did not always provide specialized training for its contractor 
personnel with information security responsibilities. For example, it 
did not provide Computer Security Incident Response Center contractors 
with specialized training. IRS has taken some key steps to address this 
area, including establishing a working group to improve its training 
program. Without sufficiently trained security personnel, security 
lapses are more likely to occur and could contribute to further 
information security weaknesses. 

Tests and Evaluations of Control Effectiveness: 

Another key element of an information security program is the testing 
and evaluation of systems to ensure that they are in compliance with 
security policies and that those policies and controls are both 
appropriate and effective. This type of oversight is a fundamental 
element because it demonstrates management's commitment to the security 
program, reminds employees of their roles and responsibilities, and 
identifies and mitigates areas of noncompliance and ineffectiveness. 
Although control tests and evaluations may encourage compliance with 
security policies, the full benefits are not achieved unless the 
results improve the security program. Analyzing the results of security 
reviews provides security specialists and business managers with a 
means of identifying new problem areas, reassessing the appropriateness 
of existing controls, and identifying the need for new controls. FISMA 
requires that the frequency of tests and evaluations be based on risks, 
but occur no less than annually. Furthermore, IRS policy requires 
periodic testing and evaluation of the effectiveness of information 
security policies and procedures. 

Although IRS had conducted system tests and evaluations for the three 
systems we reviewed, its tests did not identify key security 
vulnerabilities. For example: 

* At one of the IRS sites we visited, one system's security test and 
evaluation report did not identify any vulnerabilities. However, during 
our review, we identified several vulnerabilities, including unpatched 
software. 

* At the same site, IRS did not detect control deficiencies during its 
test and evaluation of the mainframe. For example, IRS was not using 
standardized naming conventions for its datasets and was not logging 
changes to software on the mainframe. These weaknesses could have been 
detected and corrected using the results of effective security tests 
and evaluations. 

In addition, in its 2005 FISMA report, TIGTA reported that security 
tests and evaluations for major applications did not comply with NIST 
standards. Tests did not include all system components, such as 
encryption, telecommunication links, and user account management. 
Without appropriate tests and evaluations, IRS cannot be assured that 
employees and contractors are complying with established policies or 
that policies and controls are appropriate and working as intended. 

Remedial Actions: 

Remedial action plans are a key component described in FISMA. They 
assist agencies in identifying, assessing, prioritizing, and monitoring 
the progress in correcting security weaknesses that are found in 
information systems. According to OMB Circular A-123, agencies should 
take timely and effective action to correct deficiencies that they have 
identified through a variety of information sources. To accomplish 
this, remedial action plans should be developed for each deficiency, 
and progress should be tracked for each. IRS policy also requires a 
process for ensuring remedial action to address any significant 
deficiencies. 

According to TIGTA, IRS has made noteworthy progress in the area of 
tracking remedial actions. In its 2005 FISMA report, TIGTA reported 
that it was able to verify that IRS's remedial action plans included 
weaknesses from various reviews and were tailored to specific 
applications. 

Although IRS had developed remedial plans to address information 
security weaknesses identified through previous reviews, the plans we 
reviewed were incomplete. All four remedial plans were missing certain 
key elements. For example, none of the four plans specified the funds 
required to correct identified weaknesses. In addition, three of the 
plans did not identify scheduled completion dates for correcting or 
mitigating identified weaknesses. Further, the fourth plan was outdated 
because it included scheduled completion dates that had already passed. 
For example, weaknesses that were still considered "open" in June 2005 
had scheduled completion dates of April 2005. IRS officials explained 
that the remedial plans were a "work in progress," since the documents 
were not due to be submitted to OMB until September 2005. However, OMB 
requires at least quarterly updates of agency remedial plans; 
therefore, the plan should have been updated during the time of our 
review. Without complete and current remedial action plans, the agency 
may not be able to prioritize and monitor progress in correcting 
security weaknesses. 

Incident Handling: 

Even strong controls may not block all intrusions and misuse, but 
organizations can reduce the risks associated with such events if they 
promptly take steps to detect and respond to them before significant 
damage can be done. In addition, accounting for and analyzing security 
problems and incidents are effective ways for organizations to gain a 
better understanding of threats to their information and of the costs 
of their security-related problems. Such analyses can pinpoint 
vulnerabilities that need to be eliminated so that they will not be 
exploited again. Problem and incident reports can provide valuable 
input for risk assessments, can help in prioritizing security 
improvement efforts, and can be used to illustrate risks and related 
trends for senior management. 

IRS has implemented an incident handling program and established the 
Computer Security Incident Response Center in 2001. The center's 
mission is to detect, react, and respond to computer security incidents 
targeting the IRS enterprise information infrastructure. It provides 
assistance and guidance in both cyber and physical incident response 
and uses a centralized approach to incident handling across IRS. The 
agency has also defined procedures for detecting, responding to, and 
reporting computer and network security incidents, and has created 
several detailed incident detection and response procedures outlining 
the roles and responsibilities of center personnel and event analysis. 
In 2005, TIGTA reported[Footnote 14] that the center was effective at 
preventing, detecting, and responding to computer security incidents, 
but it recommended further improvements in reporting and documenting 
remedial actions related to incidents. 

Continuity of Operations: 

Continuity of operations controls, which includes disaster recovery 
planning, should be designed to ensure that when unexpected events 
occur, key operations continue without interruption or are promptly 
resumed, and that critical and sensitive data are protected. These 
controls include environmental controls and procedures designed to 
protect information resources and minimize the risk of unplanned 
interruptions, along with a plan to recover critical operations should 
interruptions occur. If continuity of operations controls are 
inadequate, even a relatively minor interruption could result in 
significant adverse nationwide impact on IRS operations. IRS requires 
that continuity of operations, or business resumption, plans be 
included as part of its certification and accreditation process. 

Shortcomings in IRS's ability to recover from disruptions due to 
unexpected events continue to exist. In 2004, we reported that non-IRS 
staff at an IRS site were not trained to restore operations in the 
event IRS staff were not available. In addition, in 2005, we reported 
that the disaster recovery plans we reviewed at an IRS site did not 
include disaster recovery procedures for its UNIX and Windows systems. 
Also, the site's business resumption plans did not include UNIX and 
Windows systems. Although IRS has various initiatives under way to 
improve continuity of operations, these and other shortcomings still 
exist. Specifically, IRS has not procured and installed UNIX-based 
hardware and equipment for processing applications and data at its 
disaster recovery hot-site--an alternate processing location that can 
be used in case of an emergency. Further, in 2005, the agency reported 
that they had tested contingency plans for only 36 percent of its 
systems. Until the agency completes actions to address these 
weaknesses, it is at risk of not being able to appropriately recover in 
a timely manner from certain service disruptions. 

Conclusions: 

IRS has made progress in correcting or mitigating previously reported 
weaknesses and in implementing controls over key financial and tax 
processing systems. However, information security weaknesses--both old 
and new--continue to impair its ability to ensure the confidentiality, 
integrity, and availability of financial and other sensitive data. A 
key reason for these weaknesses is that IRS has not yet fully 
implemented critical elements of its information security program, 
although it has developed a solid framework. Until IRS fully implements 
a comprehensive agencywide information security program that includes 
enhanced policies, procedures, plans, training, and continuity of 
operations, its facilities and computing resources and the information 
that is processed, stored, and transmitted on its systems will remain 
vulnerable. 

Recommendations for Executive Action: 

To help establish effective information security over key financial 
systems, data, and interconnected networks, we recommend that you take 
the following five actions to implement an information security 
program: 

* enhance policies and procedures related to password age and 
configuration settings to comply with federal guidelines; 

* review system security plans to ensure that they appropriately 
address nonmajor applications; 

* ensure contractors with significant information security 
responsibilities are provided with sufficient specialized training; 

* ensure that remedial action plans are complete and up to date; and: 

* continue to enhance continuity of operations capabilities by: 

* training non-IRS staff to restore operations, 

* updating disaster recovery plans to include disaster recovery 
procedures for UNIX and Windows systems, 

* updating business resumption plans to include UNIX and Windows 
systems, and: 

* installing UNIX-based hardware and equipment for processing 
applications and data at IRS's disaster recovery hot-site. 

We are also making recommendations in a separate report with limited 
distribution. These recommendations consist of actions to be taken to 
correct the specific information security weaknesses we identified that 
are related to network management, user accounts and passwords, user 
rights and file permissions, audit and monitoring of security-related 
events, physical security, and patch management at the two sites we 
visited. 

Agency Comments: 

In providing written comments (reprinted in app. I) on a draft of this 
report, the Commissioner of Internal Revenue acknowledged that IRS 
needs to continue to implement a comprehensive agencywide security 
program, and agreed to implement the five recommendations in this 
report. He said that efforts are under way to remedy weaknesses and 
will continue until all recommendations have been addressed. 

The Commissioner also said that IRS is taking an agencywide approach to 
address the root cause of the weaknesses we identified. He also stated 
that many weaknesses have been corrected and additional controls have 
been implemented. Further, he said that IRS is continuing its 
aggressive initiative to complete required security activities at each 
of the computing centers. These activities include the development of 
security plans, security documentation, and security testing. 

This report contains recommendations to you. As you know, 31 U.S.C. 720 
requires the head of a federal agency to submit a written statement of 
the actions taken on our recommendations to the Senate Committee on 
Homeland Security and Governmental Affairs and to the House Committee 
on Government Reform not later than 60 days from the date of the report 
and to the House and Senate Committees on Appropriations with the 
agency's first request for appropriations made more than 60 days after 
the date of this report. Because agency personnel serve as the primary 
source of information on the status of recommendations, GAO requests 
that the agency also provide it with a copy of your agency's statement 
of action to serve as preliminary information on the status of open 
recommendations. 

We are sending copies of this report to interested congressional 
committees and the Secretary of the Treasury. We will also make copies 
available to others upon request. In addition, this report will be 
available at no charge on the GAO Web site at [Hyperlink, 
http://www.gao.gov]. 

If you have any questions regarding this report, please contact Gregory 
Wilshusen at (202) 512-6244 or Keith Rhodes at (202) 512-6412. We can 
also be reached by e-mail at [Hyperlink, wilshuseng@gao.gov] and 
[Hyperlink, rhodesk@gao.gov]. Contact points for our Offices of 
Congressional Relations and Public Affairs may be found on the last 
page of this report. Key contributors to this report are listed in 
appendix II. 

Sincerely yours, 

Signed by: 

Gregory C. Wilshusen: 
Director, Information Security Issues: 

Signed by: 

Keith A. Rhodes: 
Chief Technologist: 

[End of section] 

Appendixes: 

Appendix I: Comments from the Commissioner of Internal Revenue: 

DEPARTMENT OF THE TREASURY: 
INTERNAL REVENUE SERVICE: 
COMMISSIONER: 
WASHINGTON, D.C. 20224: 

February 27, 2006: 

Mr. Gregory C. Wilshusen: 
Director, Information Technology: 
U.S. Government Accountability Office: 
441 G Street, N.W. 
Washington, D.C. 20548: 

Dear Mr. Wilshusen: 

I am writing to provide the Internal Revenue Service's comments on the 
draft Government Accountability Office (GAO) report, Information 
Security. Continued Progress Needed to Strengthen Controls at the 
Internal Revenue Service (GAO-06-328). 

We agree the IRS needs to continue to implement a comprehensive agency- 
wide information security program, and we agree to implement the five 
recommendations contained in the report. Efforts to remedy these 
weaknesses are currently underway and will continue until all 
recommendations have been addressed. We will provide you with a 
detailed corrective action plan in the near future. 

Thank you for recognizing the IRS has made progress in implementing 
more effective information security controls over key financial and tax 
processing systems. The report indicates the IRS has corrected or 
mitigated 41 of the 81 specific technical weaknesses GAO reported as 
unresolved at the time of your last review. Because the IRS's solution 
extends beyond the specific findings and addresses the root cause of 
the weaknesses at an enterprise-wide level, a majority of the 
weaknesses remain open. However, as a result of this agency-wide 
approach and other initiatives we have underway, the IRS now has 
stronger controls to protect taxpayer data. 

As discussed in Treasury's response to the previous GAO report, 
Information Security. Internal Revenue Service Needs to Remedy Serious 
Weaknesses Over Taxpayer and Bank Secrecy Act Data (GAO-05-482) dated 
April 2005, all senior officials at the IRS share the responsibility 
for information technology security. In response to that report, the 
Chief Information Officer and the Chief of Mission Assurance and 
Security Services are collaborating with executives throughout the IRS 
to ensure security policies, standards, and procedures are being 
followed enterprise-wide. 

The IRS continues to make progress in addressing computer security 
deficiencies throughout the Service. Many weaknesses have been 
corrected and additional controls have been implemented. The IRS has 
continued the extremely aggressive initiative it began in 2004 to 
complete the full suite of required security activities at each of its 
computing centers and campuses and to support security certification 
and accreditation. This is being accomplished using the latest 
processes and guidance specified by the National Institute for 
Standards and Technology and in accordance with the requirements of the 
Federal Information Security Management Act. The security activities 
include the development of security plans, security documentation, and 
security testing. 

We are aware that effective information security controls are essential 
for ensuring information is adequately protected from inadvertent or 
deliberate misuse, disruption, or destruction. The IRS takes security 
and privacy responsibilities very seriously. 

I appreciate your continued support and the valuable assistance and 
guidance from your staff. If you have any questions, or you would like 
to discuss this response in more detail, please contact W. Todd Grams, 
Chief Information Officer, at (202) 622-6800, or Daniel Galik, Chief of 
Mission Assurance and Security Services, at (202) 622-8910. 

Sincerely, 

Signed by: 

Mark W. Everson: 

[End of section] 

Appendix II: GAO Contacts and Staff Acknowledgments: 

GAO Contacts: 

Gregory C. Wilshusen, (202) 512-6244 Keith A. Rhodes, (202) 512-6412: 

Staff Acknowledgments: 

In addition to the persons named above, Edward Alexander Jr., Gerald 
Barnes, Bruce Cain, Mark Canter, Nicole Carpenter, Jason Carroll, Lon 
Chin, Kirk Daubenspeck, Neil Doherty, Patrick Dugan, Denise 
Fitzpatrick, Edward Glagola Jr., Nancy Glover, David Hayes, Franklin 
Jackson, Myong Suk Kim, Jeffrey Knott, Mary Marshall, Leena Mathew, 
Kevin Metcalfe, Duc Ngo, Tracy Pierson, Henry Sutanto, and Chris Warweg 
made key contributions to this report. 

(310558): 

FOOTNOTES 

[1] GAO, Financial Audit: IRS's Fiscal Years 2005 and 2004 Financial 
Statements, GAO-06-137 (Washington, D.C.: Nov. 10, 2005). 

[2] Information security controls include electronic access controls, 
software change control, physical security, segregation of duties, and 
continuity of operations. These controls are designed to ensure that 
access to data is appropriately restricted, that only authorized 
changes to computer programs are made, that physical access to 
sensitive computing resources and facilities is protected, that 
computer security duties are segregated, and that back-up and recovery 
plans are adequate to ensure the continuity of essential operations. 

[3] GAO, High-Risk Series: Information Management and Technology, GAO/ 
HR-97-9 (Washington, D.C.: February 1997). 

[4] GAO, High-Risk Series: An Update, GAO-05-207 (Washington, D.C.: 
January 2005). 

[5] FISMA was enacted as title III, E-Government Act of 2002, Pub. L. 
No. 107-347, 116 Stat. 2946 (Dec. 17, 2002). 

[6] A general support system is an interconnected set of information 
resources under the same direct management control that shares common 
functionality. It normally includes hardware, software, information, 
data, applications, communications, facilities, and people and provides 
support for a variety of users and/or applications. 

[7] The results of these reviews were reported in fiscal years 2003, 
2004, and 2005 in reports for limited distribution due to the sensitive 
information they contained. 

[8] GAO, Information Security: Internal Revenue Service Needs to Remedy 
Serious Weaknesses over Taxpayer and Bank Secrecy Act Data, GAO-05-482 
(Washington, D.C.: Apr. 15, 2005). 

[9] A denial-of-service attack is characterized by an explicit attempt 
by attackers to prevent legitimate users of a service from using that 
service. 

[10] One site was temporarily authorizing system developers' access to 
the production environment on the basis of a business need. Such access 
is not recommended by best practices; a mitigating control is to log 
and monitor developers' activities. 

[11] For example, see GAO, Information Security: Continued Action 
Needed to Improve Software Patch Management, GAO-04-706 (Washington, 
D.C.: June 2, 2004). 

[12] FISMA requires each agency to develop, document, and implement an 
agencywide information security program to provide information security 
for the information and systems that support the operations and assets 
of the agency, including those operated or maintained by contractors or 
others on behalf of the agency, using a risk-based approach to 
information security management. 

[13] Treasury Inspector General for Tax Administration, Federal 
Information Security Management Act Report for Fiscal Year 2005 
(Washington, D.C.: Oct. 7, 2005). 

[14] TIGTA, The Computer Security Incident Response Center Is Operating 
As Intended, Although Some Enhancements Can Be Made, 2005-20-143 
(September 2005). 

GAO's Mission: 

The Government Accountability Office, the investigative arm of 
Congress, exists to support Congress in meeting its constitutional 
responsibilities and to help improve the performance and accountability 
of the federal government for the American people. GAO examines the use 
of public funds; evaluates federal programs and policies; and provides 
analyses, recommendations, and other assistance to help Congress make 
informed oversight, policy, and funding decisions. GAO's commitment to 
good government is reflected in its core values of accountability, 
integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains 
abstracts and full-text files of current reports and testimony and an 
expanding archive of older products. The Web site features a search 
engine to help you locate documents using key words and phrases. You 
can print these documents in their entirety, including charts and other 
graphics. 

Each day, GAO issues a list of newly released reports, testimony, and 
correspondence. GAO posts this list, known as "Today's Reports," on its 
Web site daily. The list contains links to the full-text document 
files. To have GAO e-mail this list to you every afternoon, go to 
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order 
GAO Products" heading. 

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to: 

U.S. Government Accountability Office 

441 G Street NW, Room LM 

Washington, D.C. 20548: 

To order by Phone: 

Voice: (202) 512-6000: 

TDD: (202) 512-2537: 

Fax: (202) 512-6061: 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: www.gao.gov/fraudnet/fraudnet.htm 

E-mail: fraudnet@gao.gov 

Automated answering system: (800) 424-5454 or (202) 512-7470: 

Public Affairs: 

Jeff Nelligan, managing director, 

NelliganJ@gao.gov 

(202) 512-4800 

U.S. Government Accountability Office, 

441 G Street NW, Room 7149 

Washington, D.C. 20548: