Information Security:
Progress Made, but Weaknesses at the Internal Revenue Service Continue to Pose Risks
GAO-03-44: Published: May 30, 2003. Publicly Released: May 30, 2003.
Additional Materials:
- Highlights Page:
- Full Report:
- Accessible Text:
Contact:
(202) 512-3317
contact@gao.gov
Office of Public Affairs
(202) 512-4800
youngc1@gao.gov
As part of its annual audits of IRS's financial statements, GAO assessed the effectiveness of information security controls at certain IRS facilities and over certain specific applications--controls meant to protect IRS's information systems and taxpayer data. Because the detailed reports that followed these reviews contained sensitive information and could be detrimental to the government if released to the public, they were issued only to IRS and congressional requesters. This public report is based on 18 such reports issued during the 3-year period ending July 31, 2002. Although it does not identify specific IRS facilities or applications, the report does provide GAO's assessment of the overall effectiveness of IRS's information security.
IRS has made and continues to make important progress towards improving its information security and implementing a comprehensive information security program. Nonetheless, weaknesses continue to threaten the confidentiality, integrity, and availability of sensitive systems and taxpayer data. IRS's implementation of logical access controls--those designed to ensure that only authorized individuals can read, alter, or delete data--has been inconsistent and accounts for three quarters of the 765 general control weaknesses found at the 11 facilities reviewed. Weaknesses in the other four control categories have further reduced IRS's effectiveness in physically securing it's assets, separating incompatible duties among individuals, preventing unauthorized changes to software programs, and ensuring the agency's ability to continue operations after an unexpected interruption. In addition, 112 application control weaknesses hindered IRS's ability to limit access to 5 key applications to authorized persons for authorized purposes. The extent of these weaknesses demonstrates that information security is an agency wide challenge. An underlying cause of these weaknesses is that IRS had not yet fully implemented certain elements of its agency-wide information security program. As a result, it had not adequately identified or assessed risks in order to determine needed security measures, implemented or complied with policies to meet those needs, promoted adequate security awareness and training, and monitored the effectiveness of policies or mitigated known security vulnerabilities. IRS management is committed to completing such an agency-wide program. Until it does, however, IRS will remain at heightened risk of access to critical data by unauthorized persons--individuals who could obtain personal taxpayer data to perpetrate identity theft and commit financial crimes.
Recommendations for Executive Action
Status: Closed - Implemented
Comments: In fiscal year 2007 we verified that IRS, in response to our recommendation, had assessed the risks for each system reviewed.
Recommendation: To implement an effective agency-wide information security program, the IRS Commissioner should direct the Chief Information Officer and the senior management official of each operating division to assess the risks and evaluate security needs by performing risk assessments for all systems.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Closed - Implemented
Comments: In fiscal year 2007 we verified that IRS, in response to our recommendation, had included a security plan in its certification and accreditation documentation for each system reviewed.
Recommendation: To implement an effective agency-wide information security program, the IRS Commissioner should direct the Chief Information Officer and the senior management official of each operating division to assess the risks and evaluate security needs by developing security plans for all systems that comply with federal guidelines.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Closed - Implemented
Comments: IRS has developed and implemented a certification and accreditation methodology. In fiscal year 2007 we verified that IRS, in response to our recommendation, assessed risks and evaluated security needs by certifying and accrediting its information systems.
Recommendation: To implement an effective agency-wide information security program, the IRS Commissioner should direct the Chief Information Officer and the senior management official of each operating division to assess the risks and evaluate security needs by certifying and accrediting all systems before they become operational, upon significant change, and at least every 3 years thereafter.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Closed - Implemented
Comments: In fiscal year 2007 we verified that IRS, in response to our recommendation, had updated security policies to be consistent with strong security practices.
Recommendation: To implement an effective agency-wide information security program, the IRS Commissioner should direct the Chief Information Officer and the senior management official of each operating division to establish and implement adequate information security policies and controls by updating security policies or implementing guidelines pertaining to the configuration and use of certain network services and devices, password parameters, and the assignment of certain operating system rights, to be consistent with strong security practices.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Closed - Implemented
Comments: IRS tests and assesses security controls and configurations of systems before deployment in implementing its certification and accreditation process.
Recommendation: To implement an effective agency-wide information security program, the IRS Commissioner should direct the Chief Information Officer and the senior management official of each operating division to establish and implement adequate information security policies and controls by testing and assessing security controls and configurations of systems before deployment for compliance with established security policies and standards.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Closed - Implemented
Comments: In fiscal year 2007, we verified that IRS has included a security management category as part of its departmentwide performance standards for executives
Recommendation: To implement an effective agency-wide information security program, the IRS Commissioner should direct the Chief Information Officer and the senior management official of each operating division to establish and implement adequate information security policies and controls by establishing and incorporating performance standards for compliance with security policies and procedures in the performance appraisal process for IRS executives and managers in the information technology and operating divisions.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Closed - Implemented
Comments: In fiscal year 2007, we verified that IRS is providing annual training to system users on their security roles and responsibilities.
Recommendation: To implement an effective agency-wide information security program, the IRS Commissioner should direct the Chief Information Officer and the senior management official of each operating division to enhance information security awareness and training programs by providing training to IRS employees and contractors, including executives, managers, and users, and including those in the information technology and operating divisions, on their security roles and responsibilities.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Closed - Implemented
Comments: In fiscal year 2007, we verified that IRS has established minimum training hours and a curriculum for individuals with specific security-related job responsibilities.
Recommendation: To implement an effective agency-wide information security program, the IRS Commissioner should direct the Chief Information Officer and the senior management official of each operating division to enhance information security awareness and training programs by providing security-related training commensurate with job-related responsibilities to security personnel.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Closed - Implemented
Comments: In fiscal year 2006, we verified that IRS had developed a "material weakness" plan to address information security weaknesses across platforms and across facilities.
Recommendation: To implement an effective agency-wide information security program, the IRS Commissioner should direct the Chief Information Officer and the senior management official of each operating division to monitor the effectiveness of controls and mitigate known information security weaknesses by establishing and implementing procedures to proactively ensure that weaknesses found at an IRS facility or on a system are considered and, if necessary, corrected at other facilities or on similar systems.
Agency Affected: Department of the Treasury: Internal Revenue Service
Explore the full database of GAO's Open Recommendations
»
Explore the full database of GAO's Open Recommendations
Dec 20, 2018
Information Security:
Significant Progress Made, but CDC Needs to Take Further Action to Resolve Control Deficiencies and Improve Its ProgramGAO-19-70: Published: Dec 20, 2018. Publicly Released: Dec 20, 2018.
Dec 18, 2018
-
Information Security:
Agencies Need to Improve Implementation of Federal Approach to Securing Systems and Protecting against IntrusionsGAO-19-105: Published: Dec 18, 2018. Publicly Released: Dec 18, 2018.
Dec 6, 2018
-
Cybersecurity:
Federal Agencies Met Legislative Requirements for Protecting Privacy When Sharing Threat InformationGAO-19-114R: Published: Dec 6, 2018. Publicly Released: Dec 6, 2018.
Nov 13, 2018
-
Information Security:
OPM Has Implemented Many of GAO's 80 Recommendations, but Over One-Third Remain OpenGAO-19-143R: Published: Nov 13, 2018. Publicly Released: Nov 13, 2018.
Sep 17, 2018
-
Cybersecurity:
Office of Federal Student Aid Should Take Additional Steps to Oversee Non-School Partners' Protection of Borrower InformationGAO-18-518: Published: Sep 17, 2018. Publicly Released: Sep 17, 2018.
Sep 7, 2018
-
Data Protection:
Actions Taken by Equifax and Federal Agencies in Response to the 2017 BreachGAO-18-559: Published: Aug 30, 2018. Publicly Released: Sep 7, 2018.
Sep 6, 2018
-
High-Risk Series:
Urgent Actions Are Needed to Address Cybersecurity Challenges Facing the NationGAO-18-622: Published: Sep 6, 2018. Publicly Released: Sep 6, 2018.
Jul 31, 2018
-
Information Security:
IRS Needs to Rectify Control Deficiencies That Limit Its Effectiveness in Protecting Sensitive Financial and Taxpayer DataGAO-18-391: Published: Jul 31, 2018. Publicly Released: Jul 31, 2018.
Jul 25, 2018
-
High-Risk Series:
Urgent Actions Are Needed to Address Cybersecurity Challenges Facing the NationGAO-18-645T: Published: Jul 25, 2018. Publicly Released: Jul 25, 2018.
Jul 12, 2018
-
Information Security:
Supply Chain Risks Affecting Federal AgenciesGAO-18-667T: Published: Jul 12, 2018. Publicly Released: Jul 12, 2018.
Looking for more? Browse all our products here
Explore our Key Issues on Information Security
Explore our other Key Issues here
