Information Security:
Progress Made, but Weaknesses at the Internal Revenue Service Continue to Pose Risks
GAO-03-44: Published: May 30, 2003. Publicly Released: May 30, 2003.
As part of its annual audits of IRS's financial statements, GAO assessed the effectiveness of information security controls at certain IRS facilities and over certain specific applications--controls meant to protect IRS's information systems and taxpayer data. Because the detailed reports that followed these reviews contained sensitive information and could be detrimental to the government if released to the public, they were issued only to IRS and congressional requesters. This public report is based on 18 such reports issued during the 3-year period ending July 31, 2002. Although it does not identify specific IRS facilities or applications, the report does provide GAO's assessment of the overall effectiveness of IRS's information security.
IRS has made and continues to make important progress towards improving its information security and implementing a comprehensive information security program. Nonetheless, weaknesses continue to threaten the confidentiality, integrity, and availability of sensitive systems and taxpayer data. IRS's implementation of logical access controls--those designed to ensure that only authorized individuals can read, alter, or delete data--has been inconsistent and accounts for three quarters of the 765 general control weaknesses found at the 11 facilities reviewed. Weaknesses in the other four control categories have further reduced IRS's effectiveness in physically securing its assets, separating incompatible duties among individuals, preventing unauthorized changes to software programs, and ensuring the agency's ability to continue operations after an unexpected interruption. In addition, 112 application control weaknesses hindered IRS's ability to limit access to 5 key applications to authorized persons for authorized purposes. The extent of these weaknesses demonstrates that information security is an agency-wide challenge. An underlying cause of these weaknesses is that IRS had not yet fully implemented certain elements of its agency-wide information security program. As a result, it had not adequately identified or assessed risks in order to determine needed security measures, implemented or complied with policies to meet those needs, promoted adequate security awareness and training, and monitored the effectiveness of policies or mitigated known security vulnerabilities. IRS management is committed to completing such an agency-wide program. Until it does, however, IRS will remain at heightened risk of access to critical data by unauthorized persons--individuals who could obtain personal taxpayer data to perpetrate identity theft and commit financial crimes.
Recommendations for Executive Action
Status: Closed - Implemented
Comments: In fiscal year 2007 we verified that IRS, in response to our recommendation, had assessed the risks for each system reviewed.
Recommendation: To implement an effective agency-wide information security program, the IRS Commissioner should direct the Chief Information Officer and the senior management official of each operating division to assess the risks and evaluate security needs by performing risk assessments for all systems.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Closed - Implemented
Comments: In fiscal year 2007 we verified that IRS, in response to our recommendation, had included a security plan in its certification and accreditation documentation for each system reviewed.
Recommendation: To implement an effective agency-wide information security program, the IRS Commissioner should direct the Chief Information Officer and the senior management official of each operating division to assess the risks and evaluate security needs by developing security plans for all systems that comply with federal guidelines.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Closed - Implemented
Comments: IRS has developed and implemented a certification and accreditation methodology. In fiscal year 2007 we verified that IRS, in response to our recommendation, assessed risks and evaluated security needs by certifying and accrediting its information systems.
Recommendation: To implement an effective agency-wide information security program, the IRS Commissioner should direct the Chief Information Officer and the senior management official of each operating division to assess the risks and evaluate security needs by certifying and accrediting all systems before they become operational, upon significant change, and at least every 3 years thereafter.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Closed - Implemented
Comments: In fiscal year 2007 we verified that IRS, in response to our recommendation, had updated security policies to be consistent with strong security practices.
Recommendation: To implement an effective agency-wide information security program, the IRS Commissioner should direct the Chief Information Officer and the senior management official of each operating division to establish and implement adequate information security policies and controls by updating security policies or implementing guidelines pertaining to the configuration and use of certain network services and devices, password parameters, and the assignment of certain operating system rights, to be consistent with strong security practices.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Closed - Implemented
Comments: IRS tests and assesses security controls and configurations of systems before deployment in implementing its certification and accreditation process.
Recommendation: To implement an effective agency-wide information security program, the IRS Commissioner should direct the Chief Information Officer and the senior management official of each operating division to establish and implement adequate information security policies and controls by testing and assessing security controls and configurations of systems before deployment for compliance with established security policies and standards.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Closed - Implemented
Comments: In fiscal year 2007, we verified that IRS has included a security management category as part of its departmentwide performance standards for executives.
Recommendation: To implement an effective agency-wide information security program, the IRS Commissioner should direct the Chief Information Officer and the senior management official of each operating division to establish and implement adequate information security policies and controls by establishing and incorporating performance standards for compliance with security policies and procedures in the performance appraisal process for IRS executives and managers in the information technology and operating divisions.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Closed - Implemented
Comments: In fiscal year 2007, we verified that IRS is providing annual training to system users on their security roles and responsibilities.
Recommendation: To implement an effective agency-wide information security program, the IRS Commissioner should direct the Chief Information Officer and the senior management official of each operating division to enhance information security awareness and training programs by providing training to IRS employees and contractors, including executives, managers, and users, and including those in the information technology and operating divisions, on their security roles and responsibilities.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Closed - Implemented
Comments: In fiscal year 2007, we verified that IRS has established minimum training hours and a curriculum for individuals with specific security-related job responsibilities.
Recommendation: To implement an effective agency-wide information security program, the IRS Commissioner should direct the Chief Information Officer and the senior management official of each operating division to enhance information security awareness and training programs by providing security-related training commensurate with job-related responsibilities to security personnel.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Closed - Implemented
Comments: In fiscal year 2006, we verified that IRS had developed a "material weakness" plan to address information security weaknesses across platforms and across facilities.
Recommendation: To implement an effective agency-wide information security program, the IRS Commissioner should direct the Chief Information Officer and the senior management official of each operating division to monitor the effectiveness of controls and mitigate known information security weaknesses by establishing and implementing procedures to proactively ensure that weaknesses found at an IRS facility or on a system are considered and, if necessary, corrected at other facilities or on similar systems.
Agency Affected: Department of the Treasury: Internal Revenue Service