Information Security:

Progress Made, but Weaknesses at the Internal Revenue Service Continue to Pose Risks

GAO-03-44: Published: May 30, 2003. Publicly Released: May 30, 2003.

Additional Materials:

Contact:

Gregory C. Wilshusen
(202) 512-3317
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

As part of its annual audits of IRS's financial statements, GAO assessed the effectiveness of information security controls at certain IRS facilities and over certain specific applications--controls meant to protect IRS's information systems and taxpayer data. Because the detailed reports that followed these reviews contained sensitive information and could be detrimental to the government if released to the public, they were issued only to IRS and congressional requesters. This public report is based on 18 such reports issued during the 3-year period ending July 31, 2002. Although it does not identify specific IRS facilities or applications, the report does provide GAO's assessment of the overall effectiveness of IRS's information security.

IRS has made and continues to make important progress towards improving its information security and implementing a comprehensive information security program. Nonetheless, weaknesses continue to threaten the confidentiality, integrity, and availability of sensitive systems and taxpayer data. IRS's implementation of logical access controls--those designed to ensure that only authorized individuals can read, alter, or delete data--has been inconsistent and accounts for three quarters of the 765 general control weaknesses found at the 11 facilities reviewed. Weaknesses in the other four control categories have further reduced IRS's effectiveness in physically securing it's assets, separating incompatible duties among individuals, preventing unauthorized changes to software programs, and ensuring the agency's ability to continue operations after an unexpected interruption. In addition, 112 application control weaknesses hindered IRS's ability to limit access to 5 key applications to authorized persons for authorized purposes. The extent of these weaknesses demonstrates that information security is an agency wide challenge. An underlying cause of these weaknesses is that IRS had not yet fully implemented certain elements of its agency-wide information security program. As a result, it had not adequately identified or assessed risks in order to determine needed security measures, implemented or complied with policies to meet those needs, promoted adequate security awareness and training, and monitored the effectiveness of policies or mitigated known security vulnerabilities. IRS management is committed to completing such an agency-wide program. Until it does, however, IRS will remain at heightened risk of access to critical data by unauthorized persons--individuals who could obtain personal taxpayer data to perpetrate identity theft and commit financial crimes.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: In fiscal year 2007 we verified that IRS, in response to our recommendation, had assessed the risks for each system reviewed.

    Recommendation: To implement an effective agency-wide information security program, the IRS Commissioner should direct the Chief Information Officer and the senior management official of each operating division to assess the risks and evaluate security needs by performing risk assessments for all systems.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  2. Status: Closed - Implemented

    Comments: In fiscal year 2007 we verified that IRS, in response to our recommendation, had included a security plan in its certification and accreditation documentation for each system reviewed.

    Recommendation: To implement an effective agency-wide information security program, the IRS Commissioner should direct the Chief Information Officer and the senior management official of each operating division to assess the risks and evaluate security needs by developing security plans for all systems that comply with federal guidelines.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  3. Status: Closed - Implemented

    Comments: IRS has developed and implemented a certification and accreditation methodology. In fiscal year 2007 we verified that IRS, in response to our recommendation, assessed risks and evaluated security needs by certifying and accrediting its information systems.

    Recommendation: To implement an effective agency-wide information security program, the IRS Commissioner should direct the Chief Information Officer and the senior management official of each operating division to assess the risks and evaluate security needs by certifying and accrediting all systems before they become operational, upon significant change, and at least every 3 years thereafter.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  4. Status: Closed - Implemented

    Comments: In fiscal year 2007 we verified that IRS, in response to our recommendation, had updated security policies to be consistent with strong security practices.

    Recommendation: To implement an effective agency-wide information security program, the IRS Commissioner should direct the Chief Information Officer and the senior management official of each operating division to establish and implement adequate information security policies and controls by updating security policies or implementing guidelines pertaining to the configuration and use of certain network services and devices, password parameters, and the assignment of certain operating system rights, to be consistent with strong security practices.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  5. Status: Closed - Implemented

    Comments: IRS tests and assesses security controls and configurations of systems before deployment in implementing its certification and accreditation process.

    Recommendation: To implement an effective agency-wide information security program, the IRS Commissioner should direct the Chief Information Officer and the senior management official of each operating division to establish and implement adequate information security policies and controls by testing and assessing security controls and configurations of systems before deployment for compliance with established security policies and standards.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  6. Status: Closed - Implemented

    Comments: In fiscal year 2007, we verified that IRS has included a security management category as part of its departmentwide performance standards for executives

    Recommendation: To implement an effective agency-wide information security program, the IRS Commissioner should direct the Chief Information Officer and the senior management official of each operating division to establish and implement adequate information security policies and controls by establishing and incorporating performance standards for compliance with security policies and procedures in the performance appraisal process for IRS executives and managers in the information technology and operating divisions.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  7. Status: Closed - Implemented

    Comments: In fiscal year 2007, we verified that IRS is providing annual training to system users on their security roles and responsibilities.

    Recommendation: To implement an effective agency-wide information security program, the IRS Commissioner should direct the Chief Information Officer and the senior management official of each operating division to enhance information security awareness and training programs by providing training to IRS employees and contractors, including executives, managers, and users, and including those in the information technology and operating divisions, on their security roles and responsibilities.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  8. Status: Closed - Implemented

    Comments: In fiscal year 2007, we verified that IRS has established minimum training hours and a curriculum for individuals with specific security-related job responsibilities.

    Recommendation: To implement an effective agency-wide information security program, the IRS Commissioner should direct the Chief Information Officer and the senior management official of each operating division to enhance information security awareness and training programs by providing security-related training commensurate with job-related responsibilities to security personnel.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  9. Status: Closed - Implemented

    Comments: In fiscal year 2006, we verified that IRS had developed a "material weakness" plan to address information security weaknesses across platforms and across facilities.

    Recommendation: To implement an effective agency-wide information security program, the IRS Commissioner should direct the Chief Information Officer and the senior management official of each operating division to monitor the effectiveness of controls and mitigate known information security weaknesses by establishing and implementing procedures to proactively ensure that weaknesses found at an IRS facility or on a system are considered and, if necessary, corrected at other facilities or on similar systems.

    Agency Affected: Department of the Treasury: Internal Revenue Service

 

Explore the full database of GAO's Open Recommendations »

Jun 14, 2018

May 14, 2018

Apr 24, 2018

Mar 7, 2018

Feb 6, 2018

Sep 28, 2017

Aug 3, 2017

Jul 27, 2017

Jul 26, 2017

May 31, 2017

Looking for more? Browse all our products here