
Information Security: Further Efforts Needed to Address Significant Weaknesses at the Internal Revenue Service

GAO-07-364 Published: Mar 30, 2007. Publicly Released: Mar 30, 2007.

Highlights

In fiscal year 2006, the Internal Revenue Service (IRS) collected about $2.5 trillion in tax payments and paid about $277 billion in refunds. Because IRS relies extensively on computerized systems, effective information security controls are essential to ensuring that financial and taxpayer information is adequately protected from inadvertent or deliberate misuse, fraudulent use, improper disclosure, or destruction. As part of its audit of IRS's fiscal years 2006 and 2005 financial statements, GAO assessed (1) IRS's actions to correct previously reported information security weaknesses and (2) whether controls were effective in ensuring the confidentiality, integrity, and availability of financial and sensitive taxpayer information. To do this, GAO examined IRS information security policies and procedures, guidance, security plans, reports, and other documents; tested controls over five critical applications at three IRS sites; and interviewed key security representatives and management officials.

Recommendations

Recommendations for Executive Action

Each recommendation below lists the agency affected, the recommendation text, its status, and GAO's follow-up note.

Agency Affected: Internal Revenue Service
Recommendation: To help establish effective information security over key financial and tax processing systems, financial and sensitive taxpayer information, and interconnected networks, and to implement an agencywide information security program, the Internal Revenue Service should develop a system security plan for the system that supports the general ledger for tax administration activities.
Status: Closed – Implemented
Follow-up: In fiscal year 2008, we verified that IRS had completed a system security plan for the system that supports its general ledger for tax administration activities.

Agency Affected: Internal Revenue Service
Recommendation: To help establish effective information security over key financial and tax processing systems, financial and sensitive taxpayer information, and interconnected networks, and to implement an agencywide information security program, the Internal Revenue Service should enhance the Enterprise Learning Management System to include all security-related training courses taken by IRS employees and contractors and to differentiate required training hours for all employees.
Status: Closed – Implemented
Follow-up: In September 2009, we verified that IRS, in response to our recommendation, implemented a mitigating control and manually enters external training taken by its employees.

Agency Affected: Internal Revenue Service
Recommendation: To help establish effective information security over key financial and tax processing systems, financial and sensitive taxpayer information, and interconnected networks, and to implement an agencywide information security program, the Internal Revenue Service should update test and evaluation procedures to include tests for vulnerabilities identified in this report, such as password expiration, insecure protocols, and removal of system access after separation from the agency.
Status: Closed – Implemented
Follow-up: In September 2009, we verified that IRS, in response to our recommendation, updated its test and evaluation templates to include tests for the vulnerabilities identified in our report.

Agency Affected: Internal Revenue Service
Recommendation: To help establish effective information security over key financial and tax processing systems, financial and sensitive taxpayer information, and interconnected networks, and to implement an agencywide information security program, the Internal Revenue Service should implement a revised remedial action verification process that ensures actions are fully implemented.
Status: Closed – Not Implemented
Follow-up: Although IRS has actions underway to improve its remedial action process, it has not yet fully implemented the actions and the condition continues to persist.

Agency Affected: Internal Revenue Service
Recommendation: To help establish effective information security over key financial and tax processing systems, financial and sensitive taxpayer information, and interconnected networks, and to implement an agencywide information security program, the Internal Revenue Service should document weaknesses identified during security assessments in a remedial action plan.
Status: Closed – Implemented
Follow-up: In fiscal year 2008, we verified that IRS had documented weaknesses identified during security assessments in a remedial action plan.

Agency Affected: Internal Revenue Service
Recommendation: To help establish effective information security over key financial and tax processing systems, financial and sensitive taxpayer information, and interconnected networks, and to implement an agencywide information security program, the Internal Revenue Service should provide adequate environmental controls for the computer room that houses the procurement system, such as a sufficient air-conditioning system and up-to-date fire extinguishers.
Status: Closed – Implemented
Follow-up: In fiscal year 2008, we verified that IRS had implemented appropriate environmental controls for the computer room that houses the procurement system, including sufficient air conditioning and up-to-date fire extinguishers.

Agency Affected: Internal Revenue Service
Recommendation: To help establish effective information security over key financial and tax processing systems, financial and sensitive taxpayer information, and interconnected networks, and to implement an agencywide information security program, the Internal Revenue Service should establish an alternate processing site for the procurement application.
Status: Closed – Implemented
Follow-up: In fiscal year 2009, we verified that IRS has established an alternate processing site for the procurement application.

Agency Affected: Internal Revenue Service
Recommendation: To help establish effective information security over key financial and tax processing systems, financial and sensitive taxpayer information, and interconnected networks, and to implement an agencywide information security program, the Internal Revenue Service should test the procurement system recovery plan.
Status: Closed – Implemented
Follow-up: In July 2009, we verified that IRS, in response to our recommendation, tested the procurement system recovery plan.

Agency Affected: Internal Revenue Service
Recommendation: To help establish effective information security over key financial and tax processing systems, financial and sensitive taxpayer information, and interconnected networks, and to implement an agencywide information security program, the Internal Revenue Service (IRS) should update the risk assessments for the five systems reviewed to include the vulnerabilities identified in this report.
Status: Closed – Implemented
Follow-up: In September 2009, we verified that IRS, in response to our recommendation, incorporated findings from GAO reports into the application risk assessments we reviewed.

Agency Affected: Internal Revenue Service
Recommendation: To help establish effective information security over key financial and tax processing systems, financial and sensitive taxpayer information, and interconnected networks, and to implement an agencywide information security program, the Internal Revenue Service should update policies and procedures to include guidance on configuring mainframe IDs used by the operating system and certain powerful mainframe programs used to control processing.
Status: Closed – Implemented
Follow-up: In December 2009, we verified that IRS updated its policies and procedures to include the needed guidance.

Topics

Computer security, Confidential information, Data integrity, Information security, Internal controls, Physical security, Program evaluation, Risk assessment, Risk management, Servers, Tax administration systems, Tax information confidentiality, Program implementation