Information Security: Continued Progress Needed to Strengthen Controls at the Internal Revenue Service
The Internal Revenue Service (IRS) has a demanding responsibility in collecting taxes, processing tax returns, and enforcing the nation's tax laws. It relies extensively on computerized systems to support its financial and mission-related operations. Effective information security controls are essential for ensuring that information is adequately protected from inadvertent or deliberate misuse, disruption, or destruction. As part of its audit of IRS's fiscal year 2005 financial statements, GAO assessed (1) the status of IRS's actions to correct or mitigate previously reported information security weaknesses at two sites and (2) whether controls over key financial and tax processing systems located at the facilities are effective in ensuring the confidentiality, integrity, and availability of financial and sensitive taxpayer data.
Recommendations
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Internal Revenue Service | To help establish effective information security over key financial systems, data, and interconnected networks, the Commissioner of the Internal Revenue Service should enhance policies and procedures related to password age and configuration settings to comply with federal guidelines. | IRS enhanced its policies and procedures related to password age and configuration settings to comply with federal guidelines. |
Internal Revenue Service | To help establish effective information security over key financial systems, data, and interconnected networks, the Commissioner of the Internal Revenue Service should review system security plans to ensure that they appropriately address nonmajor applications. | In fiscal year 2008, we verified that IRS had updated system security plans to address nonmajor applications. |
Internal Revenue Service | To help establish effective information security over key financial systems, data, and interconnected networks, the Commissioner of the Internal Revenue Service should ensure contractors with significant information security responsibilities are provided with sufficient specialized training. | In fiscal year 2008, we verified that contractors had received specialized training as required by IRS policy. |
Internal Revenue Service | To help establish effective information security over key financial systems, data, and interconnected networks, the Commissioner of the Internal Revenue Service should ensure that remedial action plans are complete and up to date. | In fiscal year 2008, we verified that IRS had taken action to ensure that remedial action plans were complete and up-to-date. |
Internal Revenue Service | To help establish effective information security over key financial systems, data, and interconnected networks, the Commissioner of the Internal Revenue Service should continue to enhance continuity of operations capabilities by (1) training non-IRS staff to restore operations, (2) updating disaster recovery plans to include disaster recovery procedures for UNIX and Windows systems, (3) updating business resumption plans to include UNIX and Windows systems, and (4) installing UNIX-based hardware and equipment for processing applications and data at IRS's disaster recovery hot-site. | In 2010 we observed that trained off-site staff have access to the recovery procedures. In addition, IRS has updated its recovery and business resumption plans, as well as installed Unix-based hardware and equipment at its disaster recovery hot-site. |