Weak controls leave taxpayer data vulnerable

From patching to passwords, the Government Accountability Office is troubled by persistent shortcomings with the data security posture at IRS.


The IRS' IT is not secure due in large part to a lack of patching and access controls, according to a Government Accountability Office report released March 28.

The agency has been making progress, the report notes, but in its reviews of IRS systems, GAO found lingering discrepancies that threaten to compromise sensitive data.

Sometimes there are gaps between IRS policies and practice, while in other cases the policies themselves need updating, the report states.

GAO lauded the IRS for implementing an automated tool to manage password requirements in its Windows environment, but it also found that on several systems the IRS did not force periodic password resets -- despite an IRS policy mandating new passwords every 90 days for user accounts and every year for service accounts -- or had enabled a "generic" account, undermining its access management goals.

The agency also relied on easily guessable passwords on many systems' servers, auditors said.

In addition, GAO found that in several cases, the IRS granted "excessive privileges" to users. For one tax payment system, users who didn't need editing privileges to do their jobs could nonetheless alter tax payment data.

Of 12 systems GAO reviewed, two lacked critical patches, including a patch that had been available since August 2012.

"By not installing critical patches in a timely manner, IRS increases the risk that known vulnerabilities in its systems may be exploited," the report states.

It's a problem the IRS has acknowledged before.

"We've got enough systems that we get literally thousands of patches, upgrades, security upgrades [and] we don't have the resources to implement them all," IRS Commissioner John Koskinen said recently. "We probably wouldn't implement all of them in any event, but there are some that we don't implement simply because we don't have the resources to do it."

GAO recommended that the IRS update its audit plans for systems and applications and update its security plan for information systems to reflect operating environment changes.

Another 43 technical recommendations were submitted out of the public eye.

In response to the report, Koskinen said he agreed with the recommendations but would need to review the feasibility of implementing them.