IRS systems remain 'unnecessarily' open to employee abuse, GAO reports

Among issues highlighted were the use of weak passwords and granting too many employees access to sensitive files and directories.

At the height of tax season, federal auditors reported that weaknesses in the security of the Internal Revenue Service's financial and tax processing systems jeopardize the confidentiality and integrity of taxpayer information.

"The agency remains unnecessarily vulnerable to insider threats related to the unauthorized access to and disclosure, modification or destruction of financial and taxpayer information, as well as the disruption of system operations and services," stated a Government Accountability Office report released on Friday. The IRS depends on computers to collect taxes, process returns and enforce the tax code. The main reason for the agency's vulnerable position is it has not finished instituting a program to ensure security safeguards are adequate and operational, as required by federal information security law.

The audit was conducted between April 2009 and March 2010. The findings are based on a review of information security policies and procedures, tests on key financial applications and interviews with IRS officials.

GAO found that 69 percent of the security weaknesses it flagged last year are still a problem and the auditor discovered additional ones. Among the issues the report highlighted were the use of weak passwords and granting too many employees access to sensitive files and directories. About 120 IRS workers, for example, could log in to cost data for the agency's administrative accounting system and had access to a spreadsheet for allocating costs. Only 10 employees should have access, GAO reported. Other vulnerabilities include neglecting to record security incidents on an application that supports its procurement system.
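The 120-versus-10 finding above is the kind of gap a periodic entitlement review catches: compare who can actually reach a sensitive file (including access inherited through group membership) against the list of people approved to have it. The script below is an added illustration of that review and is not from the GAO report or any IRS system; the ACL export format, the group memberships, the file name and the approved-user list are all constructed for the example.

```python
"""Entitlement review: flag accounts whose access to a sensitive file
exceeds the approved list, expanding group grants to real users.
Added example with constructed data; the file name, users, groups and
CSV export format are assumptions, not anything from the GAO report."""
from dataclasses import dataclass

# Constructed: who is approved to use the cost-allocation spreadsheet.
APPROVED = {"cost_allocation.xlsx": {"analyst01", "analyst02", "mgr_finance"}}

# Constructed ACL export, one grant per line: resource,principal,permission
ACL_EXPORT = """\
# resource,principal,permission
cost_allocation.xlsx,analyst01,read
cost_allocation.xlsx,analyst02,read
cost_allocation.xlsx,mgr_finance,write
cost_allocation.xlsx,helpdesk_group,read
cost_allocation.xlsx,contractor17,read
"""

# Constructed group membership: a grant to a group reaches every member,
# which is how a "10 people" decision quietly becomes 120 accounts.
GROUPS = {"helpdesk_group": {"hd_alice", "hd_bob", "hd_carol"}}


@dataclass(frozen=True)
class Finding:
    resource: str
    user: str
    via: str          # "direct" or the group that conveyed the access
    permission: str


def parse_acl(text):
    """Parse the constructed CSV export into (resource, principal, perm)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        resource, principal, perm = (f.strip() for f in line.split(","))
        entries.append((resource, principal, perm))
    return entries


def effective_access(entries, groups):
    """Expand group grants so the review is over real user accounts."""
    expanded = []
    for resource, principal, perm in entries:
        if principal in groups:
            for member in sorted(groups[principal]):
                expanded.append((resource, member, principal, perm))
        else:
            expanded.append((resource, principal, "direct", perm))
    return expanded


def excess_access(entries, groups, approved):
    """Users who can reach a resource but are not on its approved list."""
    findings = []
    for resource, user, via, perm in effective_access(entries, groups):
        if user not in approved.get(resource, set()):
            findings.append(Finding(resource, user, via, perm))
    return findings


def missing_access(entries, groups, approved):
    """Approved users who currently have no grant at all (also worth fixing)."""
    have = {(r, u) for r, u, _, _ in effective_access(entries, groups)}
    return sorted((r, u) for r, users in approved.items()
                  for u in sorted(users) if (r, u) not in have)


def run_review():
    entries = parse_acl(ACL_EXPORT)
    return excess_access(entries, GROUPS, APPROVED), missing_access(entries, GROUPS, APPROVED)


if __name__ == "__main__":
    excess, missing = run_review()
    for f in excess:
        print(f"EXCESS  {f.resource}: {f.user} ({f.permission}, via {f.via})")
    for resource, user in missing:
        print(f"MISSING {resource}: {user} is approved but has no grant")
    print(f"{len(excess)} unapproved grants, {len(missing)} approved users without access")
```

Recording the `via` field matters in practice: the remediation for a direct grant is to remove it, while the remediation for a group grant is usually to stop granting the group rather than to edit individual memberships, and the review output should make that distinction visible.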

In addition, the IRS failed to encrypt log-in information. Encryption renders data indecipherable during transmission. "By not encrypting these data, IRS is at increased risk that an unauthorized individual could view and then use the data to gain unwarranted access to its system and/or sensitive information," the GAO report stated. Contractors also did not always receive proper security training.

The report found the agency lacks the ability to recover important information that would allow it to function during an emergency. "Without [such access], increased risk exists that IRS could be unable to restore its administrative accounting system to its full operational status after a major disruption," GAO noted.

Still, the IRS has made strides in fixing problems GAO identified last year. For instance, the agency has improved procedures for configuring mainframe systems. Additionally, it deployed new controls for important financial systems and made headway in developing a framework for its agencywide information security program. During fiscal 2010, the IRS expects to prioritize identity and access protection, audit trails, and disaster recovery. "These efforts, if fully and effectively implemented, are positive steps toward improving the agency's overall information security posture," the report stated.

GAO's recommendations for completing the security program include securely configuring routers to encrypt network traffic, setting up switches to defend against network attacks and ensuring new contractors receive training within 10 working days.

In a separate document with limited distribution, GAO provided 23 detailed recommendations for correcting specific weaknesses associated with access controls, configuration management and ensuring that no single individual has total control over all aspects of a system.

After reading a draft of the report, Commissioner Douglas Shulman responded in a letter that the IRS will produce a detailed corrective action plan to address each recommendation.

"We are committed to securing our computer environment as we continually evaluate processes, promote user awareness and apply innovative ideas to increase compliance," he wrote. "The integrity of our financial systems continues to be sound."

Shulman added the agency will send the corrective plan to GAO with its response to Friday's final GAO report.

When asked to comment on the final report, IRS officials on Monday referred Nextgov to the agency's initial comments included in the report.

Separately, on March 11, the Treasury Inspector General for Tax Administration released a memo stating budget cutbacks and technical difficulties have prevented a new IT system from improving the process of checking tax compliance. Agents and managers in the division that oversees exempt organizations, employee plans and government entities use the system to track casework electronically.

"If additional actions are not taken by division management, the federal government will not receive the highest possible return from the $18.7 million of taxpayer funds spent on developing and implementing the system," stated Michael Phillips, deputy inspector general for audit in a Jan. 29 memo. By July 30, the division is expected to develop an action plan that addresses the issues identified in the memo, according to IRS officials.