The Government Accountability Office has released a new report, “IRS Needs to Address Control Weaknesses That Place Financial and Taxpayer Data at Risk (GAO-14-405),” concerning security problems that could affect the privacy of taxpayers. Here’s an excerpt detailing problems at the Internal Revenue Service:
Specifically, the agency had not always (1) installed appropriate patches on all databases and servers to protect against known vulnerabilities, (2) sufficiently monitored database and mainframe controls, or (3) appropriately restricted access to its mainframe environment. In addition, IRS had allowed individuals to make changes to mainframe data processing without requiring them to follow established change control procedures to ensure changes were authorized, and did not configure all applications to use strong encryption for authentication, increasing the potential for unauthorized access.
An underlying reason for these weaknesses is that IRS has not effectively implemented portions of its information security program. The agency has established a comprehensive framework for the program, and continued to improve its controls; however, components of the program did not always function as intended. For example, IRS’s testing procedures over financial reporting systems were not always thorough in that its testing methodology did not always determine whether required controls were operating effectively. In addition, IRS had not updated key mainframe policies and procedures to address issues such as users accessing files used by one processing environment from a different environment. Further, IRS did not include sufficient detail in its authorization procedures to ensure that access to systems was appropriate.
Until IRS takes additional steps to (1) more effectively implement its testing and monitoring capabilities, (2) ensure that policies and procedures are updated, and (3) address unresolved and newly identified control deficiencies, its financial and taxpayer data will remain vulnerable to inappropriate and undetected use, modification, or disclosure. These deficiencies, including shortcomings in the information security program, were the basis of our determination that IRS had a significant deficiency in its internal control over its financial reporting systems for fiscal year 2013.