Secure access, authorization among areas still lacking at IRS
The Internal Revenue Service is again taking fire from a government watchdog.
On Friday, the U.S. Government Accountability Office released a fifth consecutive annual report to chronicle security shortfalls at the nation's tax collector. The agency's trouble with GAO dates back to at least 2005.
"Despite IRS' efforts, weaknesses in controls over key financial and tax-processing systems continue to jeopardize the confidentiality, integrity and availability of financial and taxpayer information," the report said. "Specifically, [the] IRS continues to face challenges in controlling access to is information resources."
According to the GAO, the IRS has made some improvements, but deficiencies remain.
For example, the report concluded that the IRS supports "strong password policies" on the database serving its authorization system, but its procurement system does not properly restrict the maximum number of password attempts or ensure that complex credentials are adequately verified.
"As a result of these weaknesses, increased risk exists that an individual with malicious intentions could gain inappropriate access to sensitive IRS applications and data on these systems, and potentially use the access to attempt compromises of other IRS systems," the report said.
On the authorization front, the IRS properly now limits access to its disaster recovery servers and has deployed functionality that detects and fixes irregularities in mainframe access methods. Yet, other systems, including those that process tax and financial information, failed to properly deter unauthorized access.
The IRS is getting better at developing a data-driven security strategy, with continued use of encryption, the report said. However, certain information, including sensitive tax-processing data, still is crossing the network in plain text.
While it has made significant headway in ensuring Windows servers are patched with the latest security updates, systems from other vendors remain vulnerable to attack. The report cites one example in which the IRS failed to apply a fix for a Unix operating system for at least two months after it was made available.
Security awareness training also is lacking. Although employees are receiving education, the agency is slow to provide it to third-party contractors.
Overall, the report blamed many of the alleged faults on the IRS' failure to implement a comprehensive information security program, which is required under the Federal Information Security Management Act, or FISMA. This includes assessing breach risks and evaluating the effectiveness of security protocols.
In addition to its previous recommendations from the previous audits, the GAO issued a fresh to-do list of six items. In addition, it privately provided the IRS with 23 "detailed recommendations" relating to "specific information security weaknesses."
GAO's director of information security issues, Gregory Wilshusen, could not be reached for comment on Monday.
IRS Commissioner Douglas Shulman, in a letter dated March 7, thanked the GAO for its guidance and said it was looking forward to implementing new security measures.