The Internal Revenue Service (IRS) is making strides toward improving its information security posture, but significant shortfalls remain, according to a new report from the U.S. Government Accountability Office (GAO).
In the 2009 fiscal year, which ended Sept. 30, the IRS “corrected or mitigated” 28 of 89 IT security control weaknesses and program deficiencies that were identified in a 2008 audit, the report said. This included changing vendor user accounts and passwords, avoiding storing passwords in clear text and improving mainframe configuration operations.
But despite the improvements, 61 percent of the identified vulnerabilities at the nation’s tax collector still remain, according to the report.
“Despite these actions, newly identified and the unresolved information security control weaknesses in key financial and tax processing systems continue to jeopardize the confidentiality, integrity and availability of financial and sensitive taxpayer information,” the report said.
The agency appeared to stumble most in protecting access to its sensitive data. For instance, the GAO found, the IRS did not always implement robust password management, control privileged access, log and monitor events or physically safeguard computer equipment.
In addition, the IRS failed to properly deploy security patches in a timely manner, train contractors around security awareness and review risk assessments of IT systems, the report concluded.
“A key reason for these weaknesses is that [the] IRS has not yet fully implemented its agencywide information security program to ensure that controls are appropriately designed and operating effectively,” the report said.
IRS Commissioner Douglas Shulman, in a comment letter included in the report, said the agency plans to offer a plan of action for implementing the recommendations contained in the report.
“The security and privacy of all taxpayer and financial information is of utmost importance to us, and the integrity of our financial systems continues to be sound,” he wrote.