Nearly six years after it first criticized the Internal Revenue Service (IRS) for lax information security practices, the U.S. Government Accountability Office said the nation's tax collector still isn't close to having proper controls in place.
The IRS, while showing progress, has yet to remediate 65 of 88 previously reported weaknesses, according to a report dated Tuesday and sent to Douglas Shulman, commissioner of the IRS. In addition, the GAO audit has turned up 37 new weaknesses.
Many of the deficiencies are related to access control, configuration management and segregation of duties, the report said. The GAO pointed out similar problems last year.
"Weaknesses in these areas increase the likelihood of errors in financial data that result in misstatement and expose sensitive information and systems to unauthorized use, disclosure, modification and loss," the report said. "An underlying reason for these weaknesses – both old and new – is that [the] IRS has not yet fully implemented key components of a comprehensive information security program."
The report, released roughly a month before the annual tax filing deadline, added that these deficiencies were placing taxpayer information at risk.
Specifically, the GAO found, some IRS devices can be accessed using simple passwords of six characters or fewer, and the agency is allowing some users excessive privileges beyond what they need to perform their jobs. Similarly, the GAO discovered poor segregation-of-duty practices at the IRS, which could lead to the breach of sensitive information if an employee's responsibilities are not clearly defined and separate from another worker.
The audit also found that some IRS network devices are transmitting unencrypted data. Also, the IRS is not regularly logging potential security threats, and the agency is running some outdated and unpatched software that could invite attack.
The IRS must implement a comprehensive security program that includes, among other things, regular risk assessments, security awareness training, and policies and processes to address weaknesses in the program, the report concluded.
In a response letter to Gregory Wilshusen, GAO's director of information security issues, Shulman said the IRS has created "repeatable processes" to respond to "material weaknesses."
"We appreciate your continued support and guidance as we work to improve our security posture," he wrote.