The Government Accountability Office (GAO) published a report last week detailing the results of an audit of the IRS's financial statements for 2008. The nation's tax collector failed to implement controls to prevent, limit and detect unauthorized access to its information systems -- for example, enforcing strong passwords, authorizing user access, encrypting sensitive data, monitoring changes on its mainframe and physically protecting its resources, the audit report states.
Last year's audit also found that the IRS failed to enforce strong passwords, encrypt sensitive data and physically protect computer resources.
“The key reason for these weaknesses is that IRS has not yet fully implemented its agencywide information security program to ensure that controls are appropriately designed and operating effectively,” the 2009 report states.
The IRS relies on computerized programs to support its operations, which include tax collection, tax return processing and enforcing the nation's tax laws, the GAO said. The weaknesses represent exposures in internal controls over systems that are used to process, store and transmit “sensitive” taxpayer information, according to a letter sent last Friday from the GAO to Douglas Shulman, IRS commissioner.
The IRS mitigated just 49 of 115 weaknesses that were reported in the last audit, the GAO said. Though most of the weaknesses identified last year remain unresolved, the IRS did take some positive steps, including implementing controls for unauthenticated network access and encryption for sensitive data going across its network. It also improved patching of critical vulnerabilities and updated contingency plans to document critical business processes.
An IRS spokesman on Tuesday referred SCMagazineUS.com to a December letter from Shulman, who said the IRS is “committed to securing our computer environment as we continually evaluate processes, promote user awareness and apply innovative ideas to increase compliance.”
Observers said this week that the IRS has failed to develop a solid security framework.
“Open items still on the report were alarming,” Ken Stasiak, CEO of SecureState, which supplies security services to government and businesses, told SCMagazineUS.com on Tuesday. “It would be at the taxpayer's benefit to see that the issues are taken care of.”
Stasiak said the biggest cause for concern is that the IRS seems to be taking a reactive approach to security, rather than a proactive one.
Security shortfalls have been plaguing the IRS for at least six years. And last September, the U.S. Treasury Inspector General for Tax Administration identified 2,093 potential web servers connected to the IRS network that had at least one security vulnerability.