GAO Report Cites Weaknesses in IRS Information Security Systems
Internal Revenue Service records, including taxpayer information, are vulnerable to tampering or disclosure because it has not yet fixed dozens of information security weaknesses, according to a government report.
The existing problems, the congressional Government Accountability Office said, included giving too many people access to sensitive material, failure to encrypt all sensitive data and weak physical security controls.
One data center allowed at least 17 individuals access to sensitive areas without justifying a need based on their job duties. Another center did not perform periodic reviews of records accounting for mechanical keys used to gain access to sensitive areas. The IRS also continues to use passwords that are not complex, and it installs patches in an untimely manner, the report indicated.
One reason for the weaknesses, the GAO said, is that the IRS has not yet fully implemented an agencywide information security program.
“Until these weaknesses are corrected, the agency remains particularly vulnerable to insider threats,” including unauthorized access to taxpayer information; disclosure, modification or destruction of that information, and disruption of operations and services.
Effective information security controls are critical for an agency that last year collected about $2.7 trillion in taxes and enforced the nation’s tax laws, the report said.
The IRS has made progress in some areas, including implementing controls for user IDs for certain critical services and improving physical protection for its procurement system, GAO said.
In addition, it said the IRS should identify individuals with significant security responsibilities for specialized training and enhance oversight of contractors to ensure they are complying with security policies.
Acting IRS Commissioner Linda Stiff, in response to the report, wrote that the agency recognizes “there is significant work to be accomplished to address our information security deficiencies and we are taking aggressive steps to correct previously reported weaknesses.”
- PE Firm Cornell Sued Over $345 Million Instant Brands Dividend
- Swiss Re: Mitigating Flood Risk 10x More Cost Effective Than Rebuilding
- Changing the Focus of Claims, Data When Talking About Nuclear Verdicts
- US High Court Declines Appeal, Upholds Coverage Ruling on Treated Wood