IRS Financial Systems Vulnerable to Insider Threats
GAO: Tax Agency Inconsistent in Implementing Security Controls
The IRS failed to sufficiently restrict users' access to databases to only the access needed to perform their jobs; to secure the system it uses to support and manage its computer access request, approval and review processes; to update database software residing on servers that support its general ledger system; and to enable certain auditing features on databases supporting several key systems, according to a report issued by the Government Accountability Office. In addition, GAO said, 65 of 88, or nearly three-quarters, of previously reported weaknesses remain unresolved or unmitigated.
The reason for these weaknesses? GAO said the IRS hasn't fully implemented key components of its comprehensive information security program. Although IRS has processes in place intended to monitor and assess its internal controls, auditors said, these processes were not always effective.
GAO cited this example: IRS's testing neither detected many of the vulnerabilities GAO identified during the audit nor assessed a key application in its environment. The agency also hadn't effectively validated corrective actions reported to resolve previously identified weaknesses. "Although IRS had a process in place for verifying whether each weakness had been corrected, this process was not always working as intended," said the audit, written by Nancy Kingsbury, managing director of applied research and methods, and Gregory Wilshusen, director of information security issues.
The auditors pointed out that the IRS reported resolving 39 of the 88 previously identified weaknesses, but GAO found that 16 of those 39 had not actually been mitigated. Together with the 49 weaknesses the IRS had not yet addressed, that accounts for the 65 that remain open.
GAO said the IRS has various initiatives underway to bolster security over its networks and systems. "Until the agency corrects the identified weaknesses, its financial systems and information remain unnecessarily vulnerable to insider threats, including errors or mistakes and fraudulent or malevolent acts by insiders," the auditors wrote. As a result, the IRS places financial and taxpayer information at increased risk of unauthorized disclosure, modification or destruction. GAO also said financial data is at increased risk of errors that result in misstatement, and the agency's management decisions may be based on unreliable or inaccurate financial information.
Considered collectively, the auditors wrote, these weaknesses serve as the basis for GAO's determination that IRS had a material weakness in internal control over financial reporting related to information security in fiscal year 2010.
In its public report, GAO recommended that the IRS:
- Update risk assessments whenever there is a significant change to the system, the facilities where the system resides, or other conditions that may affect the security or status of system accreditation.
- Revise the risk assessment for the mainframe environment supporting the general ledger for tax-related activities and tax processing applications to include all portions of the environment that could affect security.
- Update policies and procedures pertaining to password controls to ensure they are consistent.
- Document and implement policy and procedures for how systems-managed storage as an access control mechanism should be administered, managed, and monitored.
- Revise the application security plan to describe controls in place in its current mainframe operating environment.
- Perform comprehensive testing of the key network component considered to be a high-risk system, at least annually.
- Test the application security for the general ledger system for tax-related activities in its current operating environment.
- Perform comprehensive testing of security controls over the mainframe environment to include all portions of the operating environment.
In a separate, limited-distribution report, GAO made 32 detailed recommendations for correcting specific IT security weaknesses identified during this audit, related to identification and authentication, authorization, cryptography, audit and monitoring, physical security, configuration management and segregation of duties.
IRS Commissioner Douglas Shulman, in a letter to GAO, didn't dispute the audit, saying processes are underway to address the auditors' concerns. "The IRS has established enterprise, repeatable processes which are overseen by an internal team that performs self-inspections, identifies and mitigates risks, and provides executive governance over the corrective actions to this material weakness," Shulman wrote. "The combination of all of these actions makes us confident that we are steadily progressing toward eliminating this issue as a material weakness."
The latest report echoes findings in earlier audits (see GAO: Weak Controls Put IRS System at Risk and Weak Security Controls Raise Doubts About IRS Data).