To fix IRS computer security, GAO recommends dozens of corrective actions
Serious security weaknesses threaten sensitive taxpayer information, the Government Accountability Office says.
The GAO says that in a report it did not release to the public, it recommended in detail that the Internal Revenue Service take 30 specific actions on newly identified information security weaknesses. The problems are related to identification and authentication, authorization, cryptography, audit and monitoring, and configuration management, the GAO says.
In the public report (.pdf), released March 15, the GAO makes additional recommendations, such as that the IRS should update its evaluations to ensure that it can determine if authentication controls are functioning properly. It should also fully document a continuous monitoring strategy, the report says.
In response, the IRS's acting commissioner told GAO that it would address the recommendations but that "the integrity of the IRS's financial systems continues to be sound," the report says. But, auditors say, the IRS hasn't always effectively implemented access controls to protect information.
That's a "key reason for the information security weaknesses" in the IRS's tax processing systems, the report says--the agency has developed a comprehensive security program but hasn't actualized all of it.
The size of the IRS presents operational challenges, the report says. The agency has more than 650 offices in all 50 states, U.S. territories, and some embassies and consulates., and it relies heavily on computer systems to manage the data it maintains on every U.S. taxpayer.
- download the report, GAO-13-350 (.pdf)