March 30, 2007
GAO raps IRS on information security (again)
With tax day fast approaching, tens of millions of U.S. residents are preparing to send reams of sensitive personal financial data to the Internal Revenue Service as part of their annual tax filing. That simple fact makes the systems that store that data the world's fattest target for identity theft.
The big question is: how secure are the IRS's systems for storing taxpayer data?
Not very, according to a report by the Government Accountability Office (GAO). In a report released Friday, GAO said that IRS has made only "limited progress toward correcting or mitigating previously reported information security weaknesses" at two of its data processing sites, and that 66 percent of the information security weaknesses discovered by previous GAO audits still exist.
In particular, "Significant weaknesses in access controls and other information security controls continue to threaten the confidentiality, integrity, and availability of IRS’s financial and tax processing systems and information," GAO found in its report.
And it gets worse...
"IRS has not consistently implemented effective access controls to prevent, limit, or detect unauthorized access to computing resources from within its internal network. These access controls include those related to user identification and authentication, authorization, cryptography, audit and monitoring, and physical security. In addition, IRS faces risks to its financial and sensitive taxpayer information due to weaknesses in configuration management, segregation of duties, media destruction and disposal, and personnel security controls."
Lack of planning is at the root of IRS's infosecurity problems, according to GAO.
"(IRS) has not yet fully implemented its agency wide information security program to ensure that controls are effectively established and maintained," the report says. "As a result, weaknesses in information security controls over its key financial and tax processing systems could impair IRS’s ability to perform vital functions and could increase the risk of unauthorized disclosure, modification, or destruction of financial and sensitive taxpayer information."
GAO says that it will make recommendations to the Commissioner of Internal Revenue to encourage the agency to implement an information security program. In a dire-sounding disclosure, GAO said that it was also "making recommendations to the commissioner in a separate report with limited distribution. These recommendations consist of actions to be taken to correct the specific information security weaknesses related to user identification and authentication, authorization, cryptography, audit and monitoring, physical security, configuration management, segregation of duties, media destruction and disposal, and personnel security."
Posted by Paul Roberts on March 30, 2007 11:56 AM