Taxpayer data at IRS remains vulnerable, GAO warns

Computerworld - Less than three months after the Treasury Inspector General for Tax Administration reported that there were major security vulnerabilities in two crucial Internal Revenue Service systems, the IRS's security practices have been panned by another government entity.

This time, the criticism (download pdf) comes from the Government Accountability Office, which last week released a report highlighting several problems with how the IRS protects taxpayer data. The 24-page assessment examined existing policies and controls as well as IRS efforts to fix security issues reported in a previous GAO audit.

The report shows that taxpayer and other sensitive data continues to remain dangerously underprotected at the IRS. According to the GAO, while the IRS has addressed 49 of 115 previously reported security issues, several critical areas remain vulnerable.

For example, the IRS still does not always enforce strong password management rules for identifying and authenticating users of its systems, nor does it encrypt certain types of sensitive data, the GAO said. It also noted that the IRS has a tendency to allow sensitive information such as user IDs and passwords to be "readily available" to any user on its networks. Weak passwords and excessive access on the network for authenticated users were also cited as potential threats to taxpayer data.

A lot of the issues are the result of a continued failure by the IRS to implement any agency-wide information security program or review risk assessments annually, the GAO said. As a result, the agency remains "particularly vulnerable" to insider threats and malicious attacks that could expose financial and taxpayer data.

The GAO pointed to specific security problems, including the following: Exposed usernames and passwords on an IRS contractor-maintained Web site; authenticated users on the IRS network with access to shared drives containing taxpayer information, performance appraisal data and sensitive data such as Social Security numbers for other IRS employees; financial information and account data that was transmitted in the clear from the IRS's financial accounting system; inadequate logging of security events for Unix and Windows servers at a data center, and a similar lack of controls for logging changes to mainframe data sets at another data center; a failure to maintain or enforce a baseline configuration for a mainframe system, which supports the revenue accounting operation of record and other critical applications.

The steps the IRS has taken to improve security include setting up better controls to prevent network access by unauthenticated users; paying more attention to patching critical vulnerabilities; and formulating better contingency plans for documenting critical business processes.

In a one-page response to the report, IRS Commissioner Douglas Shulman said data security and privacy are of "utmost importance" to the IRS, and he pledged that the agency would provide a "detailed corrective action plan" that addresses the concerns raised by the GAO. A spokesperson at the IRS could not be immediately reached for comment.