Taxpayer data at IRS remains vulnerable, GAO warns
The agency sees problems with password security and user access controls
January 13, 2009 12:00 PM ETComputerworld - Less than three months after the Treasury Inspector General for Tax Administration reported that there were major security vulnerabilities in two crucial Internal Revenue Service systems, the IRS's security practices have been panned by another government entity.
This time, the criticism (download pdf) comes from the Government Accountability Office, which last week released a report highlighting several problems with how the IRS protects taxpayer data. The 24-page assessment examined existing policies and controls as well as IRS efforts to fix security issues reported in a previous GAO audit.
The report shows that taxpayer and other sensitive data continues to remain dangerously underprotected at the IRS. According to the GAO, while the IRS has addressed 49 of 115 previously reported security issues, several critical areas remain vulnerable.
For example, the IRS still does not always enforce strong password management rules for identifying and authenticating users of its systems, nor does it encrypt certain types of sensitive data, the GAO said. It also noted that the IRS has a tendency to allow sensitive information such as user IDs and passwords to be "readily available" to any user on its networks. Weak passwords and excessive access on the network for authenticated users were also cited as potential threats to taxpayer data.
A lot of the issues are the result of a continued failure by the IRS to implement any agency-wide information security program or review risk assessments annually, the GAO said. As a result, the agency remains "particularly vulnerable" to insider threats and malicious attacks that could expose financial and taxpayer data.
The GAO pointed to specific security problems, including the following: Exposed usernames and passwords on an IRS contractor-maintained Web site; authenticated users on the IRS network with access to shared drives containing taxpayer information, performance appraisal data and sensitive data such as Social Security numbers for other IRS employees; financial information and account data that was transmitted in the clear from the IRS's financial accounting system; inadequate logging of security events for Unix and Windows servers at a data center, and a similar lack of controls for logging changes to mainframe data sets at another data center; a failure to maintain or enforce a baseline configuration for a mainframe system, which supports the revenue accounting operation of record and other critical applications.
The steps the IRS has taken to improve security include setting up better controls to prevent network access by unauthenticated users; paying more attention to patching critical vulnerabilities; and formulating better contingency plans for documenting critical business processes.
In a one-page response to the report, IRS Commissioner Douglas Shulman said data security and privacy are of "utmost importance" to the IRS, and he pledged that the agency would provide a "detailed corrective action plan" that addresses the concerns raised by the GAO. A spokesperson at the IRS could not be immediately reached for comment.
GAO
Additional Resources



Learn the important issues you must consider before starting your next mobility initiative. Get your mobility white paper from IDC now, compliments of Sybase.
White Papers & Webcasts
Death to PST Files
Download Now
The Tangled Web: Silent Threats & Invisible Enemies
Download Now
Tape Killed the IT Guy
Watch Now
Forrester Consulting Mobility Study: Taking Control of Enterprise Mobile Device Diversity
Download Now
BRM: What You Can Do To Reduce Risk In Challenging Times
Watch this webcast now!
What IT Must Do to Support Employee-Owned BlackBerry, iPhone and Android Mobile Devices
Download Now
Web 2.0, Social Media and the Dark Web - A Web Criminals Paradise?
In this discussion, learn about the challenges of protecting your users from the potentially unsafe content hidden in the "Dark Web".
eGuide: Enterprise Security
Smart Security Strategies for 2010. Read now!
Disaster Recovery 2008: Reduced Costs and Improved Performance
How long can your Enterprise afford to be without your data? With an accelerated disaster recovery program, you never have to answer this...

