Sidebar: IRS Still Puts Taxpayer Data at Risk, Says GAO

The Internal Revenue Service continues to put taxpayers' personal data at risk by not strengthening its information security systems, according to a report by the U.S. Government Accountability Office.

"Although [the] IRS has made progress [over the past year], controls over its key financial and tax processing systems located at two sites were ineffective," the GAO said in the report, which was released late last month.

The report concluded that the tax agency corrected 41 of 81 specific technical weaknesses that the GAO found last year. But the GAO also found that the security system now needs further updates to correct "new information security control weaknesses that threaten the confidentiality, integrity and availability of IRS's financial information systems and the information they process."

According to the GAO, the IRS has not yet implemented effective electronic access controls related to network management, user accounts and passwords, user rights and file permissions, and logging and monitoring of security-related events. Also, the report said, the IRS doesn't always follow its own policy dealing with password expiration and complexity.

For example, the IRS has not implemented the use of complex passwords on its Windows servers, and it does not adequately control the storage of passwords on its systems, the GAO said. The agency has also failed to restrict users' access to just the information they need to do their jobs, according to the report.

"Collectively, these weaknesses increase the risk that sensitive financial and taxpayer data will be inadequately protected against disclosure, modification or loss, possibly without detection, and place IRS operations at risk of disruption," the GAO said.

Until the IRS fully implements a comprehensive information security program, its facilities and computers -- as well as the information that is processed, stored and transmitted on its systems -- will be vulnerable, the report said.

The GAO recommends, in part, that the IRS enhance policies and procedures related to password and configuration settings to comply with federal guidelines, ensure that contractors with significant information security responsibilities are given specialized training, ensure that disaster recovery plans are complete and updated, and continue to enhance continuity capabilities by training non-IRS staff to restore operations.

In a letter to Gregory Wilshusen, the GAO's IT director, IRS Commissioner Mark Everson acknowledged that his agency needs a comprehensive security program and agreed to implement the five recommendations in the report.

Copyright © 2006 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon