US tax department still putting taxpayer data at risk

27.03.2006
The Internal Revenue Service continues to put taxpayers' sensitive personal data at risk by not strengthening its information security systems, according to a report by the U.S. Government Accountability Office.

The IRS has corrected 41 of 81 specific technical weaknesses the GAO found last year, but more needs to be done, according to the report.

'Although [the] IRS has made progress, controls over its key financial and tax processing systems located at two sites were ineffective,' the GAO said in the report, which was released last week. 'In addition to the 40 previously reported weaknesses for which IRS has not completed actions, GAO identified new information security control weaknesses that threaten the confidentiality, integrity and availability of IRS's financial information systems and the information they process.'

The IRS has not implemented effective electronic access controls related to network management, user accounts and passwords, user rights and file permissions, and logging and monitoring of security-related events, the GAO said. Although the IRS has a policy to deal with password expiration and complexity, it does not always follow its own requirements, the GAO said.

For example, the IRS has not implemented the use of complex passwords on its Windows servers and it does not adequately control the storage of passwords on its systems, the GAO said. The agency has also failed to restrict users' access to just the information they need to do their jobs, according to the report.

'For example, [the] IRS granted administrators of certain Windows servers a user right that could allow them to add false entries into the security log,' the GAO said. 'In addition, it granted all users on one Windows server 'read' access to a certain registry setting that would allow users to remote read sensitive system settings.'