The IRS has corrected 41 of 81 specific technical weaknesses the GAO found last year, but more needs to be done, according to the report.
'Although [the] IRS has made progress, controls over its key financial and tax processing systems located at two sites were ineffective,' the GAO said in the report, which was released last week. 'In addition to the 40 previously reported weaknesses for which IRS has not completed actions, GAO identified new information security control weaknesses that threaten the confidentiality, integrity and availability of IRS's financial information systems and the information they process.'
The IRS has not implemented effective electronic access controls related to network management, user accounts and passwords, user rights and file permissions, and logging and monitoring of security-related events, the GAO said. Although the IRS has a policy to deal with password expiration and complexity, it does not always follow its own requirements, the GAO said.
For example, the IRS has not implemented the use of complex passwords on its Windows servers and it does not adequately control the storage of passwords on its systems, the GAO said. The agency has also failed to restrict users' access to just the information they need to do their jobs, according to the report.
'For example, [the] IRS granted administrators of certain Windows servers a user right that could allow them to add false entries into the security log,' the GAO said. 'In addition, it granted all users on one Windows server 'read' access to a certain registry setting that would allow users to remote read sensitive system settings.'
The GAO also said the IRS has not effectively put in place other controls to physically secure computers and to prevent exploitation of vulnerabilities and unauthorized changes to system software.
'Collectively, these weaknesses increase the risk that sensitive financial and taxpayer data will be inadequately protected against disclosure, modification or loss, possibly without detection, and place IRS operations at risk of disruption,' the GAO said.
Until the IRS fully implements a comprehensive information-security program, its facilities and computers -- as well as the information that is processed, stored and transmitted on its systems -- will remain vulnerable, the report said.
The GAO recommends, in part, that the IRS enhance policies and procedures related to password age and configuration settings so that they comply with federal guidelines; ensure that contractors with significant information-security responsibilities are given specialized training; ensure that disaster recovery plans are complete and updated; and continue to enhance continuity of operations capabilities by training non-IRS staff to restore operations.
IRS officials acknowledged the GAO concerns and agreed with the report's findings. In a letter to Gregory Wilshusen, the GAO's IT director, IRS Commissioner Mark Everson acknowledged that his agency needs a comprehensive security program and agreed to implement the five recommendations in the report. He said efforts are already under way to remedy weaknesses and they will continue until all of the issues have been addressed.