As GAO watches, IRS works to patch security holes

The IRS looks to shore up systems

In light of GAO findings, the IRS has begun:

  • Configuring access rights to IRS' mainframe computers to separate taxpayer data from FinCEN Bank Secrecy Act data

  • Enhancing auditing software, which generates logs that are reviewed regularly by IT staff

  • Implementing policies and procedures to ensure that system software is tested and evaluated prior to installation

  • Discontinuing the practice of using shared accounts and passwords to administer its network authentication server and firewall

  • Limiting remote access capabilities that expose passwords and user identifications

  • Educating users to implement more complex passwords

  • Assessing whether taxpayer and Bank Secrecy Act data were disclosed to unauthorized persons

  • Putting in place security policies and procedures, documentation and testing

  • Offering specialized training for employees with significant security responsibilities.

    'Until IRS fully implements a comprehensive agencywide information security program, its facilities and computing resources ... will remain vulnerable.'

    GAO's Gregory Wilshusen

    The IRS, caught in a thicket of IT security problems, is hoping to be mostly out of the woods by fall.

    The agency's shortcomings in cybersecurity management put taxpayer and other financial data at risk, the Government Accountability Office said in a recent report.

    'Until IRS fully implements a comprehensive agencywide information security program, its facilities and computing resources and the information that is processed, stored and transmitted on its systems will remain vulnerable,' said Gregory Wilshusen, director of GAO's information security issues.

    GAO again will review the IRS' progress in securing its systems this summer, Wilshusen said.

    'Most weaknesses we identified were management-related issues in terms of how IRS configured systems and assured that established procedures were followed,' Wilshusen said. 'Managing the security risk is the key to securing your systems.'

    The IRS already is fixing the vulnerabilities and anticipates having most problems corrected by September, a Treasury Department official said.

    By then, officials said, they expect to have certified and accredited all systems to comply with the Federal Information Security Management Act.

    'The IRS anticipates significantly improved performance in this summer's FISMA annual systems security review,' said Arnold Havens, Treasury's acting deputy secretary, in a response to GAO earlier this month.

    Treasury received a D+ as its most recent overall FISMA grade, and IRS systems constitute the bulk of Treasury's systems.

    Completing certification and accreditation will be a big step forward for the IRS, said a spokesman for House Government Reform Committee chairman Tom Davis (R-Va.).

    Certification and accreditation lets agencies assess controls for each system and lets management sign off on acceptance of risk and authorize system operations. But 'it does not necessarily mean that a system is secure,' Wilshusen said.

    Other threats could emerge, new vulnerabilities could be identified and changes could occur in the operating environment that would not necessarily be covered by certification and accreditation, he said.

    Legacy systems also present a challenge because security must be bolted on, rather than being incorporated in development as with new systems.

    'These systems can be costly and complicated to transform or update, but not doing so can create greater vulnerabilities,' Government Reform Committee spokesman Drew Crockett said.

    In addition to taxpayer data, the IRS also maintains monthly reports related to suspicious financial transactions under the Bank Secrecy Act for Treasury's Financial Crimes Enforcement Network. The record keeping provides a paper trail for law enforcement to investigate money laundering and terrorist financing.

    New security gaps

    GAO's report criticized the agency for a broad range of weaknesses that must be addressed before the IRS really has a handle on its security. To read the report, go to www.gcn.com and enter 418 in the GCN.com/search box.

    Even as the IRS has fixed some security weaknesses, others have emerged, auditors found. In the two years since the last review, the IRS has fixed 32 of 53 previously identified security weaknesses. But auditors uncovered 39 more during their recent evaluation.

    The weak spots include ineffective electronic access controls over its mainframe computers to separate its taxpayer data from Bank Secrecy Act report data. Consequently, the IRS granted all 7,460 mainframe users, including IRS employees, non-IRS employees and contractors, regardless of their official duties, the ability to access taxpayer and Bank Secrecy Act data.

    'As a result, all mainframe users could read or copy Bank Secrecy Act data, and law enforcement users could read or copy taxpayer data,' Wilshusen said.

    Bank Secrecy Act data includes the name, Social Security number and driver's license number of the individual under investigation and the amounts of financial transactions.

    The IRS will determine whether taxpayer or Bank Secrecy data has been compromised, Treasury's Havens said.

    About the Author

    Mary Mosquera is a reporter for Federal Computer Week.
