GAO takes IRS to task over security weaknesses
- By Amanda Ziadeh
- Apr 13, 2016
A recent Government Accountability Office report found that the IRS has inconsistently implemented its agencywide security controls, constituting a “significant deficiency” in financial reporting and exposing taxpayer and financial data to unnecessary risk.
Among the weakness the GAO cited were insufficient controls for identifying and authenticating users, authorizing users’ level of rights and privileges, encrypting sensitive data, auditing and monitoring network activity and physically securing the facilities that house its IT resources.
Specifically, the agency used easily guessable passwords on servers that support key IT systems; users were granted permissions that exceeded what they needed; and some systems were not configured to encrypt sensitive user authentication data. Additionally, the IRS did not establish proper logging for audit and monitoring for two applications, and it failed to ensure the timely application of security patches.
The GAO also addressed the challenges that the IRS is facing detecting identify theft-based refund fraud. Though the IRS worked with consumers, financial institutions and states to further prevent identity fraud, the agency should implement pre-refund matching of taxpayer returns with information returns from employers and strongly assess the costs, benefits and risks of improving methods for authenticating taxpayers, GAO said.
In order to fully improve information security within its systems and prevent data breaches, the GAO made 43 technical recommendations in a separate report to address 26 new weaknesses in access controls and configuration management.
At a hearing before the Senate Finance Committee regarding the report, IRS Commissioner John Koskinen told committee members that the IRS must maintain a “delicate balance” between keeping criminals out of IRS systems while letting legitimate taxpayers in. He said his agency is working on developing a better-coordinated authentication framework to avoid some of the errors made in the past.
Congress continues to ask the IRS to do more with less by enacting deep and damaging cuts to the agency's budget," Sen. Tom Carper (D-Del.) said. "I'm concerned that these successive budget cuts may be pennywise and pound foolish when it comes to ... the agency's ability to protect American taxpayers' information online."
FCW’s Aisha Chowdhry contributed to this report.
Amanda Ziadeh is a former reporter/producer for GCN.