Taxpayer information held on US Internal Revenue
Service (IRS) computers is still at risk because of continuing
security control weaknesses.
A report by the US Government Accountability Office (GAO) says,
“These weaknesses increase the risk that sensitive financial and
taxpayer data will be inadequately protected against disclosure,
modification or loss, possibly without detection, and place IRS
operations at risk of disruption.”
The GAO assessed IRS progress in correcting previously reported
information security weaknesses at two sites, and determined
whether controls in place ensured the confidentiality, integrity
and availability of taxpayers’ data.
Although the GAO found that the IRS had made some progress, it
found the tax collection agency had failed to fix 40 previously
reported IT security flaws. It also found new weaknesses.
For instance, the IRS had not put in place effective access
controls for network management, user accounts and passwords, and
user rights and file permissions.
It also failed on the logging and monitoring of security-related
events.
The IRS had also failed to physically secure computer resources,
and to prevent unauthorised changes to system software.
“Until the IRS fully implements a comprehensive agency-wide
information security programme, its facilities and computing
resources, and the information that is processed, stored and
transmitted, will remain vulnerable,” said the GAO report.
The IRS has told the GAO it is now addressing the reported
problems across its operations.