Taxpayer information held on the US Internal Revenue Service (IRS) computers is still at risk because of continuing security control weaknesses.
A report by the US Government Accountability Office (GAO) says, “These weaknesses increase the risk that sensitive financial and taxpayer data will be inadequately protected against disclosure, modification or loss, possibly without detection, and place IRS operations at risk of disruption.”
The GAO assessed IRS progress in correcting previously reported information security weaknesses at two sites, and determined whether controls in place ensured the confidentiality, integrity and availability of taxpayers’ data.
Although the GAO found that the IRS had made some progress, it found the tax collection agency had failed to fix 40 previously reported IT security flaws. In addition, it found new weaknesses too.
For instance, the IRS had not put in place effective access controls for network management, user accounts and passwords, and user rights and file permissions.
It also failed on the logging and monitoring of security-related events.
The IRS had also failed to physically secure computer resources, and to prevent unauthorised changes to system software.
“Until the IRS fully implements a comprehensive agency-wide information security programme, its facilities and computing resources, and the information that is processed, stored and transmitted, will remain vulnerable,” said the GAO report.
The IRS has told the GAO it is now addressing the reported problems across its operations.