IRS still puts taxpayer data at risk

The US Internal Revenue Service continues to put taxpayers' personal data at risk by not strengthening its information security systems, according to a report by the US Government Accountability Office.

“Although [the] IRS has made progress [over the past year], controls over its key financial and tax processing systems located at two sites were ineffective,” the GAO said in the report, which was released late last month.

The report concluded that the tax agency corrected 41 of 81 specific technical weaknesses that the GAO found last year. But the GAO also found that the security system now needs further updates to correct “new information security control weaknesses that threaten the confidentiality, integrity and availability of IRS’s financial information systems and the information they process.”

According to the GAO, the IRS has not yet implemented effective electronic access controls related to network management, user accounts and passwords, user rights and file permissions, and logging and monitoring of security-related events. Also, the report said, the IRS doesn’t always follow its own policy dealing with password expiration and complexity.

For example, the IRS has not implemented the use of complex passwords on its Windows servers, and it does not adequately control the storage of passwords on its systems, the GAO said. The agency has also failed to restrict users’ access to just the information they need to do their jobs, according to the report.

“Collectively, these weaknesses increase the risk that sensitive financial and taxpayer data will be inadequately protected against disclosure, modification or loss, possibly without detection, and place IRS operations at risk of disruption,” the GAO said.

Until the IRS fully implements a comprehensive information security program, its facilities and computers, as well as the information that is processed, stored and transmitted on its systems, will be vulnerable, the report said.

The GAO recommends, in part, that the IRS enhance policies and procedures related to password and configuration settings to comply with federal guidelines, ensure that contractors with significant information security responsibilities are given specialized training, ensure that disaster recovery plans are complete and updated, and continue to enhance continuity capabilities by training non-IRS staff to restore operations.

In a letter to Gregory Wilshusen, the GAO’s IT director, IRS Commissioner Mark Everson acknowledged that his agency needs a comprehensive security program and agreed to implement the five recommendations in the report.
