The United States Government Accountability Office (GAO) believes that “serious weaknesses remain” in the way the Internal Revenue Service secures its internal network, problems that could put taxpayer data directly at risk, according to a report the congressional watchdog released on Friday.
The 31-page document, “IRS Has Improved Controls but Needs to Resolve Weaknesses,” (.PDF) outlines several problems with the IRS’s systems, including how it authenticates users, how (and whether) it enforces password complexity, its failure to restrict access to its mainframe environment, and its failure to keep patches up to date.
The GAO attributes most of these problems to the IRS not having fully implemented its information security program. The report notes that the IRS had addressed 58 of the recommendations from the GAO’s previous reports but left 13 of them unresolved.
Some of the agency’s passwords were not complex enough and could easily be guessed, and some employees had gone two years without changing their passwords, the GAO noted. In one case the GAO even found that “the username and password for a database was stored in clear text in a file that was named so that its contents were easy to guess.”
It is these weaknesses, the GAO argues, that could lead to taxpayer information being disclosed or modified without authorization.
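The three password findings above (guessable passwords, passwords unchanged for years, and database credentials in cleartext in a file with a telltale name) are the kind of thing an internal audit team can check for mechanically. The script below is an added illustration, not code from the GAO report or from the IRS; the password policy thresholds, the list of common passwords and the sample files are all constructed assumptions chosen to show the checks, not values taken from the report.

```python
"""Audit checks for the password hygiene findings described above.

Added example; thresholds, wordlist and sample files are constructed
assumptions, not data from the GAO report.
"""
import re
from datetime import date

MAX_AGE_DAYS = 90   # assumed policy; the report only says two years is too long
MIN_LENGTH = 12     # assumed minimum length

# Small list of commonly guessed passwords (constructed for the example).
COMMON_PASSWORDS = {"password", "password1", "welcome1", "letmein", "changeme"}

# Key names that usually introduce a credential in config or script files.
CRED_PATTERN = re.compile(r"(?i)(password|passwd|pwd)\s*[=:]\s*['\"]?([^\s'\"]+)")

# File names whose contents are "easy to guess", as the report put it.
SUSPECT_NAME = re.compile(r"(?i)(passw|cred|secret|dbconn|\.env$|\.ini$|\.properties$)")


def password_weaknesses(password: str, last_changed: str, today: str) -> list:
    """Return the policy violations for one password.

    last_changed and today are ISO dates (YYYY-MM-DD) so the function
    stays easy to drive from a CSV export of account records.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    classes = sum(
        bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]")
    )
    if classes < 3:
        problems.append("too few character classes")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("commonly guessed value")
    age = (date.fromisoformat(today) - date.fromisoformat(last_changed)).days
    if age > MAX_AGE_DAYS:
        problems.append("not changed within %d days" % MAX_AGE_DAYS)
    return problems


def find_cleartext_credentials(files: dict) -> list:
    """Scan a mapping of file name -> contents for cleartext credentials.

    Returns (file name, line number, key name, name_is_suspect) tuples.
    The secret value itself is deliberately not returned, so the audit
    output does not become another cleartext copy of the credential.
    """
    hits = []
    for name, content in files.items():
        suspect = bool(SUSPECT_NAME.search(name))
        for lineno, line in enumerate(content.splitlines(), 1):
            m = CRED_PATTERN.search(line)
            if m:
                hits.append((name, lineno, m.group(1).lower(), suspect))
    return hits


# Constructed sample files standing in for a scan of a file share.
SAMPLE_FILES = {
    "db_password.txt": "username=dbadmin\npassword=Summer2012\n",
    "app.properties": "jdbc.url=jdbc:oracle:thin:@dbhost:1521/tax\n"
                      "jdbc.password = 'Welcome1'\n",
    "README.txt": "Contact the DBA for connection details.\n",
}


if __name__ == "__main__":
    for hit in find_cleartext_credentials(SAMPLE_FILES):
        print("cleartext credential:", hit)
    for pw, changed in (("Summer2012", "2011-01-05"), ("xK9#mQ2$vL7pZ!", "2013-02-01")):
        print(pw, "->", password_weaknesses(pw, changed, "2013-03-01") or "ok")
```

In practice the file scan would walk a directory tree (or a share) and feed each file's contents to `find_cleartext_credentials`; the point of returning the key name and the file-name flag rather than the value is that the report's finding was about where and how the credential was stored, and an audit tool should not make that worse.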
That is not to say the IRS completely failed its audit. Between March 2012 and March 2013, the GAO notes, the revenue service improved encryption between accounting systems, upgraded critical network devices, and formed groups whose sole purpose was to identify at-risk parts of its systems. The GAO adds that the IRS made several changes to its authorization controls, including restricting some users’ privileges on sensitive files and strengthening application login processes, but insists there is further work to be done.
The report is the third information security report the Office has issued on the IRS in three years, following “IRS Needs to Enhance Internal Control over Financial Reporting and Taxpayer Data” in 2011 and “IRS Needs to Further Enhance Internal Control over Financial Reporting and Taxpayer Data” in 2012.
The GAO makes four recommendations to the IRS for bringing its security program up to speed and says it will spell out 30 additional recommendations in a separate, as yet unreleased report. Going forward, it advises the IRS to a) update its policies and procedures, b) update its testing and evaluation methodology, c) update its mainframe testing and evaluation processes, and d) document a monitoring strategy for ensuring the new policies are followed.
In response to the report, the IRS has “agreed to develop a detailed corrective action plan to address each recommendation.”
For more on the report, including a further, in depth look at the recommendations being made by the GAO, head here.