Until the IRS takes appropriate steps to resolve control deficiencies, taxpayer data will remain "unnecessarily vulnerable" to inappropriate use, says Gregory Wilshusen, GAO director of information security issues and co-author of the audit report, which was published March 28.
The audit uncovered IRS's failure to perform comprehensive tests and evaluations of its information security controls. "This is vitally important because this control helps IRS to identify vulnerabilities that they can take action on," Wilshusen says. "But in comparing our test and the result from our procedures, we found a number of vulnerabilities to IRS systems that IRS did not identify and was unaware of."
Past Weaknesses Not 'Effectively Corrected'
In its new audit, GAO says the IRS claimed it had corrected previously identified control weaknesses in 28 cases, but in nine of those instances, auditors determined they were not "effectively corrected."
GAO, in the audit, also points out weaknesses in IRS password controls. The auditors say the tax agency used passwords on a number of servers that could be easily guessed. On some servers, password expiration dates were not set. None of the 112 mainframe service accounts was configured to require a password change. As a result of these weaknesses, GAO says the IRS had reduced ability to control who was accessing its systems and data.
The audit also reveals that unpatched and outdated software exposed IRS to known vulnerabilities.
Wilshusen says some of the IRS's policies and procedures no longer reflected its current computing environment and systems security plans. "So, this increases the risk that the controls in place may not be appropriate, given the current environment."