IRS incorrectly claimed security issues had been corrected

GAO finds several information security weaknesses reported as mitigated actually weren’t.

In addition to addressing less than 30 percent of the information security weaknesses highlighted in a 2007 Government Accountability Office report, the Internal Revenue Service made inaccurate claims about its progress, according to a GAO auditor.

A new GAO report released Tuesday (GAO-08-211) states that the agency corrected or mitigated 29 of the 98 information security weaknesses highlighted at the time of GAO's last review in 2007. Among other findings, the IRS failed to consistently enforce strong password management for identifying users, authorize user access according to job functions, encrypt sensitive data, monitor changes on the mainframe computer server that supports the agency's general ledger for tax administration, and physically protect computer resources. That, combined with failure to implement internal controls and system configuration policies, continues to threaten financial and taxpayer information, according to the report.

"IRS needs to establish a risk-based approach for mitigating weaknesses and … fully implement an information security program on an agencywide basis in order to ensure that issues don't reoccur later," said Gregory Wilshusen, director of information security issues at GAO.

Also of concern to GAO were incorrect reports from the IRS about steps made to improve information security. "Our objective was to follow up on previously reported weaknesses to see progress," Wilshusen said. "Interestingly, they reported several weaknesses as being mitigated, but when we went in to do our follow-up exam, [we] found [they] had not been corrected." Wilshusen could not specify which vulnerabilities the IRS erroneously claimed to have been dealt with, saying that release of specific information could spur malicious attacks against its networks.

The IRS declined comment for this article.

The agency has made some progress, tightening access controls for certain critical servers, limiting computer room access to authorized individuals, developing a security plan for a key financial system, and updating servers that were running unsupported operating systems. In addition, the IRS began efforts to establish security policies, procedures and practices with six enterprisewide goals that would help protect and encrypt data, secure information technology assets, and build security into new applications.

GAO also made seven recommendations to improve information security, including updates to policies and procedures for configuring mainframe operations, specialized training, expanded testing, enhanced contractor oversight and contingency planning.

"We recognize that there is significant work to be accomplished to address our information security deficiencies, and we are taking aggressive steps to correct previously reported weaknesses and improve our overall information security program," the IRS stated in a letter of response to GAO. In addition to implementing a strict information security program, the IRS will initiate a performance standard focused on resolving security weaknesses and reporting the security compliance status of computer systems connected to its network.

The IRS is not alone. In April 2007, GAO reported (GAO-07-751T) that 24 major federal agencies continue to have weaknesses with information security controls. A number of other GAO reports highlight the failures by specific agencies to deal with problems.

"The guys at GAO are wonderful, but this report could have been written every year for the past eight years -- at least -- and for nearly every agency," said Alan Paller, director of research at the SANS Institute, a nonprofit cybersecurity research organization in Bethesda, Md.

In September 2007, IT security firm Symantec released its Internet security threat report, which found that one in four security breaches occurred in the government sector.

"It's almost like Groundhog Day -- we're entering 2008 with this report on IRS, but the title of the agency could just as easily be left blank," said Jim Russell, vice president for public sector at Symantec. "A lot of the issues cited can be solved through policy compliance. IRS needs to get a handle on what their environment looks like, but more importantly, they need to look at endpoints and servers and make sure they're standardized with the latest security software and have the latest patches. Security policy and compliance is not what you address in January, then slap your hands together and figure you're fine for the year. It's ongoing."