IRS incorrectly claimed security issues had been corrected
In addition to addressing less than 30 percent of the information security weaknesses highlighted in a 2007 Government Accountability Office report, the Internal Revenue Service provided false claims about its progress, according to a Government Accountability Office auditor.
A new GAO report released Tuesday (GAO-08-211) states that the agency corrected or mitigated 29 of the 98 information security weaknesses highlighted at the time of GAO's last review in 2007. Among other findings, the IRS failed to consistently enforce strong password management for identifying users, authorize user access according to job functions, encrypt sensitive data, monitor changes on the mainframe computer server that supports the agency's general ledger for tax administration, and physically protect computer resources. That, combined with failure to implement internal controls and system configuration policies, continues to threaten financial and taxpayer information, according to the report.
"IRS needs to establish a risk-based approach for mitigating weaknesses and ... fully implement an information security program on an agencywide basis in order to ensure that issues don't reoccur later," said Gregory Wilshusen, director of information security issues at GAO.
Also of concern to GAO were incorrect reports from the IRS about steps made to improve information security. "Our objective was to follow up on previously reported weaknesses to see progress," Wilshusen said. "Interestingly, they reported several weaknesses as being mitigated, but when we went in to do our follow-up exam, [we] found [they] had not been corrected." Wilshusen could not specify which vulnerabilities the IRS erroneously claimed to have been dealt with, saying that release of specific information could spur malicious attacks against its networks.
The IRS declined comment for this article.
The agency has made some progress, tightening access controls for certain critical servers, limiting computer room access to authorized individuals, developing a security plan for a key financial system, and updating servers that were running unsupportable operating systems. In addition, the IRS began efforts to establish security policies, procedures and practices with six enterprisewide goals that would help protect and encrypt data, secure information technology assets, and build security into new applications.
GAO also made seven recommendations to improve information security, including updates to policies and procedures for configuring mainframe operations, specialized training, expanded testing, enhanced contractor oversight and contingency planning.
"We recognize that there is significant work to be accomplished to address our information security deficiencies, and we are taking aggressive steps to correct previously reported weaknesses and improve our overall information security program," the IRS stated in a letter of response to GAO. In addition to implementing a strict information security program, the IRS will initiate a performance standard focused on resolving security weaknesses and reporting the security compliance status of computer systems connected to its network.
The IRS is not alone. In April 2007, GAO reported (GAO-07-751T) that 24 major federal agencies continue to have weaknesses with information security controls. A number of other GAO reports highlight the failures by specific agencies to deal with problems.
"The guys at GAO are wonderful, but this report could have been written every year for the past eight years -- at least -- and for nearly every agency," said Alan Paller, director of research at the SANS Institute, a nonprofit cybersecurity research organization in Bethesda, Md.
In September 2007, IT security firm Symantec released its Internet security threat report, which found that one in four security breaches occurred in the government sector.
"It's almost like Groundhog Day -- we're entering 2008 with this report on IRS, but the title of the agency could just as easily be left blank," said Jim Russell, vice president for public sector at Symantec. "A lot of the issues cited can be solved through policy compliance. IRS needs to get a handle on what their environment looks like, but more importantly, they need to look at endpoints and servers and make sure they're standardized with the latest security software and have the latest patches. Security policy and compliance is not what you address in January, then slap your hands together and figure you're fine for the year. It's ongoing."
COMMENTS
- The IRS has approximately six to seven 'lockboxes' needing unlocking. The password complexity requirement for each differs, making it (for the most part) impossible to have the same password - leaving users to write down their passwords for others to see. Access should be developed like USDA level II eauth, allowing the user to enter their credentials up front and logging out upon completion of use. Brandon Lynch Posted January 11, 2008 12:30 PM
- I worked briefly for the IRS last year, and in order to get into the critical computer databases my supervisor sat right next to me and made me show her all my passwords and security questions. I kept trying to keep them secret, and she insisted that if I got locked out, she was the one who had to restore my access so she needed that info. I'm sure that's not right. Moreover, anyone in that office could access the safe, and all the lockbox keys for individual lockboxes stored in the safe had duplicates. The duplicates were in a drawer in the safe, in case someone was absent and the others needed to get into their lockbox. So how safe do you think I felt leaving $6000 collected in cash from taxpayers in the safe overnight? Even if it was in my lockbox, it could be taken by anyone in that office. Since I was new, and the others long-term well-trusted folks (most of them protected by the union, too -- and the union rep claimed he had a cold hence did not contact me in 3 months) -- well, anyway, it was a setup for disaster. The security seemed to be intense due to special access codes for all the computer programs, special access to the safe, lockboxes inside the safe -- but in the end I did not feel there was a way to keep the money safe. Mary Lori Posted January 10, 2008 12:53 PM
- While some of this long-standing mess may be due to a lack of management commitment, most can be attached to unfunded mandates (setting the bar high and providing no resources to reach it), excessive outsourcing (which saps existing funds), lack of fed recruiting for tech skills, and a lack of concern for the completion of critical government missions (in this case secure and responsible collection of revenue) on the part of the current administration. From FEMA, to GSA contracting scandals, to corruption at HUD, etc. ... agencies need both funds and the ability to build solid core staff for on-going critical missions ... they are NOT currently receiving what they need. GAO is doing an excellent job of providing the taxpayers with a brutally honest (they deserve it) assessment of their government's effectiveness. This administration apparently does not understand that "efficiency" does NOT equal effectiveness. A-76 seems to be a mission prioritized over all other government missions. This is a sad state for America. Don Posted January 10, 2008 7:39 AM