IRS makes strides in computer security

The IRS is improving its computer security, but the agency still has some problems so serious they cannot be made public, according to a General Accounting Office report released Tuesday by Sen. Fred Thompson, R-Tenn.

According to the report ("IRS Systems Security: Although Significant Improvements Made, Tax Processing Operations and Data Still at Risk," AIMD-99-38), the IRS has fixed 63 percent of the problems GAO identified in an April 1997 report (AIMD-97-49), including accounting for 6,400 missing magnetic storage tapes that could contain sensitive taxpayer data. A total of 397 tapes were missing from the six facilities GAO visited this time around.

"While some improvement has been made at the IRS, they still have a long way to go," said Thompson, who heads the Senate Governmental Affairs Committee. "Until the IRS systematically fixes its computer security weaknesses, instead of only patching isolated security problems, taxpayers will continue to be exposed to loss and damages resulting from identity fraud and other financial crimes."

Following the April 1997 report, the IRS created the Office of Systems Standards and Evaluation, which is responsible for handling security and privacy issues. The office includes more than 60 security, privacy and systems specialists, led by two senior executives who report to the agency's chief information officer.

The office has developed a plan for identifying and correcting security weaknesses at all the IRS' facilities and begun conducting security reviews.

Nevertheless, security weaknesses remain, GAO said.

For example, some employees without a need to know have access to individuals' tax information. The IRS also has not completed disaster recovery plans for all systems and has not adequately tested backup procedures, GAO said.

GAO said organizations should follow a risk management cycle to continually monitor computer security. The cycle starts with assessing risks and determining ways to mitigate them. Then organizations must put security controls in place and educate employees who are responsible for maintaining security. The security controls and procedures should be monitored and evaluated. A central manager or office should be placed in charge of security who can keep the risk management cycle flowing, GAO said.

Now that the IRS has created such a central office, GAO recommended the agency limit physical access to facilities and computer rooms, restrict access to computer programs to those employees who need it to do their jobs, improve tracking of computer tapes and beef up disaster recovery plans.

In a written response to the GAO report, IRS Commissioner Charles Rossotti agreed with the recommendations, though he noted that assessing and dealing with security risks at the IRS' more than 1,000 facilities will take more than a few years.