March 2016: IRS Needs to Further Improve Controls over Financial and Taxpayer Data

Excerpt

What GAO Found The Internal Revenue Service (IRS) made progress in implementing information security controls; however, weaknesses in the controls limited their effectiveness in protecting the confidentiality, integrity, and availability of financial and sensitive taxpayer data. During fiscal year 2015, IRS continued to devote attention to securing its information systems that process sensitive taxpayer and financial information. Key among its actions were further restricting access privileges on key financial applications and continuing its migration to multifactor authentication across the agency.

However, significant control deficiencies remained. For example, the agency had not always (1) implemented controls for identifying and authenticating users, such as applying proper password settings; (2) appropriately restricted access to servers; (3) ensured that sensitive user authentication data were encrypted; (4) audited and monitored systems to ensure compliance with agency policies; and (5) ensured access to restricted areas was appropriate. In addition, unpatched and outdated software exposed IRS to known vulnerabilities.

An underlying reason for these weaknesses is that IRS has not effectively implemented elements of its information security program. The agency had a comprehensive framework for its program, such as assessing risk for its systems, developing security plans, and providing employees with security awareness and specialized training.

Continue scrolling for more...

However, aspects of its program had not yet been effectively implemented. For example, IRS had not updated key mainframe policies and procedures to address issues such as comprehensively auditing and monitoring access. In addition, IRS did not include sufficient detail in its authorization procedures to ensure that access to systems was appropriate.

Further, IRS had not ensured that many of its corrective actions to address previously identified deficiencies were effective. For example, for the 28 prior recommendations that IRS informed us that it had addressed, 9 of the associated weaknesses had not been effectively corrected.

Until IRS takes additional steps to (1) address unresolved and newly identified control deficiencies and (2) effectively implement elements of its information security program, including, among other things, updating policies, test and evaluation procedures, and remedial action procedures, its financial and taxpayer data will remain unnecessarily vulnerable to inappropriate and undetected use, modification, or disclosure.

These shortcomings were the basis for GAO’s determination that IRS had a significant deficiency in internal control over financial reporting systems for fiscal year 2015.

Download the Document

https://documents.theblackvault.com/documents/financial/676097.pdf

 

Follow The Black Vault on Social Media:

This post was published on March 29, 2016 6:05 am

John Greenewald

Recent Posts

FBI Files: Historical Figures & Groups

Background Welcome to the FBI Files on Historical Figures & Groups archive at The Black…

August 31, 2025

FOIA Emails Reveal Pentagon’s Tight Control Over AARO “Historical Record Report” Rollout and Messaging

A new release of Department of Defense (DoD) emails obtained through the Freedom of Information…

August 27, 2025

New Documents Detail Slow, Multi-Agency Vetting of “Skinwalkers at the Pentagon”

Newly released Department of Defense records reveal the prolonged and often frustrating prepublication review process…

August 12, 2025

FAA Records Add ‘Black Cube’ Sighting to Wright-Patterson AFB Drone Mystery

Newly released Federal Aviation Administration (FAA) documents obtained by The Black Vault under FOIA case…

August 11, 2025

FBI Files: Directors, Agents and Personnel of the Central Intelligence Agency (CIA)

Background The Central Intelligence Agency was created in 1947 with the signing of the National…

August 7, 2025

DOD Releases “Verbal Legal Advisement” Given to UFO Whistleblower David Grusch

The Department of Defense (DOD) has released, in full, the exact text of the “Verbal…

August 4, 2025