March 2016: IRS Needs to Further Improve Controls over Financial and Taxpayer Data

Excerpt

What GAO Found

The Internal Revenue Service (IRS) made progress in implementing information security controls; however, weaknesses in the controls limited their effectiveness in protecting the confidentiality, integrity, and availability of financial and sensitive taxpayer data. During fiscal year 2015, IRS continued to devote attention to securing its information systems that process sensitive taxpayer and financial information. Key among its actions were further restricting access privileges on key financial applications and continuing its migration to multifactor authentication across the agency.

However, significant control deficiencies remained. For example, the agency had not always (1) implemented controls for identifying and authenticating users, such as applying proper password settings; (2) appropriately restricted access to servers; (3) ensured that sensitive user authentication data were encrypted; (4) audited and monitored systems to ensure compliance with agency policies; and (5) ensured access to restricted areas was appropriate. In addition, unpatched and outdated software exposed IRS to known vulnerabilities.

An underlying reason for these weaknesses is that IRS has not effectively implemented elements of its information security program. The agency had a comprehensive framework for its program, such as assessing risk for its systems, developing security plans, and providing employees with security awareness and specialized training.

However, aspects of its program had not yet been effectively implemented. For example, IRS had not updated key mainframe policies and procedures to address issues such as comprehensively auditing and monitoring access. In addition, IRS did not include sufficient detail in its authorization procedures to ensure that access to systems was appropriate.

Further, IRS had not ensured that many of its corrective actions to address previously identified deficiencies were effective. For example, for the 28 prior recommendations that IRS informed us that it had addressed, 9 of the associated weaknesses had not been effectively corrected.

Until IRS takes additional steps to (1) address unresolved and newly identified control deficiencies and (2) effectively implement elements of its information security program, including, among other things, updating policies, test and evaluation procedures, and remedial action procedures, its financial and taxpayer data will remain unnecessarily vulnerable to inappropriate and undetected use, modification, or disclosure.

These shortcomings were the basis for GAO’s determination that IRS had a significant deficiency in internal control over financial reporting systems for fiscal year 2015.

Download the Document

https://documents.theblackvault.com/documents/financial/676097.pdf

 

This post was published on March 29, 2016 6:05 am

John Greenewald
