IRS Systems Security and Funding
Employee Browsing Not Being Addressed Effectively and Budget Requests for New Systems Development Not Justified Gao ID: T-AIMD-97-82 April 15, 1997Serious weaknesses continue to plague the controls used to safeguard the Internal Revenue Service's (IRS) computer systems, facilities, and taxpayer data. A GAO review of security at five facilities found that IRS could not account for 6,400 missing units of magnetic storage tape that possibly contained taxpayer information. Moreover, printouts containing taxpayer data were left unprotected and unattended in open areas, and none of the facilities had comprehensive disaster recovery plans, which would allow the facilities to restore operations following emergencies or natural disasters. GAO also found that IRS has not effectively dealt with unauthorized "browsing" of taxpayer records by IRS employees. For example, IRS does not monitor all employees with access to automated systems to determine whether they might be browsing. In addition, even when IRS catches browsers, IRS does not consistently investigate the incidents, publicize them to deter others from browsing, or consistently punish browsers.
GAO noted that: (1) on April 8, 1997, GAO issued a report disclosing many serious computer security weaknesses at IRS; (2) these weaknesses make IRS computer resources and taxpayer data unnecessarily vulnerable to external threats, such as natural disasters and people with malicious intentions; (3) they also expose taxpayer data to internal threats, such as employees accessing taxpayer files for purposes unrelated to their jobs (for example, reading the files of celebrities or neighbors) or making unauthorized changes to taxpayer data, either inadvertently or deliberately for personal gain (for example, to initiate unauthorized refunds or abatements of tax); (4) such unauthorized and improper browsing of taxpayer records has been the focus of considerable attention in recent years; (5) nevertheless, GAO's report shows that IRS is not effectively addressing the problem; (6) IRS still does not effectively monitor employee activity, accurately record browsing violations, consistently punish offenders, or widely publicize reports of incidents detected and penalties imposed; (7) compounding IRS' serious and persistent computer security and employee browsing problems are equally serious and persistent TSM management and technical problems that must be corrected if IRS is to effectively invest in TSM; (8) IRS is requesting $1.131 billion in FYs 1998 and 1999 for TSM development and deployment; (9) however, IRS does not know how it will spend this $1.131 billion and has not yet corrected the management and technical problems that IRS has acknowledged have resulted in hundreds of millions of dollars being wasted thus far on TSM; and (10) this is inconsistent with the Government Performance and Results Act of 1993 and the Clinger-Cohen Act of 1996, which require that information technology investments be supported by convincing business case analyses and disciplined management and technical processes.