Information Security
Progress Made, but Weaknesses at the Internal Revenue Service Continue to Pose Risks
Gao ID: GAO-03-44 May 30, 2003
As part of its annual audits of IRS's financial statements, GAO assessed the effectiveness of information security controls at certain IRS facilities and over certain specific applications--controls meant to protect IRS's information systems and taxpayer data. Because the detailed reports that followed these reviews contained sensitive information and could be detrimental to the government if released to the public, they were issued only to IRS and congressional requesters. This public report is based on 18 such reports issued during the 3-year period ending July 31, 2002. Although it does not identify specific IRS facilities or applications, the report does provide GAO's assessment of the overall effectiveness of IRS's information security.
IRS has made and continues to make important progress toward improving its information security and implementing a comprehensive information security program. Nonetheless, weaknesses continue to threaten the confidentiality, integrity, and availability of sensitive systems and taxpayer data. IRS's implementation of logical access controls--those designed to ensure that only authorized individuals can read, alter, or delete data--has been inconsistent and accounts for three quarters of the 765 general control weaknesses found at the 11 facilities reviewed. Weaknesses in the other four control categories have further reduced IRS's effectiveness in physically securing its assets, separating incompatible duties among individuals, preventing unauthorized changes to software programs, and ensuring the agency's ability to continue operations after an unexpected interruption. In addition, 112 application control weaknesses hindered IRS's ability to limit access to 5 key applications to authorized persons for authorized purposes. The extent of these weaknesses demonstrates that information security is an agencywide challenge. An underlying cause of these weaknesses is that IRS had not yet fully implemented certain elements of its agencywide information security program. As a result, it had not adequately identified or assessed risks in order to determine needed security measures, implemented or complied with policies to meet those needs, promoted adequate security awareness and training, and monitored the effectiveness of policies or mitigated known security vulnerabilities. IRS management is committed to completing such an agencywide program. Until it does, however, IRS will remain at heightened risk of access to critical data by unauthorized persons--individuals who could obtain personal taxpayer data to perpetrate identity theft and commit financial crimes.
GAO-03-44, Information Security: Progress Made, but Weaknesses at the Internal Revenue Service Continue to Pose Risks
This is the accessible text file for GAO report number GAO-03-44
entitled 'Information Security: Although Progress Made, Weaknesses at
the Internal Revenue Service Continue to Pose Risks' which was released
on May 30, 2003.
This text file was formatted by the U.S. General Accounting Office
(GAO) to be accessible to users with visual impairments, as part of a
longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to the Subcommittee on Technology, Information Policy,
Intergovernmental Relations, and the Census, Committee on Government
Reform, House of Representatives:
United States General Accounting Office:
GAO:
May 2003:
Information Security:
Progress Made, but Weaknesses at the Internal Revenue Service Continue
to Pose Risks:
GAO-03-44:
GAO Highlights:
Highlights of GAO-03-44, a report to the Chairman and Ranking Minority
Member of the Subcommittee on Technology, Information Policy,
Intergovernmental Relations, and the Census, Committee on Government
Reform, House of Representatives
Why GAO Did This Study:
As part of its annual audits of IRS's financial statements, GAO
assessed the effectiveness of information security controls at certain
IRS facilities and over certain specific applications--controls meant
to protect IRS's information systems and taxpayer data. Because the
detailed reports that followed these reviews contained sensitive
information and could be detrimental to the government if released to
the public, they were issued only to IRS and congressional requesters.
This public report is based on 18 such reports issued during the
3-year period ending July 31, 2002. Although it does not identify
specific IRS facilities or applications, the report does provide GAO's
assessment of the overall effectiveness of IRS's information security.
What GAO Found:
IRS has made and continues to make important progress toward improving
its information security and implementing a comprehensive information
security program. Nonetheless, weaknesses continue to threaten the
confidentiality, integrity, and availability of sensitive systems and
taxpayer data. IRS's implementation of logical access controls--those
designed to ensure that only authorized individuals can read, alter,
or delete data--has been inconsistent and accounts for three quarters
of the 765 general control weaknesses found at the 11 facilities
reviewed. Weaknesses in the other four control categories (see
breakdown below) have further reduced IRS's effectiveness in
physically securing its assets, separating incompatible duties among
individuals, preventing unauthorized changes to software programs, and
ensuring the agency's ability to continue operations after an
unexpected interruption. In addition, 112 application control
weaknesses hindered IRS's ability to limit access to 5 key
applications to authorized persons for authorized purposes. The extent
of these weaknesses demonstrates that information security is an
agencywide challenge.
An underlying cause of these weaknesses is that IRS had not yet fully
implemented certain elements of its agencywide information security
program. As a result, it had not adequately identified or assessed
risks in order to determine needed security measures, implemented or
complied with policies to meet those needs, promoted adequate security
awareness and training, and monitored the effectiveness of policies or
mitigated known security vulnerabilities.
IRS management is committed to completing such an agencywide program.
Until it does, however, IRS will remain at heightened risk of access
to critical data by unauthorized persons--individuals who could obtain
personal taxpayer data to perpetrate identity theft and commit
financial crimes.
What GAO Recommends:
To assist IRS in implementing an effective agencywide information
security program, GAO is recommending that the Commissioner of
Internal Revenue direct the chief information officer and the senior
management official for each operating division to assess risks and
evaluate security needs, establish and implement adequate policies and
controls, enhance security awareness and training, and monitor the
effectiveness of controls and mitigate known weaknesses, as detailed
in this report. IRS generally agreed with the report and
recommendations.
www.gao.gov/cgi-bin/getrpt?GAO-03-44.
To view the full report, including the scope
and methodology, click on the link above.
For more information, contact Robert F. Dacey at (202) 512-3317 or
daceyr@gao.gov.
[End of section]
Contents:
Letter:
Results in Brief:
Background:
Objectives, Scope, and Methodology:
Although Improvements Made, Information Security Weaknesses Still Pose
Risks:
IRS Has Not Fully Implemented Elements of Its Agencywide Security
Program:
Conclusions:
Recommendations for Executive Action:
Agency Comments:
Appendix I: Comments from the Internal Revenue Service:
Figures:
Figure 1: Number of Control Weaknesses Found at IRS Facilities:
Figure 2: Breakdown of Weaknesses by General Control Category:
Abbreviations:
CIO: Chief Information Officer
IRS: Internal Revenue Service
GISRA: Government Information Security Reform Act
NIST: National Institute of Standards and Technology
NSA: National Security Agency
OMB: Office of Management and Budget:
United States General Accounting Office:
Washington, DC 20548:
May 30, 2003:
The Honorable Adam H. Putnam
Chairman
The Honorable William Lacy Clay, Jr.
Ranking Minority Member
Subcommittee on Technology, Information Policy,
Intergovernmental Relations, and the Census
Committee on Government Reform
House of Representatives:
As part of our annual audits of the Internal Revenue Service's (IRS)
financial statements, we assessed the effectiveness of computer-related
general controls at certain IRS facilities and computer controls over
certain applications.[Footnote 1] For each facility or application
assessed, we issued a detailed report to the IRS Chief Information
Officer (CIO) that discusses facility-specific or application-specific
results, conclusions, and recommendations. These reports are designated
for "Limited Official Use Only" because of the sensitive nature of the
information they contain and because release to the public could be
detrimental to the government. During the 3-year period ending July 31,
2002, we issued 14 facility-specific reports and 4 application-specific
reports.
This report summarizes our analysis of the information contained in
those 18 reports and provides our assessment of the overall
effectiveness of IRS's computer controls intended to protect the
confidentiality, integrity, and availability of systems and taxpayer
data. It also identifies key issues affecting IRS's ability to
effectively implement an agencywide information security program and
the status of its actions to do so. We are addressing this report to
you in response to your request.
Results in Brief:
IRS has made important progress toward improving information security
controls and implementing an agencywide information security program.
It has implemented various safeguards designed to help protect its
systems from external attack and has established information security
policies, standards, and guidelines that, if effectively implemented,
would protect its information systems from many threats. Nonetheless,
computer control weaknesses continued to threaten the confidentiality,
integrity, and availability of sensitive systems and taxpayer data.
IRS's inconsistent implementation of logical access controls at its
facilities did not effectively prevent, limit, or detect access to
computing resources. In addition, weaknesses in other information
system controls (including physical security, segregation of duties,
software change controls, and service continuity) reduced IRS's
effectiveness in protecting and controlling physical access to assets,
minimizing the risk of errors or fraud, mitigating the risk of
unauthorized or inappropriate software programs, and ensuring the
continuity of data processing operations when unexpected interruptions
occur. Further, access to key computer applications was not always
limited to authorized persons for authorized purposes. These weaknesses
increased the vulnerability of data processed by IRS's information
systems and continued to expose IRS's tax processing operations to
disruption.
An underlying cause for these weaknesses was that, although it had made
important progress, IRS had not yet fully implemented certain elements
of its agencywide information security program. As a result, the agency
was not adequately (1) identifying and assessing risks to determine
needed security measures; (2) establishing and implementing policies
and controls to meet those needs; (3) promoting awareness and providing
security-related training so that employees understand the risks and
the policies and controls that mitigate them; or (4) monitoring and
evaluating established policies and controls, and mitigating known
security vulnerabilities. IRS has acknowledged the seriousness of its
information security weaknesses and has revised its approach to
implementing the agencywide information security program. Until IRS can
fully implement an effective program and adequately mitigate these
weaknesses, it will remain at heightened risk of access to critical
hardware and software by unauthorized individuals, who could
intentionally or inadvertently add, alter, or delete sensitive data or
computer programs. Such individuals could possibly obtain personal
taxpayer information and use it to commit financial crimes in the
taxpayer's name (identity fraud), such as establishing credit and
incurring debt.
To assist IRS in implementing an effective agencywide information
security program, we are making recommendations to the IRS Commissioner
that address these issues.
In providing written comments on a draft of this report, the
Commissioner of Internal Revenue generally agreed with the report, and
indicated that IRS is acting to implement our recommendations.
Background:
Information security is a critical consideration for any organization
that depends on information systems and computer networks to carry out
its mission or business. It is especially important for government
agencies, where the public's trust is essential. The dramatic expansion
in computer interconnectivity and the rapid increase in the use of the
Internet are changing the way our government, the nation, and much of
the world communicate and conduct business. Without proper safeguards
these changes pose enormous risks that make it easier for individuals
and groups with malicious intent to intrude into inadequately protected
systems and use such access to obtain sensitive information, commit
fraud, disrupt operations, or launch attacks against other computer
systems and networks.
Protecting the computer systems that support critical operations and
infrastructures has never been more important because of the concern
about attacks from individuals and groups with such malicious intent,
including terrorists. These concerns are well founded for a number of
reasons, including the dramatic increases in reported information
security incidents, the ease of obtaining and using hacking tools, the
steady advance in the sophistication and effectiveness of attack
technology, and the dire warnings of new and more destructive attacks
to come.
Computer-supported federal operations are likewise at risk. Our
previous reports, and those of agency inspectors general, describe
persistent information security weaknesses that place a variety of
critical federal operations, including those at IRS, at risk of
disruption, fraud, and inappropriate disclosure.[Footnote 2] This body
of audit evidence led us, in 1997, to designate information security
as a governmentwide high-risk area in reports to the
Congress.[Footnote 3] It remains so today.[Footnote 4]
How well federal agencies are addressing these risks is a topic of
increasing interest in both the Congress and the executive branch. This
is evidenced by recent hearings on information security[Footnote 5] and
recent legislation intended to strengthen information
security.[Footnote 6] In addition, the administration undertook other
important actions to improve information security, such as integrating
information security into the President's Management Agenda Scorecard.
Moreover, the Office of Management and Budget (OMB) and the National
Institute of Standards and Technology (NIST) have issued security
guidance to agencies.
IRS Is a Major Steward of Personal Taxpayer Information:
In its role as the nation's tax collector, IRS is responsible for
collecting taxes, processing tax returns, and enforcing the nation's
tax laws. In fiscal year 2002, it processed about 200 million tax
returns, accounted for approximately $2 trillion in collections, and
paid about $281 billion in refunds to taxpayers. To efficiently fulfill
its tax processing responsibilities, IRS relies extensively on
interconnected computer systems to perform various functions, such as
collecting and storing taxpayer data, processing tax returns,
calculating interest and penalties, generating refunds, and providing
customer service.
Due to the nature of its mission, IRS collects and maintains a
significant amount of personal and financial data on each American
taxpayer. These data typically include the taxpayer's name, address,
Social Security number, dependents, income, sources of certain types of
income, and certain deductions and expenses. The confidentiality of
this sensitive information is important because if this information is
disclosed to unauthorized individuals, taxpayers could be exposed to a
loss of privacy and to financial loss and damages resulting from
identity theft and financial crimes.
To help provide information security for its operations and assets
(including computing resources and taxpayer information), IRS has
developed and is implementing an agencywide information security
program. According to IRS, this program will, among other things, (1)
ensure the confidentiality, integrity, and availability of information;
(2) assign management responsibility for certifying the adequacy of
security controls to protect information; (3) establish individual
accountability for the data, information, and other information
technology resources to which individuals have access; (4) ensure the
audit capability of all information systems; and (5) provide the
ability to maintain processing during and following an emergency. To
accomplish these goals, IRS has developed and published information
security policies, guidelines, standards, and procedures in the
Internal Revenue Manual, Law Enforcement Manual, and other documents.
IRS's CIO is responsible for developing and maintaining this agencywide
information security program and ensuring that (1) it provides
information security for the operations and assets of the agency and
(2) the agency effectively implements and maintains prescribed
information security policies, procedures, and control techniques. The
senior management official in each of IRS's operating
divisions,[Footnote 7] with the assistance of the CIO, is responsible
for (1) assessing the information security risks associated with the
operations and systems over which the official has control, (2)
determining the levels of information security appropriate to protect
such operations and systems, and (3) periodically testing and
evaluating the effectiveness of information security controls and
techniques. IRS's Chief of Security Services is the agency's senior
agency information security official, responsible for ensuring that IRS
has effective security programs in place to adequately safeguard
taxpayer records, employees, facilities, systems, and other resources.
According to IRS, the operating budget for Security Services is about
$24.5 million for fiscal year 2003.
We Have Previously Reviewed IRS Information Security:
Since 1992, we have reviewed the effectiveness of IRS information
security in connection with our annual audit of IRS's financial
statements.[Footnote 8] The results of these reviews have led us each
year to designate information security as a material weakness.[Footnote
9] We have also evaluated information security at IRS as a result of
congressional requests. For example, in 1998, at the request of the
Chairman and Ranking Minority Member of the Senate Committee on
Governmental Affairs, we evaluated IRS's progress in correcting
previously reported information security weaknesses.[Footnote 10] We
determined that although IRS had made significant progress in improving
information security, serious weaknesses continued to exist at its
facilities because the agency had not yet fully institutionalized its
information security program. We recommended that IRS continue its
actions to implement certain controls and to complete the
implementation of an effective agencywide information security program.
We have also evaluated information security controls for IRS's
electronic filing systems. The Chairman of the Senate Committee on
Governmental Affairs requested that we assess the effectiveness of key
computer controls designed to ensure the security, privacy, and
reliability of IRS's electronic filing systems and electronically filed
taxpayer information. In 2001, we reported that IRS had not adequately
secured access to its electronic filing systems or to the
electronically transmitted tax return information those systems
contained during the 2000 tax filing season because IRS had not taken
adequate steps to assess security risks and monitor the effectiveness
of security controls on an ongoing basis.[Footnote 11] We provided
technical recommendations that addressed specific access control
weaknesses and also recommended, among other things, that IRS implement
procedures to assess risks and monitor the effectiveness of security
controls over electronic filing systems on an ongoing basis. Last year,
we again evaluated IRS's actions to resolve the information security
weaknesses affecting its electronic filing systems and provided
congressional testimony disclosing that IRS had substantially improved
safeguards that controlled external access to its electronic filing
systems and to the electronically transmitted tax return data those
systems contained.[Footnote 12] However, additional improvements were
still needed to protect the electronically transmitted data on those
systems from unauthorized access attempts by users of IRS's internal
network.
Objectives, Scope, and Methodology:
The objectives of our review were to (1) determine whether IRS has
implemented effective computer controls to protect the confidentiality,
integrity, and availability of sensitive systems and taxpayer data, and
(2) determine whether IRS has fully implemented its agencywide
information security program.
To determine the effectiveness of IRS computer controls and whether IRS
had fully implemented its agencywide information security program, we
considered the results of the 14 facility-specific general control
reviews at 11 IRS facilities and 5 application control reviews[Footnote
13] that we performed in connection with our audits of IRS's financial
statements for fiscal years 1998 through 2001. We performed those
reviews using the audit methodology described in our Federal
Information System Controls Audit Manual,[Footnote 14] which discusses
the scope of such reviews and the type of testing required for
evaluating computer controls intended to:
* limit, detect, or monitor logical and physical access to sensitive
computing resources and facilities, thereby protecting them from
unauthorized disclosure, modification, and use;
* ensure that work responsibilities are segregated so that one
individual does not perform or control key aspects of computer-related
operations and thereby have the ability to conduct unauthorized actions
or gain unauthorized access to assets or records;
* prevent unauthorized programs or modifications to existing programs
from being implemented;
* minimize the risk of unplanned interruptions and recover critical
computer processing operations if interruptions occur; and
* implement an agencywide information security program that includes a
continuing cycle of assessing risk, implementing and promoting policies
and procedures to increase awareness and reduce such risk, monitoring
the effectiveness of those measures, and effectively coordinating those
activities.
We consolidated and analyzed the information contained in reports of
those reviews to determine, on an agencywide basis, the nature and
extent of information security weaknesses affecting IRS systems and
taxpayer data. We also assessed the sufficiency of IRS's information
security policies and guidance by reviewing and comparing them with
guidance issued by NIST, OMB, the National Security Agency (NSA), and
certain vendors of software products used by IRS. In addition, we
obtained and reviewed information-security-related documents and met
with IRS security officials to discuss the status of efforts to correct
reported weaknesses and fully implement the IRS information security
program. We also tested and observed controls over certain network
devices to determine whether IRS securely configured them to minimize
the risk of unauthorized access.
Further, we determined the status of IRS actions to resolve reported
information security weaknesses. We requested and evaluated written
statements from IRS on actions taken to address recommendations made in
the 14 facility-specific and 4 application-specific reports. We also
conducted follow-up visits at four facilities to test the effectiveness
of IRS's actions to resolve general control weaknesses identified in
five reports.
Our review was performed at IRS headquarters and our headquarters in
Washington, D.C., from September 2002 through March 2003, in accordance
with generally accepted government auditing standards.
Although Improvements Made, Information Security Weaknesses Still Pose
Risks:
IRS has made important progress toward improving information security
controls. It has acknowledged the seriousness of its information
security weaknesses and the risks they pose to its operations, and has
again designated information security as a material weakness in the
Department of the Treasury's fiscal year 2002 accountability
report.[Footnote 15] It has also developed a plan of action and
milestones to resolve the material weakness by March 31, 2004.
IRS has increased the resources devoted to securing its systems and
data--increasing, for example, the number of specialists assigned to
Security Services (formerly the Office of Systems Standards and
Evaluation) from about 60 in 1998 to 97 in 2003. It has also
implemented and improved control measures that limit physical access to
facilities and computing resources, and has established a virus
protection and eradication program, including regular updates from its
software suppliers. Further, IRS now has a 24-hour-a-day, 7-day-a-week
Computer Security Incident Response Capability team, which provides
safeguards against various cyber threats. For example, IRS has
installed firewalls and intrusion detection systems on its network,
which the team monitors for security-related events. The agency also
asserts that it has upgraded its headquarters continuity of operations
plan and enhanced its master files disaster recovery
capability.[Footnote 16]
In addition, IRS is acquiring redundant communications capabilities to
ensure that its executives have connectivity with the Department of the
Treasury, law enforcement, and staff affected by incidents. It is also
consolidating several of its geographically dispersed computer systems
and centralizing responsibility for their operation and maintenance.
Although IRS has made important progress, it has not consistently
implemented effective computer controls. Organizations can implement a
number of different types of controls to protect computing resources.
These include logical access controls--which ensure that only
authorized individuals can read, alter, or delete data--and other
information system controls. Such other controls include (1) physical
security; (2) software change controls, which ensure that only
authorized software programs are implemented; (3) segregation of
duties, which reduces the risk that one individual can independently
perform inappropriate actions without detection; and (4) service
continuity, which ensures that computer-dependent operations
experience no significant disruptions.
However, computer-related weaknesses in these areas continued to
pervade the IRS facilities we reviewed between 1999 and 2002. As figure
1 illustrates, many control weaknesses were found at each of the 11
facilities.
Figure 1: Number of Control Weaknesses Found at IRS Facilities:
[See PDF for image]
[A] We performed multiple reviews at these sites. The number of general
control weaknesses indicated in this chart represents the total number
of new weaknesses identified at each site during those reviews.
Weaknesses were counted only once at each site. If a weakness was
identified in a prior review but was not corrected and still existed
during a subsequent review at the same site, it was not counted again.
[End of figure]
Of the 14 general control reviews performed at the 11 facilities
depicted in figure 1, 3 were done at site B, 2 at site E, and 1 at each
of the remaining 9 sites. These reviews identified a total of 765
general control weaknesses at the 11 facilities. The number of new
weaknesses identified in individual reviews ranged from 14 to 80, and
averaged about 54. The large number of weaknesses at each IRS facility
reviewed demonstrates that addressing information security is an
agencywide challenge.
Moreover, weaknesses appeared in all general control categories, as
illustrated in figure 2.
Figure 2: Breakdown of Weaknesses by General Control Category:
[See PDF for image]
[End of figure]
The majority of the weaknesses appear in logical access controls.
Although not as numerically significant as logical access controls,
weaknesses in other information system controls were found at each IRS
facility reviewed and also presented significant risk to IRS systems
and taxpayer data.
Logical Access Controls Were Often Inadequate:
IRS's implementation of logical access controls at its facilities does
not effectively prevent, limit, or detect access to computing
resources. A basic management objective for any organization is to
protect its information systems and critical data from unauthorized
access. Organizations accomplish this by designing and implementing
logical access controls that are intended to prevent, limit, and detect
unauthorized access to computing resources. These controls include user
accounts and passwords, access rights and permissions, network services
and security, and audit and monitoring. Inadequate logical access
controls diminish the reliability of computerized data and increase the
risk of unauthorized disclosure, modification, and use of sensitive
systems and taxpayer data.
User Accounts and Passwords:
A computer system must be able to identify and differentiate among
users so that activities on the system can be linked to specific
individuals. Unique user accounts assigned to specific users allow
systems to distinguish one user from another, a process called
identification. The system must also establish the validity of a user's
claimed identity through some means of authentication, such as a secret
password, known only to its owner. The combination of identification
and authentication, such as user account and password combinations,
provides the basis for establishing individual accountability and
controlling access to the system. Accordingly, agencies (1) implement
procedures to control the creation, use, and removal of user accounts,
and (2) establish password parameters, such as length, life, and
composition, to strengthen the effectiveness of account and password
combinations for authenticating the identity of users.
IRS did not adequately control user accounts and passwords to ensure
that only authorized individuals were allowed access to computer
systems. Weaknesses with the administration of user accounts and the
configuration of password parameters created opportunities for
individuals to masquerade as other users and potentially gain
inappropriate access to computing resources, as the following examples
illustrate.
* IRS did not always promptly remove inactive or unused accounts at each
of the 11 facilities. Inactive accounts indicate that owners no longer
need the access privileges provided by the accounts and may be
attractive targets for individuals attempting to gain unauthorized
access since the account owners may not notice illicit activity on the
accounts.
* Users often created passwords that were common words or contained
only alphabetic characters at eight facilities. The use of such
passwords increases the possibility that someone could guess or crack
the passwords based on personal knowledge of the users or through
password-cracking software.
* IRS did not require passwords for certain accounts at eight
facilities, significantly increasing the risk that unauthorized users
could inappropriately utilize the access privileges provided by these
accounts.
* IRS did not consistently configure certain password parameters
securely, such as required password length and expiration, thereby
increasing the risk that someone could guess the password and be able
to use the compromised password for an extended period of time.
Weaknesses in controls over user accounts and passwords diminish the
overall effectiveness of these controls in preventing individuals from
gaining unauthorized access to computing resources and in tracing
system activity back to the correct individual.
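The four account and password findings above can be expressed as checks a security administrator runs against exported account data. This is an added example, not GAO's or IRS's code; the policy thresholds, record layout and sample accounts are assumptions constructed for illustration.

```python
"""Account and password-parameter audit over constructed account records.

Added example (not GAO's or IRS's code). Models the findings in the text:
inactive accounts left in place, accounts with no password, passwords that
are common words or purely alphabetic, and weak length/expiration settings.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class PasswordPolicy:
    """Hypothetical parameters; not IRS's actual policy values."""
    min_length: int = 8
    max_age_days: int = 90        # password expiration
    inactive_days: int = 90       # remove accounts idle longer than this
    common_words: frozenset = frozenset({"password", "welcome", "summer"})


@dataclass
class Account:
    name: str
    last_login: Optional[date]        # None = never logged in
    has_password: bool
    password_set: Optional[date]      # when the current password was set
    password_max_age: Optional[int]   # per-account expiration; None = never expires


def check_password_composition(password: str, policy: PasswordPolicy) -> List[str]:
    """Return the reasons a candidate password fails the composition rules
    (empty list means it is acceptable). Run at password-change time."""
    reasons = []
    if len(password) < policy.min_length:
        reasons.append("shorter than minimum length")
    if password.isalpha():
        reasons.append("alphabetic characters only")
    if password.lower() in policy.common_words:
        reasons.append("common word")
    return reasons


def audit_accounts(accounts: List[Account], policy: PasswordPolicy,
                   today: date) -> List[Tuple[str, str]]:
    """Return (account, finding) pairs for every policy violation found."""
    findings = []
    for a in accounts:
        if not a.has_password:
            findings.append((a.name, "no password required"))
        idle = (today - a.last_login).days if a.last_login else None
        if idle is None or idle > policy.inactive_days:
            findings.append((a.name, "inactive account not removed"))
        if a.password_max_age is None or a.password_max_age > policy.max_age_days:
            findings.append((a.name, "password expiration too long or disabled"))
        if (a.has_password and a.password_set
                and (today - a.password_set).days > policy.max_age_days):
            findings.append((a.name, "password older than maximum age"))
    return findings


# Constructed sample data; names and dates are illustrative only.
POLICY = PasswordPolicy()
TODAY = date(2002, 7, 31)
SAMPLE_ACCOUNTS = [
    Account("jsmith", TODAY - timedelta(days=5), True, TODAY - timedelta(days=30), 90),
    Account("svc_batch", TODAY - timedelta(days=200), False, None, None),
    Account("tmp_contractor", None, True, TODAY - timedelta(days=400), 365),
]

if __name__ == "__main__":
    for name, finding in audit_accounts(SAMPLE_ACCOUNTS, POLICY, TODAY):
        print(f"{name}: {finding}")
    print("summer ->", check_password_composition("summer", POLICY))
```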
Access Rights and Permissions:
A basic underlying principle for securing computer systems and data is
the concept of least privilege. This means that users are granted only
those access rights and permissions needed to perform their official
duties. Organizations establish access rights and permissions to
restrict the access of legitimate users to the specific programs and
files that they need to do their work. User rights are allowable
actions that can be assigned to users or groups. File and directory
permissions are rules associated with a file or directory that regulate
which users can access them and in what manner. Assignment of rights
and permissions must be carefully considered to avoid giving users
unintentional and unnecessary access to sensitive files and
directories.
However, IRS did not sufficiently restrict user rights and file
permissions on its computer systems. The agency sometimes granted
access rights to users above and beyond those needed to perform their
computer-related job responsibilities and created files with excessive
file permissions, as the following examples illustrate.
* IRS inappropriately established excessive permissions for certain
files at seven facilities. Files with these permissions can be modified
by any user on the system, greatly increasing the risk that a user may,
intentionally or inadvertently, make unauthorized changes to the file
contents.
* IRS granted powerful operating system privileges to users who had no
documented need for such rights at 10 facilities.
Inappropriate access to sensitive files and directories can enable a
successful intruder or legitimate user to gain privileged administrator
access to the system. This access also creates the possibility that
users might unintentionally modify or destroy system files. Such lapses
can compromise the integrity of the operating system and the privacy of
the data that reside on these systems.
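The "excessive file permissions" finding above (files any user on the system can modify) is something a file system sweep can detect. This is an added example, not GAO's or IRS's code; it builds a throwaway directory tree with constructed modes and reports world-writable entries, plus setuid/setgid executables as privileges that need a documented justification. It assumes a POSIX file system.

```python
"""Sweep a directory tree for excessive permissions (added example, not
GAO's or IRS's code). Flags world-writable files and directories (a sticky
world-writable directory such as /tmp is tolerated) and setuid/setgid
executables, which the text treats as privileges needing a documented need.
Assumes POSIX mode bits."""
import os
import shutil
import stat
import tempfile
from typing import List, Tuple


def find_permission_issues(root: str) -> List[Tuple[str, str]]:
    """Return sorted (relative path, issue) pairs for entries under root."""
    issues = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            mode = st.st_mode
            if stat.S_ISLNK(mode):
                continue  # judge the target, not the link
            rel = os.path.relpath(path, root)
            sticky_dir = stat.S_ISDIR(mode) and bool(mode & stat.S_ISVTX)
            if mode & stat.S_IWOTH and not sticky_dir:
                issues.append((rel, "world-writable"))
            if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                issues.append((rel, "setuid/setgid executable: documented need required"))
    return sorted(issues)


def build_sample_tree() -> str:
    """Construct a temporary tree with deliberately chosen modes (sample
    data only). Caller removes it with shutil.rmtree."""
    root = tempfile.mkdtemp(prefix="perm_audit_")
    layout = {
        "etc/app.conf": 0o666,     # world-writable config: finding
        "etc/secure.conf": 0o640,  # correctly restricted
        "bin/helper": 0o4755,      # setuid helper: review required
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    os.makedirs(os.path.join(root, "tmp"))
    os.chmod(os.path.join(root, "tmp"), 0o1777)    # sticky: tolerated
    os.makedirs(os.path.join(root, "shared"))
    os.chmod(os.path.join(root, "shared"), 0o777)  # world-writable dir: finding
    return root


def run_sample_audit() -> List[Tuple[str, str]]:
    root = build_sample_tree()
    try:
        return find_permission_issues(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rel, issue in run_sample_audit():
        print(f"{rel}: {issue}")
```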
Network Services and Security:
Networks are series of interconnected devices and software that allow
individuals to share data and computer programs. Because sensitive
programs and data are stored on or transmitted along networks,
effectively securing networks is essential to protecting computing
resources and data from unauthorized access, manipulation, and use.
Organizations secure their networks, in part, by limiting the services
that are available on the network and by installing and configuring
network devices that permit authorized network service requests and
deny unauthorized requests. Network services consist of protocols for
transmitting data between computers. Network devices include (1)
firewalls designed to prevent unauthorized access into the network, (2)
routers that forward data along the network, (3) switches that filter
and forward information among parts of a network, and (4) servers that
host applications and data. Insecurely configured network services and
devices can make a system vulnerable to internal or external threats,
such as denial-of-service attacks.[Footnote 17] Since networks provide
the entry point for access to electronic information assets, failure to
secure them increases the risk of unauthorized use of sensitive data
and systems.
IRS did not always securely control network services or configure
devices to prevent unauthorized access to and ensure the integrity of
computer systems operating on its networks. The agency enabled
unnecessary, outdated, and misconfigured network services on certain
servers and sometimes configured certain network devices in such a
manner that it did not effectively reduce the risk of misuse or
unauthorized access to computing resources on its networks, as the
following examples demonstrate.
* Intruders could have gained valuable information about systems
without logging in at 9 facilities.
* Insecure remote access existed on its systems at 10 facilities.
* IRS was running easily exploitable and unnecessary services on
servers at 10 facilities.
Running vulnerable network services and insecurely configuring network
devices increase the risk of system compromise, such as unauthorized
access to and manipulation of sensitive system data, disruption of
services, and denial of service.
Audit and Monitoring:
Determining what, when, and by whom specific actions were taken on a
system is crucial to establishing individual accountability, monitoring
compliance with security policies, and investigating security
violations. Organizations accomplish this by implementing system or
security software that provides an audit trail for determining the
source of a transaction or attempted transaction and monitoring users'
activities. How organizations configure the system or security software
determines the nature and extent of audit trail information that is
provided. To be effective, organizations (1) configure the software to
collect and maintain sufficient audit trail information[Footnote 18]
for security-relevant events;[Footnote 19] (2) generate reports that
selectively identify unauthorized, unusual, and sensitive access
activity; and (3) regularly monitor and take action on these reports.
Without sufficient auditing and monitoring, organizations increase the
risk that they may not detect unauthorized activities or policy
violations.
IRS did not consistently audit or monitor computer system activity. The
agency did not (1) establish audit trails on some systems, (2) collect
sufficient audit trail information on other systems, or (3) routinely
review audit trail reports to monitor user activities on some systems
to ensure that users were performing only authorized actions, as the
following examples illustrate.
* IRS did not activate the system feature to collect audit trail
information on key systems at 4 facilities.
* IRS did not capture all security-relevant events in audit logs on
certain systems at 10 facilities.
* IRS did not adequately review audit information or monitor system
activity on certain systems at 7 facilities. For example, agency
personnel had not reviewed the audit configuration settings on certain
systems to ensure that they produced complete audit records. Where
records existed, they were not reviewed to determine if violations had
occurred.
As a result, increased risk exists that IRS may not detect unauthorized
system activity or determine which users are responsible.
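The three steps described above (collect sufficient audit data for security-relevant events, report unusual activity, act on the report) can be demonstrated on constructed records. This is an added example, not GAO's or IRS's code; the required event classes, the log line format, the admin list and the review thresholds are assumptions chosen for illustration.

```python
"""Audit-trail coverage check and log review over constructed records
(added example, not GAO's or IRS's code). Step 1 compares a system's audit
configuration with the event classes assumed to be required; steps 2 and 3
parse sample log lines and report the unusual activity a reviewer should act on."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# Security-relevant event classes assumed to be required by policy (assumption).
REQUIRED_EVENT_CLASSES = frozenset({
    "logon", "logon_failure", "account_management", "privilege_use", "policy_change",
})


def audit_config_gaps(enabled_classes: Iterable[str]) -> List[str]:
    """Step 1: event classes the system is configured NOT to collect."""
    return sorted(REQUIRED_EVENT_CLASSES - set(enabled_classes))


def parse_event(line: str) -> Dict[str, object]:
    """Parse a constructed line: '<iso-time> <host> <class> key=value ...'."""
    ts, host, cls, *pairs = line.split()
    event: Dict[str, object] = {"time": datetime.fromisoformat(ts), "host": host, "class": cls}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def review(events: List[Dict[str, object]], admins: set, fail_threshold: int = 3,
           window: timedelta = timedelta(minutes=10),
           business_hours: Tuple[int, int] = (7, 19)) -> List[Tuple[str, str]]:
    """Steps 2 and 3: report (user, finding) pairs a reviewer must follow up."""
    findings = []
    failures = defaultdict(list)  # user -> recent failure timestamps
    for ev in sorted(events, key=lambda e: e["time"]):
        cls, user, when = ev["class"], ev.get("user", "?"), ev["time"]
        if cls == "logon_failure":
            recent = failures[user]
            recent.append(when)
            while recent and when - recent[0] > window:   # slide the window
                recent.pop(0)
            if len(recent) == fail_threshold:              # report once per burst
                findings.append((user, "repeated logon failures"))
        elif cls == "account_management" and user not in admins:
            findings.append((user, "account change by non-administrator"))
        elif cls == "privilege_use" and not business_hours[0] <= when.hour < business_hours[1]:
            findings.append((user, "privileged action outside business hours"))
    return findings


# Constructed sample log; hosts, users and addresses are illustrative only.
SAMPLE_LOG = """
2002-07-15T09:00:01 host1 logon user=jsmith result=ok
2002-07-15T09:01:10 host1 logon_failure user=rjones src=10.0.0.5
2002-07-15T09:01:40 host1 logon_failure user=rjones src=10.0.0.5
2002-07-15T09:02:05 host1 logon_failure user=rjones src=10.0.0.5
2002-07-15T09:30:00 host1 account_management user=jsmith action=add_user target=tmp99
2002-07-15T23:15:00 host1 privilege_use user=opadmin action=su
2002-07-15T10:00:00 host1 logon_failure user=jsmith src=10.0.0.7
"""
ADMINS = {"opadmin"}  # assumed list of authorized account administrators


def run_sample_review() -> List[Tuple[str, str]]:
    events = [parse_event(line) for line in SAMPLE_LOG.strip().splitlines()]
    return review(events, ADMINS)


if __name__ == "__main__":
    print("not collected:", audit_config_gaps(["logon", "logon_failure"]))
    for user, finding in run_sample_review():
        print(f"{user}: {finding}")
```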
Other Information System Controls Were Also Inadequate:
In addition to logical access controls, other important information
system controls help ensure the confidentiality, integrity, and
availability of systems and data at IRS facilities. These controls
include policies, procedures, and techniques that physically secure
data processing facilities and resources, properly segregate computing
resources and incompatible duties among computer personnel, prevent
unauthorized software changes, and effectively ensure the continuation
of computer processing service if an unexpected interruption occurs.
Despite the many information system controls that IRS has implemented,
weaknesses in these areas increase the risk of unauthorized access,
disclosure, and modification of data.
Physical Security:
Physical security controls should be designed to prevent vandalism and
sabotage, theft, accidental or deliberate alteration or destruction of
information or property, attacks on personnel, and unauthorized access
to computing resources. These controls include those that prevent,
limit, and detect access to facility grounds, buildings, and sensitive
work areas. Examples of physical security controls include perimeter
fencing, surveillance cameras, security guards, and locks. On occasion,
persons other than regularly authorized personnel may be granted access
to facilities. An agency should control visitors using a variety of
techniques, such as providing escorts, checking identification,
requiring prior notice, and identifying visitors to staff by means of
badges. Inadequate physical security could lead to the loss of life and
property, the disruption of service and functions, and the unauthorized
disclosure of documents and information.
Although IRS has implemented many physical security controls, certain
weaknesses reduced their effectiveness in protecting and controlling
physical access to facility grounds, buildings, and sensitive work
areas, as the following examples illustrate.
* Inadequate physical barriers, unlocked doors, or other control issues
weakened perimeter security at 10 facilities.
* IRS did not always effectively screen visitors seeking access to
certain facilities.
* At 8 facilities, as visitors left the premises, IRS did not
consistently collect visitor badges to prevent subsequent unauthorized
entry.
As a result, increased risk exists that unauthorized individuals could
gain access to facility grounds, buildings, sensitive computing
resources, and taxpayer data without detection.
Segregation of Duties:
Segregation of duties refers to the policies, procedures, and
organizational structure that help ensure that one individual cannot
independently control all key aspects of a process or computer-related
operation and thereby conduct unauthorized actions or gain unauthorized
access to assets or records. Often, segregation of duties is achieved
by dividing responsibilities among two or more organizational groups.
Dividing duties among two or more individuals or groups diminishes the
likelihood that errors and wrongful acts will go undetected because the
activities of one individual or group will serve as a check on the
activities of the other. Inadequate segregation of duties increases the
risk that erroneous or fraudulent transactions could be processed,
improper program changes implemented, and computer resources damaged or
destroyed.
IRS did not consistently separate incompatible computer-related
activities among individuals. For example, it did not sufficiently
separate incompatible system administration and security
administration duties at its facilities. To illustrate, it did not
always divide among individuals the responsibility for adding and
deleting systems users from the responsibility for maintaining system
audit logs. IRS also assigned incompatible operating system privileges
to users, such as granting auditing privileges to system administrators
at 10 facilities. As a result, increased risk exists that errors or
fraud could occur. For example, these individuals could add fictitious
users with elevated access privileges and perform unauthorized system
activity without detection.
Software Change Control:
Also important for an organization's information security is ensuring
that only authorized software programs are placed in operation. This is
accomplished by instituting policies, procedures, and techniques that
help make sure that all programs and program modifications are properly
authorized, tested, and approved. To protect approved software programs
from unauthorized changes, software development and test activities
should not be performed on the same systems used to process production
data and transactions. Moreover, access to programs should be
restricted to authorized individuals only. Failure to do so increases
the risk that unauthorized programs or changes could be, inadvertently
or deliberately, placed into operation.
IRS did not institute sufficient controls over its software change
procedures at some of the facilities reviewed to ensure that only
authorized or current software programs were placed in operation. It
also did not consistently protect software programs in the operating
environment from the risk of unauthorized modification, as the
following examples illustrate.
* IRS had not established sufficient control mechanisms at two
facilities to ensure that the facilities received all of the program
updates sent by the IRS national office.
* IRS personnel at one facility did not routinely perform post-
implementation reviews of emergency software changes, as is required,
to determine the propriety and effectiveness of the changes, thereby
increasing the risk that unnecessary or unauthorized software was
installed as emergency changes.
* Software developer accounts and/or software development tools were
placed on production servers at five facilities. Such accounts and
tools increase the risk that individuals could make unauthorized
changes to the production software on these servers.
These software change control weaknesses at IRS facilities reduced the
integrity and reliability of data processed by IRS systems.
Service Continuity:
Service continuity controls should be designed to ensure that when
unexpected events occur, critical operations continue without
interruption or are promptly resumed and critical and sensitive data
are protected. These controls include (1) environmental controls and
procedures designed to protect information resources and minimize the
risk of unplanned interruptions and (2) a well-tested plan to recover
critical operations should interruptions occur. If service continuity
controls are inadequate, even relatively minor interruptions can result
in lost or incorrectly processed data, which can cause financial
losses, expensive recovery efforts, and inaccurate or incomplete
financial or management information.
Although progress has been made, weaknesses in service continuity
controls limit IRS's ability to restore and continue data processing
service after a service disruption or emergency occurs. For example:
* IRS had not developed disaster recovery plans for certain key systems
at seven facilities, thereby increasing the risk that IRS employees at
these facilities would not know how to recover these systems and resume
operations if unexpected disruptions occur.
* IRS had not adequately tested certain service continuity plans at
five facilities, thereby reducing assurance that employees are
adequately trained and planned procedures are sufficient to promptly
recover and restore essential information systems and business
operations.
As a result, IRS has diminished assurance that, in case of an
unexpected interruption, it will be able to protect or recover
essential information and critical business processes, potentially
affecting its ability to accomplish its mission and serve taxpayers.
Application Controls Were Insufficient to Mitigate Risk:
Application controls help ensure that transactions are valid, properly
authorized, and completely and accurately processed by the computer. An
application is a program, or group of programs, utilized by end-users
to complete specific tasks, such as financial recording or payroll.
Application controls include authorization controls that ensure that
only authorized transactions by authorized users are entered into the
system. Authorization controls are similar to logical access controls
in that they help to ensure that (1) individual accountability is
maintained, (2) only authorized transactions are processed, (3) the
rights and privileges of users are limited to what is required for
completing job-related duties, and (4) inappropriate or unauthorized
activities are prevented or detected. For example, requiring users to
enter account name/password combinations during log-on to the
application helps ensure that only authorized users are accessing the
application. Lack of such controls increases the risk that inaccurate
or unauthorized transactions will be processed.
IRS did not consistently ensure that access to key computer
applications was limited to authorized persons for authorized purposes.
We reported 112 application control weaknesses during our reviews of
five applications. Authorization control weaknesses, including those
related to password controls, assigning access privileges, and
monitoring user accounts, increased the risk of unauthorized
disclosure, modification, or use of the applications and taxpayer data,
as the following examples illustrate.
* Users created weak passwords on two of the five applications
reviewed, thereby increasing the likelihood that someone could guess or
crack their passwords.
* IRS granted certain employees rights and privileges that exceeded
what their duties required on four applications reviewed.
* IRS did not always promptly revoke access rights of terminated
employees to an application used for accessing taxpayer records.
As a result, increased risk exists that someone could gain unauthorized
access to application and taxpayer data.
IRS Has Corrected Many Reported Weaknesses:
IRS has made important progress in correcting the general and
application control weaknesses that we reported on during the 3-year
period ending July 31, 2002. We performed follow-up general control
reviews for 5 of the 14 facility-specific reports issued during this
period. On the basis of these follow-up reviews, we determined that IRS
had corrected or mitigated the risk of just over half of the weaknesses
(about 57 percent; 137 of 242). In addition, IRS asserts that it has
corrected about a quarter of the weaknesses (about 23 percent; 122 of
523) identified in the remaining 9 reports. These corrective actions
include (1) enhancing the effectiveness of IRS's network security
controls that protect against external attempts to gain unauthorized
access to IRS's internal systems and (2) enhancing, implementing, and
testing the disaster recovery capability for the mission-critical
master files. IRS has also corrected or mitigated the risk of over half
(about 55 percent; 62 of 112) of the application control weaknesses
reported for the 4 applications in the four application reports.
In addition, IRS has developed a plan of actions and milestones for
resolving its material weakness in information security. The plan
addresses the remaining work to be accomplished, which includes:
* reexamining its security roles and responsibilities;
* analyzing security roles and responsibilities to assist it in
developing implementation processes and improve accountability;
* improving its security criteria;
* mapping its policies and procedures to governmentwide security
guidance to ensure the development of robust security criteria; and
* identifying, prioritizing, and certifying its sensitive systems.
The plan identifies (1) corrective actions, (2) the agency organization
responsible for correcting the weakness, (3) key milestones with
completion dates, and (4) the status of actions. It indicates that the
planned completion date for resolving the material weakness is March
31, 2004, when IRS executives are scheduled to meet to validate the
effectiveness of the corrective actions.
IRS Has Not Fully Implemented Elements of Its Agencywide Security
Program:
An underlying cause for the numerous weaknesses in information system
controls at IRS facilities is that, although IRS has made progress, it
has not fully implemented certain elements of its agencywide
information security program. Our study of strong security management
practices, as summarized in our 1998 Executive Guide,[Footnote 20]
found that leading organizations handle their information security
risks through an ongoing cycle of risk management. This process
involves (1) establishing a centralized management function to
coordinate the continuous cycle of activities while providing guidance
and oversight for the security of the organization as a whole; (2)
assessing risks and determining what security measures are needed; (3)
establishing and implementing policies and controls that meet those
needs; (4) promoting security awareness so that users understand the
risks and the related policies and controls in place to mitigate those
risks; and (5) monitoring policies and controls to ensure that they are
appropriate and effective and that known weaknesses are promptly
mitigated.
IRS has effectively implemented the first key element of the program:
the Office of Security Services serves as the central focal point for
coordinating, guiding, evaluating, and overseeing information security
program activities. It has also taken steps to implement its agencywide
program. For example, IRS has revised its information technology
security policies and guidance to include the latest guidance on
information security issued by OMB and NIST. It has also updated the
specific security roles and responsibilities for its senior officials,
managers, security personnel, and system users. In addition, IRS
routinely reviews the effectiveness of information security at its
facilities and is implementing automated tools to assist with the
monitoring and auditing of the agency's computer systems. However, IRS
has not yet fully or effectively implemented other elements of the
program. These shortcomings undermine the agency's efforts to secure
its facilities, systems, and sensitive data.
Assessing Risks and Determining Needs:
Understanding the risks associated with information systems is a key
element of an information security program. The Federal Information
Security Management Act of 2002 and its predecessor, the Government
Information Security Reform provisions,[Footnote 21] require all
federal agencies to develop comprehensive information security programs
based on assessing and managing risks.[Footnote 22] To help ensure that
information systems are adequately protected from associated risks,
federal organizations can perform risk assessments, develop system
security plans, and formally authorize the use of each system before it
becomes operational.
Risk Assessments:
Identifying and assessing information security risks are essential
steps in determining what controls are required and what level of
resources should be expended on controls. IRS policy requires that a
risk assessment be performed at periodic intervals, commensurate with
the sensitivity and criticality of data processed, but no less
frequently than every 3 years if no assessment has been performed
during that period.
However, at the time of our reviews, IRS had not assessed risks for
many of its systems. According to the Treasury Inspector General for
Tax Administration's Report on the Government Information Security
Reform provisions for IRS for Fiscal Year 2002, only 34 percent of
IRS's reported 305 sensitive systems had been assessed for risk. The
lack of risk assessments indicates that IRS had not done all it was
required to do to understand and manage risks to its systems.
Inadequate assessment of risks can lead to the implementation of
inadequate or inappropriate security controls that do not address the
system's true risks and costly efforts to subsequently implement
effective controls. According to IRS officials, they recognized the
predicament caused by the long-standing practice of not assessing risks
for individual systems. Until the risk assessments are complete, IRS
officials stated that other risk management activities, such as on-site
information security reviews and network scans to identify vulnerable
systems, would assist in identifying risks. Also, under its information
security plan of actions and milestones, IRS has an emphasis on
certification and accreditation and is committed to have all its
sensitive systems certified by 2004.
System Security Plans:
Once a risk assessment has been performed, it can serve as a basis for
defining system security requirements and identifying and selecting
appropriate and cost-effective security controls. Federal information
security laws and OMB Circular A-130, Appendix III, require that system
security plans be prepared for all federal systems that contain
sensitive information. The purpose of these plans is to (1) provide an
overview of the security requirements of the system and describe the
controls in place or planned for meeting those requirements; (2)
delineate responsibilities and expected behavior of all individuals who
access the system; and (3) serve as documentation of the structured
process of planning adequate, cost-effective security protection for a
system. IRS policy requires that all its applications and general
support systems be covered by system security plans and that the plans
be updated at least every 3 years or when significant changes to the
systems occur. To facilitate consistency and ease in preparing system
security plans, IRS has developed a comprehensive template that
includes the required elements for a security plan.
IRS had not developed or updated system security plans for many of its
systems. According to the Treasury Inspector General for Tax
Administration's Report on the Government Information Security Reform
provisions for IRS for Fiscal Year 2002, only 34 percent of IRS's
reported 305 sensitive systems had an up-to-date security plan. Without
current, comprehensive security plans, IRS has no assurance that all
aspects of security have been considered in determining the security
requirements of its sensitive systems and that adequate protection has
been provided to meet those requirements.
System Authorization:
OMB and IRS also require management officials to formally authorize the
use of each general support system and major application before it
becomes operational, when a significant change occurs, and at least
every 3 years thereafter.[Footnote 23] IRS employs a certification and
accreditation process for authorizing the use of its systems and
applications. System certification is based on a technical evaluation
of an information system to see how well it meets its security
requirements, including all applicable federal laws, policies,
regulations, and standards. System accreditation is the written
management authorization for a system to operate and/or process
information. IRS requires that this authorization be based on a
complete and reliable assessment of the management, operational, and
technical controls that are in place to mitigate the vulnerabilities to
which the system is exposed, and assurance that the controls function
as intended. In addition, IRS requires that a risk assessment,
contingency plan, system security plan, and rules of behavior have been
developed and are in place before a system can be authorized for
processing.
However, IRS managers had not authorized the use of many of IRS's
systems. According to the Department of the Treasury's 2002 annual
program review required by the Government Information Security Reform
provisions (P.L. 106-398), only about 35 percent of IRS's sensitive
systems have been authorized for processing following the completion of
system certification and accreditation. Thus, about 65 percent of IRS's
sensitive systems were deployed and operating without written
management authorization and, potentially, without the benefit of a
comprehensive assessment of their security controls. The lack of
authorization indicates that systems' managers have not reviewed and
accepted responsibility for the adequacy of the security controls
implemented on their systems and increases the risk that systems will
be deployed with security vulnerabilities.
The risks associated with not certifying and accrediting systems are
particularly significant for IRS since many of its systems are designed
and developed centrally at one facility and then deployed for operation
at multiple facilities. Thus, the deployment of a centrally developed,
insecurely configured system may introduce security vulnerabilities at
multiple facilities. Indeed, personnel at the IRS facilities reviewed
stated that information systems were deployed with some of the insecure
system configurations identified during our tests.
Establishing and Implementing Policies and Controls:
Another key element of an effective information security program, as
identified during our study of information security management
practices at leading organizations, is establishing and implementing
appropriate policies and related controls. Establishing or documenting
security policies is important because they are the primary mechanism
by which management communicates its views and requirements and serve
as the basis for adopting specific procedures and technical controls.
In addition, agencies need to take the actions necessary to effectively
implement or execute these procedures and controls. Otherwise, agency
systems and information will not receive the protection provided by the
security policies and controls.
IRS has established a substantial set of information security policies,
standards, and guidelines that generally provides appropriate guidance
to personnel responsible for securing IRS information systems and data.
Yet, there were instances in which security policies or implementing
guidelines for certain systems either did not address certain security
controls or were not consistent with strong security practices. These
shortcomings pertained to the configuration and use of certain network
services and devices, password parameters (such as password age and
length), and the assignment of certain operating system rights.
Overall, though, IRS has established information security policies,
standards, and guidelines that, if effectively implemented, would
protect its information systems from many threats.
Effective implementation and compliance have, however, been a problem.
IRS routinely did not effectively implement or comply with its
policies, standards, and guidelines for securing information systems.
About 30 percent of all weaknesses we reported during the 3-year period
existed because IRS personnel did not perform procedures, configure
systems, or implement controls in accordance with IRS policies and
guidelines. Moreover, about half of the weaknesses identified during
our three most recent information security reviews were the result of
IRS personnel not implementing established policies and guidelines.
Implementing and complying with appropriate information security
policies, standards, and guidelines are essential elements of an
effective security program.
Two factors contributed to the creation of these security weaknesses.
First, the procedures IRS established to certify and accredit its
systems are designed to ensure that the systems comply with established
security policies and standards. However, as discussed, IRS's
historically inconsistent performance in certifying and accrediting its
information systems may have resulted in the deployment of systems that
were not configured in accordance with agency policies and standards.
Second, the agency has not established sufficient methods for holding
personnel accountable for implementing security policies and controls.
According to an IRS official, performance standards and measures that
address compliance with information security policies have not been
incorporated into performance appraisal mechanisms for IRS executives,
managers, and users. Until such performance standards and measures are
developed and incorporated into the appraisal process, agency personnel
may not devote sufficient attention and effort to implementing
effective security controls. The inconsistent application of security
policies and controls increases the risk that unauthorized access,
loss, or manipulation of sensitive systems and data may occur.
Promoting Security Awareness and Training:
Another important element of an information security program involves
promoting awareness and providing required training so that users
understand the risks and their role in implementing related policies
and controls to mitigate those risks. Computer intrusions and security
breakdowns often occur because computer users fail to take appropriate
security measures. For this reason, it is vital that employees who use
computer systems in their day-to-day operations be aware of the
importance and sensitivity of the information they handle, as well as
the business and legal reasons for maintaining its confidentiality,
integrity, and availability. OMB Circular A-130, Appendix III, provides
that employees be trained on how to fulfill their security
responsibilities before being allowed access to sensitive systems.
Federal information security laws mandate that all federal employees
and contractors involved with the management, use, or operation of
federal computer systems be provided periodic training in information
security awareness and accepted information security practice.
IRS has developed and implemented several methods for notifying
employees of their security-related responsibilities. These include
specifying security roles and responsibilities in various policy
manuals and documents available to employees, requiring computer users
to certify that they understand the system security rules for all
information systems to which they have been granted access, and
requiring each employee to receive a mandatory annual awareness
briefing that focuses on the protection against and prevention of
willful unauthorized access and inspection of taxpayer returns or tax
return information.
However, the extent of noncompliance with IRS security policies and
guidelines suggests that some IRS employees are either unaware of their
responsibilities or insensitive to the need for implementing important
information system controls. Although IRS had specified security roles
and responsibilities in policy manuals, it had not, at the time of our
reviews, linked them to executive, manager, and user positions in IRS's
operating divisions. According to IRS security officials, some
operating division managers had inappropriately believed that
implementing security controls on their systems was not their
responsibility but, rather, was the responsibility of Security Services
personnel. In addition, IRS did not consistently provide sufficient
security-related training to key security personnel. For example,
security administrators at four IRS facilities possessed limited
knowledge, and had not received training, about certain technical
controls of system software they monitored. Insufficient technical
security knowledge among key security personnel increases the risk that
they will not promptly detect and mitigate security weaknesses.
Monitoring the Effectiveness of Controls and Mitigating Weaknesses:
The final key element of an information security program is ongoing
testing and evaluation to ensure that systems are in compliance with
policies, and that policies and controls are both appropriate and
effective. This type of oversight is a fundamental element because it
demonstrates management's commitment to the security program, reminds
employees of their roles and responsibilities, and identifies and
mitigates areas of noncompliance and ineffectiveness. For these
reasons, OMB Circular A-130, Appendix III, directs that the security
controls of major information systems be independently reviewed or
audited at least every 3 years. Although monitoring in itself may
encourage compliance with security policies, the full benefits of
monitoring are not achieved unless the results improve the security
program. Analyzing the results of monitoring efforts, as well as
security reviews performed by external audit organizations, provides
security specialists and business managers with a means of (1)
identifying new problem areas, (2) reassessing the appropriateness of
existing controls, and (3) identifying the need for new controls.
The IRS Office of Security Services has established a program for
reviewing and evaluating controls over IRS's information systems.
During fiscal year 2002, IRS reported that it performed 258 information
security reviews at key facilities, including computing centers,
development centers, campuses, and area offices. These included
physical security reviews, operations reviews, communications security
reviews, disaster recovery/business resumption reviews, and technical
control reviews over its mainframe, Unix, and Windows NT systems.
However, IRS did not always take full advantage of review or audit
results to proactively improve security controls at its facilities.
Specifically, it did not take sufficient steps to ensure that
weaknesses identified at one facility were promptly considered and
addressed at other facilities. Our reviews have consistently identified
weaknesses at IRS facilities that were previously identified at other
facilities. About 61 percent of the weaknesses identified during the
3-year period covered by this report were found at more than one
facility. For example, nine facilities allowed access to certain system
information without requiring a log-on. We first reported this weakness
at a facility in 1999 and continued to report it at other facilities
through 2001. Further, IRS sometimes did not act to ensure that
weaknesses identified on one system were considered and addressed on
other similar systems at the same facility. For example, during a
follow-up review at one facility, an IRS official said he believed that
the facility had effectively corrected certain previously reported
vulnerabilities because facility employees had corrected the
vulnerabilities on the specific systems that were evaluated during the
prior review. However, they did not consider or correct the same
vulnerabilities on other similar systems that were not included in the
prior review.
As weaknesses are identified, it is important to determine whether
those weaknesses exist on similar systems at the same facility or at
other facilities because of the degree of standardization that exists
among similar systems and facilities. The lack of sufficient procedures
to proactively ensure that weaknesses found at an IRS facility or on a
system are considered and, if necessary, corrected at other facilities
or on similar systems could lead to a false sense of security and
expose IRS systems and data to increased, unnecessary risks.
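The cross-facility check this section describes, as an added example that is not code from the GAO report or from IRS: a small findings register that, for one reported weakness, classifies every system of the affected platform at every facility as corrected, still open, or never examined, and computes the share of weaknesses that recur across facilities. Facility names, system names, years and weakness identifiers are constructed sample data.

```python
"""Propagating an audit finding to similar systems and other facilities.

Added example, not code from the GAO report or from IRS. It models the
step the report found missing: when a weakness is reported on one system,
every system of the same platform, at the same facility and elsewhere,
must be considered and, if necessary, corrected. All facility names,
system names, years and weakness identifiers below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class System:
    facility: str
    name: str
    platform: str  # the report reviewed mainframe, Unix and Windows NT systems


@dataclass(frozen=True)
class Finding:
    weakness: str    # short identifier for the reported weakness
    platform: str    # platform the weakness applies to
    facility: str
    system: str
    year: int        # year the weakness was reported
    corrected: bool  # whether the facility reported it corrected


# Constructed inventory: three facilities with Unix, mainframe and NT systems.
INVENTORY = [
    System("Facility A", "unix-01", "unix"),
    System("Facility A", "unix-02", "unix"),
    System("Facility A", "mf-01", "mainframe"),
    System("Facility B", "unix-01", "unix"),
    System("Facility B", "nt-01", "windows_nt"),
    System("Facility C", "unix-01", "unix"),
    System("Facility C", "unix-02", "unix"),
]

# Constructed findings. "info-without-logon" stands for the report's example
# of system information readable without a log-on, first seen at one facility
# and then reported at others in later years.
FINDINGS = [
    Finding("info-without-logon", "unix", "Facility A", "unix-01", 1999, True),
    Finding("info-without-logon", "unix", "Facility B", "unix-01", 2000, True),
    Finding("info-without-logon", "unix", "Facility C", "unix-01", 2001, False),
    Finding("weak-password-age", "windows_nt", "Facility B", "nt-01", 2001, True),
]


def propagation_status(inventory, findings, weakness):
    """Classify every system of the affected platform, at every facility, as
    'corrected', 'open' (reported but not fixed) or 'unexamined' (never
    reviewed for this weakness). The 'unexamined' list is the work the
    report says was skipped: siblings at the same facility and systems at
    other facilities."""
    relevant = sorted((f for f in findings if f.weakness == weakness),
                      key=lambda f: f.year)
    if not relevant:
        raise ValueError(f"no findings recorded for weakness {weakness!r}")
    platform = relevant[0].platform
    # The latest finding for a system decides its state.
    state = {(f.facility, f.system): "corrected" if f.corrected else "open"
             for f in relevant}
    result = {"corrected": [], "open": [], "unexamined": []}
    for s in inventory:
        if s.platform == platform:
            key = (s.facility, s.name)
            result[state.get(key, "unexamined")].append(key)
    return result


def recurrence_rate(findings):
    """Fraction of distinct weaknesses reported at more than one facility
    (the report puts this figure at about 61 percent for IRS)."""
    facilities = defaultdict(set)
    for f in findings:
        facilities[f.weakness].add(f.facility)
    if not facilities:
        return 0.0
    recurring = sum(1 for fac in facilities.values() if len(fac) > 1)
    return recurring / len(facilities)


def reporting_span(findings, weakness):
    """First and last year a weakness was reported anywhere; a wide span
    signals that the finding was not propagated when first reported."""
    years = [f.year for f in findings if f.weakness == weakness]
    return (min(years), max(years)) if years else None


if __name__ == "__main__":
    status = propagation_status(INVENTORY, FINDINGS, "info-without-logon")
    for label, systems in status.items():
        print(f"{label:>10}: {systems}")
    print(f"recurring across facilities: {recurrence_rate(FINDINGS):.0%}")
    print("reported from", *reporting_span(FINDINGS, "info-without-logon"))
```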
IRS Is Taking Action to Improve Its Information Security Program:
IRS has acknowledged the seriousness of its information security
weaknesses and is taking action to improve its agencywide information
security program. The program is in transition from a facility-based
approach to an enterprise-based approach, which is aligned with IRS's
reorganized operating divisions and the centralized information
management within Modernization, Information Technology, and Security
Services. This approach, led by Security Services, depends on the
support of various IRS organizations to implement and monitor
corrective actions. This includes defining specific security roles and
responsibilities for executive, manager, and user positions throughout
the agency, including those in the operating divisions. Ongoing efforts
to adequately mitigate weaknesses are primarily focused on developing
and implementing consistent security procedures for all operating
divisions, ensuring day-to-day execution of these procedures, and
certifying the backlog of uncertified systems.
However, until IRS can fully implement an effective agencywide
information security program and adequately mitigate its information
security weaknesses, it will remain at heightened risk of access to
critical hardware and software by unauthorized individuals, who could
intentionally or inadvertently add, alter, or delete sensitive data or
computer programs. Such individuals could possibly obtain personal
taxpayer information and use it to commit financial crimes in the
taxpayer's name (identity fraud), such as establishing credit and
incurring debt.
Conclusions:
IRS has made important progress toward improving information security
controls and implementing an agencywide information security program.
Yet, much work remains to be done to resolve significant control
weaknesses that continue to exist within its computing environment and
to enable IRS to promptly address new security threats and risks as
they emerge. We have previously provided IRS with many detailed
recommendations for mitigating the individual weaknesses summarized in
this report. Ensuring that known weaknesses affecting IRS's computing
resources are promptly mitigated and that computer controls effectively
protect its systems and data requires support and leadership from
senior management of IRS's information technology and operating
divisions, disciplined processes, and consistent oversight.
Implementing an effective agencywide information security program
requires that IRS take a comprehensive approach that includes assessing
risks and evaluating needs, establishing and implementing appropriate
policies and controls, enhancing awareness and technical skills, and
monitoring the effectiveness of controls on an ongoing basis. Further,
a successful program will need the active and accountable involvement
of both (1) operating division executives and managers who understand
which aspects of their missions and information systems are the most
critical and sensitive and (2) technical experts who know the agency's
systems and understand the technical aspects of implementing security
controls. Until IRS effectively and fully implements its agencywide
information security program, assurance will remain limited that IRS's
financial information and taxpayers' personal information are
adequately safeguarded against unauthorized use, disclosure, and
modification, and its exposure to these risks will remain unnecessarily
high.
Recommendations for Executive Action:
To implement an effective agencywide information security program, we
recommend that the IRS Commissioner direct the Chief Information
Officer and the senior management official of each operating division
to do the following:
* Assess risks and evaluate security needs by:
* performing risk assessments for all systems;
* developing security plans for all systems; and:
* certifying and accrediting all systems before they become
operational, upon significant change, and at least every 3 years
thereafter.
* Establish and implement adequate information security policies and
controls by:
* updating security policies or implementing guidelines pertaining to
the configuration and use of certain network services and devices,
password parameters, and the assignment of certain operating system
rights, to be consistent with strong security practices;
* testing and assessing security controls and configurations of systems
before deployment for compliance with established security policies and
standards; and:
* establishing and incorporating performance standards for compliance
with security policies and procedures in the performance appraisal
process for IRS executives and managers in the information technology
and operating divisions.
* Enhance information security awareness and training programs by:
* providing training to IRS employees and contractors, including
executives, managers, and users, and including those in the information
technology and operating divisions, on their security roles and
responsibilities; and:
* providing security-related training commensurate with job-related
responsibilities to security personnel.
* Monitor the effectiveness of controls and mitigate known information
security weaknesses by establishing and implementing procedures to
proactively ensure that weaknesses found at an IRS facility or on a
system are considered and, if necessary, corrected at other facilities
or on similar systems.
Agency Comments:
In providing written comments on a draft of this report (which are
reprinted in appendix I), the Commissioner of Internal Revenue
generally agreed with the report, and indicated that IRS is acting to
implement our recommendations. The Commissioner noted that safeguarding
taxpayer information is one of IRS's highest priorities and that the
agency continues to strengthen its security controls. According to the
Commissioner, IRS is taking several steps to (1) assess risk and
evaluate its security needs, (2) establish and consistently implement
information security policies and controls, (3) implement a computer
security training program, and (4) develop executive-level feedback
mechanisms to monitor the effectiveness of controls to ensure that
corrective actions are implemented on an enterprisewide basis.
If you have any questions or need further information about the
material contained in this report, please contact Gregory C. Wilshusen,
Assistant Director, at (202) 512-6244, or me at (202) 512-3317. We can
also be reached by E-mail at wilshuseng@gao.gov or daceyr@gao.gov,
respectively. Other key contributors to this report include Ramnik
Dhaliwal, Suzanne Lightman, and Evelyn Logue.
Robert F. Dacey
Director, Information Security Issues:
Signed by Robert F. Dacey:
[End of section]
Appendix I: Comments from the Internal Revenue Service:
DEPARTMENT OF THE TREASURY INTERNAL REVENUE SERVICE WASHINGTON, D.C. 20224:
COMMISSIONER:
May 16, 2003:
Mr. Robert F. Dacey:
Director, Information Security Issues U.S. General Accounting Office:
441 G Street, N.W. Washington, D.C. 20548:
Dear Mr. Dacey:
I have reviewed the General Accounting Office (GAO) report entitled,
Information Security: Although Progress Made, Weaknesses at the
Internal Revenue Service Continue to Pose Risks, (GAO-03-44, May 2003).
I assure you that safeguarding taxpayer information is one of our
highest priorities. As you acknowledged in this report, we have
continued to strengthen important security controls throughout the
three year review period as GAO brought audit findings to our
attention.
Since 1997, GAO has designated information security as a
government-wide, high-risk area. In 1997, we established a facility-based approach
to secure our physical environment and to focus on resolving
vulnerabilities of our most critical tax processing systems and data.
The GAO acknowledged that we implemented many significant corrective
actions under this approach, but that several internal control
weaknesses continue to exist. In this report, you indicated we have
adequately mitigated external physical vulnerabilities, but that we
need to continue to focus on the internal vulnerabilities of our
systems.
We agree with this assessment and as a result, in FY2002, we began
transitioning the security program from a facility-based approach to an
enterprise-based approach, which is aligned with our reorganized
business units and the centralized information management within
Modernization, Information Technology and Security Services (MITSS).
This approach relies on the involvement of the IRS leadership and
managers, and focuses on identifying, mitigating, and resolving control
risks throughout the IRS by implementing consistent and appropriate
security policies, training, and monitoring processes. We believe this
approach will improve our overall security program and mitigate much of
the identified computer security weaknesses.
This report focuses on resolving inconsistencies and making needed
improvements. However, I would like to mention some of the many
accomplishments of the security program over the last eighteen months
that have significantly strengthened the security of the IRS and
improved consistency in many security-related areas. These
accomplishments include:
* Improved physical security controls at data processing facilities:
* Improved campus and mailroom capabilities by enhancing mail handling
locations, operations, and training:
* Enhanced decision support capabilities by implementing four Situation
Awareness and Management Centers that provide daily reports on physical
and cyber incidents to the IRS senior leaders:
* Upgraded and tested the Headquarters' Continuity of Operations Plan
(COOP):
* Enhanced disaster recovery capability for the Masterfile by
establishing an in-house capability:
* Improved controls, updated standards, and installed security upgrades
for mainframe systems, mid-level computing environments, and electronic
filing systems:
In addition, we strengthened our computer security capabilities by
establishing important operational capabilities to safeguard against
hacking and
terrorist threats. We maintain a virus protection and eradication
program, which includes regular updates from virus software suppliers.
This program is tightly integrated with our 24X7 Computer Security
Incident Response Capability (CSIRC) team, which protects our network
and systems against various cyber threats. In this regard, we can
quickly respond to external and internal electronic intrusions to our
infrastructure.
During the remainder of FY2003 and FY2004 our primary focus will be to
continue implementing strong security measures and mitigating computer
security material weaknesses. We analyzed previous GAO findings on the
computer security material weakness, and identified nine specific areas
needing improvement. These nine areas are being addressed in the Plan
of Actions and Milestones (POA&M) report that we use to monitor
progress by activity and responsible organization. We are also using
the Treasury Security Assessment Framework to prioritize actions, track
progress, and quantify success. We expect to significantly improve the
consistent implementation of security controls by December 2003.
In August and December 2002, and most recently in April 2003, IRS
representatives met with GAO and the Treasury Inspector General for Tax
Administration on the specific actions needed to demonstrate the
adequacy of our material weakness mitigation approach, and presented
the POA&M. We received GAO's concurrence on our strategy. I have
enclosed a description of how this material weakness mitigation
strategy and other efforts address the Recommendations for Executive
Actions.
These report findings, along with GAO's assistance, have been
instrumental in supporting our continuing efforts to improve our
computer security capabilities. If you have any questions, or if you
would like to discuss this response in more detail, please contact me
or Dave A. Mader, Acting Deputy Commissioner, Modernization,
Information Technology and Security Services at (202) 622-6800.
Sincerely,
Mark W. Everson:
Signed by Mark W. Everson:
Enclosure:
The following information outlines the major components of IRS'
security program that address each of GAO's specific recommendations
for executive action:
1. IRS' security program includes continuous activities that assess risk
and evaluate security needs by:
a. Conducting security compliance reviews of logical information
technology controls, physical facility controls, personnel security
controls, and continuity of operations capability at all computing
centers, campuses, and other computer locations that support major
financial systems and infrastructure. For FY2003, we will implement
throughout the agency the National Institute of Standards and
Technology security self-assessment, a component of the Federal
Information Security Management Act:
b. Ensuring that security plans are developed to assess the risk level
of each sensitive system in accordance with acceptable certification
and accreditation criteria:
c. Identifying and prioritizing all sensitive systems for certification
and accreditation, monitoring for re-certification, and reducing the
current backlog of uncertified systems (scheduled to be 75% completed
by September 30, 2003 and 100% complete by September 30, 2004):
2. IRS' corrective action plan to mitigate computer security material
weakness will consistently establish and implement adequate information
security policies and controls to:
a. Adequately restrict electronic access to and within computer network
operational components by issuing appropriate guidelines, standards,
and procedures, as well as a change control process for network
standards:
b. Adequately ensure that access to key computer applications and
systems is limited to authorized persons for authorized purposes by
issuing new and updated computer and physical access controls, and
personnel security requirements:
c. Consistently implement configuration and change control management
processes to optimally configure system software to ensure the security
and integrity of system programs, files, and data, and include testing
and assessing of security controls before deploying systems:
d. Effectively monitor key networks and systems to identify
unauthorized activities and inappropriate system configurations by
deploying auditing standards, procedures, and notification processes:
In addition, IRS will develop and incorporate a written performance
standard to address executive and manager responsibilities for
effective security controls for all activities under their
jurisdiction. This performance standard will be included
as a "Commitment" in all FY2004 executive performance plans. (Because
an employee must serve a minimum of 120 days under a standard before
he/she can be rated against it, we cannot implement a security standard
for the FY2003 performance period, which ends on September 30.):
3. IRS' corrective action plan for computer security material weakness
will consistently establish, enhance, and implement an adequate
computer security training program by:
a. Appropriately defining security roles and responsibilities for
executives, managers, users, system administration, security
administration, database administration, user administration,
operations, and software development, including contractors, as well
as developing appropriate security awareness and training mechanisms:
b. Sufficiently providing security awareness and technical
security-related training commensurate with the daily duties of key
personnel through an updated and targeted security curriculum for
information security professionals:
4. IRS' corrective action plan for computer security material weakness
will include executive level feedback mechanisms to monitor
effectiveness of controls and to mitigate known weakness to ensure that
we:
a. Provide reports and metrics to accountable executives on the state
of compliance with security controls that have an enterprise-wide
impact
b. Apply appropriate corrective actions enterprise-wide for
consistent implementation and stronger overall security controls.
[End of section]
FOOTNOTES
[1] General controls are the structure, policies, and procedures that
apply to an organization's overall computer operations. They establish
the environment in which application systems and controls operate.
Application controls are the structure, policies, and procedures that
apply to separate individual application systems.
[2] U.S. General Accounting Office, Information Security: Serious and
Widespread Weaknesses Persist at Federal Agencies, GAO/AIMD-00-295
(Washington, D.C.: Sept. 6, 2000).
[3] U.S. General Accounting Office, High-Risk Series: Information
Management and Technology, GAO/HR-97-9 (Washington, D.C.: February
1997).
[4] U.S. General Accounting Office, High-Risk Series: Protecting
Information Systems Supporting the Federal Government and the Nation's
Critical Infrastructures, GAO-03-121 (Washington, D.C.: January 2003).
[5] U.S. General Accounting Office, Information Security: Progress
Made, but Challenges Remain to Effectively Protect Federal Systems and
the Nation's Critical Infrastructures, GAO-03-564T (Washington, D.C.:
Apr. 8, 2003); Computer Security: Progress Made, but Critical Federal
Operations and Assets Remain at Risk, GAO-03-303T (Washington, D.C.:
Nov. 19, 2002); Information Security: Comments on the Proposed Federal
Information Security Management Act of 2002, GAO-02-677T (Washington,
D.C.: May 2, 2002); and Information Security: Additional Actions Needed
to Implement Reform Legislation, GAO-02-470T (Washington, D.C.: Mar. 6,
2002).
[6] E-Government Act of 2002 (P.L. 107-347, Title III, Section 301,
Dec. 17, 2002); and Government Information Security Reform Provisions
in Fiscal Year 2001 Defense Authorization Act (P. L. 106-398, Division
A, Title X, Subtitle G, Section 1061, Oct. 30, 2000).
[7] IRS has reorganized itself into four major operating divisions,
aligned by types of taxpayers: Wage and Investment, Small Business and
Self-Employed, Large and Mid-Size Business, and Tax Exempt and
Government Entities. The senior management official for each of these
major divisions is a commissioner. Other operating divisions include
Appeals, Chief Counsel, Communications and Liaison, and Criminal
Investigation.
[8] U.S. General Accounting Office, Financial Audit: Examination of
IRS's Fiscal Year 1992 Financial Statements, GAO/AIMD-93-2 (Washington,
D.C.: June 30, 1993).
[9] A material weakness is a condition that precludes the agency's
internal controls from providing reasonable assurance that material
misstatements in the financial statements would be prevented or
detected on a timely basis.
[10] U.S. General Accounting Office, IRS Systems Security: Although
Significant Improvements Made, Tax Processing Operations and Data Still
at Serious Risk, GAO/AIMD-99-38 (Washington, D.C.: Dec. 14, 1998).
[11] U.S. General Accounting Office, Information Security: IRS
Electronic Filing Systems, GAO-01-306 (Washington, D.C.: Feb. 16,
2001).
[12] U.S. General Accounting Office, Tax Administration: IRS Continues
to Face Management Challenges in its Business Practices and
Modernization Efforts, GAO-02-619T (Washington, D.C.: Apr. 15, 2002).
[13] Although five applications were reviewed, only four
application-specific reports were issued. One report contained the results of two
application control reviews.
[14] U.S. General Accounting Office, Federal Information System
Controls Audit Manual, GAO/AIMD-12.19.6 (Washington, D.C.: January
1999).
[15] The Federal Managers' Financial Integrity Act of 1982 (Public Law
97-255) requires the head of each agency to annually prepare a
statement that identifies material weaknesses in the agency's systems
of internal accounting and administrative control and its plans and
schedule for correcting them.
[16] Master files are the large central databases that contain
historical and current detailed information on taxpayers' personal
data, filing status, tax returns, and return-related documents.
[17] A denial-of-service attack is an attack on a network that sends a
flood of useless traffic that prevents legitimate use of the network.
[18] Audit trail information generally includes the (1) date and time
the event occurred, (2) user ID associated with the event, (3) type of
event, and (4) result of the event.
[19] Security-relevant events include (1) successful and unsuccessful
log-on attempts; (2) log-offs; (3) change of password; (4) creation,
deletion, opening, and closing of files; (5) all actions of users with
privileged authority; and (6) program initiation.
[20] U.S. General Accounting Office, Information Security Management:
Learning from Leading Organizations, GAO/AIMD-98-68 (Washington, D.C.:
May 1998).
[21] When we performed our audit work, the two major laws related to
federal computer information security that were in effect were the
Computer Security Act, P. L. No. 100-235, January 8, 1988, and the
Government Information Security Reform provisions (GISRA), Title X,
Subtitle G, P. L. 106-398, October 30, 2000. Effective December 17,
2002, the Federal Information Security Management Act of 2002, Title
III, P. L. 107-347, repealed GISRA and the Computer Security Act and
replaced them with similar, but strengthened provisions.
[22] The February 1996 revision to OMB Circular A-130, Appendix III,
Security of Federal Automated Information Resources, directs agencies
to use a risk-based approach to determine adequate security, including
a consideration of the major factors in risk management: the value of
the system or application, threats, vulnerabilities, and the
effectiveness of current or proposed safeguards. Additional guidance on
effective risk assessment is available in NIST publications and in our
Information Security Risk Assessment: Practices of Leading
Organizations, GAO/AIMD-00-33 (Washington, D.C.: November 1999).
[23] Authorization is sometimes referred to as accreditation.
GAO's Mission:
The General Accounting Office, the investigative arm of Congress,
exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability
of the federal government for the American people. GAO examines the use
of public funds; evaluates federal programs and policies; and provides
analyses, recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO's commitment to
good government is reflected in its core values of accountability,
integrity, and reliability.