Information Security
Continued Efforts Needed to Address Significant Weaknesses at IRS
Gao ID: GAO-09-136 January 9, 2009
The Internal Revenue Service (IRS) relies extensively on computerized systems to carry out its demanding responsibilities to collect taxes (about $2.7 trillion in fiscal years 2008 and 2007), process tax returns, and enforce the nation's tax laws. Effective information security controls are essential to protect financial and taxpayer information from inadvertent or deliberate misuse, improper disclosure, or destruction. As part of its audits of IRS's fiscal years 2008 and 2007 financial statements, GAO assessed (1) the status of IRS's actions to correct previously reported weaknesses and (2) whether controls were effective in ensuring the confidentiality, integrity, and availability of financial and sensitive taxpayer information. To do this, GAO examined IRS information security policies and procedures and other documents; tested controls over key financial applications; and interviewed key agency officials.
IRS has continued to make progress in correcting previously reported information security weaknesses. It has corrected or mitigated 49 of the 115 weaknesses that GAO reported as unresolved during its last audit. For example, the agency (1) implemented controls for unauthenticated network access and user IDs on the mainframe, (2) encrypted sensitive data going across its network, (3) improved the patching of critical vulnerabilities, and (4) updated contingency plans to document critical business processes. However, most of the previously identified weaknesses remain unresolved. For example, IRS continues to, among other things, allow sensitive information, including IDs and passwords for mission-critical applications, to be readily available to any user on its internal network, and grant excessive access to individuals who do not need it. According to IRS officials, they are continuing to address the uncorrected weaknesses and, subsequent to GAO site visits, had completed additional corrective actions. Despite IRS's progress, information security control weaknesses continue to jeopardize the confidentiality, integrity, and availability of financial and sensitive taxpayer information. IRS did not consistently implement controls that were intended to prevent, limit, and detect unauthorized access to its systems and information. For example, IRS did not always (1) enforce strong password management for properly identifying and authenticating users; (2) authorize user access, including access to personally identifiable information, to permit only the access needed to perform job functions; (3) encrypt certain sensitive data; (4) effectively monitor changes on its mainframe; and (5) physically protect its computer resources. A key reason for these weaknesses is that IRS has not yet fully implemented its agencywide information security program to ensure that controls are appropriately designed and operating effectively. Specifically, IRS did not annually review risk assessments for certain systems, comprehensively test for certain controls, or always validate the effectiveness of remedial actions. Until these weaknesses are corrected, the agency remains particularly vulnerable to insider threats and IRS is at increased risk of unauthorized access to and disclosure, modification, or destruction of financial and taxpayer information, as well as inadvertent or deliberate disruption of system operations and services.
Recommendations
Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director:
Team:
Phone:
GAO-09-136, Information Security: Continued Efforts Needed to Address Significant Weaknesses at IRS
This is the accessible text file for GAO report number GAO-09-136
entitled 'Information Security: Continued Efforts Needed to Address
Significant Weaknesses at IRS' which was released on January 9, 2009.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to the Commissioner of Internal Revenue:
United States Government Accountability Office:
GAO:
January 2009:
Information Security:
Continued Efforts Needed to Address Significant Weaknesses at IRS:
GAO-09-136:
GAO Highlights:
Highlights of GAO-09-136, a report to the Commissioner of Internal
Revenue.
Why GAO Did This Study:
The Internal Revenue Service (IRS) relies extensively on computerized
systems to carry out its demanding responsibilities to collect taxes
(about $2.7 trillion in fiscal years 2008 and 2007), process tax
returns, and enforce the nation‘s tax laws. Effective information
security controls are essential to protect financial and taxpayer
information from inadvertent or deliberate misuse, improper disclosure,
or destruction.
As part of its audits of IRS‘s fiscal years 2008 and 2007 financial
statements, GAO assessed (1) the status of IRS‘s actions to correct
previously reported weaknesses and (2) whether controls were effective
in ensuring the confidentiality, integrity, and availability of
financial and sensitive taxpayer information. To do this, GAO examined
IRS information security policies and procedures and other documents;
tested controls over key financial applications; and interviewed key
agency officials.
What GAO Found:
IRS has continued to make progress in correcting previously reported
information security weaknesses. It has corrected or mitigated 49 of
the 115 weaknesses that GAO reported as unresolved during its last
audit. For example, the agency:
* implemented controls for unauthenticated network access and user IDs
on the mainframe,
* encrypted sensitive data going across its network,
* improved the patching of critical vulnerabilities, and,
* updated contingency plans to document critical business processes.
However, most of the previously identified weaknesses remain
unresolved. For example, IRS continues to, among other things, allow
sensitive information, including IDs and passwords for mission-critical
applications, to be readily available to any user on its internal
network, and grant excessive access to individuals who do not need it.
According to IRS officials, they are continuing to address the
uncorrected weaknesses and, subsequent to GAO site visits, had
completed additional corrective actions.
Despite IRS‘s progress, information security control weaknesses
continue to jeopardize the confidentiality, integrity, and availability
of financial and sensitive taxpayer information. IRS did not
consistently implement controls that were intended to prevent, limit,
and detect unauthorized access to its systems and information. For
example, IRS did not always:
* enforce strong password management for properly identifying and
authenticating users;
* authorize user access, including access to personally identifiable
information, to permit only the access needed to perform job functions;
* encrypt certain sensitive data;
* effectively monitor changes on its mainframe; and;
* physically protect its computer resources.
A key reason for these weaknesses is that IRS has not yet fully
implemented its agencywide information security program to ensure that
controls are appropriately designed and operating effectively.
Specifically, IRS did not annually review risk assessments for certain
systems, comprehensively test for certain controls, or always validate
the effectiveness of remedial actions. Until these weaknesses are
corrected, the agency remains particularly vulnerable to insider
threats and IRS is at increased risk of unauthorized access to and
disclosure, modification, or destruction of financial and taxpayer
information, as well as inadvertent or deliberate disruption of system
operations and services.
What GAO Recommends:
To fully implement an agencywide information security program, GAO
recommends that the Commissioner of Internal Revenue (1) ensure risk
assessments for IRS systems are reviewed at least annually and (2)
implement steps to improve the testing and evaluating of controls. In
commenting on a draft of this report, IRS agreed to develop a plan
addressing each of the recommendations.
To view the full product, including the scope and methodology, click on
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-09-136]. For more
information, contact Nancy Kingsbury at (202) 512-2700 or
kingsburyn@gao.gov or Gregory Wilshusen at (202) 512-6244 or
wilshuseng@gao.gov.
[End of section]
Contents:
Letter:
Results in Brief:
Background:
IRS Demonstrated Progress in Correcting Previously Reported Weaknesses:
Weaknesses Placed Financial and Taxpayer Information at Risk:
Conclusions:
Recommendations for Executive Action:
Agency Comments:
Appendix I: Objectives, Scope, and Methodology:
Appendix II: Comments from the Internal Revenue Service:
Appendix III: GAO Contacts and Staff Acknowledgments:
Figure:
Figure 1: Previously Identified Weaknesses at IRS Locations:
Abbreviations:
CIO: Chief Information Officer:
FISMA: Federal Information Security Management Act:
IG: Inspector(s) General:
MITS: Modernization and Information Technology Services:
NIST: National Institute of Standards and Technology:
OMB: Office of Management and Budget:
[End of section]
United States Government Accountability Office:
Washington, DC 20548:
January 9, 2009:
The Honorable Douglas Shulman:
Commissioner of Internal Revenue:
Dear Commissioner Shulman:
The Internal Revenue Service (IRS) has a demanding responsibility in
collecting taxes, processing tax returns, and enforcing the nation's
tax laws. It relies extensively on computerized systems to support its
financial and mission-related operations. Effective information system
controls are essential for protecting the confidentiality, integrity,
and availability of financial and sensitive taxpayer information and
ensuring that information is adequately protected from inadvertent or
deliberate misuse, fraudulent use, improper disclosure, or destruction.
As part of our audit of IRS's fiscal years 2008 and 2007 financial
statements,[Footnote 1] we assessed the effectiveness of the agency's
information security controls[Footnote 2] over key financial systems,
information, and interconnected networks at four locations. These
systems support the processing, storage, and transmission of financial
and sensitive taxpayer information. In our report on IRS's fiscal years
2008 and 2007 financial statements, we reported that the new
information security deficiencies we identified in fiscal year 2008 and
the unresolved deficiencies from prior audits represent a material
weakness[Footnote 3] in internal controls over financial and tax
processing systems.
We assessed (1) the status of IRS's actions to correct or mitigate
previously reported information security weaknesses and (2) whether
controls over key financial and tax processing systems are effective in
ensuring the confidentiality, integrity, and availability of financial
and sensitive taxpayer information. We conducted this work from April
2008 to January 2009, in accordance with generally accepted government
auditing standards. Those standards require that we plan and perform
the audit to obtain sufficient, appropriate evidence to provide a
reasonable basis for our findings and conclusions based on our audit
objectives. We believe that the evidence obtained provides a reasonable
basis for our findings and conclusions based on our audit objectives.
For additional information about our objectives, scope, and
methodology, refer to appendix I.
Results in Brief:
IRS has continued to make progress in correcting previously reported
information security weaknesses. It has corrected or mitigated 49 of
the 115 information security weaknesses that we reported as unresolved
at the time of our last review. For example, the agency implemented
controls for unauthenticated network access and user IDs on the
mainframe, encrypted sensitive data going across its network, improved
the patching of critical vulnerabilities, and updated contingency plans
to document critical business processes. In addition, IRS has several
initiatives under way that are designed to improve information
security, such as implementing a comprehensive plan to address numerous
weaknesses related to network and system access, among other issues.
However, about 57 percent of the previously identified weaknesses
remain unresolved. For example, IRS continues to, among other things,
allow sensitive information, including IDs and passwords for mission-
critical applications, to be readily available to any user on its
internal network, and grant excessive access to individuals who do not
need it. According to IRS officials, they are continuing to address the
uncorrected weaknesses and, subsequent to our site visits, had
completed additional corrective actions.
Despite IRS's progress, information security control weaknesses
continue to jeopardize the confidentiality, integrity, and availability
of financial and sensitive taxpayer information. IRS did not
consistently implement controls that were intended to prevent, limit,
and detect unauthorized access to its systems and information. For
example, IRS did not always (1) enforce strong password management for
properly identifying and authenticating users; (2) authorize user
access, including access to personally identifiable information, to
permit only the access needed to perform job functions; (3) encrypt
certain sensitive data; (4) effectively monitor changes on its
mainframe; and (5) physically protect its computer resources. A key
reason for these weaknesses is that IRS has not yet fully implemented
its agencywide information security program to ensure that controls are
appropriately designed and operating effectively. Specifically, IRS did
not review risk assessments at least annually for certain systems,
comprehensively test certain controls, or always validate the
effectiveness of remedial actions. Until these weaknesses are
corrected, the agency remains particularly vulnerable to insider
threats and IRS is at increased risk of unauthorized access to and
disclosure, modification, or destruction of financial and taxpayer
information, as well as inadvertent or deliberate disruption of system
operations and services.
We are making recommendations to the Commissioner of Internal Revenue
to fully implement a comprehensive agencywide information security
program. In a separate report with limited distribution, we are making
recommendations to correct the specific weaknesses we identified during
our review.
In providing written comments on a draft of this report, the
Commissioner of Internal Revenue stated that the security and privacy
of taxpayer information is of the utmost importance to the agency and
noted that IRS is committed to securing its computer environment as it
continually evaluates processes, promotes user awareness, and applies
innovative ideas to increase compliance. He further stated that IRS
would develop a detailed corrective action plan addressing each of our
recommendations.
Background:
Information security is a critical consideration for any organization
that depends on information systems and computer networks to carry out
its mission or business. It is especially important for government
agencies, where maintaining the public's trust is essential. The
dramatic expansion in computer interconnectivity and the rapid increase
in the use of the Internet have revolutionized the way our government,
our nation, and much of the world communicates and conducts business.
Although this expansion has created many benefits for agencies such as
IRS in achieving their missions and providing information to the
public, it also exposes federal networks and systems to various
threats.
Without proper safeguards, computer systems are vulnerable to
individuals and groups with malicious intent who can intrude and use
their access to obtain sensitive information, commit fraud, disrupt
operations, or launch attacks against other computer systems and
networks. The risks to these systems are well-founded for a number of
reasons, including the dramatic increase in reports of security
incidents, the ease of obtaining and using hacking tools, and steady
advances in the sophistication and effectiveness of attack technology.
For example, the Office of Management and Budget cited[Footnote 4] a
total of 12,198 incidents reported to the U.S. Computer Emergency
Readiness Team (US-CERT)[Footnote 5] by federal agencies during fiscal
year 2007, which is more than twice the number of incidents reported
the prior year. The Federal Bureau of Investigation has identified
multiple sources of threats, including foreign nation states engaged in
intelligence gathering and information warfare, domestic criminals,
hackers, virus writers, and disgruntled employees or contractors
working within an organization. In addition, the U.S. Secret Service
and the CERT Coordination Center[Footnote 6] studied insider threats
and stated in a May 2005 report that "insiders pose a substantial
threat by virtue of their knowledge of, and access to, employer systems
and/or databases."
Our previous reports, and those by federal inspectors general, describe
persistent information security weaknesses that place federal agencies,
including IRS, at risk of disruption, fraud, or inappropriate
disclosure of sensitive information. Accordingly, we have designated
information security as a governmentwide high-risk area since 1997,
[Footnote 7] a designation that remains in force today.
Recognizing the importance of securing federal agencies' information
systems, Congress enacted the Federal Information Security Management
Act (FISMA) in December 2002[Footnote 8] to strengthen the security of
information and systems within federal agencies. FISMA requires each
agency to develop, document, and implement an agencywide information
security program for the information and systems that support the
operations and assets of the agency, using a risk-based approach to
information security management. Such a program includes assessing
risk; developing and implementing cost-effective security plans,
policies, and procedures; providing specialized training; testing and
evaluating the effectiveness of controls; planning, implementing,
evaluating, and documenting remedial actions to address information
security deficiencies; and ensuring continuity of operations.
IRS has demanding responsibilities in collecting taxes, processing tax
returns, and enforcing the nation's tax laws, and relies extensively on
computerized systems to support its financial and mission-related
operations. IRS collected about $2.7 trillion in tax payments in fiscal
years 2008 and 2007; processed hundreds of millions of tax and
information returns; and paid about $426 billion and $292 billion,
respectively, in refunds to taxpayers. Further, the size and complexity
of IRS adds unique operational challenges. The agency employs tens of
thousands of people in its Washington, D.C., headquarters, 10 service
center campuses, 3 computing centers, and numerous other field offices
throughout the United States. IRS also collects and maintains a
significant amount of personal and financial information on each
American taxpayer. The confidentiality of this sensitive information
must be protected; otherwise, taxpayers could be exposed to loss of
privacy and to financial loss and damages resulting from identity theft
or other financial crimes.
The Commissioner of Internal Revenue has overall responsibility for
ensuring the confidentiality, integrity, and availability of the
information and information systems that support the agency and its
operations. FISMA requires the Chief Information Officers (CIO) at
federal agencies to be responsible for developing and maintaining an
information security program. Within IRS, this responsibility is
delegated to the Associate CIO for Cybersecurity. The Office of
Cybersecurity is within the CIO's Modernization and Information
Technology Services (MITS) organization. The mission of MITS is to
deliver information technology services and solutions that drive
effective tax administration to ensure public confidence. MITS's goals
are to improve service, deliver modernization, increase value, and
assure the security and resilience of IRS information systems and data.
The Office of Cybersecurity is responsible for ensuring IRS's
compliance with federal laws, policies, and guidelines governing
measures to assure the confidentiality, integrity, and availability of
IRS electronic systems, services, and data. The Office of Cybersecurity
is to manage IRS's information security program in accordance with
FISMA, including to perform assessments of risks; track compliance;
identify, mitigate and monitor cybersecurity threats; determine
strategy and priorities; and monitor security program implementation.
In order for IRS organizations to carry out their respective
responsibilities in information security, information security
policies, guidelines, standards and procedures have been developed and
published in the Internal Revenue Manual.
IRS Demonstrated Progress in Correcting Previously Reported Weaknesses:
Although IRS has continued to make progress toward correcting
previously reported information security weaknesses at three data
centers and an additional facility, many deficiencies remain. It has
corrected or mitigated 49 of the 115 information security weaknesses
that we reported as unresolved at the time of our last review. IRS
corrected weaknesses related to access controls, including physical
security, among others. For example, it has:
* implemented controls for unauthenticated network access and user IDs
on the mainframe;
* further limited access to its mainframe environment by limiting
access to system management utility functions and mainframe console
commands;
* taken several measures to protect information traversing its network,
such as installing a secure communication service for encryption;
* taken steps to improve its auditing and monitoring capability by
retaining audit logs of security-relevant events for its administrative
accounting system and ensuring that audit logs were being created for
such events on its procurement system;
* removed authority for unrestricted physical access to the computer
room and tape library from individuals who did not need it to perform
their job;
* improved controls over physical access proximity cards;
* enhanced periodic reviews of mainframe configurations;
* improved the disposal of removable media;
* improved patching of critical vulnerabilities, as well as the
timeliness of applying patches at certain facilities; and:
* updated contingency plans to document critical business processes.
In addition, IRS has made progress in improving its information
security program. For example, the agency completed an organizational
realignment, including creation of the Associate CIO for Cybersecurity
position, and has several initiatives under way that are designed to
improve information security. IRS has developed and documented a
detailed road map to guide its efforts in targeting critical
weaknesses. Additionally, it is in the process of implementing a
comprehensive plan to address numerous information security weaknesses,
such as those associated with network and system access, audit trails,
system software configuration, security roles and responsibilities, and
contingency planning. These efforts are a positive step toward
improving the agency's overall information security posture.
Although IRS has moved to correct previously identified security
weaknesses, 66 out of 115 weaknesses--or about 57 percent--remained
open or unmitigated at the time of our site visits (see figure 1).
Figure 1: Previously Identified Weaknesses at IRS Locations:
[Refer to PDF for image]
This figure is a stacked vertical bar graph depicting the following
data:
Previously Identified Weaknesses at IRS Locations:
Location: Data center 1;
Corrective action not fully implemented: 27;
Weakness corrected or mitigated: 21.
Location: Data center 2;
Corrective action not fully implemented: 21;
Weakness corrected or mitigated: 12.
Location: Data center 3;
Corrective action not fully implemented: 10;
Weakness corrected or mitigated: 2.
Location: Other facility;
Corrective action not fully implemented: 8;
Weakness corrected or mitigated: 14.
Source: GAO analysis of agency data.
[End of figure]
Unmitigated deficiencies include those related to access controls, as
well as other controls such as configuration management and personnel
security. For example, IRS continues to, among other things,
* allow sensitive information, including user IDs and passwords for
mission-critical applications, to be readily available to any user on
IRS's internal network;
* use passwords that are not complex enough to avoid being guessed or
cracked;
* grant excessive electronic access to individuals;
* inconsistently apply patches; and:
* not remove separated employees' access in a timely manner for one of
its systems.
Such weaknesses increase the risk of compromise of critical IRS systems
and information. According to IRS officials, they are continuing to
address the uncorrected weaknesses, and subsequent to our site visits,
they had completed corrective actions for some of the weaknesses.
Weaknesses Placed Financial and Taxpayer Information at Risk:
Although IRS has continued to make progress toward correcting
previously reported information security weaknesses at its three data
centers, as well as an additional facility, many deficiencies remain.
These deficiencies include those related to access controls, as well as
other controls such as configuration management and personnel security.
A key reason for these weaknesses is that IRS has not yet fully
implemented its agencywide information security program to ensure that
controls are appropriately designed and operating effectively.
Furthermore, these weaknesses continue to jeopardize the
confidentiality, integrity, and availability of IRS's systems and
contributed to IRS's material weakness in information security during
the fiscal year 2008 financial statement audit.
IRS Did Not Fully Implement Access Controls:
A basic management objective for any organization is to protect the
resources that support its critical operations from unauthorized
access. Organizations accomplish this objective by designing and
implementing controls that are intended to prevent, limit, and detect
unauthorized access to computing resources, programs, information, and
facilities. Inadequate access controls potentially diminish the
reliability of computerized information and increase the risk of
unauthorized disclosure, modification, and destruction of sensitive
information and disruption of service. Access controls include those
related to user identification and authentication, authorization,
cryptography, audit and monitoring, and physical security. IRS did not
fully implement controls in the areas listed above, as the following
sections in this report demonstrate.
Weaknesses Exist in Controls for Identification and Authentication:
A computer system must be able to identify and authenticate different
users so that activities on the system can be linked to specific
individuals. When an organization assigns unique user accounts to
specific users, the system is able to distinguish one user from
another--a process called identification. The system also must
establish the validity of a user's claimed identity by requesting some
kind of information, such as a password, that is known only by the
user--a process known as authentication. The combination of
identification and authentication--such as user account/password
combinations--provides the basis for establishing individual
accountability and for controlling access to the system. According to
the Internal Revenue Manual, passwords should be protected from
unauthorized disclosure and modification when stored and transmitted.
The Internal Revenue Manual also requires IRS to enforce strong
passwords for authentication (defined as a minimum of eight characters,
containing at least one numeric or special character, and a mixture of
at least one uppercase and one lowercase letter).
Although IRS had implemented controls for identification and
authentication, weaknesses continued to exist at two of the sites we
visited. Specifically, usernames and passwords were still viewable on
an IRS contractor-maintained Web site at one of its data centers. In
addition, the agency continued to store passwords in scripts and did
not enforce the use of strong passwords for systems at another data
center. As a result, increased risk exists that an individual could
view or guess these passwords and use them to gain unauthorized access
to IRS systems.
Users Have More System Access Than Needed to Perform Their Jobs:
Authorization is the process of granting or denying access rights and
permissions to a protected resource, such as a network, a system, an
application, a function, or a file. A key component of granting or
denying access rights is the concept of "least privilege." Least
privilege is a basic principle for securing computer resources and
information. This principle means that users are granted only those
access rights and permissions that they need to perform their official
duties. To restrict legitimate users' access to only those protected
resources that they need to do their work, organizations establish
access rights and permissions. "User rights" are allowable actions that
can be assigned to individual users or groups of users. File and
directory permissions are rules that regulate which users can access a
particular file or directory and the extent of that access. To avoid
unintentionally authorizing users' access to sensitive files and
directories, an organization must give careful consideration to its
assignment of rights and permissions. The Internal Revenue Manual
requires that system access be assigned based on least privilege--
allowing access at the minimum level necessary to support the user's
job duties. The Internal Revenue Manual also specifies that only
individuals having a "need to know" in the performance of their duties
should have access to sensitive information including that deemed as
personally identifiable information.
IRS permitted users more privileges on its systems than needed to
perform their official duties. For example, IRS integrated network
device controls with its Windows management controls that could provide
users with excessive access to its network infrastructure. According to
IRS officials, the agency made a cost-based decision to implement this
configuration. In addition, IRS did not restrict access to sensitive
personally identifiable information. To illustrate, the agency allowed
authenticated users on its network access to shared drives containing
taxpayer information, as well as performance appraisal information for
IRS employees including their social security numbers. This information
could allow someone to commit fraud or identity theft. In another
example, the agency did not restrict access to tax data for a major
corporation and allowed all employees with network access the potential
to view this information. These excessive privileges could allow users
unwarranted access to IRS's network or enable them to access
information not needed for their jobs and could place IRS systems or
information at risk.
IRS Transmitted Certain Sensitive Data Across Its Network Unencrypted:
Cryptography underlies many of the mechanisms used to enforce the
confidentiality and integrity of critical and sensitive information. A
basic element of cryptography is encryption. Encryption can be used to
provide basic data confidentiality and integrity by transforming plain
text into cipher text using a special value known as a key and a
mathematical process known as an algorithm. IRS policy requires the use
of encryption for transferring sensitive but unclassified information
between IRS facilities. The National Security Agency also recommends
disabling protocols that do not encrypt information transmitted across
the network, such as user ID and password combinations.
Although IRS had implemented controls to encrypt information traversing
its network, it did not always ensure certain sensitive data was
encrypted. For example, one data center has not yet disabled
unencrypted protocol services for all its UNIX servers. Similarly, at
another center, users' login information is still being sent across the
IRS internal network in clear text, potentially exposing account
usernames and passwords. More importantly, IRS continues to transmit
data, such as account and financial information, from its financial
accounting system using an unencrypted protocol. By transmitting data
unencrypted, IRS is at increased risk that an unauthorized individual
could view sensitive information.
IRS Did Not Always Effectively Monitor Its Systems:
To establish individual accountability, monitor compliance with
security policies, and investigate security violations, it is crucial
to know what, when, and by whom specific actions have been taken on a
system. Organizations accomplish this by implementing system or
security software that provides an audit trail, or logs of system
activity, that they can use to determine the source of a transaction or
attempted transaction and to monitor users' activities. The way in
which organizations configure system or security software determines
the nature and extent of information that can be provided by the audit
trail. To be effective, organizations should configure their software
to collect and maintain audit trails that are sufficient to track
security-relevant events.
IRS did not always effectively monitor its systems. For example, IRS
had not configured security software controls to log changes to
datasets that would support effective monitoring of the mainframe at
one of its data centers. In addition, other weaknesses include
inadequate logging of security-relevant events for UNIX and Windows
servers at one data center and for UNIX servers at another. By not
effectively logging changes to its systems, IRS will not have assurance
that it will be able to detect unauthorized system changes that could
adversely affect operations, or appropriately detect security-relevant
events.
IRS Did Not Always Fully Implement Controls for Physical Security:
Physical access controls are used to mitigate the risks to systems,
buildings, and supporting infrastructure related to their physical
environment and to control the entry and exit of personnel in
buildings, as well as data centers containing agency resources.
Examples of physical security controls include perimeter fencing,
surveillance cameras, security guards, and locks. Without these
protections, IRS computing facilities and resources could be exposed to
espionage, sabotage, damage, and theft. The Internal Revenue Manual
requires that all authorized visitors and their packages and briefcases
be examined when entering an IRS facility. In addition, data center
security checkpoint procedures require that officers specifically
screen for cameras and other items that are prohibited from IRS
facilities. The Internal Revenue Manual also states that the authorized
access list into restricted areas will be prepared monthly and dated
and signed by the branch chief, but not before the branch chief
validates the need of individuals to access the restricted area.
Although IRS had implemented numerous physical security controls,
certain controls were not working as intended, and the agency had not
fully implemented others. For example, security guards at one data
center did not ensure that visitors and their possessions were properly
screened when entering the facility. Our staff inadvertently included
digital cameras in packed luggage. Despite screening the luggage with
the magnetometer, the guards did not confront them about the prohibited
items. In another example, IRS prepared access lists identifying
personnel authorized to enter sensitive areas at two centers and at an
additional facility; however, the branch chiefs at the three sites had
not signed or dated the lists as required. This step is essential in
verifying that employees continue to warrant access into restricted
areas. As a result, increased risk exists that prohibited items and
individuals may inappropriately be permitted access to IRS facilities
and restricted areas.
IRS Had Not Fully Implemented Other Information Security Controls:
In addition to access controls, other important controls should be in
place to ensure the confidentiality, integrity, and availability of an
organization's information. These controls include policies,
procedures, and techniques for securely configuring information systems
and implementing personnel security. Weaknesses in these areas increase
the risk of unauthorized use, disclosure, modification, or loss of
IRS's information and information systems.
Configuration Management Requirements Were Inconsistently Implemented:
The purpose of configuration management is to establish and maintain
the integrity of an organization's work products. The Internal Revenue
Manual states that IRS shall establish and maintain baseline
configurations and inventories of organizational information systems
and monitor and control any changes to the baseline configurations.
Proactively managing vulnerabilities of systems will reduce or
eliminate the potential for exploitation and involves considerably less
time and effort than responding after an exploit has occurred. Patch
management, a component of configuration management, is an important
factor in mitigating software vulnerability risks. Patch installation
can help diminish vulnerabilities associated with flaws in software
code. Attackers often exploit these flaws to read, modify, or delete
sensitive information; disrupt operations; or launch attacks against
other organizations' systems. The Internal Revenue Manual requires that
all vendor-supplied security patches be installed on all IRS systems.
IRS did not fully implement its policies for managing changes to its
systems. Specifically, IRS did not maintain or enforce a baseline
configuration for one data center's mainframe system, which supports
the revenue accounting system of record and other applications. In
addition, IRS used an unsupported software package that was not current
and thus vulnerable to attack. Specifically, certain IRS servers were
running an outdated version of software that was no longer supported by
the vendor and, therefore, could not be patched against a known
vulnerability. As a result, IRS has limited assurance that system
changes are being properly monitored and that its systems are protected
against new vulnerabilities.
IRS Did Not Always Implement Personnel Security Controls:
The greatest harm or disruption to a system comes from the actions,
both intentional and unintentional, of individuals. These intentional
and unintentional actions can be reduced through the implementation of
personnel security controls. According to the National Institute of
Standards and Technology (NIST), personnel security controls help
organizations ensure that individuals occupying positions of
responsibility (including third-party service providers) are
trustworthy and meet established security criteria for those positions.
Organizations should also ensure that information and information
systems are protected during and after personnel actions, such as
terminations and transfers. More specifically, the Internal Revenue
Manual requires that all accounts be deactivated within 1 week of an
individual's departure on friendly terms and immediately upon an
individual's departure on unfriendly terms.
IRS did not always ensure that personnel security controls were fully
implemented. For example, at three locations, IRS did not remove
application access within 1 week of separation for 6 of 17 (35 percent)
separated employees we reviewed. IRS also did not deactivate proximity
cards immediately upon employee separation at one of its facilities. As
a result, IRS is at an increased risk that individuals could gain
unauthorized access to its resources.
IRS Had Not Fully Implemented All Elements of Its Information Security
Program:
A key reason for the information security weaknesses in IRS's financial
and tax processing systems is that it has not yet fully implemented its
agencywide information security program to ensure that controls are
effectively established and maintained. FISMA requires each agency to
develop, document, and implement an information security program that,
among other things, includes:
* periodic assessments of the risk and magnitude of harm that could
result from the unauthorized access, use, disclosure, disruption,
modification, or destruction of information and information systems;
* policies and procedures that (1) are based on risk assessments, (2)
cost effectively reduce information security risks to an acceptable
level, (3) ensure that information security is addressed throughout the
life cycle of each system, and (4) ensure compliance with applicable
requirements;
* plans for providing adequate information security for networks,
facilities, and systems;
* security awareness training to inform personnel of information
security risks and of their responsibilities in complying with agency
policies and procedures, as well as training personnel with significant
security responsibilities for information security;
* periodic testing and evaluation of the effectiveness of information
security policies, procedures, and practices, to be performed with a
frequency depending on risk, but no less than annually, and that
includes testing of management, operational, and technical controls for
every system identified in the agency's required inventory of major
information systems;
* a process for planning, implementing, evaluating, and documenting
remedial action to address any deficiencies in its information security
policies, procedures, or practices; and:
* plans and procedures to ensure continuity of operations for
information systems that support the operations and assets of the
agency.
IRS has made important progress in developing and documenting elements
of its information security program. However, not all components of its
program have been fully implemented.
Although a Risk Assessment Process Was Implemented, Assessments Were
Not Always Annually Reviewed:
According to NIST, risk is determined by identifying potential threats
to the organization and vulnerabilities in its systems, determining the
likelihood that a particular threat may exploit vulnerabilities, and
assessing the resulting impact on the organization's mission, including
the effect on sensitive and critical systems and data. Identifying and
assessing information security risks are essential to determining what
controls are required. Moreover, by increasing awareness of risks,
these assessments can generate support for the policies and controls
that are adopted in order to help ensure that these policies and
controls operate as intended. Consistent with NIST guidance, IRS
requires its risk assessment process to detail the residual risk
[Footnote 9] assessed, as well as potential threats, and to recommend
corrective actions for reducing or eliminating the vulnerabilities
identified. IRS also requires system risk assessments be reviewed
annually.
Although IRS had implemented a risk assessment process, it did not
always annually review its risk assessments. The risk assessments that
we reviewed were current, documented residual risks assessed, as well
as potential threats, and recommended corrective actions for mitigating
or eliminating the vulnerabilities that were identified. However, two
risk assessments for systems supporting tax processing and inventory
control had not been reviewed annually, per IRS's policy. As a result,
potential risks to these systems and the adequacy of their management,
operational, and technical controls to reduce risks may be unknown.
IRS Had Developed and Documented Policies and Procedures for Key
Elements of Its Information Security Program:
Another key element of an effective information security program is to
develop, document, and implement risk-based policies, procedures, and
technical standards that govern security over an agency's computing
environment. If properly implemented, policies and procedures should
help reduce the risk associated with unauthorized access or disruption
of services. Technical security standards can provide consistent
implementation guidance for each computing environment. Developing,
documenting, and implementing security policies are the important
primary mechanisms by which management communicates its views and
requirements; these policies also serve as the basis for adopting
specific procedures and technical controls. In addition, agencies need
to take the actions necessary to effectively implement or execute these
procedures and controls. Otherwise, agency systems and information will
not receive the protection that the security policies and controls
should provide.
IRS has developed and documented information security policies,
standards, and guidelines that generally provide appropriate guidance
to personnel responsible for securing information and information
systems. This has included guidance for assessing risk, security
planning, security training, testing and evaluating security controls,
contingency planning, and guidance for operating system platforms.
However, as illustrated by the weaknesses identified in this report,
IRS has not yet fully implemented its policies, standards, and
guidelines.
Security Plans Adequately Documented Management, Operational, and
Technical Controls:
An objective of system security planning is to improve the protection
of information technology resources. A system security plan provides an
overview of the system's security requirements and describes the
controls that are in place or planned to meet those requirements. OMB
Circular A-130 requires that agencies develop system security plans for
major applications and general support systems, and that these plans
address policies and procedures for providing management, operational,
and technical controls. Furthermore, IRS policy requires that security
plans be developed, documented, implemented, and periodically updated
for the controls in place or planned for an information system.
IRS had developed, documented, and updated the plans for eight systems
we reviewed. Furthermore, those plans documented the management,
operational, and technical controls in place and included information
required per the OMB Circular A-130 for applications and general
support systems. However, as illustrated by weaknesses identified in
this report, IRS had not yet fully implemented all the controls
documented in its security plans.
Security Awareness and Specialized Training Was Provided for All
Employees Reviewed:
People are one of the weakest links in attempts to secure systems and
networks. Therefore, an important component of an information security
program is providing sufficient training so that users understand
system security risks and their own role in implementing related
policies and controls to mitigate those risks. IRS policy requires that
personnel performing information technology security duties meet
minimum continuing professional education hours in accordance with
their roles. Personnel performing security roles are required by IRS to
have 12, 8, or 4 hours of specialized training per year, depending on
their specific role.
IRS personnel performing information technology security duties met
their minimum continuing professional education requirements. For the
employees and contractors with specific security-related roles that we
reviewed, 36 employees and contractors at one data center, and 24
employees and contractors at another, met the required minimum security
awareness and specialized training hours.
Although Controls Were Tested and Evaluated, Tests Were Not Always
Comprehensive:
Another key element of an information security program is to test and
evaluate policies, procedures, and controls to determine whether they
are effective and operating as intended. This type of oversight is a
fundamental element because it demonstrates management's commitment to
the security program, reminds employees of their roles and
responsibilities, and identifies and mitigates areas of noncompliance
and ineffectiveness. Although control tests and evaluations may
encourage compliance with security policies, the full benefits are not
achieved unless the results improve the security program. FISMA
requires that the frequency of tests and evaluations be based on risks
and occur no less than annually. IRS policy also requires periodic
testing and evaluation of the effectiveness of information security
policies and procedures.
Although IRS had a process in place for testing and evaluating its
systems, the process was not comprehensive. IRS had tested and
evaluated information security controls for each of the eight systems
we reviewed. However, its testing process did not identify certain
weaknesses that we identified during our review. For example, IRS was
not testing for complex passwords on its UNIX servers at one data
center. Additionally, from an enterprisewide perspective, the agency
had not identified inappropriate access to numerous shares containing
sensitive information. Until IRS improves its testing of controls over
its systems, it has reduced assurance that its policies and procedures
are being followed and that controls for its systems are being
effectively implemented and maintained.
Although Remedial Action Plans Were Complete, Corrective Actions Were
Not Always Validated:
A remedial action plan is a key component described in FISMA. Such a
plan assists agencies in identifying, assessing, prioritizing, and
monitoring progress in correcting security weaknesses that are found in
information systems. In its annual FISMA guidance to agencies, OMB
requires agency remedial action plans, also known as plans of action
and milestones, to include the resources necessary to correct
identified weaknesses. According to IRS policy, the agency should
document weaknesses found during security assessments, as well as
document only planned, implemented, and evaluated remedial actions to
correct any deficiencies. The policy further requires that IRS track
the status of resolution of all weaknesses and verify that each
weakness is corrected.
Although remedial action plans were in place, corrective actions were
not always appropriately validated. IRS has developed and implemented a
remedial action process to address deficiencies in its information
security policies, procedures, and practices. However, this remedial
action process was not working as intended, since the verification
process used to determine whether remedial actions were implemented was
not always effective. For example, IRS had informed us that it had
completed actions to close 65 recommendations related to previously
identified weaknesses, however, we determined that 16 of the corrective
actions did not mitigate or correct the underlying control
deficiencies. Without a sound remediation process, IRS will not have
assurance that it has taken the necessary actions to correct weaknesses
in its policies, procedures, and practices. We have previously
identified a similar weakness and recommended that IRS implement a
revised remedial action verification process that ensures actions are
fully implemented, but the condition continued to exist at the time of
our review.
Although Contingency Plans Were Annually Reviewed and Tested, IRS
Recognizes the Need for Further Efforts:
Continuity of operations planning, which includes contingency planning
and disaster recovery planning, is a critical component of information
protection. To ensure that mission-critical operations continue, it is
necessary to be able to detect, mitigate, and recover from service
disruptions while preserving access to vital information. It is
important that these plans be clearly documented, communicated to
potentially affected staff, and updated to reflect current operations.
In addition, testing contingency plans is essential to determine
whether the plans will function as intended in an emergency situation.
FISMA requires that agencywide information security programs include
plans and procedures to ensure continuity of operations. IRS
contingency planning policy requires, among other things, that
contingency plans be reviewed and tested at least annually.
Although contingency plans were in place, IRS recognizes the need for
improvements. The agency has completed contingency plans for the eight
systems we reviewed. Additionally, it has reviewed/updated and tested
these contingency plans annually.[Footnote 10] The plans also
identified critical business processes, correcting a weakness we
reported last year. Although the specific plans we reviewed did not
have any shortcomings, IRS's comprehensive plan for addressing
information security weaknesses recognizes the need for further efforts
to improve the agency's contingency planning, through initiatives
involving disaster recovery planning, some of which will not be
completed until 2011. Until it completes these efforts, IRS is at
increased risk of not being able to effectively recover and continue
operations when an emergency occurs.
Conclusions:
IRS has made progress in correcting or mitigating previously reported
weaknesses, implementing controls over key financial systems, and
developing and documenting a framework for its agencywide information
security program. Information security weaknesses--both old and new--
continue to impair the agency's ability to ensure the confidentiality,
integrity, and availability of financial and taxpayer information.
These deficiencies represent a material weakness in IRS's internal
controls over its financial and tax processing systems. A key reason
for these weaknesses is that the agency has not yet fully implemented
certain key elements of its agencywide information security program.
The financial and taxpayer information on IRS systems will remain
particularly vulnerable to insider threats until the agency (1) begins
to address and correct prior weaknesses across the service and (2)
fully implements a comprehensive agencywide information security
program that ensures risk assessments are appropriately reviewed for
all systems, tests and evaluations of controls for systems are
comprehensive, and the remedial action process effectively validates
corrective actions. Until IRS takes these steps, financial and taxpayer
information are at increased risk of unauthorized disclosure,
modification, or destruction, and the agency's management decisions may
be based on unreliable or inaccurate financial information.
Recommendations for Executive Action:
In addition to implementing our previous recommendations, we recommend
that you take the following two actions to implement an agencywide
information security program:
* ensure risk assessments for IRS systems are reviewed at least
annually, and:
* implement steps to improve the scope of testing and evaluating
controls, such as those for weak passwords.
We are also making eight detailed recommendations in a separate report
with limited distribution. These recommendations consist of actions to
be taken to correct specific information security weaknesses related to
authorization, physical security, and configuration management
identified during this audit.
Agency Comments:
In providing written comments (reprinted in app. II) on a draft of this
report, the Commissioner of Internal Revenue stated that the security
and privacy of taxpayer information is of the utmost importance to the
agency, and noted that IRS is committed to securing its computer
environment as it continually evaluates processes, promotes user
awareness and applies innovative ideas to increase compliance. He also
stated that the agency is working to improve its security posture, and
will develop a detailed corrective action plan addressing each of our
recommendations.
This report contains recommendations to you. As you know, 31 U.S.C. 720
requires the head of a federal agency to submit a written statement of
the actions taken on our recommendations to the Senate Committee on
Homeland Security and Governmental Affairs and to the House Committee
on Oversight and Government Reform not later than 60 days from the date
of the report and to the House and Senate Committees on Appropriations
with the agency's first request for appropriations made more than 60
days after the date of this report. Because agency personnel serve as
the primary source of information on the status of recommendations, GAO
requests that the agency also provide us with a copy of your agency's
statement of action to serve as preliminary information on the status
of open recommendations.
We are sending copies of this report to interested congressional
committees, the Secretary of the Treasury, and the Treasury Inspector
General for Tax Administration. The report also is available at no
charge on the GAO Web site at [hyperlink, http://www.gao.gov].
If you have any questions regarding this report, please contact Nancy
Kingsbury at (202) 512-2700 or Gregory C. Wilshusen at (202) 512-6244.
We can also be reached by e-mail at kingsburyn@gao.gov and
wilshuseng@gao.gov. Key contributors to this report are listed in
appendix III.
Sincerely yours,
Signed by:
Nancy R. Kingsbury:
Managing Director, Applied Research and Methods:
Signed by:
Gregory C. Wilshusen:
Director, Information Security Issues:
[End of section]
Appendix I: Objectives, Scope, and Methodology:
[End of section]
The objectives of our review were to determine (1) the status of the
Internal Revenue Service's (IRS) actions to correct or mitigate
previously reported information security weaknesses and (2) whether
controls over key financial and tax processing systems were effective
in protecting the confidentiality, integrity, and availability of
financial and sensitive taxpayer information. This work is part of our
audit of IRS's financial statements for the purpose of supporting our
opinion on internal controls over the preparation of those statements.
To determine the status of IRS's actions to correct or mitigate
previously reported information security weaknesses, we reviewed prior
GAO reports to identify previously reported weaknesses and examined
IRS's corrective action plans to determine which weaknesses IRS
reported corrective actions as being completed. For those instances
where IRS reported it had completed corrective actions, we assessed the
effectiveness of those actions by:
* testing the complexity and expiration of passwords on servers to
determine if strong password management was enforced;
* analyzing users' system authorizations to determine whether they had
more permissions than necessary to perform their assigned functions;
* observing data transmissions across the network to determine whether
sensitive data was being encrypted;
* observing whether system security software was logging successful
system changes;
* testing and observing physical access controls to determine if
computer facilities and resources were being protected from espionage,
sabotage, damage, and theft;
* inspecting key servers and workstations to determine whether critical
patches had been installed or were up-to-date; and:
* examining access responsibilities to determine whether incompatible
functions were segregated among different individuals.
We evaluated IRS's implementation of these corrective actions for three
data centers and an additional facility.
To determine whether controls over key financial and tax processing
systems were effective, we considered the results of our evaluation of
IRS's actions to mitigate previously reported weaknesses at three data
centers and the additional facility. We concentrated our evaluation
primarily on threats emanating from sources internal to IRS's computer
networks and focused on three critical applications and their general
support systems that directly or indirectly support the processing of
material transactions that are reflected in the agency's financial
statements. Our evaluation was based on our Federal Information System
Controls Audit Manual, which contains guidance for reviewing
information system controls that affect the confidentiality, integrity,
and availability of computerized information.
Using the requirements identified by the Federal Information Security
Management Act, which establishes key elements for an effective
agencywide information security program, we evaluated IRS's
implementation of its security program by:
* analyzing IRS's risk assessment process and risk assessments for
eight key IRS financial and tax processing systems to determine whether
risks and threats were documented;
* analyzing IRS's policies, procedures, practices, and standards to
determine whether sufficient guidance was provided to personnel
responsible for securing information and information systems;
* analyzing security plans for eight systems to determine if
management, operational, and technical controls were documented and if
security plans were updated;
* examining training records for personnel with significant
responsibilities to determine if they received training commensurate
with those responsibilities;
* analyzing test plans and test results for eight IRS systems to
determine whether management, operational, and technical controls were
tested at least annually and based on risk;
* observing IRS's process to correct weaknesses and determining whether
remedial action plans were complete; and:
* examining contingency plans for eight IRS systems to determine
whether those plans had been tested or updated.
We also reviewed or analyzed previous reports from the Treasury
Inspector General for Tax Administration and GAO; and discussed with
key security representatives and management officials whether
information security controls were in place, adequately designed, and
operating effectively.
[End of section]
Appendix II: Comments from the Internal Revenue Service:
Department Of The Treasury:
Commissioner:
Internal Revenue Service:
Washington, D.C. 20224:
December 18, 2008:
Mr. Gregory C. Wilshusen:
Director, Information Security Issues:
U.S. Government Accountability Office:
441 G Street, N.W.
Washington, DC 20548:
Dear Mr. Wilshusen:
Thank you for the opportunity to comment on the draft report,
Information Security: Continued Efforts Needed to Address Significant
Weaknesses at Internal Revenue Service (Government Accountability
Office-09-136). We appreciate that your draft report recognizes the
progress that the Internal Revenue Service has made to improve our
information security program and that numerous initiatives are
underway.
The security and privacy of taxpayer information is of utmost
importance to us and the integrity of our financial systems continues
to be sound. We are committed to securing our computer environment as
we continually evaluate processes, promote user awareness and apply
innovative ideas to increase compliance.
We appreciate your continued support and guidance as we work to improve
our security posture and look forward to working with you to develop
appropriate measures. We will provide the detailed corrective action
plan addressing each of the recommendations with our response to the
final report.
If you have any questions or would like to discuss our response in
further detail, please contact Terence V. Milholland, Chief Technology
Officer, at (202) 622-4511 or Arthur L. Gonzalez, Chief Information
Officer, at (202) 622-6800.
Sincerely,
Signed by:
Douglas H. Shulman:
[End of section]
Appendix III: GAO Contacts and Staff Acknowledgments:
GAO Contacts:
Nancy R. Kingsbury, (202) 512-2700, kingsburyn@gao.gov:
Gregory C. Wilshusen, (202) 512-6244, wilshuseng@gao.gov:
Staff Acknowledgments:
In addition to the individuals named above, David Hayes (Assistant
Director), Jeffrey Knott (Assistant Director), Harold Lewis (Assistant
Director), Larry Crosland, Mark Canter, Sharhonda Deloach, Neil
Doherty, Caryn English, Edward Glagola, Nancy Glover, Rebecca LaPaze,
Kevin Metcalfe, Zsaroq Powe, Eugene Stevens, and Christy Tyson made key
contributions to this report.
[End of section]
Footnotes:
[1] GAO, Financial Audit: IRS's Fiscal Years 2008 and 2007 Financial
Statements, [hyperlink, http://www.gao.gov/products/GAO-09-119]
(Washington, D.C.: Nov. 10, 2008).
[2] Information security controls include logical and physical access
controls, configuration management, segregation of duties, and
continuity of operations. These controls are designed to ensure that
access to data is appropriately restricted, that physical access to
sensitive computing resources and facilities is protected, that only
authorized changes to computer programs are made, that incompatible
duties are segregated among individuals, and that back-up and recovery
plans are adequate to ensure the continuity of essential operations.
[3] A material weakness is a significant deficiency, or combination of
significant deficiencies, that results in more than a remote likelihood
that a material misstatement of the financial statements will not be
prevented or detected.
[4] OMB, Fiscal Year 2007 Report to Congress on Implementation of the
Federal Information Security Management Act of 2002 (Washington, D.C.:
March 2008).
[5] US-CERT's mission is to protect the nation's Internet
infrastructure. US-CERT coordinates defense against and responses to
cyber attacks by analyzing and reducing cyber threats and
vulnerabilities, disseminating cyber threat warning information, and
coordinating incident response activities.
[6] The CERT Coordination Center is a center of Internet security
expertise located at the Software Engineering Institute, a federally
funded research and development center operated by Carnegie Mellon
University.
[7] GAO, High-Risk Series: Information Management and Technology,
[hyperlink, http://www.gao.gov/products/GAO/HR-97-9] (Washington, D.C.:
February 1997).
[8] FISMA was enacted as title III, E-Government Act of 2002, Pub L.
No. 107-347, Dec. 17, 2002.
[9] Residual risk is the risk remaining after the implementation of new
or enhanced controls.
[10] We did not test the effectiveness of IRS's contingency plan
testing.
[End of section]
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of newly
posted products every afternoon, go to [hyperlink, http://www.gao.gov]
and select "E-mail Updates."
Order by Phone:
The price of each GAO publication reflects GAO‘s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO‘s Web site,
[hyperlink, http://www.gao.gov/ordering.htm].
Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537.
Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional
information.
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: fraudnet@gao.gov:
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Ralph Dawn, Managing Director, dawnr@gao.gov:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, D.C. 20548:
Public Affairs:
Chuck Young, Managing Director, youngc1@gao.gov:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548: