Information Security

IRS Needs to Enhance Internal Control over Financial Reporting and Taxpayer Data
GAO ID: GAO-11-308, March 15, 2011

The Internal Revenue Service (IRS) has a demanding responsibility in collecting taxes, processing tax returns, and enforcing the nation's tax laws. It relies extensively on computerized systems to support its financial and mission-related operations and on information security controls to protect financial and sensitive taxpayer information that resides on those systems. As part of its audit of IRS's fiscal years 2010 and 2009 financial statements, GAO assessed whether controls over key financial and tax processing systems are effective in ensuring the confidentiality, integrity, and availability of financial and sensitive taxpayer information. To do this, GAO examined IRS information security policies, plans, and procedures; tested controls over key financial applications; and interviewed key agency officials at four sites.

Although IRS made progress in correcting previously reported information security weaknesses, control weaknesses over key financial and tax processing systems continue to jeopardize the confidentiality, integrity, and availability of financial and sensitive taxpayer information. Specifically, IRS did not consistently implement controls that were intended to prevent, limit, and detect unauthorized access to its financial systems and information. For example, the agency did not sufficiently (1) restrict users' access to databases to only the access needed to perform their jobs; (2) secure the system it uses to support and manage its computer access request, approval, and review processes; (3) update database software residing on servers that support its general ledger system; and (4) enable certain auditing features on databases supporting several key systems. In addition, 65 of 88--about 74 percent--of previously reported weaknesses remain unresolved or unmitigated. An underlying reason for these weaknesses is that IRS has not yet fully implemented key components of its comprehensive information security program. Although IRS has processes in place intended to monitor and assess its internal controls, these processes were not always effective. For example, IRS's testing did not detect many of the vulnerabilities GAO identified during this audit and did not assess a key application in its current environment. Further, the agency had not effectively validated corrective actions reported to resolve previously identified weaknesses. Although IRS had a process in place for verifying whether each weakness had been corrected, this process was not always working as intended. For example, the agency reported that it had resolved 39 of the 88 previously identified weaknesses; however, 16 of the 39 weaknesses had not been mitigated. 
IRS has various initiatives underway to bolster security over its networks and systems; however, until the agency corrects the identified weaknesses, its financial systems and information remain unnecessarily vulnerable to insider threats, including errors or mistakes and fraudulent or malevolent acts by insiders. As a result, financial and taxpayer information is at increased risk of unauthorized disclosure, modification, or destruction; financial data is at increased risk of errors that result in misstatement; and the agency's management decisions may be based on unreliable or inaccurate financial information. These weaknesses, considered collectively, are the basis for GAO's determination that IRS had a material weakness in internal control over financial reporting related to information security in fiscal year 2010. GAO recommends that IRS take eight actions to fully implement key components of its comprehensive information security program. In a separate report with limited distribution, GAO is recommending 32 specific actions for correcting newly identified control weaknesses. In commenting on a draft of this report, IRS agreed to develop a detailed corrective action plan to address each recommendation.


Director: Gregory C. Wilshusen
Team: Government Accountability Office: Information Technology
Phone: (202) 512-6244


GAO-11-308, Information Security: IRS Needs to Enhance Internal Control over Financial Reporting and Taxpayer Data

This is the accessible text file for GAO report number GAO-11-308 entitled 'Information Security: IRS Needs to Enhance Internal Control over Financial Reporting and Taxpayer Data' which was released on March 15, 2011.

This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.

United States Government Accountability Office:
GAO:

Report to the Commissioner of Internal Revenue:

March 2011:

Information Security: IRS Needs to Enhance Internal Control over Financial Reporting and Taxpayer Data:

GAO-11-308:

GAO Highlights:

Highlights of GAO-11-308, a report to the Commissioner of Internal Revenue.

Why GAO Did This Study:

The Internal Revenue Service (IRS) has a demanding responsibility in collecting taxes, processing tax returns, and enforcing the nation's tax laws.
It relies extensively on computerized systems to support its financial and mission-related operations and on information security controls to protect financial and sensitive taxpayer information that resides on those systems. As part of its audit of IRS's fiscal years 2010 and 2009 financial statements, GAO assessed whether controls over key financial and tax processing systems are effective in ensuring the confidentiality, integrity, and availability of financial and sensitive taxpayer information. To do this, GAO examined IRS information security policies, plans, and procedures; tested controls over key financial applications; and interviewed key agency officials at four sites.

What GAO Found:

Although IRS made progress in correcting previously reported information security weaknesses, control weaknesses over key financial and tax processing systems continue to jeopardize the confidentiality, integrity, and availability of financial and sensitive taxpayer information. Specifically, IRS did not consistently implement controls that were intended to prevent, limit, and detect unauthorized access to its financial systems and information. For example, the agency did not sufficiently (1) restrict users' access to databases to only the access needed to perform their jobs; (2) secure the system it uses to support and manage its computer access request, approval, and review processes; (3) update database software residing on servers that support its general ledger system; and (4) enable certain auditing features on databases supporting several key systems. In addition, 65 of 88--about 74 percent--of previously reported weaknesses remain unresolved or unmitigated. An underlying reason for these weaknesses is that IRS has not yet fully implemented key components of its comprehensive information security program. Although IRS has processes in place intended to monitor and assess its internal controls, these processes were not always effective.
For example, IRS's testing did not detect many of the vulnerabilities GAO identified during this audit and did not assess a key application in its current environment. Further, the agency had not effectively validated corrective actions reported to resolve previously identified weaknesses. Although IRS had a process in place for verifying whether each weakness had been corrected, this process was not always working as intended. For example, the agency reported that it had resolved 39 of the 88 previously identified weaknesses; however, 16 of the 39 weaknesses had not been mitigated.

IRS has various initiatives underway to bolster security over its networks and systems; however, until the agency corrects the identified weaknesses, its financial systems and information remain unnecessarily vulnerable to insider threats, including errors or mistakes and fraudulent or malevolent acts by insiders. As a result, financial and taxpayer information is at increased risk of unauthorized disclosure, modification, or destruction; financial data is at increased risk of errors that result in misstatement; and the agency's management decisions may be based on unreliable or inaccurate financial information. These weaknesses, considered collectively, are the basis for GAO's determination that IRS had a material weakness in internal control over financial reporting related to information security in fiscal year 2010.

What GAO Recommends:

GAO recommends that IRS take eight actions to fully implement key components of its comprehensive information security program. In a separate report with limited distribution, GAO is recommending 32 specific actions for correcting newly identified control weaknesses. In commenting on a draft of this report, IRS agreed to develop a detailed corrective action plan to address each recommendation.

View [hyperlink, http://www.gao.gov/products/GAO-11-308] or key components. For more information, contact Nancy R. Kingsbury at (202) 512-2700 or kingsburyn@gao.gov, or Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov.

[End of section]

Contents:

Letter:
Background:
Significant Weaknesses Continue to Place Financial and Taxpayer Information at Risk:
Conclusions:
Recommendations for Executive Action:
Agency Comments:
Appendix I: Objective, Scope, and Methodology:
Appendix II: Comments from the Internal Revenue Service:
Appendix III: GAO Contacts and Staff Acknowledgments:

Abbreviations:

FISMA: Federal Information Security Management Act
IRS: Internal Revenue Service
NIST: National Institute of Standards and Technology
TIGTA: Treasury Inspector General for Tax Administration

[End of section]

United States Government Accountability Office:
Washington, DC 20548:

March 15, 2011:

The Honorable Douglas H. Shulman:
Commissioner of Internal Revenue:

Dear Commissioner Shulman:

The Internal Revenue Service (IRS) has a demanding responsibility in collecting taxes, processing tax returns, and enforcing the nation's tax laws. It relies extensively on computerized systems to support its financial and mission-related operations and on information security controls[Footnote 1] to protect the confidentiality, integrity, and availability of the financial and sensitive taxpayer information that resides on those systems. As part of our audit of IRS's fiscal years 2010 and 2009 financial statements,[Footnote 2] we assessed the effectiveness of the agency's information security controls over its key financial and tax processing systems, information, and interconnected networks at four locations. These systems support the processing, storage, and transmission of financial and sensitive taxpayer information.
In our report on IRS's fiscal years 2010 and 2009 financial statements, we reported that IRS could not rely on the internal controls[Footnote 3] contained in its automated financial management system to provide reasonable assurance that (1) its financial statements, taken as a whole, were fairly stated; (2) the information IRS relied on to make decisions on a daily basis was accurate, complete, and timely; and (3) proprietary financial and taxpayer information was appropriately safeguarded. We concluded that the new information security weaknesses we identified in fiscal year 2010 and the unresolved weaknesses from prior audits, considered collectively, represent a material weakness[Footnote 4] in internal control over financial reporting related to information security.

Our objective was to determine whether IRS's controls over key financial and tax processing systems are effective in ensuring the confidentiality, integrity, and availability of financial and sensitive taxpayer information. To do this, we examined IRS information security policies, plans, and procedures; tested controls over key financial applications; interviewed key agency officials; and reviewed our prior reports to identify previously reported weaknesses and assessed the effectiveness of corrective actions taken. We concentrated our evaluation on threats emanating from sources internal to IRS's computer networks.

We conducted this audit from May 2010 to March 2011 in accordance with U.S. generally accepted government auditing standards. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. For additional information about our objective, scope, and methodology, refer to appendix I.
Background:

The use of information technology has created many benefits for agencies such as IRS in achieving their missions and providing information and services to the public, but extensive reliance on computerized information also creates challenges in securing that information from various threats. Information security is especially important for government agencies, where maintaining the public's trust is essential. Without proper safeguards, computer systems are vulnerable to individuals and groups with malicious intentions who can intrude and use their access to obtain sensitive information, commit fraud, disrupt operations, or launch attacks against other computer systems and networks. The risks to these systems are well-founded for a number of reasons, including the increase in reports of security incidents, the ease of obtaining and using hacking tools, and steady advances in the sophistication and effectiveness of attack technology.

The Federal Bureau of Investigation has identified multiple sources of threats, including foreign entities engaged in intelligence gathering and information warfare, domestic criminals, hackers, virus writers, and disgruntled employees or contractors working within an organization. In addition, the U.S. Secret Service and the CERT® Coordination Center[Footnote 5] studied insider threats in the government sector and stated in a January 2008 report[Footnote 6] that "government sector insiders have the potential to pose a substantial threat by virtue of their knowledge of, and access to, employer systems and/or databases." Insider threats include errors or mistakes and fraudulent or malevolent acts by insiders.

Our previous reports, and those by federal inspectors general, describe persistent information security weaknesses that place federal agencies, including IRS, at risk of disruption, fraud, or inappropriate disclosure of sensitive information.
Accordingly, we have designated information security as a governmentwide high-risk area since 1997, most recently in 2011.[Footnote 7]

Information security is essential to creating and maintaining effective internal controls. The Federal Managers' Financial Integrity Act of 1982 requires us to issue standards for internal control in federal agencies.[Footnote 8] The standards[Footnote 9] provide the overall framework for establishing and maintaining internal control and for identifying and addressing major performance and management challenges and areas at greatest risk of fraud, waste, abuse, and mismanagement. The term internal control is synonymous with the term management control, which covers all aspects of an agency's operations (programmatic, financial, and compliance). The attitude and philosophy of management toward information systems can have a profound effect on internal control. Information system controls consist of those internal controls that are dependent on information systems processing and include general controls at the entitywide, system, and business process application levels (security management, access controls, configuration management, segregation of duties, and contingency planning); business process application controls (input, processing, output, master file, interface, and data management system controls); and user controls (controls performed by people interacting with information systems).

Recognizing the importance of securing federal agencies' information systems, Congress enacted the Federal Information Security Management Act (FISMA)[Footnote 10] in December 2002 to strengthen the security of information and systems within federal agencies. FISMA requires each agency to develop, document, and implement an agencywide information security program for the information and information systems that support the operations and assets of the agency, using a risk-based approach to information security management.
Such a program includes assessing risk; developing and implementing cost-effective security plans, policies, and procedures; providing specialized training; testing and evaluating the effectiveness of controls; planning, implementing, evaluating, and documenting remedial actions to address information security deficiencies; and ensuring continuity of operations.

IRS Is the Tax Collector for the United States:

IRS has demanding responsibilities in collecting taxes, processing tax returns, and enforcing federal tax laws, and relies extensively on computerized systems to support its financial and mission-related operations. In fiscal year 2010, IRS processed hundreds of millions of tax returns, collected about $2.3 trillion in federal tax payments, and paid about $467 billion in refunds to taxpayers. Further, the size and complexity of IRS add unique operational challenges. IRS employs over 100,000 people in its Washington, D.C., headquarters and over 700 offices in all 50 states and U.S. territories and in some U.S. embassies and consulates. To manage its data and information, the agency operates three enterprise computing centers located in Detroit, Michigan; Martinsburg, West Virginia; and Memphis, Tennessee.

IRS also collects and maintains a significant amount of personal and financial information on each American taxpayer. Protecting the confidentiality of this sensitive information is paramount; otherwise, taxpayers could be exposed to loss of privacy and to financial loss and damages resulting from identity theft or other financial crimes.

The Commissioner of Internal Revenue has overall responsibility for ensuring the confidentiality, integrity, and availability of the information and information systems that support the agency and its operations. FISMA requires the Chief Information Officer (CIO) or comparable official at federal agencies to be responsible for developing and maintaining an information security program.
IRS has delegated this responsibility to the Associate Chief Information Officer for Cybersecurity, who heads the Office of Cybersecurity. The Office of Cybersecurity's mission is to protect taxpayer information and IRS's electronic systems, services, and data from internal and external cybersecurity-related threats by implementing security practices in planning, implementation, risk management, and operations. IRS develops and publishes its information security policies, guidelines, standards, and procedures in the Internal Revenue Manual and other documents in order for IRS divisions and offices to carry out their respective responsibilities in information security.

In October 2010, the Treasury Inspector General for Tax Administration (TIGTA) stated that security, including computer security, was the top priority in its list of top 10 management challenges for IRS in fiscal year 2011.[Footnote 11]

Significant Weaknesses Continue to Place Financial and Taxpayer Information at Risk:

Although IRS has made progress in correcting information security weaknesses that we have reported previously, many weaknesses have not been corrected and we identified many new weaknesses during fiscal year 2010. Specifically, 65 out of 88 previously reported weaknesses[Footnote 12]--about 74 percent--have not yet been corrected. In addition, we identified 37[Footnote 13] new weaknesses. These weaknesses relate to access controls, configuration management, and segregation of duties. Weaknesses in these areas increase the likelihood of errors in financial data that result in misstatement and expose sensitive information and systems to unauthorized use, disclosure, modification, and loss. An underlying reason for these weaknesses--both old and new--is that IRS has not yet fully implemented key components of a comprehensive information security program.
These weaknesses continue to jeopardize the confidentiality, integrity, and availability of the financial and sensitive taxpayer information processed by IRS's systems and, considered collectively, are the basis of our determination that IRS had a material weakness in internal control over its financial reporting related to information security in fiscal year 2010.[Footnote 14]

IRS Did Not Sufficiently Control Access to Information Resources:

A basic management objective for any organization is to protect the resources that support its critical operations from unauthorized access. Organizations accomplish this objective by designing and implementing controls that are intended to prevent, limit, and detect unauthorized access to computing resources, programs, information, and facilities. Access controls include those related to user identification and authentication, authorization, cryptography, audit and monitoring, and physical security. However, IRS did not fully implement effective controls in these areas. Without adequate access controls, unauthorized individuals may be able to log in, access sensitive information, and make undetected changes or deletions for malicious purposes or personal gain. In addition, authorized individuals may be able to intentionally or unintentionally add, modify, or delete data to which they should not have been given access.

Controls Were Not Consistently Implemented for Identifying and Authenticating Users:

A computer system needs to be able to identify and authenticate each user so that activities on the system can be linked and traced to a specific individual. An organization does this by assigning a unique user account to each user, and in so doing, the system is able to distinguish one user from another--a process called identification.
The system also needs to establish the validity of a user's claimed identity by requesting some kind of information, such as a password, that is known only by the user--a process known as authentication. The combination of identification and authentication--such as user account/password combinations--provides the basis for establishing individual accountability and for controlling access to the system.

The Internal Revenue Manual requires the use of a strong password for authentication (defined as a minimum of eight characters, containing at least one numeric or special character, and a mixture of at least one uppercase and one lowercase letter). Furthermore, the Internal Revenue Manual states that database account passwords are not to be reused within 10 password changes[Footnote 15] and that the password grace time for a database--the number of days an individual has to change his or her password after it expires--should be set to 10.

IRS properly configured password complexity on its servers used to manage access to network resources. In addition, IRS made progress in correcting a previously identified weakness by restricting remote login access. However, IRS did not consistently implement strong authentication controls on certain systems, as required by the Internal Revenue Manual. For example:

* Databases that support IRS administrative accounting and procurement systems had a certain password control set to "null." This password control verifies certain password settings, such as password complexity and minimum password length, to ensure the user's password complies with IRS policy. By configuring this control to "null," no password verifications are performed.

* Seventeen of 90 network devices[Footnote 16] we reviewed had a password length of 6 characters.

* Databases that support IRS's administrative accounting and procurement systems contained several password resource values that were not set to the settings required by IRS policy. For example, the password reuse and password grace time values were set to "unlimited."

As a result of these weaknesses, increased risk exists that an individual with malicious intentions could gain inappropriate access to these sensitive IRS applications and data, and potentially use the access to attempt compromises of other IRS systems.

Users Have More System Access than Needed to Perform Their Jobs:

Authorization is the process of granting or denying access rights and permissions to a protected resource, such as a network, a system, an application, a function, or a file. A key component of granting or denying an individual access rights is the concept of "least privilege." Least privilege, which is a basic principle for securing computer resources and information, means that a user is granted only those access rights and permissions needed to perform official duties. To restrict legitimate users' access to only those programs and files needed to do their work, organizations establish access rights and permissions to users. These "user rights" are allowable actions that can be assigned to one user or to a group of users. File and directory permissions are rules that regulate which users can access a particular file or directory and the extent of that access. To avoid unintentionally authorizing a user access to sensitive files and directories, an organization should give careful consideration to its assignment of rights and permissions. IRS policy states that access control measures based on least privilege and that provide protection from unauthorized alteration, loss, unavailability, or disclosure of information should be implemented. Additionally, the Internal Revenue Manual requires that the guest account be disabled to prevent any user from being authenticated as a guest. Although IRS had taken steps to control access to systems, it continued to permit excessive access.
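The Internal Revenue Manual password requirements and the database settings cited in the authentication findings above, expressed as a compliance check. This is an added example, not GAO's or IRS's own tooling; the profile record layout, the field names, and the sample profile and device values are constructed for illustration.

```python
"""Check database password settings against the Internal Revenue Manual rules quoted in the report."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Requirements as stated in the report.
MIN_LENGTH = 8        # minimum password length
REUSE_MAX = 10        # a password may not be reused within this many changes
GRACE_DAYS = 10       # days allowed to change an expired password


def verify_password(password: str) -> list[str]:
    """Return the complexity rules that `password` violates (empty list means compliant).

    This is the kind of check a database password verify function performs on a new password.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[0-9]|[^A-Za-z0-9]", password):
        failures.append("no numeric or special character")
    if not re.search(r"[A-Z]", password):
        failures.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        failures.append("no lowercase letter")
    return failures


@dataclass(frozen=True)
class PasswordProfile:
    """Constructed view of a database account password profile (not any product's real schema).

    Values are strings because such profiles mix numbers with the keywords
    "null" (no verify function installed) and "unlimited" (limit disabled).
    """
    name: str
    verify_function: str   # routine that checks new passwords, or "null"
    reuse_max: str         # changes before a password may be reused, or "unlimited"
    grace_time: str        # days to change an expired password, or "unlimited"


def enforced_failures(profile: PasswordProfile, password: str) -> list[str]:
    """Failures the database would actually raise for `password` under `profile`.

    With the verify function set to "null" nothing is checked at all, which is why the
    report treats that setting as disabling complexity and length verification.
    """
    if profile.verify_function.lower() == "null":
        return []
    return verify_password(password)


def audit_profile(profile: PasswordProfile) -> list[str]:
    """Compare one profile against the required settings and return finding strings."""
    findings = []
    if profile.verify_function.lower() == "null":
        findings.append(f"{profile.name}: verify function is null; complexity and length are not checked")
    if profile.reuse_max.lower() == "unlimited":
        findings.append(f"{profile.name}: password reuse is unlimited (no reuse within {REUSE_MAX} changes required)")
    elif int(profile.reuse_max) < REUSE_MAX:
        findings.append(f"{profile.name}: reuse limit {profile.reuse_max} is below the required {REUSE_MAX}")
    if profile.grace_time.lower() == "unlimited":
        findings.append(f"{profile.name}: password grace time is unlimited ({GRACE_DAYS} days required)")
    elif int(profile.grace_time) != GRACE_DAYS:
        findings.append(f"{profile.name}: grace time {profile.grace_time} days differs from the required {GRACE_DAYS}")
    return findings


def audit_device_min_lengths(devices: dict[str, int]) -> list[str]:
    """Names of network devices whose configured minimum password length is below the required minimum."""
    return sorted(name for name, length in devices.items() if length < MIN_LENGTH)


# Constructed sample data mirroring the report's findings: one profile left with a "null"
# verify function and "unlimited" reuse and grace time, one configured to policy, and a few
# invented network devices, two of them with a 6-character minimum.
WEAK_PROFILE = PasswordProfile("accounting_db_default", "null", "unlimited", "unlimited")
COMPLIANT_PROFILE = PasswordProfile("accounting_db_hardened", "irm_verify_function", "10", "10")
SAMPLE_DEVICES = {"router-01": 6, "switch-01": 8, "switch-02": 6}


if __name__ == "__main__":
    for profile in (WEAK_PROFILE, COMPLIANT_PROFILE):
        for finding in audit_profile(profile):
            print("FINDING:", finding)
        # The same weak password submitted under each profile shows what is actually enforced.
        print(profile.name, "rejects 'taxes' for:", enforced_failures(profile, "taxes"))
    print("devices below minimum length:", audit_device_min_lengths(SAMPLE_DEVICES))
```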
For example, IRS had corrected a previously identified weakness by limiting access to certain key financial documents used for input into the administrative accounting system. However, it continued to permit excessive access to several systems by granting rights and permissions that gave users more access than they needed to perform their assigned functions. For example, IRS granted excessive privileges to a database account on the online system used to support and manage its computer access request, approval, and review process. In addition, the agency allowed some individuals to manually enter commands that would permit them to bypass the application programs intended to be used to access the data. Also, all database users had unnecessary execute permissions on several sensitive database packages[Footnote 17] that allowed them to manipulate data and gain access to sensitive files and directories on IRS's access authorization, administrative accounting, electronic tax payment, and procurement systems. Furthermore, while IRS made progress in correcting a previously identified weakness by disabling the guest account on some SQL servers, IRS had not disabled the SQL server guest account on its real property management system, increasing the risk that unauthorized users could use this account to gain system access. These excessive access privileges can provide opportunities for individuals to circumvent security controls.

Sensitive Data Is Sent across the IRS Network Unencrypted:

Cryptography underlies many of the mechanisms used to enforce the confidentiality and integrity of critical and sensitive information. A basic element of cryptography is encryption, which is used to transform plain text into cipher text using a special value known as a key and a mathematical process known as an algorithm.
According to IRS policy, the use of insecure protocols should be restricted because their widespread use can allow passwords and other sensitive data to be transmitted across its internal network unencrypted.

Although IRS discontinued the use of unencrypted protocols on the servers supporting the procurement system, its network devices were configured to use protocols that allowed unencrypted transmission of sensitive data. For example, 37 of the 90 network devices we reviewed and a server supporting IRS's tax payment system used unencrypted protocols to transmit sensitive information. In addition, IRS had not corrected previously identified weaknesses, such as weak encryption controls over user login to its administrative accounting system and transmission of unencrypted mainframe administrator login information across its network. By not encrypting sensitive data, IRS is at increased risk that an unauthorized individual could view and then use the data to gain unwarranted access to its systems and/or sensitive information.

IRS Did Not Consistently Audit and Monitor Security-Relevant Activity on Certain Systems:

To establish individual accountability, monitor compliance with security policies, and investigate security violations, it is crucial to determine what, when, and by whom specific actions have been taken on a system. Organizations accomplish this by implementing system or security software that provides an audit trail--a log of system activity--that they can use to determine the source of a transaction or attempted transaction and to monitor users' activities. The way in which organizations configure system or security software determines the nature and extent of information that can be provided by the audit trail. To be effective, organizations should configure their software to collect and maintain audit trails that are sufficient to track security-relevant events.
The Internal Revenue Manual states that IRS should enable and configure audit logging on all systems to aid in the detection of security violations, performance problems, and flaws in applications. Additionally, IRS policy states that security controls in information systems shall be monitored on an ongoing basis.

IRS currently uses a commercial off-the-shelf audit trail solution that allows the agency to review audit log reports and analyze audit data. In addition, IRS has established the Enterprise Security Audit Trails Project Management Office, which is responsible for managing all enterprise audit initiatives and identifying and overseeing deployment and transition of various audit trail solutions. Despite these steps forward, IRS did not enable certain auditing features on three systems we reviewed. For example, IRS did not enable security event auditing[Footnote 18] or system privilege auditing[Footnote 19] features on databases that support its access authorization, administrative accounting, and procurement systems. In addition, IRS had not corrected a previously identified weakness in which certain servers were not configured to ensure sufficient audit trails. As a result, IRS's ability to establish individual accountability, monitor compliance with security policies, and investigate security violations was limited.

Physical Access Controls Were Not Consistently Implemented:

Physical security controls are important for protecting computer facilities and resources from espionage, sabotage, damage, and theft. These controls involve restricting physical access to computer resources, usually by limiting access to the buildings and rooms in which they are housed and periodically reviewing access granted, in order to ensure that access continues to be appropriate.
At IRS, physical access control measures, such as physical access cards that are used to permit or deny access to certain areas of a facility, are vital to safeguarding its facilities, computing resources, and information from internal and external threats. The Internal Revenue Manual requires access controls to protect employees and contractors, information systems, and the facilities in which they are located. The policy also requires that entry to restricted areas should be limited to only those who need it to perform their job duties. It also requires department managers of restricted areas to review, validate, sign, and date the authorized access list for restricted areas on a monthly basis and then forward the list to the physical security office for review of employee access. Although IRS had implemented numerous physical security controls, certain controls were not working as intended, and the agency had not consistently applied the policy in others. IRS has a dedicated guard force at each computing center visitor entrance. These guards screen every visitor that enters these facilities. The agency had also corrected a previously identified weakness by consistently reviewing the images displayed on x-ray machines while screening employees, visitors, and contractors entering restricted areas. However, visitor physical access cards to restricted areas at one computing center provided unauthorized access to other restricted areas within the center--a weakness previously reported in 2010. In addition, IRS had not consistently applied its processes for reviewing access to restricted areas within its computing centers. For example, effective procedures were not in place at two of the three computing centers to ensure that individuals with an ongoing need to access restricted areas within the center were reviewed regularly in order to assess whether the access was warranted to perform their job. 
Although one computing center regularly reviewed the visitor access list, it did not review the list of individuals who had ongoing access. The other center only reviewed access based on the number of times in a given week the individual entered certain areas within the center, rather than based on the individual's need to perform job duties. Further, at the third data center, IRS was unable to provide evidence that the physical security office had addressed a prior recommendation to remove employee access to restricted areas when a manager indicated access was no longer needed. Because employees and visitors may have unnecessary access to restricted areas, IRS has reduced assurance that its computing resources and sensitive information are adequately protected from unauthorized access.

Weaknesses in Other Information Security Controls Increase Risk:

In addition to access controls, other important controls should be in place to ensure the confidentiality, integrity, and availability of an organization's information. These controls include policies, procedures, and techniques for securely configuring information systems, and segregating incompatible duties. However, IRS has weaknesses in these areas, thus increasing its risk of unauthorized use, disclosure, modification, or loss of information and information systems.

Outdated and Unsupported Software Exposes IRS to Known Vulnerabilities:

Configuration management involves, among other things, (1) verifying the correctness of the security settings in the operating systems, applications, or computing and network devices and (2) obtaining reasonable assurance that systems are configured and operating securely and as intended. Patch management, a component of configuration management, is an important element in mitigating the risks associated with software vulnerabilities. When a software vulnerability is discovered, the software vendor may develop and distribute a patch or work-around to mitigate the vulnerability.
Without the patch, an attacker can exploit a software vulnerability to read, modify, or delete sensitive information; disrupt operations; or launch attacks against systems at another organization. Outdated and unsupported software is more vulnerable to an attack and exploitation because vendors no longer provide updates, including security updates. Accordingly, the Internal Revenue Manual states that IRS will manage systems to reduce vulnerabilities by promptly installing patches. In addition, the manual states that system administrators will ensure the operating system version is a version for which the vendor still offers standardized technical support. Although IRS made progress in updating certain systems, it did not always apply critical patches to its databases that support two financial applications. For example, the agency made major upgrades to key servers supporting the administrative accounting system; however, databases supporting this and another administrative accounting application had not been updated with the latest critical patches. In addition, patches had not been applied since 2006 for at least four other database installations on servers supporting the agency's general ledger system for tax-related activities. IRS had also not corrected previously identified weaknesses related to outdated and unsupported software on domain name servers. As a result, the agency has limited assurance that its systems are protected from known vulnerabilities.

Incompatible Duties Were Not Appropriately Segregated on Certain Financial Management Systems:

Segregation of duties refers to the policies, procedures, and organizational structures that help ensure that no single individual can independently control all key aspects of a process or computer-related operation and thereby gain unauthorized access to assets or records. Often, organizations achieve segregation of duties by dividing responsibilities among two or more individuals or organizational groups.
This diminishes the likelihood that errors and wrongful acts will go undetected, because the activities of one individual or group will serve as a check on the activities of the other. Inadequate segregation of duties increases the risk that erroneous or fraudulent transactions could be processed, improper program changes implemented, and computer resources damaged or destroyed. The Internal Revenue Manual requires that IRS divide and separate duties and responsibilities of incompatible functions among different individuals so that no individual shall have all of the necessary authority and system access to disrupt or corrupt a critical security process. Furthermore, the manual specifies that the primary security role of any database administrator is to administer and maintain database repositories for proper use by authorized individuals and that database administrators shall not have system administrator access rights. IRS did not always appropriately segregate certain duties. Specifically, on its general ledger system for tax-related activities, IRS granted certain database administration privileges to at least 25 database users with no database administration duties. These privileges allowed them to grant other users access to tables within the database, including the ability to add, change, or delete important accounting data. In addition, IRS had not corrected a previously identified weakness related to permitting an individual the ability to execute the roles and responsibilities of both a database and system administrator for the procurement system. By not properly segregating incompatible duties in these financial management systems, IRS reduces the effectiveness of its internal controls over financial management and increases the likelihood of errors and misstatements. Additionally, these weaknesses increase the potential for unauthorized use or disclosure of sensitive information or disruption of systems. 
IRS Has Not Fully Implemented Key Components of Its Information Security Program:

An underlying reason for the information security weaknesses in IRS's financial and tax processing systems is that it has not yet fully implemented key components of its comprehensive information security program. FISMA requires each agency to develop, document, and implement an information security program that, among other things, includes:

* periodic assessments of the risk and magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems;

* policies and procedures that (1) are based on risk assessments, (2) cost-effectively reduce information security risks to an acceptable level, (3) ensure that information security is addressed throughout the life cycle of each system, and (4) ensure compliance with applicable requirements;

* plans for providing adequate information security for networks, facilities, and systems;

* security awareness training to inform personnel of information security risks and of their responsibilities in complying with agency policies and procedures, as well as training personnel with significant security responsibilities for information security;

* periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices, to be performed with a frequency depending on risk, but no less than annually, and that includes testing of management, operational, and technical controls for every system identified in the agency's required inventory of major information systems;

* a process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in its information security policies, procedures, or practices; and

* plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency.
IRS has made progress in developing and documenting elements of its information security program. To bolster security over its networks and systems and to address its information security weaknesses, IRS has developed various initiatives. For example, IRS has created a detailed roadmap to guide its efforts in targeting critical weaknesses. The agency is in the process of implementing this comprehensive plan to mitigate numerous information security weaknesses, such as those associated with access controls, audit trails, contingency planning, and training. According to the plan, the last of these weaknesses is scheduled to be resolved in the first quarter of fiscal year 2014. In addition, IRS has developed metrics to measure success in complying with guides, policies, and standards in the areas of inventory management, configuration management, access authorizations, auditing, and change management. As long as these efforts remain flexible to address changing technology and evolving threats, include our findings and those of TIGTA in measuring success, and are fully and effectively implemented, they should improve the agency's overall information security posture. Although the agency has a framework in place for its comprehensive information security program, as demonstrated below, key components of IRS's program have not yet been fully implemented.

Although IRS Had Documented Risk Assessments, One Had Not Been Updated and Another Was Not Comprehensive:

According to the National Institute of Standards and Technology (NIST), risk is determined by identifying potential threats to the organization and vulnerabilities in its systems, determining the likelihood that a particular threat may exploit vulnerabilities, and assessing the resulting impact on the organization's mission, including the effect on sensitive and critical systems and data. Identifying and assessing information security risks are essential to determining what controls are required.
Moreover, by increasing awareness of risks, these assessments can generate support for the policies and controls that are adopted in order to help ensure that the policies and controls operate as intended. Consistent with NIST guidance, IRS requires its risk assessment process to detail the residual risk[Footnote 20] assessed, as well as potential threats, and to recommend corrective actions for reducing or eliminating the vulnerabilities identified. IRS policy also requires system risk assessments to be updated a minimum of every 3 years or whenever there is a significant change to the system, the facilities where the system resides, or other conditions that may affect the security or status of system accreditation. Although IRS had implemented a risk assessment process, which includes, among other things, threat and vulnerability identification, impact analysis, risk determination, and recommended corrective actions, certain risks may not have been identified. For the six systems that we reviewed, five of the risk assessments were up-to-date, documented, and formally approved by IRS management. However, IRS's general ledger system for tax-related activities was moved from one mainframe environment to another at a different facility; yet, the risk assessment had not been updated. Further, IRS's risk assessment of the mainframe environment supporting its general ledger for tax-related activities and tax processing applications was not comprehensive. Specifically, the assessment did not consider all potential threats and vulnerabilities for portions of the system; IRS considered the test and development environment of the system as out of scope although these portions could affect the system's security. As a result, potential risks to this system may not be fully known and associated controls may not be in place.
Policies and Procedures Were in Place, but Some Were Inconsistent and Others Lacked Specificity:

Another key element of an effective information security program is to develop, document, and implement risk-based policies, procedures, and technical standards that govern security over an agency's computing environment. If properly developed and implemented, policies and procedures should help reduce the risk associated with unauthorized access or disruption of services. In addition, technical security standards can provide consistent implementation guidance for each computing environment. Developing, documenting, and implementing security policies and standards are the primary mechanisms by which management communicates its views and requirements; these policies also serve as the basis for adopting specific procedures and technical controls. In addition, agencies need to take the actions necessary to effectively implement or execute these procedures and controls. Otherwise, agency systems and information will not receive the protection that the security policies and controls should provide. IRS had generally developed, documented, and approved information security policies and procedures, and had corrected a previously identified weakness by enhancing its policies and procedures related to password age and configuration settings to comply with federal guidance. However, some policies were inconsistent and some lacked specifics about administering, managing, and monitoring certain controls. For example, the agency's overall policy on password management requires that systems be configured such that passwords cannot be reused within 24 password changes; another policy specified 3 in one section and 10 in another. Inconsistent policies can lead to less stringent implementation of controls, such as those for password management. In addition, specific policy and procedures for a key access control were lacking.
Although IRS relies on system-managed storage[Footnote 21] as a key access control to prevent unauthorized access between logical partitions[Footnote 22] that have different mission support functions and different security requirements, the agency did not document in its policy or related procedures how this control environment should be administered, managed, and monitored. As a result, IRS does not have processes in place to verify that system-managed storage controls are implemented, administered, and monitored in a manner that provides necessary access controls. Further, in an August 2010 report,[Footnote 23] TIGTA reported that IRS had not documented all IT security roles and responsibilities in the Internal Revenue Manual and had not developed day-to-day IT security procedures and guidelines. Without having fully documented, approved, and implemented policies and procedures, IRS cannot ensure that its information security requirements are applied consistently across the agency.

Security Plans Were Documented, but One Plan Did Not Describe Controls in the Current Environment:

An objective of system security planning is to improve the protection of information technology resources. A system security plan provides an overview of the system's security requirements and describes the controls that are in place or planned to meet those requirements. OMB Circular A-130 requires that agencies develop system security plans for major applications and general support systems, and that these plans address policies and procedures for providing management, operational, and technical controls. Furthermore, IRS policy requires that security plans describing the security controls in place or planned for its information systems be developed, documented, implemented, reviewed annually, and updated a minimum of every 3 years or whenever there is a significant change to the system.
Although IRS documented its management, operational, and technical controls in system security plans for the six systems we reviewed, one plan did not reflect the current operating environment. IRS used OMB Circular A-130 as guidance to develop system security plans for the respective systems. In addition, IRS documented the review of its system security plans through certification and accreditation memos, which provide IRS with the authorization to operate systems. These memos were formally approved by key officials. Further, all the plans reviewed were within the 3-year time frame. However, one application's system security plan did not describe controls in place in the current environment. IRS had moved this application from one mainframe to another, but the plan still reflected controls from the previous environment. Without a specific and accurate security plan for this key financial system, IRS cannot ensure that appropriate controls are in place to protect the critical information this system stores.

Security Awareness and Specialized Training Was Provided to All Employees Reviewed:

Individuals can be one of the weakest links in securing systems and networks. Therefore, a very important component of an information security program is providing sufficient training so that users understand system security risks and their own role in implementing related policies and controls to mitigate those risks. IRS policy requires that personnel performing information technology security duties meet minimum continuing professional education hours in accordance with their roles. Individuals performing security roles are required by IRS to have 12, 8, or 4 hours of specialized training per year, depending on their specific role. IRS had processes in place for providing employees with security awareness and specialized training.
For the employees with specific security-related roles and the newly-hired employees that we reviewed, all met the required minimum security awareness and specialized training hours.

Tests and Evaluations of Policies, Procedures, and Controls Were Not Always Effective:

Another key element of an information security program is to test and evaluate policies, procedures, and controls to determine whether they are effective and operating as intended. This type of oversight is a fundamental element because it demonstrates management's commitment to the security program, reminds employees of their roles and responsibilities, and identifies and mitigates areas of noncompliance and ineffectiveness. Although control tests and evaluations may encourage compliance with security policies, the full benefits are not achieved unless the results improve the security program. FISMA requires that the frequency of tests and evaluations be based on risks and occur no less than annually. The Internal Revenue Manual also requires periodic testing and evaluation of the effectiveness of information security policies and procedures. Although IRS has processes in place intended to monitor, test, and evaluate its security policies and procedures, these processes were not always effective. For example, IRS did not:

* Detect many of the readily identifiable vulnerabilities we are reporting. We previously recommended that IRS expand the scope for testing and evaluating controls to ensure more comprehensive testing.

* Perform comprehensive testing within the past year for one of its key network components that it considered to be a high-risk system.

* Test application security over its general ledger system for tax-related activities in its current production environment. This general ledger system was moved from one mainframe environment to another at a different facility; yet, the test and evaluation had not been updated to reflect the current operating environment. We tested access controls in the current environment and identified weaknesses in the general ledger system's controls that compromised segregation of duties and jeopardized the integrity of the application's data.

* Comprehensively test security controls over the mainframe environment supporting its general ledger for tax-related activities and tax processing applications. For example, the test was limited to a portion of the operating environment and, therefore, did not test all of the relevant controls.

In addition, in an August 2010 report,[Footnote 24] TIGTA reported that IRS did not properly conduct compliance assessments to test the implementation of day-to-day IT procedures. Because of the lack of comprehensive testing, IRS may not be fully aware of vulnerabilities that could adversely affect critical applications and data.

Remedial Action Plans Were Complete, but Corrective Actions Were Not Fully Validated:

A remedial action plan is a key component of an agency's information security program as described in FISMA. Such a plan assists agencies in identifying, assessing, prioritizing, and monitoring progress in correcting security weaknesses that are found in information systems. In its annual FISMA guidance to agencies, OMB requires agency remedial action plans, also known as plans of action and milestones, to include the resources necessary to correct identified weaknesses. According to the Internal Revenue Manual, the agency should document weaknesses found during security assessments, as well as planned, implemented, and evaluated remedial actions to correct any deficiencies. IRS policy further requires that IRS track the resolution status of all weaknesses and verify that each weakness is corrected. IRS had a process in place for evaluating and tracking remedial actions.
The agency developed remedial action plans for the systems that we reviewed and implemented a remedial action process to address deficiencies in its information security policies, procedures, and practices. These plans documented weaknesses and included planned actions that were tracked by IRS. In addition, during fiscal year 2010, IRS made progress toward correcting previously reported information security weaknesses, correcting or mitigating 23 of the 88 previously identified weaknesses that were unresolved at the end of our prior audit.[Footnote 25] However, at the time of our review, 65 of 88--about 74 percent--of the previously reported weaknesses remained unresolved or unmitigated. According to IRS officials, the agency is continuing actions toward correcting or mitigating previously reported weaknesses. However, the agency's process for verifying whether an action had corrected or mitigated the weakness was not working as intended. The agency informed us that it had corrected 39 of the 88 previously reported weaknesses, but we determined that IRS had not fully implemented the remedial actions for 16 of the 39 weaknesses that it considered corrected. We previously recommended that IRS implement a revised verification process that ensures remedial actions are fully implemented. Until the agency takes additional steps to implement a more effective verification process, it will have limited assurance that weaknesses are being properly mitigated or corrected and that controls are operating effectively.

IRS Documented Contingency Plans for Major Systems and Made Efforts to Mitigate Previous Weaknesses:

Continuity of operations planning, which includes contingency planning, is critical to protecting sensitive information. To ensure that mission-critical operations continue, organizations should be able to detect, mitigate, and recover from service disruptions while preserving access to vital information.
Organizations should prepare plans that are clearly documented, communicated to staff who could be affected, and updated to reflect current operations. In addition, testing contingency plans is essential in determining whether the plans will function as intended in an emergency situation. FISMA requires that plans and procedures be in place to ensure continuity of operations for agency information systems. IRS policy states that individuals with responsibility for disaster recovery should be provided with copies of or access to agency disaster recovery plans. IRS had appropriately documented and communicated the four contingency plans we reviewed. In addition, IRS had resolved prior weaknesses by updating disaster recovery and business resumption plans to include UNIX and Windows mission-critical systems and ensuring the availability of a disaster recovery keystroke manual for its administrative accounting system.

Conclusions:

Although IRS continues to make progress in correcting or mitigating previously reported weaknesses, implementing controls over key financial systems, and developing and documenting a framework for its comprehensive information security program, information security weaknesses--both old and new--continue to jeopardize the confidentiality, integrity, and availability of IRS's systems. An underlying reason for the information security weaknesses in IRS's financial and tax processing systems is that it has not yet fully implemented key components of its comprehensive information security program.
The financial and taxpayer information on IRS systems will remain particularly vulnerable to insider threats until the agency (1) addresses newly identified and previously reported weaknesses pertaining to identification and authentication, authorization, cryptography, audit and monitoring, physical security, configuration management, and segregation of duties; and (2) fully implements key components of a comprehensive information security program that ensures risk assessments are conducted in the current operating environment; policies and procedures are appropriately specific and effectively implemented; security plans are written to reflect the current operating environment; processes intended to test, monitor, and evaluate internal controls are appropriately detecting vulnerabilities; comprehensive testing is conducted on key networks on an at least annual basis; and tests and evaluations are conducted in the current operating environment. Until IRS takes these further steps, financial and taxpayer information are at increased risk of unauthorized disclosure, modification, or destruction; financial data is at increased risk of errors that result in misstatement; and the agency's management decisions may be based on unreliable or inaccurate financial information. These weaknesses, considered collectively, were the basis of our determination that IRS had a material weakness in internal control over financial reporting related to information security in fiscal year 2010.

Recommendations for Executive Action:

In addition to implementing our previous recommendations, we are recommending that the Commissioner of Internal Revenue take the following eight actions to fully implement key components of the IRS comprehensive information security program:

* Update risk assessments whenever there is a significant change to the system, the facilities where the system resides, or other conditions that may affect the security or status of system accreditation.
* Update the risk assessment for the mainframe environment supporting the general ledger for tax-related activities and tax processing applications to include all portions of the environment that could affect security.

* Update policies and procedures pertaining to password controls to ensure they are consistent.

* Document and implement policy and procedures for how systems-managed storage as an access control mechanism should be administered, managed, and monitored.

* Update the application security plan to describe controls in place in its current mainframe operating environment.

* Perform comprehensive testing of the key network component considered to be a high-risk system, at least annually.

* Test the application security for the general ledger system for tax-related activities in its current operating environment.

* Perform comprehensive testing of security controls over the mainframe environment to include all portions of the operating environment.

We are also making 32 detailed recommendations in a separate report with limited distribution. These recommendations consist of actions to be taken to correct specific information security weaknesses related to identification and authentication, authorization, cryptography, audit and monitoring, physical security, configuration management, and segregation of duties identified during this audit.

Agency Comments:

In providing written comments (reprinted in app. II) on a draft of this report, the Commissioner of Internal Revenue stated that the security and privacy of taxpayer and financial information is of the utmost importance to the agency and that he appreciated that the draft report recognized the progress IRS has made in improving its information security program and that numerous initiatives are underway. He also noted that IRS is committed to securing its computer environment and will continually evaluate processes, promote user awareness, and apply innovative ideas to increase compliance.
The Commissioner stated that IRS is steadily progressing toward eliminating the material weakness in information security by establishing enterprise repeatable processes, which are overseen by an internal team that performs self-inspections, identifies and mitigates risk, and provides executive governance over corrective actions. Further, he stated that IRS will provide a detailed corrective action plan addressing each of our recommendations.

This report contains recommendations to you. As you know, 31 U.S.C. § 720 requires the head of a federal agency to submit a written statement of the actions taken on our recommendations to the Senate Committee on Homeland Security and Governmental Affairs and to the House Committee on Oversight and Government Reform not later than 60 days from the date of the report and to the House and Senate Committees on Appropriations with the agency's first request for appropriations made more than 60 days after the date of this report. Because agency personnel serve as the primary source of information on the status of recommendations, we request that the agency also provide us with a copy of the agency's statement of action to serve as preliminary information on the status of open recommendations.

We are sending copies of this report to interested congressional committees, the Secretary of the Treasury, and the Treasury Inspector General for Tax Administration. The report also is available at no charge on the GAO Web site at [hyperlink, http://www.gao.gov].

If you have any questions regarding this report, please contact Nancy R. Kingsbury at (202) 512-2700 or Gregory C. Wilshusen at (202) 512-6244. We can also be reached by e-mail at kingsburyn@gao.gov and wilshuseng@gao.gov. Contact points for our Office of Congressional Relations and Public Affairs may be found on the last page of this report. Key contributors to this report are listed in appendix III.

Sincerely yours,

Signed by:

Nancy R. Kingsbury:
Managing Director, Applied Research and Methods:

Signed by:

Gregory C. Wilshusen:
Director, Information Security Issues:

[End of section]

Appendix I: Objective, Scope, and Methodology:

The objective of our review was to determine whether controls over key financial and tax processing systems were effective in protecting the confidentiality, integrity, and availability of financial and sensitive taxpayer information at the Internal Revenue Service (IRS). To do this, we examined IRS information security policies, plans, and procedures; tested controls over key financial applications; and interviewed key agency officials in order to (1) assess the effectiveness of corrective actions taken by IRS to address weaknesses we previously reported[Footnote 26] and (2) determine whether any additional weaknesses existed. This work was performed in connection with our audit of IRS's fiscal year 2010 and 2009 financial statements for the purpose of supporting our opinion on internal control over the preparation of those statements. To determine whether controls over key financial and tax processing systems were effective, we considered the results of our evaluation of IRS's actions to mitigate previously reported weaknesses, and performed new audit work at the three enterprise computing centers located in Detroit, Michigan; Martinsburg, West Virginia; and Memphis, Tennessee, as well as an IRS facility in New Carrollton, Maryland. We concentrated our evaluation on threats emanating from sources internal to IRS's computer networks. Considering systems that directly or indirectly support the processing of material transactions that are reflected in the agency's financial statements, we focused on eight critical applications/systems as well as the general support systems.
Our evaluation was based on our Federal Information System Controls Audit Manual,[Footnote 27] which contains guidance for reviewing information system controls that affect the confidentiality, integrity, and availability of computerized information; National Institute of Standards and Technology guidance; and IRS policies and procedures. We evaluated controls by:

* reviewing the complexity and expiration of password settings to determine if password management had been enforced;

* analyzing users' system access to determine whether they had been granted more permissions than necessary to perform their assigned functions;

* reviewing configuration files for servers and network devices to determine if encryption was being used for transmitting data;

* assessing configuration settings to evaluate settings used to audit security-relevant events and discussing and observing monitoring efforts with IRS officials;

* observing and analyzing physical access controls to determine if computer facilities and resources had been protected;

* inspecting key servers to determine whether critical patches had been installed or software was up-to-date; and

* examining user access and responsibilities to determine whether incompatible functions had been segregated among different individuals.
Using the requirements in the Federal Information Security Management Act that establish elements for an effective agencywide information security program, we reviewed and evaluated IRS's implementation of its security program by:

* analyzing IRS's risk assessments for six IRS financial and tax processing systems that are key to supporting the agency's financial statements, to determine whether risks and threats had been documented;

* comparing IRS's policies, procedures, practices, and standards to actions taken by IRS personnel to determine whether sufficient guidance had been provided to personnel responsible for securing information and information systems;

* analyzing security plans for six systems to determine if management, operational, and technical controls had been documented and if security plans had been updated;

* verifying whether new employees had received system security orientation within the first 10 working days;

* verifying whether employees with security-related responsibilities had received specialized training within the year;

* analyzing test plans and test results for six IRS systems to determine whether management, operational, and technical controls had been tested at least annually;

* reviewing IRS's system remedial action plans to determine if they were complete;

* reviewing IRS's actions to correct weaknesses to determine if they had effectively mitigated or resolved the vulnerability or control deficiency;

* reviewing system backup and recovery procedures to determine if they had adequately provided for recovery and reconstitution to the system's original state after a disruption or failure; and

* examining contingency plans for six IRS systems to determine whether those plans had been tested or updated.
In addition, we discussed with management officials and key security representatives, such as those from IRS's Computer Security Incident Response Center and Office of Cybersecurity, as well as the three computing centers, whether information security controls were in place, adequately designed, and operating effectively.

[End of section]

Appendix II: Comments from the Internal Revenue Service:

Department Of The Treasury:
Internal Revenue Service:
Commissioner:
Washington, D.C. 20224:

March 1, 2011:

Mr. Gregory C. Wilshusen:
Director, Information Security Issues:
U.S. Government Accountability Office:
441 G Street, N.W.
Washington, DC 20548:

Dear Mr. Wilshusen:

Thank you for the opportunity to comment on the draft report, Information Security: IRS Needs to Enhance Internal Control Over Financial Reporting and Taxpayer Data (GAO-11-308). We appreciate that your draft report recognizes the progress that the Internal Revenue Service has made to improve our information security program and that numerous initiatives are underway. The security and privacy of all taxpayer and financial information is of utmost importance to us, and the integrity of our financial systems continues to be sound. We are committed to securing our computer environment as we continually evaluate processes, promote user awareness, and apply innovative ideas to increase compliance.

The IRS has established enterprise repeatable processes which are overseen by an internal team that performs self-inspections, identifies and mitigates risks, and provides executive governance over the corrective actions to this material weakness. The combination of all of these actions makes us confident that we are steadily progressing toward eliminating this issue as a material weakness. We appreciate your continued support and guidance as we work to improve our security posture and look forward to working with you to develop appropriate measures.

We will provide the detailed corrective action plan addressing each of the recommendations with our response to the final report. If you have any questions or would like to discuss our response in further detail, please contact Terence V. Milholland, Chief Technology Officer, at (202) 622-6800.

Sincerely,

Signed by:

Douglas H. Shulman:

[End of section]

Appendix III: GAO Contacts and Staff Acknowledgments:

GAO Contacts:

Nancy R. Kingsbury (202) 512-2700 or kingsburyn@gao.gov
Gregory C. Wilshusen (202) 512-6244 or wilshuseng@gao.gov:

Staff Acknowledgments:

In addition to the individuals named above, David Hayes (assistant director), Jeffrey Knott (assistant director), Angela Bell, Mark Canter, Sharhonda Deloach, Nancy Glover, Nicole Jarvis, George Kovachick, Sylvia Shanks, Eugene Stevens, Michael Stevens, and Daniel Swartz made key contributions to this report.

[End of section]

Footnotes:

[1] Information security controls include logical and physical access controls, configuration management, segregation of duties, and continuity of operations. These controls are designed to ensure that access to data is appropriately restricted, physical access to sensitive computing resources and facilities is protected, only authorized changes to computer programs are made, incompatible duties are segregated among individuals, and back-up and recovery plans are adequate and tested to ensure the continuity of essential operations.

[2] GAO, Financial Audit: IRS's Fiscal Years 2010 and 2009 Financial Statements, [hyperlink, http://www.gao.gov/products/GAO-11-142] (Washington, D.C.: Nov. 10, 2010).

[3] Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations, and management's system for measuring, reporting, and monitoring program performance.
[4] A material weakness is a deficiency, or a combination of deficiencies, in internal controls such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented or detected and corrected on a timely basis.

[5] The CERT® Coordination Center is a center of Internet security expertise located at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University.

[6] U.S. Secret Service and Computer Emergency Response Team, Insider Threat Study: Illicit Cyber Activity in the Government Sector (Washington, D.C., and Pittsburgh, Pa.: January 2008).

[7] GAO, High-Risk Series: Information Management and Technology, [hyperlink, http://www.gao.gov/products/GAO/HR-97-9] (Washington, D.C.: February 1997) and High-Risk Series: An Update, [hyperlink, http://www.gao.gov/products/GAO-11-278] (Washington, D.C.: February 2011).

[8] See 31 U.S.C. § 3511.

[9] GAO, Standards for Internal Control in the Federal Government, [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] (Washington, D.C.: November 1999).

[10] FISMA was enacted as title III, E-Government Act of 2002, Pub. L. No. 107-347, Dec. 17, 2002.

[11] TIGTA, Management and Performance Challenges Facing the Internal Revenue Service for Fiscal Year 2011 (Washington, D.C.: October 2010).

[12] In a separate report with limited distribution, we provide the status of each of the 88 previously reported weaknesses.

[13] This number includes 29 specific technical weaknesses and 8 weaknesses associated with IRS's comprehensive information security program.

[14] [hyperlink, http://www.gao.gov/products/GAO-11-142].

[15] As noted later in this report, IRS policy regarding this password control is inconsistent.

[16] Network devices include routers, switches, and firewalls.

[17] According to Oracle, a package is an encapsulated collection of related program objects stored together in the database. Program objects are procedures, functions, variables, constants, cursors, and exceptions.

[18] Security event auditing is used to log authentication events.

[19] System privilege auditing logs the use of powerful system privileges that enable corresponding actions. Privilege auditing can be set to log a selected user or every user in the database.

[20] Residual risk is the risk remaining after the implementation of new or enhanced controls.

[21] According to IBM, system-managed storage allows the operating system to take over many storage management tasks that had previously been performed manually.

[22] According to IBM, logical partitioning provides users the ability to divide a single server into several independent systems. Each partition is capable of running one or more applications in an independent environment with its own set of operational attributes.

[23] TIGTA, More Actions Are Needed to Correct the Security Roles and Responsibilities Portion of the Computer Security Material Weakness, 2010-20-084 (Washington, D.C.: Aug. 26, 2010).

[24] TIGTA, 2010-20-084.

[25] GAO, Information Security: IRS Needs to Continue to Address Significant Weaknesses, [hyperlink, http://www.gao.gov/products/GAO-10-355] (Washington, D.C.: Mar. 19, 2010) and Information Security: Significant Weaknesses at IRS Continue to Jeopardize Financial and Taxpayer Data, [hyperlink, http://www.gao.gov/products/GAO-10-300SU] (Washington, D.C.: Mar. 19, 2010).

[26] We examined corrective actions for weaknesses IRS reported as having been corrected as of April 30, 2010.

[27] GAO, Federal Information System Controls Audit Manual, [hyperlink, http://www.gao.gov/products/GAO-09-232G] (Washington, D.C.: February 2009).
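The two database auditing features defined in footnotes 18 and 19, shown as an added configuration example that is not part of the GAO report or of IRS's configuration: the statements below enable Oracle security event auditing (logons) and system privilege auditing, both for every user and for one selected user, and then query the data-dictionary views an auditor checks to confirm the settings took effect. Assumptions, also marked in the comments: Oracle's traditional (non-unified) auditing with the AUDIT_TRAIL initialization parameter already set, and a hypothetical account name APP_DBA.

```sql
-- Added example, not from the GAO report. Assumes Oracle traditional auditing and
-- that AUDIT_TRAIL is already DB, DB,EXTENDED or OS and the instance was restarted;
-- if it is NONE, the AUDIT statements are accepted but nothing is ever recorded.
-- APP_DBA is a hypothetical account name used only for illustration.

-- Security event auditing (footnote 18): record every logon attempt,
-- successful or failed, for all users.
AUDIT CREATE SESSION BY ACCESS;

-- System privilege auditing for every user (footnote 19): each use of a
-- privilege that bypasses object-level grants or changes who can log in.
AUDIT SELECT ANY TABLE, UPDATE ANY TABLE, DELETE ANY TABLE BY ACCESS;
AUDIT CREATE USER, ALTER USER, DROP USER BY ACCESS;
AUDIT GRANT ANY PRIVILEGE, GRANT ANY ROLE BY ACCESS;

-- System privilege auditing limited to one selected user (footnote 19).
AUDIT ALTER SYSTEM BY APP_DBA BY ACCESS;

-- Verification: privilege audit options in force. USER_NAME is NULL for
-- options that apply to every user; SUCCESS/FAILURE show BY ACCESS or BY SESSION.
SELECT user_name, privilege, success, failure
  FROM dba_priv_audit_opts
 ORDER BY user_name NULLS FIRST, privilege;

-- Verification: statement audit options (CREATE SESSION is listed here).
SELECT user_name, audit_option, success, failure
  FROM dba_stmt_audit_opts
 ORDER BY user_name NULLS FIRST, audit_option;

-- Verification: recent logon records in the audit trail, including failures
-- (RETURNCODE <> 0), which is what a review of footnote 18's control looks for.
SELECT username, os_username, userhost, action_name, returncode, timestamp
  FROM dba_audit_trail
 WHERE action_name IN ('LOGON', 'LOGOFF')
 ORDER BY timestamp DESC;
```

An auditor's check is that the expected rows appear in the two options views and that the trail actually fills with logon records after the change.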
[End of section]

GAO's Mission:

The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony:

The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates."

Order by Phone:

The price of each GAO publication reflects GAO's actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO's Web site, [hyperlink, http://www.gao.gov/ordering.htm].

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537.

Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information.

To Report Fraud, Waste, and Abuse in Federal Programs:

Contact:

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: fraudnet@gao.gov:
Automated answering system: (800) 424-5454 or (202) 512-7470:

Congressional Relations:

Ralph Dawn, Managing Director, dawnr@gao.gov:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, D.C. 20548:

Public Affairs:

Chuck Young, Managing Director, youngc1@gao.gov:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548: