Weaknesses remain in the Internal Revenue Service information security systems that contain sensitive taxpayer information, according to a new report.
While the IRS has made strides toward improving its information security and financial reporting controls, the agency still needs to make more improvements, the Government Accountability Office revealed this week.
“Specifically, the agency had not always (1) installed appropriate patches on all databases and servers to protect against known vulnerabilities, (2) sufficiently monitored database and mainframe controls, or (3) appropriately restricted access to its mainframe environment,” the GAO report, which was conducted from April 2013 to April 2014 and released Tuesday, reads.
“In addition, IRS had allowed individuals to make changes to mainframe data processing without requiring them to follow established change control procedures to ensure changes were authorized, and did not configure all applications to use strong encryption for authentication, increasing the potential for unauthorized access,” it adds.
According to the government body, a central reason financial and taxpayer data remain at risk and vulnerable is that the IRS has not “effectively implemented” aspects of its information security program.
“The agency has established a comprehensive framework for the program, and continued to improve its controls; however, components of the program did not always function as intended,” GAO noted.
It further said that the IRS’s controls on financial reporting systems were not thoroughly tested, that policies addressing different users accessing data in different places had not been updated, and that the agency had not incorporated enough detail in its authorization procedures to prevent unauthorized access.
GAO recommended the IRS take three actions to improve its information security and, in a separate report with limited distribution, recommended 23 specific actions to thoroughly address the security concerns.
“Until IRS takes additional steps to (1) more effectively implement its testing and monitoring capabilities, (2) ensure that policies and procedures are updated, and (3) address unresolved and newly identified control deficiencies, its financial and taxpayer data will remain vulnerable to inappropriate and undetected use, modification, or disclosure,” the report reads.
GAO explained that the 23 separate recommendations dealt with “specific information security weaknesses related to identification and authentication, authorization, cryptography, and configuration management.”
According to GAO, the IRS has agreed to develop a plan to address the recommendations.