In a study (PDF) issued last week, the Government Accountability Office states that the IRS has corrected less than one-third of the 89 security weaknesses identified in its audit of the tax agency last year.
"While IRS has corrected 28 control weaknesses and program deficiencies, 61 of them -- or about 69 percent -- remain unresolved or unmitigated," the report states. "For example, IRS continued to install patches in an untimely manner and used passwords that were not complex. In addition, IRS did not always verify that remedial actions were implemented, or effectively mitigate the security weaknesses."
Weaknesses in IRS systems "continue to jeopardize the confidentiality, integrity, and availability of financial and sensitive taxpayer information," the GAO says. "IRS did not consistently implement controls that were intended to prevent, limit, and detect unauthorized access to its systems and information.
"For example," the report continues, "IRS did not always (1) enforce strong password management for properly identifying and authenticating users; (2) authorize user access to permit only the access needed to perform job functions; (3) log and monitor security events on a key system; and (4) physically protect its computer resources."
A key reason for the slow resolution of the vulnerabilities is that the IRS has not yet fully implemented its agencywide IT security program to ensure controls are appropriately designed and operating effectively, the GAO says. The agency hasn't been conducting annual reviews of risk assessments, for example, and it hasn't been checking to ensure contractors received security awareness training.
"Until these control weaknesses and program deficiencies are corrected, the agency remains unnecessarily vulnerable to insider threats related to the unauthorized access to and disclosure, modification, or destruction of financial and taxpayer information, as well as the disruption of system operations and services," the report says.
The IRS permitted "excessive access" to systems and files by granting rights and permissions that gave users more access than they needed to perform their assigned functions, the GAO states.
"For example, about 120 IRS employees had access to key documents, including cost data for input to its administrative accounting system and a critical process-control spreadsheet used in IRS's cost allocation process," the report says. "However, fewer than 10 employees needed this access to perform their jobs."
The IRS also configured 18 of its routers with a protocol that transmits authentication credentials in plain text, so anyone able to observe traffic on the network path can capture router logins, and the agency did not always effectively log and monitor security events, the GAO says. Outdated and unsupported applications running on IRS systems could also put taxpayer data at risk, according to the report.
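The report does not name the protocol found on the 18 routers, so the following is an added example (not from the GAO report or the IRS) of the kind of configuration check an auditor would run to catch such a finding. It assumes a Cisco-IOS-style configuration and treats Telnet on VTY lines, unencrypted HTTP management, SNMPv1/v2c community strings and a reversible `enable password` as representative plain-text-authentication settings; the two sample configurations are constructed for illustration, and the hostnames and passwords in them are placeholders.

```python
"""Flag router configuration lines that enable plain-text authentication.

Added example, not code from the page or the GAO audit. Assumptions: IOS-style
syntax; Telnet, HTTP, SNMPv1/v2c and 'enable password' stand in for the
unnamed protocol in the report.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line number in the config
    line: str      # the offending line, whitespace stripped
    reason: str    # why the line exposes credentials in clear text


def _transport_allows_telnet(line: str) -> bool:
    # "transport input telnet", "transport input all" and
    # "transport input telnet ssh" all accept Telnet; only "ssh" or "none" is safe.
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] != "transport" or tokens[1] != "input":
        return False
    return any(t in ("telnet", "all") for t in tokens[2:])


# (predicate, reason) pairs; the first matching rule wins for a line.
CLEARTEXT_RULES = [
    (_transport_allows_telnet,
     "Telnet accepted on this line: login credentials cross the network in clear text"),
    (lambda line: line == "ip http server",
     "HTTP (not HTTPS) management enabled: web login credentials are sent unencrypted"),
    (lambda line: line.startswith("snmp-server community "),
     "SNMPv1/v2c community string: authentication is a cleartext shared secret"),
    (lambda line: line.startswith("enable password "),
     "'enable password' stores the privileged password reversibly; use 'enable secret'"),
]


def audit_config(config_text: str) -> list[Finding]:
    """Return one Finding per configuration line that enables plain-text auth."""
    findings = []
    for n, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # skip blank lines and IOS comment lines
        for predicate, reason in CLEARTEXT_RULES:
            if predicate(line):
                findings.append(Finding(n, line, reason))
                break
    return findings


# Constructed sample: the weak configuration an auditor might find.
WEAK_CONFIG = """\
! constructed sample, not a real device
hostname edge-rtr-01
enable password Summer2008
snmp-server community public RO
ip http server
line vty 0 4
 login local
 transport input telnet ssh
"""

# Constructed sample: the same device with cleartext protocols removed.
HARDENED_CONFIG = """\
! constructed sample, not a real device
hostname edge-rtr-01
enable secret 5 $1$abcd$placeholderhashvalue
no ip http server
ip http secure-server
snmp-server group monitor v3 priv
snmp-server user nms-poller monitor v3 auth sha AuthPassw0rd priv aes 128 PrivPassw0rd
line vty 0 4
 login local
 transport input ssh
"""


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for f in audit_config(cfg):
            print(f"  line {f.line_no}: {f.line}\n    {f.reason}")
```

Run over a directory of exported `show running-config` files, the same loop gives a per-device count of cleartext-authentication settings, which is the form of evidence needed both to size a finding like the report's "18 routers" and to verify later that the remediation actually landed rather than, as the report notes, assuming it did.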
The IRS says it is developing a comprehensive plan that will address all of the vulnerabilities identified in the GAO report.