The report, released late last week, delivers a rather scathing assessment of an attempt by the IRS to improve the security of its IT system, reporting that the agency's system "remains unnecessarily vulnerable" and puts taxpayer information at risk, particularly to insider threats.
Sixty-one of the 89 security weaknesses and deficiencies that the GAO identified during its fiscal year 2008 audit, or 69 percent, remain unresolved, according to the report, which depicts the IRS' attitude toward security as rather blasé.
"Information security weaknesses -- both old and new -- continue to impair the agency's ability to ensure the confidentiality, integrity, and availability of financial and taxpayer information," the GAO said.
The main reason the IRS's IT security falls short, the GAO said, is that the agency has no comprehensive security management system in place. Nor has it implemented appropriate access controls for sensitive information.
Specifically, the IRS continues to use weak passwords, fails to remove the accounts of employees who no longer work for the agency, and grants agency personnel excessive file and directory permissions, according to the report.
The agency also allows user and administrator login credentials to be transmitted without encryption, fails to install patches in a timely manner, and does not effectively verify that even the most basic security actions have been completed. Moreover, it does not always review its risk assessments annually, the GAO concluded.
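Three of the findings above (accounts left enabled after an employee leaves, excessive file permissions, and late patching) are things an agency can check for itself with a routine audit. The following is an added example written for this page, not code from the GAO report or the IRS; every input line (the separated-employee roster, the account list, the directory listing and the patch inventory) is constructed for illustration, and the thresholds of 90 idle days and a 30-day patch window are assumed policy values, not anything the report specifies.

```python
"""Added example: audit checks for stale accounts, excessive permissions and
overdue patches. All input data below is constructed; none of it is IRS data."""

from datetime import date


# --- Constructed input (assumptions, not data from the report) ---------------

# HR roster of people who have left the agency.
SEPARATED_EMPLOYEES = {"former1", "former2"}

# Account records in a lastlog-like "user:state:last_login" form.
ACCOUNT_LINES = [
    "jdoe:enabled:2009-03-01",
    "former1:enabled:2008-11-14",   # left the agency, account still enabled
    "former2:disabled:2008-06-02",  # left, correctly disabled
    "svcbatch:enabled:2008-01-09",  # dormant service account
]

# `ls -l` style listing of a directory holding sensitive data.
LS_LINES = [
    "-rw-r----- 1 app  app   40960 Mar  3 returns.db",
    "-rw-rw-rw- 1 app  app    2048 Mar  3 export.csv",   # world-writable
    "-rwxr-x--- 1 root root   1200 Feb 10 nightly.sh",
    "drwxrwxrwx 2 app  app    4096 Jan 30 tmp",          # world-writable dir
]

# Patch inventory: release date and the date it was installed (None = not yet).
PATCHES = [
    {"id": "patch-1", "released": date(2009, 1, 5), "installed": date(2009, 1, 20)},
    {"id": "patch-2", "released": date(2009, 1, 5), "installed": None},
    {"id": "patch-3", "released": date(2009, 2, 20), "installed": None},
]


# --- Checks -----------------------------------------------------------------

def orphaned_or_stale_accounts(lines, separated, as_of, max_idle_days=90):
    """Return (user, reason) for enabled accounts that belong to separated
    staff or that have not been used within max_idle_days."""
    flagged = []
    for line in lines:
        user, state, last_login = line.split(":")
        if state != "enabled":
            continue
        idle_days = (as_of - date.fromisoformat(last_login)).days
        if user in separated:
            flagged.append((user, "separated employee still enabled"))
        elif idle_days > max_idle_days:
            flagged.append((user, f"no login for {idle_days} days"))
    return flagged


def parse_mode(perm):
    """Turn an rwx string such as 'rw-r-----' into an octal permission value (0o640)."""
    bits = 0
    for ch in perm:
        bits = (bits << 1) | (0 if ch == "-" else 1)
    return bits


def excessive_permissions(ls_lines, forbidden=0o027):
    """Return (name, mode) for entries that grant group-write or any access
    to 'other'; `forbidden` is the set of mode bits policy disallows."""
    flagged = []
    for line in ls_lines:
        fields = line.split()
        perm, name = fields[0][1:], fields[-1]   # drop the type character
        mode = parse_mode(perm)
        if mode & forbidden:
            flagged.append((name, f"{mode:04o}"))
    return flagged


def overdue_patches(patches, as_of, max_days=30):
    """Return ids of patches not installed within max_days of release.
    A patch that is still uninstalled is measured up to `as_of`."""
    overdue = []
    for p in patches:
        applied = p["installed"] or as_of
        if (applied - p["released"]).days > max_days:
            overdue.append(p["id"])
    return overdue


def run_audit(as_of=date(2009, 3, 15)):
    """Run all three checks against the constructed data and return the findings."""
    return {
        "accounts": orphaned_or_stale_accounts(ACCOUNT_LINES, SEPARATED_EMPLOYEES, as_of),
        "permissions": excessive_permissions(LS_LINES),
        "patches": overdue_patches(PATCHES, as_of),
    }


if __name__ == "__main__":
    for check, findings in run_audit().items():
        print(check, findings)
```

On real systems the three inputs would come from the HR system, from `lastlog` or the directory service, from a filesystem walk and from the patch management console; the point of the example is that each of the findings quoted above reduces to a mechanical comparison that can run on a schedule, which is exactly the "verify that basic security actions are complete" step the report says the agency skips.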
Despite its overall negative evaluation, there were some bright spots in the report.
The IRS has corrected 28 of the 89 IT security weaknesses identified in the 2008 audit, including changing vendor-supplied default user accounts and passwords and no longer storing clear-text passwords in scripts.
The agency also has enhanced policies and procedures for configuring mainframe operations and established an alternate processing site for its procurement system, according to the report.
Still, these efforts are not enough to produce a secure system, the GAO said, and the report lays out recommendations for improving the situation.
The IRS should develop policies and procedures for network security, including better intrusion detection, and train contract workers on security awareness within their first 10 working days, according to the report.
Additionally, the agency should more carefully document and review the results of testing and evaluating controls, and implement an effective disaster recovery plan, the report says.