GAO: Sensitive Taxpayer Data At Risk - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


GAO: Sensitive Taxpayer Data At Risk

Despite some improvements, the IRS needs to do much more to secure its IT systems, congressional auditors say.

Taxpayer information housed on Internal Revenue Service computers remains at risk of being exposed because of information security control weaknesses, according to a Government Accountability Office report issued Friday.

"These weaknesses increase the risk that sensitive financial and taxpayer data will be inadequately protected against disclosure, modification, or loss, possibly without detection, and place IRS operations at risk of disruption," wrote GAO information security issues director Gregory Wilshusen and chief technologist Keith A. Rhodes in a 33-page report to IRS Commissioner Mark Everson, who didn't challenge the findings.

GAO, the auditing arm of Congress, examined IRS's fiscal 2005 financial statements, assessing the agency's progress in correcting previously reported information security weaknesses at two sites and determining if controls over key financial and tax processing systems at those facilities effectively ensures the confidentiality, integrity, and availability of sensitive taxpayer data.

The GAO noted some progress, but the IRS has failed to fix 40 previously reported flaws discovered in its IT security. Plus, the GAO identified new information security control weaknesses.

For example, the IRS hasn't instituted effective electronic access controls related to network management, user accounts and passwords, user rights and file permissions, and logging and monitoring of security-related events, the Congressional auditors said. Also, the tax agency hasn't effectively implemented other information security controls to physically secure computer resources and to prevent exploitation of vulnerabilities and unauthorized changes to system software.

"Until [the] IRS fully implements a comprehensive agencywide information security program," the GAO report states, "its facilities and computing resources and the information that is processed, stored, and transmitted on its systems will remain vulnerable."

Everson assured the GAO that the IRS is pursuing an agencywide approach to address the root cause of the weaknesses, adding that many weaknesses have been corrected and additional controls have been implemented. He characterized the IRS efforts to fix security flaws as aggressive, noting that agency is developing security plans, security documentation, and security testing.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

New Storage Trends Promise to Help Enterprises Handle a Data Avalanche
John Edwards, Technology Journalist & Author,  4/1/2021
11 Things IT Professionals Wish They Knew Earlier in Their Careers
Lisa Morgan, Freelance Writer,  4/6/2021
How to Submit a Column to InformationWeek
InformationWeek Staff 4/9/2021
White Papers
Register for InformationWeek Newsletters
The State of Cloud Computing - Fall 2020
The State of Cloud Computing - Fall 2020
Download this report to compare how cloud usage and spending patterns have changed in 2020, and how respondents think they'll evolve over the next two years.
Current Issue
Successful Strategies for Digital Transformation
Download this report to learn about the latest technologies and best practices or ensuring a successful transition from outdated business transformation tactics.
Flash Poll