Grant Gross
Senior Writer

Report: IRS information security still poor

Jan 8, 2008

The latest GAO report shows that the IRS still has pervasive information security issues that place it at risk for fraud or the disclosure of sensitive information

The IRS continues to have “pervasive” information security weaknesses that put taxpayer information at risk, and it has made limited progress in fixing dozens of problems the U.S. Government Accountability Office (GAO) has previously identified, according to a GAO report released Tuesday.

The IRS, the tax-collecting arm of the U.S. government, has “persistent information security weaknesses that place [it] at risk of disruption, fraud or inappropriate disclosure of sensitive information,” the GAO report said. The agency, which collected about $2.7 trillion in taxes in 2007, has fixed just 29 of 98 information security weaknesses identified in a report released last March, the new report said.

“Information security weaknesses — both old and new — continue to impair the agency’s ability to ensure the confidentiality, integrity and availability of financial and taxpayer information,” the GAO report said. “These deficiencies represent a material weakness in IRS’s internal controls over its financial and tax processing systems.”

The GAO has issued multiple reports blasting IRS information security in recent years.

The latest report described an IRS data center that took more than four months to install critical patches to server software.

At one IRS data center, about 60 employees had access to commands that would allow them to make “significant” changes to the operating system, the GAO said. At two data centers, administrator access to a key application contained unencrypted data log-ins, potentially revealing users’ names and passwords.

Three IRS sites visited by GAO auditors had computers or servers with poor password controls, the GAO said. Inactive user accounts were not deleted within six months, in violation of IRS policy, and some user passwords on Unix systems did not meet length or complexity requirements.

The IRS also had lax physical security controls in place for protecting IT facilities, the GAO report said. One data center allowed at least 17 workers access to sensitive areas when their jobs didn’t require it, the GAO said. That same center did not always remove physical access authorizations from workers who no longer needed it. In March, that data center had identified 54 employees who no longer needed access, but in June, 29 of those employees still had access to the sensitive areas.

Linda Stiff, the IRS acting commissioner, said the agency made significant progress in fixing information security problems during 2007. The agency completed security testing on 260 applications and systems, installed disk encryption software on all of its 52,000 laptop computers and implemented data encryption for mainframe tapes, she wrote in a letter to the GAO.

A U.S. Department of Treasury audit, released in March, found that between January 2003 and June 2006, nearly 500 IRS laptops were stolen from employees.

In 2007, the IRS issued cable locks to all employees with laptops, implemented two-factor authentication for remote access to IRS networks, and put in place an antivirus Internet gateway system, Stiff’s letter to the GAO said.

“While we agree that we have not yet fully implemented critical elements of our agency-wide information security program, the security and privacy of taxpayer information is of great concern to the IRS,” Stiff wrote. “We recognize that there is significant work to be accomplished to address our information security deficiencies, and we are taking aggressive steps to correct previously reported weaknesses and improve our overall information security program.”

An IRS spokeswoman said the agency would not comment beyond Stiff’s letter.

Grant Gross, a senior writer at CIO, is a long-time IT journalist who has focused on AI, enterprise technology, and tech policy. He previously served as Washington, D.C., correspondent and later senior editor at IDG News Service. Earlier in his career, he was managing editor at Linux.com and news editor at tech careers site Techies.com. As a tech policy expert, he has appeared on C-SPAN and the giant NTN24 Spanish-language cable news network. In the distant past, he worked as a reporter and editor at newspapers in Minnesota and the Dakotas. A finalist for Best Range of Work by a Single Author for both the Eddie Awards and the Neal Awards, Grant was recently recognized with an ASBPE Regional Silver award for his article “Agentic AI: Decisive, operational AI arrives in business.”