DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

GAO: IRS Needs to Continue Improving Controls over Financial and Taxpayer Data

Posted on March 20, 2015 by Dissent

What GAO found in its new report on Information Security and the IRS:

The Internal Revenue Service (IRS) made progress in implementing information security controls; however, weaknesses limit their effectiveness in protecting the confidentiality, integrity and availability of financial and sensitive taxpayer data. During fiscal year 2014, IRS continued to devote attention to securing its information systems that process sensitive taxpayer and financial information. Key among its actions were improving the security over the software that manages changes to its mainframe environment and upgrading secure communications enterprise-wide for sensitive data. However, significant control deficiencies existed. For example, IRS did not install appropriate security updates on all of its databases and servers, and did not sufficiently monitor control activities that support its financial reporting. In addition, IRS did not effectively maintain the secure configuration of a key application, or appropriately segregate duties by allowing a developer unnecessary access to the application.

An underlying reason for these weaknesses is that IRS has not effectively implemented elements of its information security program. The agency had a comprehensive framework for its program, such as assessing risk for its systems, developing security plans, and providing employees with security awareness and specialized training. However, aspects of its program were not yet effectively implemented. For example, IRS’s testing methodology did not always determine whether required controls were operating effectively; consequently, GAO continued to identify control weaknesses that had not been detected by IRS. Also, IRS had not updated key mainframe policies and procedures to address issues such as comprehensively auditing and monitoring of access, thereby increasing the risk of unauthorized access to tax processing systems not being detected. In addition, IRS did not reassess controls for a key system after significant changes had been made in the operating environment. Further, IRS had not ensured that many of its corrective actions to address previously identified deficiencies were effective. For example, of 69 previously reported weaknesses that remained unresolved at the end of GAO’s last audit, IRS indicated it had implemented corrective actions for 24 of them; however, GAO determined that 10 of the 24 weaknesses had not been fully resolved.

Until IRS takes additional steps to (1) address unresolved and newly identified control deficiencies and (2) effectively implements elements of its information security program, including, among other things, updating policies, test and evaluation procedures, and remedial action procedures, its financial and taxpayer data will remain unnecessarily vulnerable to inappropriate and undetected use, modification, or disclosure. These shortcomings were the basis for GAO’s determination that IRS had a significant deficiency in internal control over financial reporting systems for fiscal year 2014.

Read the full report:

INFORMATION SECURITY: IRS Needs to Continue Improving Controls over Financial and Taxpayer Data. GAO-15-337: Published: Mar 19, 2015.

No related posts.

Category: Commentaries and AnalysesGovernment Sector

Post navigation

← Credit card data breach at LAX
British Judo in deep shido after cyber attack →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Russia Jailed Hacker Who Worked for Ukrainian Intelligence to Launch Cyberattacks on Critical Infrastructure
  • Kentfield Hospital victim of cyberattack by World Leaks, patient data involved
  • India’s Max Financial says hacker accessed customer data from its insurance unit
  • Brazil’s central bank service provider hacked, $140M stolen
  • Iranian and Pro-Regime Cyberattacks Against Americans (2011-Present)
  • Nigerian National Pleads Guilty to International Fraud Scheme that Defrauded Elderly U.S. Victims
  • Nova Scotia Power Data Breach Exposed Information of 280,000 Customers
  • No need to hack when it’s leaking: Brandt Kettwick Defense edition
  • SK Telecom to be fined for late data breach report, ordered to waive cancellation fees, criminal investigation into them launched
  • Louis Vuitton Korea suffers cyberattack as customer data leaked

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • On July 7, Gemini AI will access your WhatsApp and more. Learn how to disable it on Android.
  • German court awards Facebook user €5,000 for data protection violations
  • Record-Breaking $1.55M CCPA Settlement Against Health Information Website Publisher
  • Ninth Circuit Reviews Website Tracking Class Actions and the Reach of California’s Privacy Law
  • US healthcare offshoring: Navigating patient data privacy laws and regulations
  • Data breach reveals Catwatchful ‘stalkerware’ is spying on thousands of phones
  • Google Trackers: What You Can Actually Escape And What You Can’t

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.