DataBreaches.Net


IRS Needs to Further Improve Controls over Financial and Taxpayer Data: GAO

Posted on March 29, 2016 by Dissent

The highlights of a new GAO report on the IRS:

The Internal Revenue Service (IRS) made progress in implementing information security controls; however, weaknesses in the controls limited their effectiveness in protecting the confidentiality, integrity, and availability of financial and sensitive taxpayer data. During fiscal year 2015, IRS continued to devote attention to securing its information systems that process sensitive taxpayer and financial information. Key among its actions were further restricting access privileges on key financial applications and continuing its migration to multifactor authentication across the agency. However, significant control deficiencies remained. For example, the agency had not always (1) implemented controls for identifying and authenticating users, such as applying proper password settings; (2) appropriately restricted access to servers; (3) ensured that sensitive user authentication data were encrypted; (4) audited and monitored systems to ensure compliance with agency policies; and (5) ensured access to restricted areas was appropriate. In addition, unpatched and outdated software exposed IRS to known vulnerabilities.

An underlying reason for these weaknesses is that IRS has not effectively implemented elements of its information security program. The agency had a comprehensive framework for its program, such as assessing risk for its systems, developing security plans, and providing employees with security awareness and specialized training. However, aspects of its program had not yet been effectively implemented. For example, IRS had not updated key mainframe policies and procedures to address issues such as comprehensively auditing and monitoring access. In addition, IRS did not include sufficient detail in its authorization procedures to ensure that access to systems was appropriate. Further, IRS had not ensured that many of its corrective actions to address previously identified deficiencies were effective. For example, for the 28 prior recommendations that IRS informed us that it had addressed, 9 of the associated weaknesses had not been effectively corrected.

Until IRS takes additional steps to (1) address unresolved and newly identified control deficiencies and (2) effectively implement elements of its information security program, including, among other things, updating policies, test and evaluation procedures, and remedial action procedures, its financial and taxpayer data will remain unnecessarily vulnerable to inappropriate and undetected use, modification, or disclosure. These shortcomings were the basis for GAO’s determination that IRS had a significant deficiency in internal control over financial reporting systems for fiscal year 2015.

Why GAO Did This Study

The IRS has a demanding responsibility in collecting taxes, processing tax returns, and enforcing the nation’s tax laws. It relies extensively on computerized systems to support its financial and mission-related operations and on information security controls to protect the financial and sensitive taxpayer data that resides on those systems.

As part of its audit of IRS’s fiscal year 2015 and 2014 financial statements, GAO assessed whether controls over key financial and tax processing systems were effective in ensuring the confidentiality, integrity, and availability of financial and sensitive taxpayer information. To do this, GAO examined IRS information security policies, plans and procedures; interviewed key agency officials; and tested controls over key financial applications at four locations.

What GAO Recommends

In addition to the prior recommendations that have not been implemented, GAO is recommending that IRS take 2 additional actions to more effectively implement security-related policies and plans. In a separate report with limited distribution, GAO is recommending 43 actions that IRS can take to address newly identified control weaknesses. In commenting on a draft of this report, IRS agreed with our recommendations.

INFORMATION SECURITY: IRS Needs to Further Improve Controls over Financial and Taxpayer Data
GAO-16-398: Published: Mar 28, 2016. Publicly Released: Mar 28, 2016.
Download Report (pdf, 36 pp.)

Categories: Commentaries and Analyses, Government Sector, ID Theft, Of Note
