The GAO found dozens of new security weaknesses in its latest review of the IRS, adding to a list of dozens of other weakness identified earlier but not corrected.
The problems range from a lack of effective network access controls to insufficient logging and monitoring of security incidents.
"Collectively, these weaknesses increase the risk that sensitive financial and taxpayer data will be inadequately protected against disclosure, modification, or loss, possibly without detection, and place IRS operations at risk of disruption," the GAO warned in a report released March 24.
Its not that the IRS has been sitting idle, ignoring information security altogether. Over the past year it has implemented controls to protect mainframe system files that contain user accounts and passwords. However, several of the agencys security vulnerabilities come right out of the pages of IT Security 101.
Password management—a challenge for many organizations in the private sector—has haunted the IRS. According to the GAO, the agency put requirements in place for password expiration and storage, but it hasnt always implemented them. In one instance cited by the GAO, the IRS stored clear text passwords in readable form at one of its sites rather than using encryption.
Patches were not always installed in a timely fashion either. Some patches issued in 2001 were not applied to some Unix servers that were reviewed in 2005.
The lagging patch management left servers that are used for processing taxpayer data vulnerable to denial-of-service attacks, the GAO cautioned.
A big part of the agencys problem is that it has not yet put into action a complete, agencywide information security program, the GAO found. The IRS was not consistent in configuring network and device security to prevent unauthorized access. It permitted users to log on remotely with unencrypted protocols; it did not do enough to prevent the use of vulnerable services on its servers; it did not adequately restrict access to certain accounts; and it configured servers with insufficient audit trails.
Too many people at the IRS were given unnecessary access to key financial systems as well, according to the auditors.
For example, all mainframe users were given enough access that they could read, modify, delete or create new data sets without restriction; administrators of certain Windows server were in a position to add false entries into the security log; and all users on one of the Windows servers had access to a registry setting that would let them remotely read sensitive system settings.
"Inappropriate access to sensitive files and directories provides opportunities for individuals to circumvent security controls to deliberately or inadvertently read, modify, or delete critical or sensitive information," the GAO said.
Physical security was found to be an ongoing problem for the IRS as well, even though the agency has made some progress in this area recently. At one site, the GAO found that guards did not always examine photo IDs to verify employees identities.
Additionally, according to the GAO, the agency has not sufficiently trained employees with significant security responsibilities, and it has not adequately tested its systems or deployed key hardware at its disaster recovery facilities.
Mark Everson, commissioner of Internal Revenue, agreed that his agency needs to work on implementing a comprehensive, agencywide information security program. The IRS is in the process of trying to correct the problems that GAO identified, he said.
"The IRS has continued the extremely aggressive initiative it began in 2004 to complete the full suite of required security activity at each of its computing centers and campuses and to support security certification and accreditation," Everson said in response to the GAO report.