IRS Security Gaps Could Expose Taxpayer Data

The lack of an agency-wide IT security program means that new security weaknesses are appearing faster than the IRS is plugging the old ones, a report finds.

The name of the U.S. Internal Revenue Service could be added to the likes of ChoicePoint Inc., LexisNexis, and DSW Inc. if the tax collection agency doesnt improve its IT security operation, according to a report Monday from the U.S. Congresss Government Accountability Office.

The GAO report, available here in PDF, found that the IRS is making progress fixing security holes in systems that it operates, but isnt keeping pace with new vulnerabilities, which could expose sensitive financial data to unauthorized individuals.

The IRS needs to improve controls over financial and tax processing systems and finish work to correct or mitigate weaknesses that an audit uncovered in 2002, GAO said.

The latest GAO audit, which was conducted between February and October of 2004 by Pricewaterhouse Coopers LLP, found that the IRS had corrected just 32 of 53 weaknesses from the 2002 review, including perimeter security and disaster recovery plans.

In addition, 39 new weaknesses were discovered. GAO found that the IRS was not adequately securing access to mainframe computers and preventing unauthorized access to computing resources from the IRS network.

The agency also didnt logically separate taxpayer data from data in a system called the FinCEN (Financial Crimes Enforcement Network), which is used by federal law-enforcement agencies and the IRS in investigating financial crimes.

The result is that any user who has access to the mainframe system can also read or copy FinCEN data, and law enforcement officers using FinCEN could access taxpayer data, GAO said.

/zimages/3/28571.gifRead more here about new government privacy policies.

Many of the problems identified by the audit exist because the IRS does not have an agency-wide IT security program. The IRS needs to implement security policies and procedures and provide security training to employees to do a better job of testing and evaluating its systems, GAO said.

In a written response, Acting Deputy Secretary of the Treasury Arnold Havens said that the agency had tightened up access control on its mainframe systems and is working to fix the remaining security holes.

The IRS implemented an aggressive plan in mid-2004 to improve the security of all its campuses and processing centers. The security updates are scheduled to be complete by the end of 2005.

/zimages/3/28571.gifWas the governmental reaction to the LexisNexis and ChoicePoint breaches sufficient? Click here to read Chris Nolans commentary.

The agency considers the confidentiality of taxpayer data a priority and monitors its mainframe systems closely, Havens said. However, he acknowledged that security and confidentiality issues arising from FinCEN and taxpayer data residing on the same mainframe system hadnt been raised before, and that the IRS will have to investigate whether taxpayer data could have been exposed in the past.

/zimages/3/28571.gifCheck out eWEEK.coms for the latest news, views and analysis of technologys impact on government and politics.