Auditing IRS Security

Walk around the elephant of the Internal Revenue Service, and like the six blind men of the fable, you'll find a menagerie of beasts.

Walk around the elephant of the Internal Revenue Service, and like the six blind men of the fable, youll find a menagerie of beasts. Excessive complexity, concentration of sensitive data and recurring demonstrations of poor information security practices are among the unattractive aspects that might dominate ones perceptions from one angle or another—no matter how benign the actual animals intentions might be.

In the same way, the personal integrity and professionalism of IRS staff too often are masked by systemic failures—in particular, by recurring data protection failures that got their latest public exposure just days after this years tax-filing deadline. Last months report from the United States Government Accountability Office painted a picture not of inactivity but of failure to keep pace with evolving threats. Enterprise IT managers should ask themselves if an equally thorough examination of their operations might find similar problems.

/zimages/4/28571.gifClick here to read more about the most recent GAO report.

Of 53 IRS information security weaknesses cited by the GAO in 2002, 21 remained unresolved in the assessment of the audit team that performed its work from August through December 2004. That team also found that although 32 problems were being "corrected or mitigated," 39 weaknesses had arisen to "impair [the] IRSs ability to ensure the confidentiality, integrity, and availability of its sensitive financial and taxpayer data and FinCENs Bank Secrecy Act data," said the report, referring to the need for IRS support to the U.S. Treasury Departments Financial Crimes Enforcement Network.

Enterprise systems are at risk of developing the same multiple-personality disorder that the GAO report found in IRS systems. Developed for the purpose of administering the tax code, the IRS systems are now also expected to assist other law enforcement tasks. Its data controls fail, though, to allocate privileges correctly, meaning that too many users can see too many types of information.

Enterprise systems that got their start as bookkeeping tools, then evolved into CRM (customer relationship management) and regulatory-compliance roles, could easily find themselves becoming similarly conflicted and compromised.

A mere resolve to do better is inadequate. The GAO found the IRS had not implemented security policies and procedures, had not provided appropriate training to workers with security responsibilities and had not begun effective information security testing. Maybe private-sector IT should ask, for example, if logs produced by costly security tools are going unreviewed by too few security staff with too little training—often further handicapped by inadequate ability to direct attention and resources to any found problems.

IRS information security is an elephant in the living room. We all have reason to care about its competence. Well do well, though, to take advantage of this rare time when we get to audit the IRS and learn from its unfortunate example—even while we demand that the IRS and other public agencies do better.

Tell us what you think at

/zimages/4/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.