The IRS has made progress in improving information security, but significant deficiencies remain in its systems for protecting sensitive taxpayer and financial data, according to a new report by the Government Accountability Office.
Among the continuing information security weaknesses cited by the government watchdog are a lack of access controls, which could allow unauthorized users to gain access to sensitive taxpayer information.
As part of its audit of the IRS’s fiscal 2014 and 2015 financial statements, the GAO found that the IRS has not always implemented controls for identifying and authenticating users, such as applying proper password settings, appropriately restricted access to servers, or ensured that sensitive user authentication data were encrypted.
“Until IRS takes additional steps to address unresolved and newly identified control deficiencies and effectively implement elements of its information security program … its financial and taxpayer data will remain unnecessarily vulnerable to inappropriate and undetected use, modification, or disclosure,” the GAO wrote.
According to the report, the IRS has not ensured that many of its corrective actions to address previously identified deficiencies were effective. “Of the 28 prior recommendations that IRS informed us that it had addressed, nine of the associated weaknesses had not been effectively corrected,” the GAO noted.
In addition to those prior recommendations that have not been implemented, the GAO is recommending the IRS take two additional actions to more effectively implement security-related policies and plans.
Firstly, the report said, the IRS should update system and application audit plans based on the current version of referenced policies and guidelines and when significant changes are made to a system or application. It should also update the security plan for systems that provide network infrastructure services to IRS personnel and information systems to reflect changes to the operating environment.
The GAO also made 43 technical recommendations in a separate report with limited distribution.