The General Accountability Office said in a report issued today that the Internal Revenue Service made some progress during FY 2017 in addressing information security control issues previously flagged by GAO, but it also said a more recent audit by the watchdog agency covering FY 2017 turned up newly identified control deficiencies–leaving IRS with a total of 154 improvement recommendations at the end FY 2017.
The net result:
- IRS had 166 unresolved GAO recommendations at the beginning of FY2017;
- IRS dealt with 49 of those recommendations during the year;
- GAO found 37 new control deficiencies at IRS during its FY 2017 audit;
- IRS ended FY 2017 with 154 open recommendations for improvement.
On the good news front, IRS “made improvements in access controls by, for example, restricting unnecessary user access to certain applications and enforcing strong encryption on certain systems,” GAO said, adding that the agency “also corrected a previously identified contingency planning weakness for one system.”
But at the same time, “continuing and newly identified control deficiencies limited the effectiveness of security controls for protecting the confidentiality, integrity, and availability of IRS’s financial and tax processing systems,” GAO said.
“For example, IRS did not consistently (1) implement access controls by enforcing password expirations and minimum password lengths or by updating expiration dates for contractor passwords; (2) apply configuration management controls by documenting authorizations and approvals for changes to mainframe data and processing, or by installing critical security patches on multiple devices; and (3) implement certain components of its security program by correcting weaknesses in procedures or by updating system security plans,” GAO reported.
“Until IRS takes additional steps to address unresolved and newly identified control deficiencies and effectively implements components of its information security program, IRS financial reporting and taxpayer data will remain unnecessarily vulnerable to inappropriate and undetected use, modification, or disclosure,” GAO said in its latest report.
“These shortcomings were the basis for GAO’s determination that IRS had a significant deficiency in internal control over financial reporting systems for fiscal year 2017,” it said.
In addition to the 154 open recommendations for improvement, GAO said it is recommending that IRS take another five actions “to more effectively implement security-related policies and plans,” and in a separate non-public report “with limited distribution,” said it lists another 32 actions IRS can take to address newly identified control deficiencies.
The five new recommendations revealed today include: ensuring correct contractor password expiration dates; documenting access authorizations for non-unique accounts; reviewing non-unique accounts at least annually; updating security plans for three systems to reflect changes to their operating environment; and removing from the security plans of five systems references to logging standards that IRS has rescinded.
According to GAO, “IRS agreed with GAO’s recommendations and stated that it would review each of the recommendations and ensure that its corrective actions include a root cause analysis for sustainable fixes that implement appropriate security controls.”