Despite information security progress, the Internal Revenue Service still has deficiencies in controls over taxpayer data, according to a study by the Government Accountability Office (GAO).
The study found that the IRS lacked sufficient controls in areas such as identity authentication, server access, encryption of authentication data, auditing systems to ensure compliance with agency policies, and access to restricted areas. The GAO also found that the IRS suffered from outdated systems, which exposed the agency to known threats.
The GAO said that the reason for these weaknesses is that the IRS has not effectively carried out elements of its information security program. Though the security program itself was deemed effective, the report found that the IRS was not taking sufficient action to meet program requirements. In addition, the IRS had not been able to address previously raised security concerns to an acceptable level. For example, of 28 previous security recommendations that the IRS claims to have attended to, nine still had significant weaknesses.
With these deficiencies, the IRS cannot be assured that there is no unsecured access of its information.
The GAO chose to do this assessment as part of the 2015 and 2014 fiscal year review because the IRS relies heavily on digital systems to handle and process sensitive taxpayer data. In a separate report, the GAO will be recommending 43 security changes to get the IRS up to par on the security of the information it processes.
