After repeatedly sounding the alarm about lax data security practices at the Internal Revenue Service (IRS), the U.S. Government Accountability Office (GAO) again has warned that the nation's tax collector is operating with significant deficiencies.
While the IRS has made strides to address previously reported issues, the majority of known security weaknesses have not yet been fixed, according to a financial audit report to the secretary of the treasury, released Tuesday. As was the case in the past, many of the network weaknesses turned up in the latest audit were related to system access and configuration controls.
The IRS, for example, relies on a procurement system that lacks the appropriate access controls and database maintenance. In addition, the IRS still uses unencrypted protocols for a sensitive, tax-processing application.
“Our testing showed that systems used to process tax and financial information did not effectively prevent access from unauthorized users or excessive levels of access for authorized users,” the report states.
Consequently, the IRS cannot fully ensure that financial and taxpayer information is protected, according to the report. The GAO pointed out similar issues last year and again in March, Moreover, a separate GAO report released last month uncovered government-wide vulnerabilities in information security controls that are placing data and systems at an increased risk.
On a more positive note, the IRS has taken some actions this year to improve its state of security, the GAO reported. The agency, for example, formed working groups to identify and fix specific problems, encrypted data transferred among some accounting systems, and implemented critical upgrades for network devices.
Overall, the agency implemented about 15 percent of the GAO's past recommendations for how to bolster security.
IRS Commissioner Douglas Shulman, in a comment letter included in the report, promised that the agency would increase its focus on information security.