InformationWeek: The Business Value of Technology

InformationWeek: The Business Value of Technology
InformationWeek Big Data Coverage
= Member Content
Facebook Twitter Share

E-mail | Print | Permalink | LinkedIn | RSS

IRS Leaves Taxpayer Data Insecure, GAO Finds


Annual audit of the agency's financial and tax systems notes that some earlier problems remain and identifies new ones.


By Patience Wait
InformationWeek
March 20, 2013 09:06 AM

Mobile Government: 10 Must-Have Smartphone Apps
Mobile Government: 10 Must-Have Smartphone Apps
(click image for larger view and for slideshow)
The Internal Revenue Service still has IT security holes that could put taxpayer data at risk, according to a report from the Government Accountability Office.

The IRS identified the security of taxpayer data as its top management priority for fiscal 2013, and the GAO credits the agency for steps taken in response to security issues identified in earlier audits of its computer systems. But the report notes that some problems with the agency's financial and tax-processing systems remain and identifies new ones.

The GAO notes that the IRS collects and maintains personal and financial information on U.S. taxpayers in data centers in Detroit, Memphis and Martinsburg, W.V. "Protecting the confidentiality of this sensitive information is paramount. Otherwise, taxpayers could be exposed to loss of privacy and to financial loss and damages resulting from identity theft or other financial crimes," the report says.

[ What can federal IT teams do to protect their systems, networks and data? Read Next Steps In Data Center Security. ]

The GAO audited the IRS's security efforts over the past 12 months. Among the vulnerabilities identified in the GAO report are easily-guessed passwords, passwords that hadn't been changed in almost two years, and storing unencrypted user names and passwords in a file with a revealing name. The report makes no mention of actual security breaches during the period audited.

The IRS also has been lax with data encryption and in controlling access to databases, servers, and systems, the GAO found. And the tax-collection agency has failed to update its systems within 30 days of software patches being released, according to the GAO.

Cybersecurity training is another area where the IRS needs to improve. Although the agency's policies require that all new employees and contractors receive security awareness training during their first two weeks on the job, the GAO found that more than half of contractors were not in compliance.

The Obama administration has made the continuous monitoring of federal IT systems a government-wide initiative. The report found that although the IRS has taken steps toward implementing continuous monitoring, it has not defined monitoring and assessment metrics.

The GAO made four recommendations for remediation. The IRS needs to:

-- Update policies and procedures for system access.

-- Strengthen the testing and evaluation of authentication controls.

-- Update mainframe testing and evaluation processes.

-- Establish more comprehensive documentation of continuous monitoring strategies.

In a separate report with limited distribution, the GAO also made 30 specific recommendations on a range of other issues it identified.

InformationWeek's 2013 Government IT Innovators program will feature the most innovative government IT organizations in the 2013 InformationWeek 500 issue and on InformationWeek.com. Does your organization have what it takes? The nomination period for 2013 Government IT Innovators closes April 12.

Federal agencies must eliminate 800 data centers over the next five years. Find how they plan to do it in the new all-digital issue of InformationWeek Government. Download it now (registration required).




InformationWeek encourages readers to engage in spirited, healthy debate, including taking us to task. However, InformationWeek moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing/SPAM. InformationWeek further reserves the right to disable the profile of any commenter participating in said activities.

Disqus Tips To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy.
Subscribe to RSS


Advertisement

InformationWeek Reports

report Cloud Implementer's Checklist
Once your agency has completed the business case for a private cloud, how do you actually move ahead with your data center transformation? Our report provides a practical set of steps to get you there, including a "to do" list that will be helpful to anyone on your IT team who's involved in the project. By the time you're done, your data center should be home to a more flexible, on-demand IT services.

report Cloud Compliance in Government
Compute clouds created for government data centers must adhere to a range of specifications designed to support data and system security, privacy, and governance. FISMA, HIPAA, SOX, and SAS 70 are just some of the requirements that have to be taken into account as federal IT pros deploy a shared-services cloud model. In this report, we identify the key specs that need to be factored into any federal cloud architecture.

report Government Cloud Platform Strategy
This report analyzes the key IT infrastructure considerations that must be taken into account for implementing cloud services in federal data centers: software/hardware environment, multi-tenancy, security, virtualization, and management tools. We also explain the key important role that APIs play in supporting hybrid scenarios that tap into public cloud services.

report The Business Case for Government Clouds
This report assesses usage scenarios, barriers, and other variables that factor into the decision of whether and how to implement cloud computing in federal environments.