Most cringe at the thought of hearing from the Internal Revenue Service (IRS) -- and laugh outright at the prospect of intentionally knocking on its door. But not so for VARs who can provide security services to help the agency lock down vulnerable taxpayer data.
On April 15, the U.S. Government Accountability Office (GAO) reported to Congress 39 new information security vulnerabilities, saying, "these weaknesses increase the risk that sensitive taxpayer and Bank Secrecy Act data will be inadequately protected from unauthorized disclosure, modification, use or destruction."
Among the vulnerabilities was a lack of electronic-access controls, physical security, segregation of duties and service continuity. The GAO reported that until an agencywide information security program is established -- currently under way, but not yet completed -- vulnerabilities will remain.
According to research firm Gartner, such risks emphasize the need for the government to address its own data security flaws before focusing on private-sector snafus such as those recently experienced by ChoicePoint and LexisNexis. And given the lack of appropriate skills, the IRS needs help to do it.
"The IRS could benefit from some basic identity access management applications," says Avivah Litan, vice president and research director at Gartner. "They definitely need a lot of help with back-end, suspicious transaction-pattern detection."
Gartner specifically recommends that the IRS work with the Social Security Administration to identify and investigate fraudulent use of Social Security numbers, and implement stricter access controls to taxpayer information as well as transaction pattern detection systems that identify suspicious inquiries.
"It's a great opportunity for providing services," Litan says. "This is a new area that government doesn't know much about. The IRS needs to first get their business process together so that they can then deal with the data sitting in hundreds of back-end systems. It's going to involve multimillion-dollar projects requiring expertise in security, access control, data integrity, and system integration and compliance."