GAO Calls on IRS to Continue to Address Information Security Weaknesses

The IRS made progress during fiscal 2009 in addressing information security weaknesses, but GAO has said the agency still has a long way to go.

It said the agency has corrected or mitigated 28 of 89 previously reported weaknesses and deficiencies: 21 of 74 previously identified information security control weaknesses and 7 of 15 previously identified program deficiencies.

For example, according to GAO-10-355, the IRS has changed vendor-supplied user accounts and passwords, avoided storing clear-text passwords in scripts, enhanced its policies and procedures for configuring mainframe operations, and established an alternate processing site for its procurement system.

However, while the IRS has corrected 28 control weaknesses and program deficiencies, 61 of them, or about 70 percent, remain unresolved or unmitigated, GAO said.

GAO said IRS continues to install patches in an untimely manner and use passwords that are not complex.

IRS officials say they continue to address uncorrected weaknesses and, subsequent to GAO’s site visits, have completed additional corrective actions on some of them.

Despite these actions, newly identified and unresolved information security control weaknesses in key financial and tax processing systems continue to jeopardize the confidentiality, integrity, and availability of financial and sensitive taxpayer information, GAO said.

 
