The Internal Revenue Service has yet to fully implement a
comprehensive agency-wide information security program to
ensure that effective controls are established and maintained,
the Government Accountability Office has said.
It said that until the IRS does so, its facilities and
computing resources, as well as the information it processes,
stores and transmits, will remain vulnerable.
The agency has made progress correcting or mitigating
previously reported information security weaknesses and putting
controls in place over key financial and tax processing systems
located at two of its critical data processing centers, and it
has corrected or mitigated 41 of 81 technical weaknesses
GAO reported on in a previous review of those sites, according
to GAO-06-328.
It said, however, that controls over its key financial and tax
processing systems at those sites are ineffective.
GAO said it identified new information security control
weaknesses that, along with the 40 weaknesses that IRS did not
address at the two sites, threaten the confidentiality, integrity,
and availability of IRS’s financial information systems.
The agency has not implemented effective electronic access
controls related to network management, user accounts and
passwords, user rights and file permissions, and logging and
monitoring of security-related events, the report said.
It said the IRS has yet to physically secure computer
resources as well as prevent the exploitation of vulnerabilities
and unauthorized changes to system software.