Federal Manager's Daily Report

GAO called on the IRS to fully implement its agency-wide information security program, and also to ensure that contractors receive security awareness training within the first 10 working days.

The report also said the IRS has not consistently implemented controls intended to prevent, limit, and detect unauthorized access to its systems and information, something that, again, is covered in the information security program.

For example, the agency has not always enforced strong password management for properly identifying and authenticating users, or authorized user access to permit only the access needed to perform job functions, GAO said.

It called on the IRS to develop and implement policies and procedures for more securely configuring routers to encrypt network traffic and configuring switches to defend against attacks that could crash the network.

It also recommended that the agency ensure the results of testing and evaluating controls are effectively documented and reviewed, and that key disaster recovery documentation, such as keystroke manuals, is available in a timely manner and that appropriate contacts are readily identified.