The IRS has made progress in putting information security controls in place, but weaknesses remain that limit their effectiveness in protecting sensitive taxpayer data.
In 2014, for example, the agency improved security over the software that manages changes to its mainframe environment and upgraded secure communications for sensitive data enterprise-wide. But according to GAO-15-337, the IRS did not install appropriate security updates on all of its databases and servers, and did not sufficiently monitor control activities that support its financial reporting.
Further, it did not effectively maintain the secure configuration of a key application (to which a developer was given unnecessarily broad access), and its testing methodology did not always determine whether required controls were operating effectively, GAO said, citing the lack of implementation of key elements of its information security program.
The IRS agreed to develop corrective actions to address control weaknesses.