Potential security problems reportedly stem from inadequate measures to ensure the security of digital information, and from the IRS’s failure to properly vet the vast majority of its employees.
The Government Accountability Office released a report on Friday focusing on the agency’s IT security measures. It found five potentially problematic shortfalls in the IRS’s treatment of digital taxpayer information.
“…the agency continues to face challenges in controlling access to its information resources. For example, it had not always (1) implemented controls for identifying and authenticating users, such as requiring users to set new passwords after a prescribed period of time; (2) appropriately restricted access to certain servers; (3) ensured that sensitive data were encrypted when transmitted; (4) audited and monitored systems to ensure that unauthorized activities would be detected; or (5) ensured management validation of access to restricted areas. In addition, unpatched and outdated software exposed IRS to known vulnerabilities, and the agency had not enforced backup procedures for a key system.”
GAO noted that the IRS “has not fully implemented a comprehensive information security program,” and hence has left taxpayer information vulnerable to security breaches.
The report made five broad recommendations for actions that the IRS can take to remedy the problems, and said it would detail 23 separate measures to do so in a subsequent report.
Douglas Shulman, the agency’s commissioner, assured the GAO that the IRS “will provide the detailed corrective action plan addressing each of the recommendations with our response to the final report.”
“The security and privacy of all taxpayer and financial information is of utmost importance to us and the integrity of our financial systems continues to be sound,” he added.
The Treasury Department’s Inspector General, meanwhile, raised its own concerns in a separate report released late last month. That report focused on the IRS’s hiring procedures, and found that the agency had failed to adequately screen more than three-quarters of new hires.
“The IRS has implemented controls designed to ensure that applicants pursuing permanent or temporary employment with the IRS are suitable, and background investigation requests are properly initiated. However, our review at four of nine Employment Operations branch offices revealed that nearly 77% of the cases reviewed (507 of 662 cases) did not have sufficient documentation that would allow us to verify that the Employment Operations offices completed all of the required pre-screening steps before the employee reported for duty.”
The IG went on to recommend that the IRS direct its Human Capital Officer to develop policies to rectify the shortfall. The HCO told the IG in a subsequent letter, “we believe we can fully implement the recommendation to develop requirement and retention policies that ensure pre-screening actions are completed and fully documented in a consistent manner.”
While in both cases the IRS expressed confidence that it would address security concerns, it remains to be seen whether the agency will manage to do so before the pre-Tax Day flood of information that waits just around the corner.