
Information Security: Progress Made, but Weaknesses at the Internal Revenue Service Continue to Pose Risks

GAO-03-44 Published: May 30, 2003. Publicly Released: May 30, 2003.

Highlights

As part of its annual audits of IRS's financial statements, GAO assessed the effectiveness of information security controls at certain IRS facilities and over certain specific applications--controls meant to protect IRS's information systems and taxpayer data. Because the detailed reports that followed these reviews contained sensitive information and could be detrimental to the government if released to the public, they were issued only to IRS and congressional requesters. This public report is based on 18 such reports issued during the 3-year period ending July 31, 2002. Although it does not identify specific IRS facilities or applications, the report does provide GAO's assessment of the overall effectiveness of IRS's information security.

Recommendations

Recommendations for Executive Action

Agency affected: Internal Revenue Service
Recommendation: To implement an effective agency-wide information security program, the IRS Commissioner should direct the Chief Information Officer and the senior management official of each operating division to assess the risks and evaluate security needs by performing risk assessments for all systems.
Status: Closed – Implemented
Status note: In fiscal year 2007 we verified that IRS, in response to our recommendation, had assessed the risks for each system reviewed.

Agency affected: Internal Revenue Service
Recommendation: To implement an effective agency-wide information security program, the IRS Commissioner should direct the Chief Information Officer and the senior management official of each operating division to assess the risks and evaluate security needs by developing security plans for all systems that comply with federal guidelines.
Status: Closed – Implemented
Status note: In fiscal year 2007 we verified that IRS, in response to our recommendation, had included a security plan in its certification and accreditation documentation for each system reviewed.

Agency affected: Internal Revenue Service
Recommendation: To implement an effective agency-wide information security program, the IRS Commissioner should direct the Chief Information Officer and the senior management official of each operating division to assess the risks and evaluate security needs by certifying and accrediting all systems before they become operational, upon significant change, and at least every 3 years thereafter.
Status: Closed – Implemented
Status note: IRS has developed and implemented a certification and accreditation methodology. In fiscal year 2007 we verified that IRS, in response to our recommendation, assessed risks and evaluated security needs by certifying and accrediting its information systems.

Agency affected: Internal Revenue Service
Recommendation: To implement an effective agency-wide information security program, the IRS Commissioner should direct the Chief Information Officer and the senior management official of each operating division to establish and implement adequate information security policies and controls by updating security policies or implementing guidelines pertaining to the configuration and use of certain network services and devices, password parameters, and the assignment of certain operating system rights, to be consistent with strong security practices.
Status: Closed – Implemented
Status note: In fiscal year 2007 we verified that IRS, in response to our recommendation, had updated security policies to be consistent with strong security practices.

Agency affected: Internal Revenue Service
Recommendation: To implement an effective agency-wide information security program, the IRS Commissioner should direct the Chief Information Officer and the senior management official of each operating division to establish and implement adequate information security policies and controls by testing and assessing security controls and configurations of systems before deployment for compliance with established security policies and standards.
Status: Closed – Implemented
Status note: IRS tests and assesses security controls and configurations of systems before deployment in implementing its certification and accreditation process.

Agency affected: Internal Revenue Service
Recommendation: To implement an effective agency-wide information security program, the IRS Commissioner should direct the Chief Information Officer and the senior management official of each operating division to establish and implement adequate information security policies and controls by establishing and incorporating performance standards for compliance with security policies and procedures in the performance appraisal process for IRS executives and managers in the information technology and operating divisions.
Status: Closed – Implemented
Status note: In fiscal year 2007, we verified that IRS has included a security management category as part of its departmentwide performance standards for executives.

Agency affected: Internal Revenue Service
Recommendation: To implement an effective agency-wide information security program, the IRS Commissioner should direct the Chief Information Officer and the senior management official of each operating division to enhance information security awareness and training programs by providing training to IRS employees and contractors, including executives, managers, and users, and including those in the information technology and operating divisions, on their security roles and responsibilities.
Status: Closed – Implemented
Status note: In fiscal year 2007, we verified that IRS is providing annual training to system users on their security roles and responsibilities.

Agency affected: Internal Revenue Service
Recommendation: To implement an effective agency-wide information security program, the IRS Commissioner should direct the Chief Information Officer and the senior management official of each operating division to enhance information security awareness and training programs by providing security-related training commensurate with job-related responsibilities to security personnel.
Status: Closed – Implemented
Status note: In fiscal year 2007, we verified that IRS has established minimum training hours and a curriculum for individuals with specific security-related job responsibilities.

Agency affected: Internal Revenue Service
Recommendation: To implement an effective agency-wide information security program, the IRS Commissioner should direct the Chief Information Officer and the senior management official of each operating division to monitor the effectiveness of controls and mitigate known information security weaknesses by establishing and implementing procedures to proactively ensure that weaknesses found at an IRS facility or on a system are considered and, if necessary, corrected at other facilities or on similar systems.
Status: Closed – Implemented
Status note: In fiscal year 2006, we verified that IRS had developed a "material weakness" plan to address information security weaknesses across platforms and across facilities.

Topics

Computer security; Data integrity; Federal information technology security assessment framework; Financial statement audits; Identity theft; Information security; Information systems; Internal controls; Logical access controls; Strategic planning; System security plans