As tax time looms, a new report by the Government Accountability Office (GAO) found that the Internal Revenue Service (IRS) has made "limited progress" in addressing significant security vulnerabilities, and that many weaknesses "continue to threaten the confidentiality, integrity, and availability of IRS's financial and tax processing systems and information."
The GAO cited the IRS' failure to implement its information security program as a "primary reason" for the continued vulnerabilities.
"Until [the] IRS fully implements an agencywide information security program that includes...security plans, training, adequate tests and evaluations, and a continuity of operations process for all major systems, the financial and sensitive taxpayer information on its systems will remain vulnerable," the GAO said.
Among the GAO's findings:
The IRS did not adequately ensure that only authorized personnel had access to its systems. The GAO found evidence of personnel sharing usernames and passwords to access a database production server for the IRS' procurement system.
The IRS often granted users more access to systems than they needed to perform their duties, and did not adequately police the sending or receipt of anonymous e-mails, which increases the agency's exposure to phishing scams.
Physical security vulnerabilities at the IRS offices examined included leaving the server for a procurement database in a cubicle rather than in a secured office, and issuing secure access cards to more employees than necessary.
The GAO previously reported in March 2006 that the IRS had gaping holes in its security practices, such as leaving computer passwords where anyone could read them, failing to verify the photo identification of visitors claiming to be IRS employees, and not providing proper oversight and training for the contractors it employs.
The new report did note improvements on some of these fronts, such as better password storage and creation policies, increased auditing and monitoring of mainframe and Windows machines, and more training for employees and contractors, particularly on how to respond in the event of a disaster.
IRS Commissioner Mark Everson acknowledged the failures of the IRS to provide a comprehensive security plan in his response to the report, but defended the steps the agency took, as he did last year.
"The IRS takes its security and privacy responsibilities seriously," Everson said. "While we have made significant progress, we recognize that continued diligence is required."
The GAO report comes on the heels of new evidence that the IRS is faltering in its ability to fill the "tax gap" of uncollected and underreported tax payments. National Taxpayer Advocate Nina Olson reported to Congress in January that noncompliance in tax collection forced compliant taxpayers to shoulder more of the burden. Many issues with taxpayer debt could be avoided through earlier negotiation with taxpayers, rather than waiting for debts to accrue interest and penalties, Olson said.
The IRS had planned to outsource data collection functions to an outside company, IAP World Services, as part of a large-scale privatization program. It eventually scaled back the program after IAP admitted it would not have many of its data centers ready in time for the upcoming tax season, and in order to ensure that the new employees would be properly trained.
The full GAO report is available as a PDF document.