The Government Accountability Office (GAO) has identified 14 new information system security control deficiencies at the Internal Revenue Service (IRS). Eight of these deficiencies related to access controls, four were related to configuration management, one was related to segregation of duties, and one was related to contingency planning.
The access control deficiencies involve identification and authentication of users, authorization of access permissions, and encryption of sensitive information. GAO found that IRS did not enforce its requirement to use the appropriate certificates to electronically sign portable document format (PDF) documents, including certain tax documents. Nor did IRS consistently enforce the maximum password age its policies require for user accounts on certain Oracle databases. It also did not require multifactor authentication for access to certain applications.
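The Oracle password-age finding is the kind of control a database administrator can audit directly, because Oracle stores password lifetime as a limit on the profile assigned to each account. The following queries are an added example written for this article, not material from the GAO report or any IRS system; the 90-day maximum is an assumed policy value, since the report does not state the IRS limit, and the profile name app_users is hypothetical.

```sql
-- 1. List the password lifetime configured on every profile.
--    A limit of UNLIMITED means passwords never expire; DEFAULT means the
--    profile inherits whatever the DEFAULT profile specifies, so check that too.
SELECT profile, resource_name, limit
  FROM dba_profiles
 WHERE resource_name = 'PASSWORD_LIFE_TIME'
 ORDER BY profile;

-- 2. Find open accounts whose effective lifetime exceeds the assumed 90-day policy.
--    CASE is used instead of a bare TO_NUMBER() so the non-numeric values
--    UNLIMITED and DEFAULT are never passed to TO_NUMBER.
SELECT u.username,
       u.profile,
       p.limit          AS password_life_time,
       u.expiry_date
  FROM dba_users    u
  JOIN dba_profiles p ON p.profile = u.profile
 WHERE p.resource_name = 'PASSWORD_LIFE_TIME'
   AND u.account_status = 'OPEN'
   AND CASE p.limit
         WHEN 'UNLIMITED' THEN 1
         WHEN 'DEFAULT'   THEN 1   -- resolve against the DEFAULT profile before deciding
         ELSE CASE WHEN TO_NUMBER(p.limit) > 90 THEN 1 ELSE 0 END
       END = 1
 ORDER BY u.profile, u.username;

-- 3. Bring a non-compliant profile (hypothetical name) in line with the assumed policy.
--    PASSWORD_GRACE_TIME gives users a short window to change an expired password
--    before the account is locked out entirely.
ALTER PROFILE app_users LIMIT
  PASSWORD_LIFE_TIME 90
  PASSWORD_GRACE_TIME 7;
```

After the ALTER PROFILE, re-run the second query: the accounts on that profile should drop out of the result set. Note that accounts whose passwords are already older than the new limit will be expired at their next login, so coordinate the change with application owners that use service accounts, which is exactly the operational friction that tends to cause "inconsistent" enforcement of the kind GAO describes.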
Furthermore, IRS did not disable a function within one application that allows certain user accounts to download the application's entire database, nor did it prevent individual user accounts from holding unnecessary access to certain databases supporting tax processing systems.
Concerning encryption, GAO found that IRS did not encrypt certain servers or the email service in accordance with its policies, and did not enforce encrypted connections to certain databases. Regarding the email service itself, auditors found that IRS had assigned only one individual to administer it, leaving the service without a backup administrator.
The IRS security deficiencies related to configuration management included the failure to implement mandatory access controls for an application, the failure to update unsupported database software and apply vendor-supplied patches for certain applications, the failure to update third-party software on workstations consistently, and the failure to upgrade outdated and unsupported software on certain network devices.
In carrying out its mission and responsibilities for administering tax laws, IRS collects and maintains a significant amount of personal and financial information on each U.S. taxpayer. It is no exaggeration to say that IRS has a lot of work to do to improve its security controls, which first came under close scrutiny after the 2015 breach of IRS systems.
The July 18 report follows last summer's investigation and subsequent report, which identified 87 security deficiencies and made 154 recommendations. The latest report says IRS had addressed fewer than half of those recommendations by the September 2018 deadline. The new report makes 20 further recommendations, with which IRS has concurred; combined with the earlier ones still open, IRS now has 127 recommendations to address in order to properly secure its financial reporting and taxpayer data.