The U.S. Internal Revenue Service (IRS) failed to implement a good deal of security controls recommended over the years, leaving financial reporting and taxpayer data vulnerable to “inappropriate and undetected use, modification, or disclosure.”

Following an audit on IRS systems during the fiscal year 2018, the U.S. Government Accountability Office (GAO) concludes that the agency still has 127 recommendations to address, most of them from past evaluations.

107 of them result from previous audits while the latest assessment added 20 new ones. The largest part relates to access controls while others are for configuration management, segregation of duties, and contingency planning.

The new recommendations in GAO’s report refer to 14 new information system security control faults in the areas mentioned above.

Access controls problems

GAO found that the IRS still has issues with identification and authentication of users, authorization of access permissions, and
encryption of sensitive information. A total of eight deficiencies were uncovered in these processes.

Specifically for identification and authentication, the IRS did not enforce using certificates for digitally signing PDF files some tax documents included. The agency also failed to apply its policy for password expiration dates and to use multi-factor authentication to access certain applications.

On the authorization side, GAO found that an application still had a function enabled that was not needed for business purposes but permitted some user accounts to download the app’s full database or parts of it.

Another problem is that individual user accounts can access certain databases supporting tax processing systems, although it is not necessary for all of them.

GAO’s audit also discovered that the IRS does not encrypt certain servers, the email service, and some database connections.

Configuration management

IRS has problems on the configuration management front, too, which covers security features for all hardware and software components through their life cycle. The issues at hand refer to the following deficiencies:

• implementing mandatory access controls for an application
• updating unsupported database software and apply vendor-supplied patches for certain applications
• updating third-party software on workstations consistently
• upgrading certain outdated and unsupported software network devices.

Normal user in admin goup, email service managed by one

GAO’s report points to another practice that threatens the security of the data: auditors found that the IRS had a non-administrator account present in an administrator group for one of its databases.

Furthermore, the agency’s email service was in the hands of only one individual, which presents obvious risks in case of an unexpected event.

The conclusion of the report is that the IRS improved its security stance overall but the newly identified control deficiencies influence the efficiency of previously adopted measures.