Information Security: Control Deficiencies Continue to Limit IRS’s Effectiveness in Protecting Sensitive Financial and Taxpayer Data, GAO-17-395: Published: Jul 26, 2017. Publicly Released: Jul 26, 2017.
“The Internal Revenue Service (IRS) made progress in addressing previously reported control deficiencies; however, continuing and newly identified control deficiencies limited the effectiveness of security controls for protecting the confidentiality, integrity, and availability of IRS’s key financial and tax processing systems. During fiscal year 2016, IRS made improvements in access controls over a number of system administrator accounts and updated certain software to prevent exposure to known vulnerabilities. However, the agency did not always (1) limit or prevent unnecessary access to systems, (2) monitor system activities to reasonably assure compliance with security policies, (3) reasonably assure that software was supported by the vendor and was updated to protect against known vulnerabilities, (4) segregate incompatible duties, and (5) update system contingency plans to reflect changes to the operating environment. An underlying reason for these control deficiencies is that IRS had not effectively implemented components of its information security program. The agency had a comprehensive framework for its program, including developing and documenting security plans; however, it did not fully implement other program components. For example, IRS did not always effectively manage information security risk or update certain policies and procedures. GAO has made recommendations to IRS to correct the identified security control deficiencies (see table). However, corrective actions for a number of the deficiencies have not been completed and the associated recommendations remained open at the conclusion of the audit of IRS’s financial statements for fiscal year 2016.”