United States General Accounting Office
GAO Report to the Ranking Minority Member,
Committee on Governmental Affairs,
U.S. Senate
April 1997
IRS SYSTEMS
SECURITY
Tax Processing
Operations and Data
Still at Risk Due to
Serious Weaknesses
GAO/AIMD-97-49
United States
GAO General Accounting Office
Washington, D.C. 20548
Accounting and Information
Management Division
B-276609
April 8, 1997
The Honorable John Glenn
Ranking Minority Member
Committee on Governmental Affairs
United States Senate
Dear Senator Glenn:
This report completes our response to your request to assess and report
on Internal Revenue Service (IRS) computer security. While security is an
area of paramount importance in all computer-based operations, it is
particularly critical to IRS in light of the agency’s vital revenue collection
mission and the sensitivity of the data it processes. Accordingly, we agreed
with your office to determine whether IRS is effectively (1) managing
computer security and (2) addressing employee browsing of electronic
taxpayer data.
On January 30, 1997, we issued to you a report responding to your request.
The report detailed numerous security weaknesses that we found at five
IRS facilities. Because some of the weaknesses are sensitive and could
jeopardize IRS’ security if released to the public, the report was designated
“Limited Official Use” and the identities of the facilities that we visited
were not disclosed. Subsequently, your office requested that we issue an
excerpted version of the report suitable for public release. This report,
which does not quantify either the total number of weaknesses found or
the number of weaknesses found in specific functional categories, and
does not detail the most serious weaknesses, satisfies that request. IRS
commented on a draft of this report, and its comments have been included
in this report, as appropriate. Details of our objectives, scope, and
methodology are in appendix I.
Over the last 3 years, we have reported on a number of computer security
Results in Brief problems at IRS and have made recommendations for strengthening IRS’
computer security management effectiveness. Nevertheless, IRS continues
to have serious weaknesses in the controls used to safeguard IRS computer
systems, facilities, and taxpayer data. Our recent on-site reviews of
security at five facilities disclosed many weaknesses in the areas of
(1) physical security, (2) logical security,1 (3) data communications
management, (4) risk analysis, (5) quality assurance, (6) internal audit and
1
Logical security measures include safeguards incorporated in computer hardware and software.
Page 1 GAO/AIMD-97-49 IRS Systems Security
B-276609
security,2 (7) security awareness, and (8) contingency planning. For
example, the five facilities could not account collectively for
approximately 6,400 missing units of magnetic storage media, such as
tapes and cartridges, which could contain taxpayer data. In addition,
printouts containing taxpayer data were left unprotected and unattended
in open areas of two facilities where they could be compromised. Also,
none of the facilities visited had comprehensive disaster recovery plans,
which threaten the facilities’ ability to restore operations following
emergencies or natural disasters.
One area of unauthorized access that has been the focus of considerable
attention is electronic browsing of taxpayer data by IRS employees. Despite
this attention, IRS is still not effectively addressing the problem via
thorough employee monitoring, accurate recording of browsing violations,
or consistent application and publication of enforcement actions. For
example, IRS currently does not monitor all employees with access to
automated systems and data for electronic browsing activities. In addition,
when instances of browsing are identified, IRS does not consistently
investigate them or publicize them to deter others from browsing, and
does not consistently punish browsers.
Until these serious weaknesses are corrected, IRS runs the risk of its tax
processing operations being disrupted and taxpayer data being improperly
used, modified, or destroyed.
IRS relies on automated information systems to process over 200 million
Background taxpayer returns and collect over $1 trillion in taxes annually. IRS operates
10 facilities throughout the United States to process tax returns and other
information supplied by taxpayers. These data are then electronically
transmitted to a central computing facility, where master files of taxpayer
information are maintained and updated. A second computing facility
processes and stores taxpayer data used by IRS in conducting certain
compliance functions. There are also hundreds of other IRS facilities (e.g.,
regional and district offices) that support tax processing. Because of IRS’
heavy reliance on systems, effective security controls are critical to IRS’
ability to maintain the confidentiality of taxpayer data, safeguard assets,
and ensure the reliability of financial management information.
2
The phrases “internal audit” and “internal security” refer to functional disciplines, not IRS
organizational entities.
Page 2 GAO/AIMD-97-49 IRS Systems Security
B-276609
Computer Security The Computer Security Act3 requires, among other things, the
Requirements establishment of standards and guidelines for ensuring the security and
privacy of sensitive information in federal computer systems. Similarly,
IRS’ Tax Information Security Guidelines require that all computer and
communication systems that process, store, or transmit taxpayer data
adequately protect these data, and the Internal Revenue Code prohibits the
unauthorized disclosure of federal returns and return information outside
IRS. To adequately protect the data, IRS must ensure that (1) access to
computer data, systems, and facilities is properly restricted and
monitored, (2) changes to computer systems software are properly
authorized and tested, (3) backup and recovery plans are prepared, tested,
and maintained to ensure continuity of operations in the case of a disaster,
and (4) data communications are adequately protected from unauthorized
intrusion and interception.
Also, Treasury requires IRS to have C2-level safeguards to protect the
confidentiality of taxpayer data. The Department of Defense defines a
hierarchy of security levels (i.e., A1, B3, B2, B1, C2, C1, and D) with A1
currently being the highest level of protection and D being the minimum
level of protection. C2-level safeguards include all the requirements from
the D and C1 levels and are required by IRS for all sensitive but unclassified
data. These safeguards ensure need-to-know protection and controlled
access to data, including
• a security policy that requires access control;
• identification and authentication that provide mechanisms to continually
maintain accountability;
• operational and life-cycle assurances that include validations of system
integrity and computer systems tests of security mechanisms; and
• documentation such as a security features user’s guide, test
documentation, and design documentation.
Prior GAO Work on IRS Over the past 3 years, we testified and reported numerous times on serious
Computer Security weaknesses with security and other internal controls used to safeguard IRS
computer systems and facilities. For instance, in August 1993, we
identified weaknesses in IRS’ systems which hampered the Service’s ability
to effectively protect and control taxpayer data.4 In this regard, we found
that (1) IRS did not adequately control access given to computer support
3
Public Law 100-235, 101 Stat. 1724 (1988).
4
Financial Management: First Financial Audits of IRS and Customs Revealed Serious Problems
(GAO/T-AIMD-93-3, Aug. 4, 1993).
Page 3 GAO/AIMD-97-49 IRS Systems Security
B-276609
personnel over taxpayer data and (2) established controls did not provide
reasonable assurance that only approved versions of computer programs
were implemented. Subsequently, in December 1993, IRS identified
taxpayer data security as a material weakness in its Federal Managers’
Financial Integrity Act report.
In 1994, we also reported, and IRS acknowledged, that while IRS had made
some progress in correcting computer security weaknesses, IRS still faced
serious and longstanding control weaknesses over automated taxpayer
data. Moreover, we reported that these longstanding weaknesses were
symptomatic of broader computer security management issues, namely,
IRS’ failure to (1) clearly delineate responsibility and accountability for the
effectiveness of computer security within the agency and (2) establish an
ongoing process to assess the effectiveness of the design and
implementation of computer controls.5 To address these issues, we
recommended that IRS greatly strengthen its computer security
management, and IRS agreed to do so.
The unauthorized electronic access of taxpayer data by IRS employees—
commonly referred to as browsing—has been a longstanding problem for
the Service. In October 1992, IRS’ Internal Audit reported that the Service
had limited capability to (1) prevent employees from unauthorized access
to taxpayers’ accounts and (2) detect an unauthorized access once it
occurred.6 We reported in September 1993 that IRS did not adequately
(1) restrict access by computer support staff to computer programs and
data files or (2) monitor the use of these resources by computer support
staff and users.7 As a result, personnel who did not need access to
taxpayer data could read and possibly use this information for fraudulent
purposes. Also, unauthorized changes could be made to taxpayer data,
either inadvertently or deliberately for personal gain, for example, to
initiate unauthorized refunds or abatements of tax. In August 1995, we
reported that the Service still lacked sufficient safeguards to prevent or
detect unauthorized browsing of taxpayer information.8
5
Financial Audit: Examination of IRS’ Fiscal Year 1994 Financial Statements (GAO/AIMD-95-141,
Aug. 4, 1995).
6
Review of Controls Over IDRS Security, (IRS Internal Audit Reference Number 030103, October 23,
1992).
7
IRS Information Systems: Weaknesses Increase Risk of Fraud and Impair Reliability of Management
Information (GAO/AIMD-93-34, Sept. 22, 1993).
8
Financial Audit: Examination of IRS’ Fiscal Year 1994 Financial Statements (GAO/AIMD-95-141,
Aug. 4, 1995).
Page 4 GAO/AIMD-97-49 IRS Systems Security
B-276609
IRS Organizations Several organizations within the IRS are responsible for the security of IRS
Responsible for Managing computer resources and the facilities that house them. For example, the
Computer Security Office of the Chief Information Officer is responsible for formulating
policies and issuing guidelines for logical security, data security, risk
analysis, security awareness, security management, contingency planning,
and telecommunications. The Real Estate division within the Office of the
Chief for Management and Administration is responsible for formulating
policies and issuing guidelines for physical security. The field offices (e.g.,
service centers, computing centers, regional offices, district offices) are
responsible for implementing these policies and guidelines at their
locations. Compliance with the policies and procedures is assessed by
both the headquarters and field offices.
Weaknesses in IRS’ computer systems security continue to place taxpayer
Serious System data and IRS’ automated information systems at risk to both internal and
Security Weaknesses external threats, which could result in the loss of computer services, or in
Persist the unauthorized disclosure, modification, or destruction of taxpayer data.
While IRS has made some progress in protecting taxpayer data, serious
weaknesses persist.
During our five on-site reviews, we found numerous weaknesses in the
following eight functional areas: physical security, logical security, data
communications management, risk analysis, quality assurance, internal
audit and security, security awareness, and contingency planning.9
Primary weaknesses were in the areas of physical and logical security.
Physical Security Physical security and access control measures, such as locks, guards,
fences, and surveillance equipment, are critical to safeguarding taxpayer
data and computer operations from internal and external threats. We
found many weaknesses in physical security at the facilities visited. The
following are examples of these weaknesses:
• Collectively, the five facilities could not account for approximately 6,400
units of magnetic storage media, such as tapes and cartridges, which could
contain taxpayer data. The number per facility ranged from a low of 41 to
a high of 5,946.
• Fire suppression trash cans were not used in several facilities.
9
The order of the functional areas does not denote relative importance. Every area is crucial to
protecting the security of IRS data and facilities.
Page 5 GAO/AIMD-97-49 IRS Systems Security
B-276609
• Printouts containing taxpayer data were left unprotected and unattended
in open areas of two facilities where they could be compromised.
Logical Security Logical security controls limit access to computing resources to only those
(personnel and programs) with a need to know. Logical security control
measures include the use of safeguards incorporated in computer
hardware, system and application software, communication hardware and
software, and related devices. We found numerous weaknesses in logical
security at the facilities visited. Examples of these vulnerabilities include
the following:
• Tapes containing taxpayer data were not overwritten prior to reuse.
• Access to system software was not limited to individuals with a need to
know. For example, at two facilities, we found that data base
administrators10 had access to system software, although their job
functions and responsibilities did not require it.
• Application programmers were allowed to move development software
into the production environment without adequate controls. In addition,
these programmers were allowed to use taxpayer data for testing
purposes, which places these data at unnecessary risk of unauthorized
disclosure and modification.
Data Communications Data communications management is the function of monitoring and
Management controlling communications networks to ensure that they operate as
intended and transmit timely, accurate, and reliable data securely. Without
adequate data communications security, the data being transmitted can be
destroyed, altered, or diverted, and the equipment itself can be damaged.
At the five facilities, we found numerous communications management
weaknesses.
Risk Analysis The purpose of risk analysis is to identify security threats, determine their
magnitude, and identify areas needing additional safeguards. We found
risk analysis weaknesses at the five facilities. For example, none of the
facilities visited conducted a complete risk analysis to identify and
determine the severity of all the security threats to which they were
vulnerable. Without these analyses, systems’ vulnerabilities may not be
identified and appropriate controls not implemented to correct them.
10
The data base administrator is responsible for overall control of the data base, including its content,
storage structure, access strategy, security and integrity checks, and backup and recovery.
Page 6 GAO/AIMD-97-49 IRS Systems Security
B-276609
Quality Assurance An effective quality assurance program requires reviewing software
products and activities to ensure that they comply with the applicable
processes, standards, and procedures and satisfy the control and security
requirements of the organization. One aspect of a quality assurance
program is validating that software changes are adequately tested and will
not introduce vulnerabilities into the system. We found many weaknesses
in quality assurance at the five facilities visited, including instances of
failing to independently test all software prior to placing it into operation.
In addition, when software products were tested, this testing was
sometimes incomplete (e.g., did not include integrity or stress testing).11
Such quality assurance weaknesses can result in systems not functioning
properly, putting federal taxpayer data at risk.
Internal Audit and Security Internal audit and internal security functions are needed to ensure that
safeguards are adequate and to alert management to potential security
problems. We found many weaknesses in the internal audit or internal
security functions at the five facilities visited. For example, two of the
facilities had not audited operations within the last 5 years.
Security Awareness An effective security awareness program is the means through which
management communicates to employees the importance of security
policies, procedures, and responsibilities for protecting taxpayer data.
Three of the five IRS facilities did not have an adequate security awareness
program. For example, at one site there was no process in place for
ensuring that management was made aware of security violations and
security related issues. We found several security awareness weaknesses
at four of the five facilities.
Contingency Planning A contingency plan specifies emergency response, backup operations, and
post disaster recovery procedures to ensure the availability of critical
resources and facilitate the continuity of operations in an emergency
situation. It addresses how an organization plans to deal with the full
range of contingencies from electrical power failures to catastrophic
events, such as earthquakes, floods, and fires. It also identifies essential
business functions and prioritizes resources in order of criticality. To be
effective when needed, a contingency plan must be periodically tested and
personnel trained in and familiar with its use.
11
Integrity testing ensures that an application program performs only its intended functions. Stress
testing assesses system performance at very high workloads.
Page 7 GAO/AIMD-97-49 IRS Systems Security
B-276609
None of the five facilities visited had comprehensive disaster recovery
plans. Specifically, we found that disaster recovery procedures at two of
the five facilities had not been tested, while plans for the remaining
locations were incomplete, i.e., they failed to include instructions for
restoring all mission-critical applications and reestablishing
telecommunications. Further, none had completed business resumption
plans, which should specify the disaster recovery goals and milestones
required to meet the business needs of their customers. We found many
weaknesses in this functional area at the five sites visited.
Taxpayer information can be compromised when IRS employees, who do
Electronic Browsing not have a need to know, electronically peruse files and records. This
Is Not Being practice, which is commonly called browsing, is an area of continuing
Addressed Effectively serious concern. To address this concern, IRS developed an information
system—the Electronic Audit Research Log (EARL)—to monitor and detect
browsing on the Integrated Data Retrieval System (IDRS), the primary
computer system IRS employees use to access and adjust taxpayer
accounts. IRS has also taken legal and disciplinary actions against
employees caught browsing. However, EARL has shortcomings that limit its
ability to detect browsing. In addition, IRS does not know whether the
Service is making progress in reducing browsing. Further, IRS facilities
inconsistently (1) review and refer incidents of employee browsing,
(2) apply penalties for browsing violations, and (3) publicize the outcomes
of browsing cases to deter other employees from browsing.
EARL’s Ability to Detect EARL cannot detect all instances of browsing because it only monitors
Browsing Is Limited employees using IDRS. EARL does not monitor the activities of IRS employees
using other systems, such as the Distributed Input System, the Integrated
Collection System, and the Totally Integrated Examination System, which
are also used to create, access, or modify taxpayer data. In addition,
information systems personnel responsible for systems development and
testing can browse taxpayer information on magnetic tapes, cartridges,
and other files using system utility programs, such as the Spool Display
and Search Facility,12 which also are not monitored by EARL.
Further, EARL has some weaknesses that limit its ability to identify
browsing by IDRS users. For example, because EARL is not effective in
distinguishing between browsing activity and legitimate work activity, it
12
This utility enables a programmer to view a system’s output, which may contain investigative or
taxpayer information.
Page 8 GAO/AIMD-97-49 IRS Systems Security
B-276609
identifies so many potential browsing incidents that a subsequent manual
review to find incidents of actual browsing is time-consuming and difficult.
IRS is evaluating options for developing a newer version of EARL that may
better distinguish between legitimate activity and browsing.
Because IRS does not monitor the activities of all employees authorized to
access taxpayer data and does not monitor the activities of information
systems personnel authorized to access taxpayer data for testing purposes,
IRS has no assurance that these employees are not browsing taxpayer data
and no analytical basis on which to estimate the extent of the browsing
problem or any damage being done.
IRS Progress in Reducing IRS’management information systems do not provide sufficient
and Disciplining Browsing information to describe known browsing incidents precisely or to evaluate
Cases Is Unclear their severity consistently. IRS personnel refer potential browsing cases to
either the Labor Relations or Internal Security units, each of which
records information on these potential cases in its own case tracking
system. However, neither system captures sufficient information to report
on the total number of unauthorized accesses. For example, neither
system contains enough information on each case to determine how many
taxpayer accounts were inappropriately accessed or how many times each
account was accessed. Consequently, for known incidents of browsing, IRS
cannot efficiently determine how many and how often taxpayers’ accounts
were inappropriately accessed. Without such information, IRS cannot
measure whether it is making progress from year to year in reducing
browsing.
A recent report by the IRS EARL Executive Steering Committee13 shows that
the number of browsing cases closed has fluctuated from a low of 521 in
fiscal year 1991 to a high of 869 in fiscal year 1995.14 However, the report
concluded that the Service does not consistently count the number of
browsing cases and that “. . . it is difficult to assess what the detection
programs are producing. . . or our overall effectiveness in identifying IDRS
browsing.”
Further, the committee reported “the percentages of cases resulting in
discipline has remained constant from year to year in spite of the
Commissioner’s ’zero tolerance’ policy.” IRS browsing data for fiscal years
1991 to 1995 show that the percentage of browsing cases resulting in IRS’
13
Electronic Audit Research Log (EARL) Executive Steering Committee Report, (Sept. 30, 1996).
14
We did not verify the accuracy and reliability of these data.
Page 9 GAO/AIMD-97-49 IRS Systems Security
B-276609
three most severe categories of penalties (i.e., disciplinary action,
separation, and resignation/retirement) has ranged between 23 and
34 percent, with an average of 29 percent.15
Incidents of Browsing Are According to IRS, effectively addressing employee browsing requires
Reviewed and Referred consistent review and referral of potential browsing across IRS. However,
IRS processing facilities do not consistently review and refer potential
Inconsistently
browsing cases. The processing facilities responsible for monitoring
browsing had different policies and procedures for identifying potential
violations and referring them to the appropriate unit within IRS for
investigation and action. For example, at one facility, the analysts who
identified potential violations referred all of them to Internal Security,
while staff at another facility sent some to Internal Security and the
remainder to Labor Relations.
The analysts handle the review and referral of potential violations
differently because IRS policies and procedures do not provide guidance in
these areas. In June 1996, IRS’ Internal Audit reported that IRS management
had not developed procedures to ensure that potential browsing cases
were consistently reviewed and referred to management officials
throughout the agency.16 Internal Audit further reported that analysts were
not given clear guidance on where to refer certain cases, especially those
involving potential Internal Security cases, and that procedures had been
developed by some facilities but varied from site to site.
IRS has acted to improve the consistency of its process. In June 1996, it
developed specific criteria for analysts to use when making referral
decisions. A recent report by the EARL Executive Steering Committee
stated that IRS had implemented these criteria nationwide. Because IRS was
in the process of implementing these criteria during our work, we could
not validate their implementation or effectiveness.
Penalties for Browsing Are IRS policies and procedures on disciplining employees caught browsing
Inconsistent Across IRS direct IRS management to ensure that decisions are appropriate and
consistent agencywide. After several IRS directors raised concern that field
offices were not consistent in the types of discipline imposed in similar
15
The mix among these three categories has remained relatively constant each year with disciplinary
action accounting for the vast majority of penalties.
16
Implementation of the Electronic Audit Research Log (EARL), (IRS Internal Audit Ref. No. 064810,
June 21, 1996).
Page 10 GAO/AIMD-97-49 IRS Systems Security
B-276609
cases, IRS’ Western Region analyzed fiscal year 1995 browsing cases for all
its offices and found inconsistent treatment for similar types of offenses.
Examples of inconsistent discipline included
• Temporary employees who attempted to access their own accounts were
given letters of reprimand, although historically, IRS terminated temporary
employees for this type of infraction.
• One employee who attempted to access his own account was given a
written warning, while other employees in similar situations, from the
same division, were not counseled at all.
The EARL Executive Steering Committee also reported widespread
inconsistencies in the penalties imposed in browsing cases. For example,
the committee’s report showed that for fiscal year 1995, the percentage of
browsing cases resulting in employee counseling ranged from a low of
0 percent at one facility to 77 percent at another. Similarly, the report
showed that the percentage of cases resulting in removal ranged from
0 percent at one facility to 7 percent at another. For punishments other
than counseling or removal (e.g., suspension), the range was between
10 percent and 86 percent.
Punishments Assessed for IRSfacilities did not consistently publicize the penalties assessed in
Browsing Not Consistently browsing cases to deter such behavior. For example, we found that one
Publicized to Deter facility never reported disciplinary actions. A representative at this facility
told us that employees were generally aware of cases involving
Violations embezzlement and fraud if the cases received media attention. However,
another facility reported the disciplinary outcomes of browsing cases in its
monthly newsletter. For example, it cited a management official who
accessed a relative’s account and was punished. This facility publicized
cases involving employees at all grade levels to emphasize that browsing
taxpayer data is a serious offense punishable by adverse administrative
actions or legal sanctions, including loss of job and criminal prosecution.
By inconsistently and incompletely reporting on penalties assessed for
employee browsing, IRS is missing an opportunity to more effectively deter
such activity.
The EARL Executive Steering Committee noted that during the past 3 years
IRShad published numerous documents intended to educate and sensitize
employees to the importance of safeguarding taxpayer information.
Nonetheless, the committee found that employees do not perceive the
Service as aggressively pursuing browsing violations. It recommended that
Page 11 GAO/AIMD-97-49 IRS Systems Security
B-276609
communications be more focused and highlight actual examples of
disciplinary actions that have been taken against employees who browse.
IRS’current approach to computer security is not effective. Serious
Conclusions weaknesses persist in security controls intended to safeguard IRS
computer systems, data, and facilities and expose tax processing
operations to the serious risk of disruption and taxpayer data to the risk of
unauthorized use, modification, and destruction. Further, although IRS has
taken some action to detect and deter browsing, it is still not effectively
addressing this area of continuing concern because (1) it does not know
the full extent of browsing and (2) it is inconsistently addressing cases of
browsing.
Because of the serious and persistent security problems cited in our
Recommendations January 30, 1997, “Limited Official Use” version of this report, we
recommended that the Commissioner of Internal Revenue, within 3
months of the date of that report, prepare a plan for (1) correcting all the
weaknesses identified at the five facilities we visited, as detailed in the
January 30, 1997 report, and (2) identifying and correcting security
weaknesses at the other IRS facilities. We stated that this plan should be
provided to the Chairmen and Ranking Minority Members of the
Subcommittees on Treasury, Postal Service, and General Government,
Senate and House Committees on Appropriations; Senate Committee on
Finance; Senate Committee on Governmental Affairs; House Committee
on Ways and Means; and House Committee on Government Reform and
Oversight. We also stated that the Commissioner should report on IRS’
progress on these plans in its fiscal year 1999 budget submission and
should identify the computer security weaknesses discussed in this report
as being material in its Fiscal Year 1996 Federal Managers’ Financial
Integrity Act report and subsequent reports until the weaknesses are
corrected.
Also, because long-standing computer security problems continue to
plague IRS operations, we reiterated our prior recommendation that the
Commissioner, through the Deputy Commissioner, strengthen computer
security management. In doing so, we recommended that the
Commissioner direct the Deputy Commissioner to (1) reevaluate IRS’
current approach to computer security along with plans for improvement,
and (2) report the results of this reevaluation by June 1997, to above cited
congressional committees and subcommittees.
Page 12 GAO/AIMD-97-49 IRS Systems Security
B-276609
Last, in light of the continuing seriousness of IRS employees’ electronic
browsing of taxpayer records, we recommended that the Commissioner
ensure that IRS completely and consistently monitors, records, and reports
the full extent of electronic browsing for all systems that can be used to
access taxpayer data. We recommended that the Commissioner report the
associated disciplinary actions taken and that these statistics along with
an assessment of its progress in eliminating browsing, be included in IRS’
annual budget submission.
In commenting on a draft of this report, IRS agreed with our conclusions
Agency Comments and recommendations and stated that it is working to correct security
and Our Evaluation weaknesses and implement our recommendations. However, it did not
commit to doing so for all recommendations within the time frames
specified. Specifically, we recommended that by April 30, 1997, IRS develop
a plan for (1) correcting all the weaknesses identified at the five facilities
we visited and (2) identifying and correcting any security weaknesses at
the other facilities. We specified this time frame because of the
seriousness of the weaknesses we found. In our view, it is essential that IRS
implement this recommendation expeditiously, and therefore we reiterate
that IRS should complete the above cited plan by April 30, 1997.
Also concerning the correction of the weaknesses identified at the five
facilities visited, IRS stated in its comments that “each facility is taking any
corrective actions required by the GAO review.” This statement is
inconsistent with comments provided by each facility on its own
weaknesses and thus evokes additional concerns about the need for a
more concerted security management effort to ensure a consistent and
effective level of security at all IRS facilities. Specifically, while the five
facilities agreed with many of our findings and described appropriate
corrective actions, they disagreed with many. In some cases, their
comments reflected inconsistent views on the same problems. For
example, some facilities acknowledged the need for fire suppression trash
cans for disposing of combustible material (including paper) and
chemicals in print rooms, while others disagreed. It is imperative that IRS
recognize and correct security weaknesses systematically and consistently
across all its facilities.
IRSalso commented that “a recent reevaluation of the weaknesses by GAO’s
contractor identified that 41% of the weaknesses originally identified in the
GAO report have already been corrected and closed, and an additional 12%
were being adequately addressed by the facilities.” Our contractor’s
Page 13 GAO/AIMD-97-49 IRS Systems Security
B-276609
reevaluation assessment is not yet complete. Given the many serious
security weaknesses yet to be fully dealt with or even addressed at this
point, any preliminary assessment of IRS progress should be viewed with
caution.
In addition, IRS stated that time did not permit it to report the weaknesses
identified in our report as material in its fiscal year 1996 Federal Managers’
Financial Integrity Act report. Instead, IRS has committed to reevaluating
the status of material weaknesses that have and should be reported so that
the fiscal year 1997 Federal Managers’ Financial Integrity Act report will
provide an accurate depiction of the agency’s material weaknesses and
coincide with its approach and plans for improvement.
The full text of IRS’ comments on a draft of this report is in appendix II.
As agreed with your office, unless you publicly announce the contents of
this report earlier, we will not distribute it until 30 days from the date of
this letter. At that time, we will send copies to the Chairman, Senate
Committee on Governmental Affairs, and the Chairmen and Ranking
Minority Members of the (1) Subcommittees on Treasury, Postal Service,
and General Government of the Senate and House Committees on
Appropriations, (2) Senate Committee on Finance, (3) House Committee
on Ways and Means, and (4) House Committee on Government Reform
and Oversight. We will also send copies to the Secretary of the Treasury,
Commissioner of Internal Revenue, and Director of the Office of
Management and Budget. Copies will be available to others upon request.
If you have questions about this report, please contact me at
(202) 512-6412. Major contributors are listed in appendix III.
Sincerely yours,
Dr. Rona B. Stillman
Chief Scientist for Computers
and Telecommunications
Page 14 GAO/AIMD-97-49 IRS Systems Security
Page 15 GAO/AIMD-97-49 IRS Systems Security
Contents
Letter 1
Appendix I 18
Objectives, Scope,
and Methodology
Appendix II 20
Comments From the
Internal Revenue
Service
Appendix III 31
Major Contributors to
This Report
Abbreviations
EARL Electronic Audit Research Log
GAO General Accounting Office
IDRS Integrated Data Retrieval System
IRS Internal Revenue Service
Page 16 GAO/AIMD-97-49 IRS Systems Security
Page 17 GAO/AIMD-97-49 IRS Systems Security
Appendix I
Objectives, Scope, and Methodology
The objectives of our review were to (1) determine whether IRS is
effectively managing computer security and (2) determine whether IRS is
effectively addressing employee browsing of electronic taxpayer data.
To determine the effectiveness of IRS computer security, we first reviewed
the findings from the computer security evaluation conducted by the
public accounting firm of Ernst & Young in support of our audit of IRS’
fiscal year 1995 financial statements. Ernst & Young’s evaluation
addressed general controls over such areas as physical security, logical
security, communications, risk management, quality assurance, internal
security, and contingency planning. Ernst & Young performed its
evaluation at five IRS facilities, as well as IRS headquarters offices where it
examined security policies and procedures.
Using Ernst & Young’s evaluation results as preliminary indicators, we
then evaluated and tested general computer security controls at the same
five facilities in more depth. The areas we reviewed included physical
security, logical security, data communications management, risk analysis,
quality assurance, internal security and internal audit, security awareness,
and contingency planning. Our evaluations included the review of related
IRS polices and procedures; on-site tests and observations of controls in
operation over all the systems in use at these locations; discussions of
security controls with Integrated Data Retrieval System users, security
representatives, and officials at the locations visited. Our evaluation did
not include computer systems penetration testing.
We sent a letter reporting our findings to each IRS facility we visited,
requesting comments and the outline of a plan for corrective actions. We
then analyzed the responses and discussed the results with responsible IRS
headquarters officials. We did not verify IRS’ statements that certain
actions had already been completed, but will do so as part of our audit of
IRS’ financial statements for fiscal year 1996.
To determine the effectiveness of IRS efforts to reduce employee browsing
of taxpayer data, we reviewed documentation and discussed issues
relating to the development and operation of the Electronic Audit
Retrieval Log, the system IRS implemented to identify potential cases of
employee browsing. We also reviewed data from the two systems IRS uses
to track identified cases of browsing in order to determine the ability of
these systems to accurately report the nature and extent of employee
browsing. In addition, we discussed with IRS Internal Security officials the
actions they are taking to investigate instances of browsing, and we
Page 18 GAO/AIMD-97-49 IRS Systems Security
Appendix I
Objectives, Scope, and Methodology
reviewed the Electronic Audit Research Log (EARL) Executive Steering
Committee Report dated September 30, 1996.
To evaluate IRS’ computer management and security, we assessed
information pertaining to computer controls in place at headquarters and
field locations and held discussions with headquarters officials. We did not
assess the controls that IRS plans to incorporate into its long-term Tax
Systems Modernization program.
We requested comments on a draft of this report from IRS and have
reflected them in the report as appropriate. Our work was performed at IRS
headquarters in Washington, D.C., and at five facilities located throughout
the United States from May 1996 through November 1996. We performed
our work in accordance with generally accepted government auditing
standards.
Page 19 GAO/AIMD-97-49 IRS Systems Security
Appendix II
Comments From the Internal Revenue
Service
Page 20 GAO/AIMD-97-49 IRS Systems Security
Appendix II
Comments From the Internal Revenue
Service
Page 21 GAO/AIMD-97-49 IRS Systems Security
Appendix II
Comments From the Internal Revenue
Service
Page 22 GAO/AIMD-97-49 IRS Systems Security
Appendix II
Comments From the Internal Revenue
Service
Page 23 GAO/AIMD-97-49 IRS Systems Security
Appendix II
Comments From the Internal Revenue
Service
Page 24 GAO/AIMD-97-49 IRS Systems Security
Appendix II
Comments From the Internal Revenue
Service
Page 25 GAO/AIMD-97-49 IRS Systems Security
Appendix II
Comments From the Internal Revenue
Service
Page 26 GAO/AIMD-97-49 IRS Systems Security
Appendix II
Comments From the Internal Revenue
Service
Page 27 GAO/AIMD-97-49 IRS Systems Security
Appendix II
Comments From the Internal Revenue
Service
Page 28 GAO/AIMD-97-49 IRS Systems Security
Appendix II
Comments From the Internal Revenue
Service
Page 29 GAO/AIMD-97-49 IRS Systems Security
Appendix II
Comments From the Internal Revenue
Service
Page 30 GAO/AIMD-97-49 IRS Systems Security
Appendix III
Major Contributors to This Report
Randolph C. Hite, Senior Assistant Director
Accounting and Ronald W. Beers, Assistant Director
Information Ronald E. Parker, Senior Information Systems Analyst
Management Division, Ronald E. Famous, Senior Information Systems Analyst
Gary N. Mountjoy, Assistant Director
Washington, D.C.
Carl L. Higginbotham, Senior Information Systems Analyst
Atlanta Field Office Glenda C. Wright, Senior Information Systems Analyst
Teresa F. Tucker, Information Systems Analyst
(511529) Page 31 GAO/AIMD-97-49 IRS Systems Security
Ordering Information
The first copy of each GAO report and testimony is free.
Additional copies are $2 each. Orders should be sent to the
following address, accompanied by a check or money order
made out to the Superintendent of Documents, when
necessary. VISA and MasterCard credit cards are accepted, also.
Orders for 100 or more copies to be mailed to a single address
are discounted 25 percent.
Orders by mail:
U.S. General Accounting Office
P.O. Box 6015
Gaithersburg, MD 20884-6015
or visit:
Room 1100
700 4th St. NW (corner of 4th and G Sts. NW)
U.S. General Accounting Office
Washington, DC
Orders may also be placed by calling (202) 512-6000
or by using fax number (301) 258-4066, or TDD (301) 413-0006.
Each day, GAO issues a list of newly available reports and
testimony. To receive facsimile copies of the daily list or any
list from the past 30 days, please call (202) 512-6000 using a
touchtone phone. A recorded menu will provide information on
how to obtain these lists.
For information on how to access GAO reports on the INTERNET,
send an e-mail message with "info" in the body to:
info@www.gao.gov
or visit GAO’s World Wide Web Home Page at:
http://www.gao.gov
PRINTED ON RECYCLED PAPER
United States Bulk Rate
General Accounting Office Postage & Fees Paid
Washington, D.C. 20548-0001 GAO
Permit No. G100
Official Business
Penalty for Private Use $300
Address Correction Requested
IRS Systems Security: Tax Processing Operations and Data Still at Risk Due to Serious Weaknesses
Published by the Government Accountability Office on 1997-04-08.
Below is a raw (and likely hideous) rendition of the original report. (PDF)