IRS Systems Security: Tax Processing Operations and Data Still at Risk Due to Serious Weaknesses

Published by the U.S. General Accounting Office (renamed the Government Accountability Office in 2004) on 1997-04-08.


United States General Accounting Office

GAO Report to the Ranking Minority Member, Committee on Governmental Affairs, U.S. Senate

April 1997

IRS SYSTEMS SECURITY
Tax Processing Operations and Data Still at Risk Due to Serious Weaknesses

GAO/AIMD-97-49

United States General Accounting Office
Washington, D.C. 20548
Accounting and Information Management Division

B-276609

April 8, 1997

The Honorable John Glenn
Ranking Minority Member
Committee on Governmental Affairs
United States Senate

Dear Senator Glenn:

This report completes our response to your request to assess and report on Internal Revenue Service (IRS) computer security. While security is an area of paramount importance in all computer-based operations, it is particularly critical to IRS in light of the agency’s vital revenue collection mission and the sensitivity of the data it processes. Accordingly, we agreed with your office to determine whether IRS is effectively (1) managing computer security and (2) addressing employee browsing of electronic taxpayer data.

On January 30, 1997, we issued to you a report responding to your request. The report detailed numerous security weaknesses that we found at five IRS facilities. Because some of the weaknesses are sensitive and could jeopardize IRS’ security if released to the public, the report was designated “Limited Official Use” and the identities of the facilities that we visited were not disclosed. Subsequently, your office requested that we issue an excerpted version of the report suitable for public release. This report, which does not quantify either the total number of weaknesses found or the number of weaknesses found in specific functional categories, and does not detail the most serious weaknesses, satisfies that request. IRS commented on a draft of this report, and its comments have been included in this report, as appropriate. Details of our objectives, scope, and methodology are in appendix I.


Results in Brief

Over the last 3 years, we have reported on a number of computer security problems at IRS and have made recommendations for strengthening IRS’ computer security management effectiveness. Nevertheless, IRS continues to have serious weaknesses in the controls used to safeguard IRS computer systems, facilities, and taxpayer data. Our recent on-site reviews of security at five facilities disclosed many weaknesses in the areas of (1) physical security, (2) logical security,[1] (3) data communications management, (4) risk analysis, (5) quality assurance, (6) internal audit and security,[2] (7) security awareness, and (8) contingency planning. For example, the five facilities could not account collectively for approximately 6,400 missing units of magnetic storage media, such as tapes and cartridges, which could contain taxpayer data. In addition, printouts containing taxpayer data were left unprotected and unattended in open areas of two facilities where they could be compromised. Also, none of the facilities visited had comprehensive disaster recovery plans, which threatens the facilities’ ability to restore operations following emergencies or natural disasters.

[1] Logical security measures include safeguards incorporated in computer hardware and software.

Page 1    GAO/AIMD-97-49 IRS Systems Security

One area of unauthorized access that has been the focus of considerable attention is electronic browsing of taxpayer data by IRS employees. Despite this attention, IRS is still not effectively addressing the problem via thorough employee monitoring, accurate recording of browsing violations, or consistent application and publication of enforcement actions. For example, IRS currently does not monitor all employees with access to automated systems and data for electronic browsing activities. In addition, when instances of browsing are identified, IRS does not consistently investigate them or publicize them to deter others from browsing, and does not consistently punish browsers.

Until these serious weaknesses are corrected, IRS runs the risk of its tax processing operations being disrupted and taxpayer data being improperly used, modified, or destroyed.


Background

IRS relies on automated information systems to process over 200 million taxpayer returns and collect over $1 trillion in taxes annually. IRS operates 10 facilities throughout the United States to process tax returns and other information supplied by taxpayers. These data are then electronically transmitted to a central computing facility, where master files of taxpayer information are maintained and updated. A second computing facility processes and stores taxpayer data used by IRS in conducting certain compliance functions. There are also hundreds of other IRS facilities (e.g., regional and district offices) that support tax processing. Because of IRS’ heavy reliance on systems, effective security controls are critical to IRS’ ability to maintain the confidentiality of taxpayer data, safeguard assets, and ensure the reliability of financial management information.

[2] The phrases “internal audit” and “internal security” refer to functional disciplines, not IRS organizational entities.
Computer Security Requirements

The Computer Security Act[3] requires, among other things, the establishment of standards and guidelines for ensuring the security and privacy of sensitive information in federal computer systems. Similarly, IRS’ Tax Information Security Guidelines require that all computer and communication systems that process, store, or transmit taxpayer data adequately protect these data, and the Internal Revenue Code prohibits the unauthorized disclosure of federal returns and return information outside IRS. To adequately protect the data, IRS must ensure that (1) access to computer data, systems, and facilities is properly restricted and monitored, (2) changes to computer systems software are properly authorized and tested, (3) backup and recovery plans are prepared, tested, and maintained to ensure continuity of operations in the case of a disaster, and (4) data communications are adequately protected from unauthorized intrusion and interception.

Also, Treasury requires IRS to have C2-level safeguards to protect the confidentiality of taxpayer data. The Department of Defense, in its Trusted Computer System Evaluation Criteria, defines a hierarchy of security levels (i.e., A1, B3, B2, B1, C2, C1, and D), with A1 currently being the highest level of protection and D being the minimum level of protection. C2-level safeguards include all the requirements from the D and C1 levels and are required by IRS for all sensitive but unclassified data. C2 is also the first level that requires individual user accountability, that is, identification of each user at login and an audit trail of security-relevant events attributable to that user; the browsing detection discussed later in this report depends on exactly that kind of record. These safeguards ensure need-to-know protection and controlled access to data, including

• a security policy that requires access control;
• identification and authentication that provide mechanisms to continually maintain accountability;
• operational and life-cycle assurances that include validations of system integrity and computer systems tests of security mechanisms; and
• documentation such as a security features user’s guide, test documentation, and design documentation.

Prior GAO Work on IRS Computer Security

Over the past 3 years, we testified and reported numerous times on serious weaknesses with security and other internal controls used to safeguard IRS computer systems and facilities. For instance, in August 1993, we identified weaknesses in IRS’ systems which hampered the Service’s ability to effectively protect and control taxpayer data.[4] In this regard, we found that (1) IRS did not adequately control access given to computer support personnel over taxpayer data and (2) established controls did not provide reasonable assurance that only approved versions of computer programs were implemented. Subsequently, in December 1993, IRS identified taxpayer data security as a material weakness in its Federal Managers’ Financial Integrity Act report.

[3] Public Law 100-235, 101 Stat. 1724 (1988).
[4] Financial Management: First Financial Audits of IRS and Customs Revealed Serious Problems (GAO/T-AIMD-93-3, Aug. 4, 1993).

In 1994, we also reported, and IRS acknowledged, that while IRS had made some progress in correcting computer security weaknesses, IRS still faced serious and longstanding control weaknesses over automated taxpayer data. Moreover, we reported that these longstanding weaknesses were symptomatic of broader computer security management issues, namely, IRS’ failure to (1) clearly delineate responsibility and accountability for the effectiveness of computer security within the agency and (2) establish an ongoing process to assess the effectiveness of the design and implementation of computer controls.[5] To address these issues, we recommended that IRS greatly strengthen its computer security management, and IRS agreed to do so.

The unauthorized electronic access of taxpayer data by IRS employees, commonly referred to as browsing, has been a longstanding problem for the Service. In October 1992, IRS’ Internal Audit reported that the Service had limited capability to (1) prevent employees from unauthorized access to taxpayers’ accounts and (2) detect an unauthorized access once it occurred.[6] We reported in September 1993 that IRS did not adequately (1) restrict access by computer support staff to computer programs and data files or (2) monitor the use of these resources by computer support staff and users.[7] As a result, personnel who did not need access to taxpayer data could read and possibly use this information for fraudulent purposes. Also, unauthorized changes could be made to taxpayer data, either inadvertently or deliberately for personal gain, for example, to initiate unauthorized refunds or abatements of tax. In August 1995, we reported that the Service still lacked sufficient safeguards to prevent or detect unauthorized browsing of taxpayer information.[8]


[5] Financial Audit: Examination of IRS’ Fiscal Year 1994 Financial Statements (GAO/AIMD-95-141, Aug. 4, 1995).
[6] Review of Controls Over IDRS Security (IRS Internal Audit Reference Number 030103, October 23, 1992).
[7] IRS Information Systems: Weaknesses Increase Risk of Fraud and Impair Reliability of Management Information (GAO/AIMD-93-34, Sept. 22, 1993).
[8] Financial Audit: Examination of IRS’ Fiscal Year 1994 Financial Statements (GAO/AIMD-95-141, Aug. 4, 1995).

IRS Organizations Responsible for Managing Computer Security

Several organizations within the IRS are responsible for the security of IRS computer resources and the facilities that house them. For example, the Office of the Chief Information Officer is responsible for formulating policies and issuing guidelines for logical security, data security, risk analysis, security awareness, security management, contingency planning, and telecommunications. The Real Estate division within the Office of the Chief for Management and Administration is responsible for formulating policies and issuing guidelines for physical security. The field offices (e.g., service centers, computing centers, regional offices, district offices) are responsible for implementing these policies and guidelines at their locations. Compliance with the policies and procedures is assessed by both the headquarters and field offices.


Serious System Security Weaknesses Persist

Weaknesses in IRS’ computer systems security continue to place taxpayer data and IRS’ automated information systems at risk to both internal and external threats, which could result in the loss of computer services, or in the unauthorized disclosure, modification, or destruction of taxpayer data. While IRS has made some progress in protecting taxpayer data, serious weaknesses persist.

During our five on-site reviews, we found numerous weaknesses in the following eight functional areas: physical security, logical security, data communications management, risk analysis, quality assurance, internal audit and security, security awareness, and contingency planning.[9] Primary weaknesses were in the areas of physical and logical security.

[9] The order of the functional areas does not denote relative importance. Every area is crucial to protecting the security of IRS data and facilities.

Physical Security

Physical security and access control measures, such as locks, guards, fences, and surveillance equipment, are critical to safeguarding taxpayer data and computer operations from internal and external threats. We found many weaknesses in physical security at the facilities visited. The following are examples of these weaknesses:

• Collectively, the five facilities could not account for approximately 6,400 units of magnetic storage media, such as tapes and cartridges, which could contain taxpayer data. The number per facility ranged from a low of 41 to a high of 5,946.
• Fire-suppression trash cans were not used in several facilities.
• Printouts containing taxpayer data were left unprotected and unattended in open areas of two facilities where they could be compromised.


Logical Security

Logical security controls limit access to computing resources to only those (personnel and programs) with a need to know. Logical security control measures include the use of safeguards incorporated in computer hardware, system and application software, communication hardware and software, and related devices. We found numerous weaknesses in logical security at the facilities visited. Examples of these vulnerabilities include the following:

• Tapes containing taxpayer data were not overwritten prior to reuse.
• Access to system software was not limited to individuals with a need to know. For example, at two facilities, we found that data base administrators[10] had access to system software, although their job functions and responsibilities did not require it.
• Application programmers were allowed to move development software into the production environment without adequate controls. In addition, these programmers were allowed to use taxpayer data for testing purposes, which places these data at unnecessary risk of unauthorized disclosure and modification.
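The last finding above names three controls that can be enforced mechanically at the point where software is promoted into production: separation of duties between the person who wrote a change and the person who deploys it, an independent test sign-off bound to the exact artifact being promoted, and a ban on live taxpayer data in test fixtures. The Python promotion gate below is an added example written for this page; it is not IRS code and nothing in the report describes it. The ChangeRecord fields, the employee names, the fixture text and the hypothetical change identifiers are all constructed. The live-data check relies on one verifiable fact, that the Social Security Administration never issues area numbers 000, 666 or 900-999, group 00 or serial 0000, so any identifier formatted otherwise is treated as a real taxpayer identifier.

```python
"""Promotion gate for moving application software into production.

Added example for this page (not IRS code, not from the GAO report).
It enforces three controls the report found missing: separation of
duties between developer and deployer, an independent test sign-off
on the exact artifact being promoted, and no live taxpayer data in
test fixtures. The ChangeRecord fields and sample values are assumed.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ChangeRecord:
    change_id: str
    developer: str                 # who wrote the change
    deployer: str                  # who is requesting the move to production
    artifact: bytes                # the bytes actually being promoted
    test_fixture: str              # sample data the change was tested against
    tester: Optional[str] = None   # who independently tested it (None = nobody)
    tested_sha256: Optional[str] = None  # hash of the artifact the tester approved


# SSA never issues area 000, 666 or 900-999, group 00 or serial 0000, so a
# number that passes these checks is formatted like a real, issued SSN.
_ISSUED_SSN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def live_looking_ids(fixture_text: str) -> List[str]:
    """Return identifiers in a test fixture that look like issued SSNs."""
    return _ISSUED_SSN.findall(fixture_text)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def gate(change: ChangeRecord) -> List[str]:
    """Return the control violations for a promotion request.

    An empty list means the move to production may proceed.
    """
    violations = []
    # Separation of duties: the author of a change never promotes it.
    if change.deployer == change.developer:
        violations.append("deployer is the developer of the change")
    # Independent test sign-off, bound to the artifact by its hash so the
    # bytes that were tested are the bytes that reach production.
    if change.tester is None or change.tested_sha256 is None:
        violations.append("no independent test sign-off")
    else:
        if change.tester == change.developer:
            violations.append("test sign-off was given by the developer")
        if sha256_hex(change.artifact) != change.tested_sha256:
            violations.append("artifact differs from the one that was tested")
    # Test data must be synthetic: anything formatted like an issued SSN
    # is treated as live taxpayer data.
    ids = live_looking_ids(change.test_fixture)
    if ids:
        violations.append("test fixture contains %d live-looking taxpayer id(s)" % len(ids))
    return violations


if __name__ == "__main__":
    tested = b"adjust-refunds v2"
    ok = ChangeRecord("CR-1", developer="alice", deployer="carol",
                      artifact=tested, test_fixture="tin: 900-12-3456",
                      tester="bob", tested_sha256=sha256_hex(tested))
    bad = ChangeRecord("CR-2", developer="alice", deployer="alice",
                       artifact=tested, test_fixture="tin: 123-45-6789")
    print("CR-1:", gate(ok) or "promotion allowed")
    print("CR-2:", gate(bad))
```

Binding the sign-off to a hash matters more than it looks: without it a programmer can have one build tested and promote another, which is the same gap the report describes as moving development software into production without adequate controls. The fixture check is deliberately a formatting test rather than a lookup against real records, so the gate itself never needs access to taxpayer data.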


Data Communications Management

Data communications management is the function of monitoring and controlling communications networks to ensure that they operate as intended and transmit timely, accurate, and reliable data securely. Without adequate data communications security, the data being transmitted can be destroyed, altered, or diverted, and the equipment itself can be damaged. At the five facilities, we found numerous communications management weaknesses.


Risk Analysis

The purpose of risk analysis is to identify security threats, determine their magnitude, and identify areas needing additional safeguards. We found risk analysis weaknesses at the five facilities. For example, none of the facilities visited conducted a complete risk analysis to identify and determine the severity of all the security threats to which they were vulnerable. Without these analyses, systems’ vulnerabilities may not be identified and appropriate controls not implemented to correct them.

[10] The data base administrator is responsible for overall control of the data base, including its content, storage structure, access strategy, security and integrity checks, and backup and recovery.
Quality Assurance

An effective quality assurance program requires reviewing software products and activities to ensure that they comply with the applicable processes, standards, and procedures and satisfy the control and security requirements of the organization. One aspect of a quality assurance program is validating that software changes are adequately tested and will not introduce vulnerabilities into the system. We found many weaknesses in quality assurance at the five facilities visited, including instances of failing to independently test all software prior to placing it into operation. In addition, when software products were tested, this testing was sometimes incomplete (e.g., did not include integrity or stress testing).[11] Such quality assurance weaknesses can result in systems not functioning properly, putting federal taxpayer data at risk.


Internal Audit and Security

Internal audit and internal security functions are needed to ensure that safeguards are adequate and to alert management to potential security problems. We found many weaknesses in the internal audit or internal security functions at the five facilities visited. For example, two of the facilities had not audited operations within the last 5 years.


Security Awareness

An effective security awareness program is the means through which management communicates to employees the importance of security policies, procedures, and responsibilities for protecting taxpayer data. Three of the five IRS facilities did not have an adequate security awareness program. For example, at one site there was no process in place for ensuring that management was made aware of security violations and security related issues. We found several security awareness weaknesses at four of the five facilities.


Contingency Planning

A contingency plan specifies emergency response, backup operations, and post-disaster recovery procedures to ensure the availability of critical resources and facilitate the continuity of operations in an emergency situation. It addresses how an organization plans to deal with the full range of contingencies from electrical power failures to catastrophic events, such as earthquakes, floods, and fires. It also identifies essential business functions and prioritizes resources in order of criticality. To be effective when needed, a contingency plan must be periodically tested and personnel trained in and familiar with its use.

[11] Integrity testing ensures that an application program performs only its intended functions. Stress testing assesses system performance at very high workloads.
None of the five facilities visited had comprehensive disaster recovery plans. Specifically, we found that disaster recovery procedures at two of the five facilities had not been tested, while plans for the remaining locations were incomplete, i.e., they failed to include instructions for restoring all mission-critical applications and reestablishing telecommunications. Further, none had completed business resumption plans, which should specify the disaster recovery goals and milestones required to meet the business needs of their customers. We found many weaknesses in this functional area at the five sites visited.


Electronic Browsing Is Not Being Addressed Effectively

Taxpayer information can be compromised when IRS employees, who do not have a need to know, electronically peruse files and records. This practice, which is commonly called browsing, is an area of continuing serious concern. To address this concern, IRS developed an information system, the Electronic Audit Research Log (EARL), to monitor and detect browsing on the Integrated Data Retrieval System (IDRS), the primary computer system IRS employees use to access and adjust taxpayer accounts. IRS has also taken legal and disciplinary actions against employees caught browsing. However, EARL has shortcomings that limit its ability to detect browsing. In addition, IRS does not know whether the Service is making progress in reducing browsing. Further, IRS facilities inconsistently (1) review and refer incidents of employee browsing, (2) apply penalties for browsing violations, and (3) publicize the outcomes of browsing cases to deter other employees from browsing.


EARL’s Ability to Detect Browsing Is Limited

EARL cannot detect all instances of browsing because it only monitors employees using IDRS. EARL does not monitor the activities of IRS employees using other systems, such as the Distributed Input System, the Integrated Collection System, and the Totally Integrated Examination System, which are also used to create, access, or modify taxpayer data. In addition, information systems personnel responsible for systems development and testing can browse taxpayer information on magnetic tapes, cartridges, and other files using system utility programs, such as the Spool Display and Search Facility,[12] which also are not monitored by EARL.

Further, EARL has some weaknesses that limit its ability to identify browsing by IDRS users. For example, because EARL is not effective in distinguishing between browsing activity and legitimate work activity, it identifies so many potential browsing incidents that a subsequent manual review to find incidents of actual browsing is time-consuming and difficult. IRS is evaluating options for developing a newer version of EARL that may better distinguish between legitimate activity and browsing.

[12] This utility enables a programmer to view a system’s output, which may contain investigative or taxpayer information.

Because IRS does not monitor the activities of all employees authorized to access taxpayer data and does not monitor the activities of information systems personnel authorized to access taxpayer data for testing purposes, IRS has no assurance that these employees are not browsing taxpayer data and no analytical basis on which to estimate the extent of the browsing problem or any damage being done.
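The two detection gaps described above, monitoring only one system and flagging so many accesses that manual review is impractical, are both problems of missing context. The Python monitor below is an added example for this page, not EARL or any IRS code; its log format, the use of system names (IDRS, ICS, TIES, SDSF) as log fields, the assignment table and every employee and account identifier are constructed for illustration. It reads access records from any system into one stream, treats an access as explained only when the employee held an open assignment on that account on that date, and returns the rest as a review queue together with per-employee and per-account counts, which is the kind of figure a case-tracking system needs in order to say how many accounts were touched and how often.

```python
"""Need-to-know monitor for taxpayer-account access logs.

Added example for this page; it is not EARL or any IRS code. The log
format, the system names used as log fields, the assignment table and
all employee and account identifiers are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log: one access per line from ANY system, not just IDRS.
# Fields: timestamp, system, employee, taxpayer id, action.
SAMPLE_LOG = """\
1997-03-03T09:02:11 IDRS e1001 TIN-00000001 VIEW
1997-03-03T09:05:40 IDRS e1001 TIN-00000002 ADJUST
1997-03-03T09:09:03 IDRS e1001 TIN-00000002 VIEW
1997-03-03T09:30:00 ICS  e1002 TIN-00000007 VIEW
1997-03-03T12:15:22 IDRS e1001 TIN-00000099 VIEW
1997-03-03T12:16:05 IDRS e1001 TIN-00000099 VIEW
1997-03-04T08:00:00 TIES e1003 TIN-00000050 VIEW
1997-03-04T08:01:00 SDSF e1004 TIN-00000002 VIEW
"""

# Constructed work assignments: employee -> {taxpayer id: (first day, last day)}.
# e1004 is a systems programmer with no case assignments at all.
ASSIGNMENTS: Dict[str, Dict[str, Tuple[str, str]]] = {
    "e1001": {"TIN-00000001": ("1997-03-01", "1997-03-10"),
              "TIN-00000002": ("1997-03-01", "1997-03-10")},
    "e1002": {"TIN-00000007": ("1997-02-20", "1997-03-05")},
    "e1003": {"TIN-00000050": ("1997-03-04", "1997-03-04")},
}


@dataclass(frozen=True)
class Access:
    when: datetime
    system: str
    employee: str
    tin: str
    action: str


def parse_log(text: str) -> List[Access]:
    accesses = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, system, employee, tin, action = line.split()
        accesses.append(Access(datetime.fromisoformat(ts), system, employee, tin, action))
    return accesses


def is_explained(access: Access, assignments=ASSIGNMENTS) -> bool:
    """True when the employee held an open assignment on that account that day."""
    window = assignments.get(access.employee, {}).get(access.tin)
    if window is None:
        return False
    first = datetime.fromisoformat(window[0])
    last = datetime.fromisoformat(window[1]) + timedelta(days=1)  # last day inclusive
    return first <= access.when < last


def find_unexplained(text: str, assignments=ASSIGNMENTS) -> List[Access]:
    """Accesses no assignment accounts for: the review queue, not a verdict."""
    return [a for a in parse_log(text) if not is_explained(a, assignments)]


def summarize(unexplained: List[Access]) -> Tuple[Counter, Counter]:
    """Per-employee and per-account counts of unexplained accesses."""
    return (Counter(a.employee for a in unexplained),
            Counter(a.tin for a in unexplained))


if __name__ == "__main__":
    queue = find_unexplained(SAMPLE_LOG)
    for a in queue:
        print("%s %-4s %s %s %s" % (a.when.isoformat(), a.system, a.employee, a.tin, a.action))
    by_employee, by_account = summarize(queue)
    print("accesses per employee:", dict(by_employee))
    print("accesses per account:", dict(by_account))
```

On the constructed log this leaves three records in the queue (two views of one account by an employee with no case on it, and one by the systems programmer reading a spool file) and clears the rest. The design choice is that the assignment table, not the access pattern, is the source of "legitimate work activity": an access with no explanation is queued rather than declared browsing, and any legitimate ad-hoc work that the table does not capture (for example, walk-in or telephone inquiries) must be fed in as a second explanation source or it will inflate the queue in exactly the way the report describes for EARL.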


IRS Progress in Reducing and Disciplining Browsing Cases Is Unclear

IRS’ management information systems do not provide sufficient information to describe known browsing incidents precisely or to evaluate their severity consistently. IRS personnel refer potential browsing cases to either the Labor Relations or Internal Security units, each of which records information on these potential cases in its own case tracking system. However, neither system captures sufficient information to report on the total number of unauthorized accesses. For example, neither system contains enough information on each case to determine how many taxpayer accounts were inappropriately accessed or how many times each account was accessed. Consequently, for known incidents of browsing, IRS cannot efficiently determine how many and how often taxpayers’ accounts were inappropriately accessed. Without such information, IRS cannot measure whether it is making progress from year to year in reducing browsing.

A recent report by the IRS EARL Executive Steering Committee[13] shows that the number of browsing cases closed has fluctuated from a low of 521 in fiscal year 1991 to a high of 869 in fiscal year 1995.[14] However, the report concluded that the Service does not consistently count the number of browsing cases and that “. . . it is difficult to assess what the detection programs are producing. . . or our overall effectiveness in identifying IDRS browsing.”

Further, the committee reported “the percentages of cases resulting in discipline has remained constant from year to year in spite of the Commissioner’s ‘zero tolerance’ policy.” IRS browsing data for fiscal years 1991 to 1995 show that the percentage of browsing cases resulting in IRS’ three most severe categories of penalties (i.e., disciplinary action, separation, and resignation/retirement) has ranged between 23 and 34 percent, with an average of 29 percent.[15]

[13] Electronic Audit Research Log (EARL) Executive Steering Committee Report (Sept. 30, 1996).
[14] We did not verify the accuracy and reliability of these data.


Incidents of Browsing Are Reviewed and Referred Inconsistently

                             According to IRS, effectively addressing employee browsing requires
                             consistent review and referral of potential browsing across IRS. However,
                             IRS processing facilities do not consistently review and refer potential
                             browsing cases. The processing facilities responsible for monitoring
                             browsing had different policies and procedures for identifying potential
                             violations and referring them to the appropriate unit within IRS for
                             investigation and action. For example, at one facility, the analysts who
                             identified potential violations referred all of them to Internal Security,
                             while staff at another facility sent some to Internal Security and the
                             remainder to Labor Relations.

                             The analysts handle the review and referral of potential violations
                             differently because IRS policies and procedures do not provide guidance in
                             these areas. In June 1996, IRS’ Internal Audit reported that IRS management
                             had not developed procedures to ensure that potential browsing cases
                             were consistently reviewed and referred to management officials
                             throughout the agency.16 Internal Audit further reported that analysts were
                             not given clear guidance on where to refer certain cases, especially those
                             involving potential Internal Security cases, and that procedures had been
                             developed by some facilities but varied from site to site.

                             IRS has acted to improve the consistency of its process. In June 1996, it
                             developed specific criteria for analysts to use when making referral
                             decisions. A recent report by the EARL Executive Steering Committee
                             stated that IRS had implemented these criteria nationwide. Because IRS was
                             in the process of implementing these criteria during our work, we could
                             not validate their implementation or effectiveness.


Penalties for Browsing Are Inconsistent Across IRS

                             IRS policies and procedures on disciplining employees caught browsing
                             direct IRS management to ensure that decisions are appropriate and
                             consistent agencywide. After several IRS directors raised concern that field
                             offices were not consistent in the types of discipline imposed in similar
                             cases, IRS’ Western Region analyzed fiscal year 1995 browsing cases for all
                             its offices and found inconsistent treatment for similar types of offenses.
                             Examples of inconsistent discipline included

                         •   Temporary employees who attempted to access their own accounts were
                             given letters of reprimand, although historically, IRS terminated temporary
                             employees for this type of infraction.
                         •   One employee who attempted to access his own account was given a
                             written warning, while other employees in similar situations, from the
                             same division, were not counseled at all.

                             15 The mix among these three categories has remained relatively constant each year with disciplinary
                             action accounting for the vast majority of penalties.
                             16 Implementation of the Electronic Audit Research Log (EARL) (IRS Internal Audit Ref. No. 064810,
                             June 21, 1996).

                                The EARL Executive Steering Committee also reported widespread
                                inconsistencies in the penalties imposed in browsing cases. For example,
                                the committee’s report showed that for fiscal year 1995, the percentage of
                                browsing cases resulting in employee counseling ranged from a low of
                                0 percent at one facility to 77 percent at another. Similarly, the report
                                showed that the percentage of cases resulting in removal ranged from
                                0 percent at one facility to 7 percent at another. For punishments other
                                than counseling or removal (e.g., suspension), the range was between
                                10 percent and 86 percent.
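The two measurement gaps described above (case records that do not capture which taxpayer accounts were accessed or how many times each was accessed, and disposition rates that vary widely from facility to facility) are closed at the data model in the following Python ledger. It is an added example, not GAO's or IRS's code; the employee ids, account ids, facilities and cases are constructed, and joining audit-log events to cases by employee and fiscal year is an assumption.

```python
"""Browsing-case ledger recording what the report says IRS's tracking
systems lack: which accounts each case touched and how often. Added
example, not GAO's or IRS's code; all identifiers are constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# The three disposition categories the report treats as most severe.
SEVERE = {"disciplinary_action", "separation", "resignation_retirement"}


def fiscal_year_of(iso_date):
    """US federal fiscal year: 1 Oct 1995 falls in FY1996."""
    year, month, _ = (int(p) for p in iso_date.split("-"))
    return year + 1 if month >= 10 else year


@dataclass
class AccessEvent:
    employee: str
    account: str  # taxpayer account id (constructed, not a real TIN)
    when: str     # ISO date of the IDRS-style lookup


@dataclass
class BrowsingCase:
    case_id: str
    fiscal_year: int
    facility: str
    employee: str
    disposition: str
    events: list = field(default_factory=list)

    def accesses_per_account(self):
        """Distinct accounts involved and how many times each was accessed."""
        return Counter(e.account for e in self.events)


def attach_events(cases, log):
    """Join audit-log events to cases by employee and fiscal year (assumed rule)."""
    by_employee = defaultdict(list)
    for case in cases:
        by_employee[case.employee].append(case)
    for ev in log:
        for case in by_employee.get(ev.employee, []):
            if case.fiscal_year == fiscal_year_of(ev.when):
                case.events.append(ev)
    return cases


def yearly_metrics(cases):
    """Per fiscal year: closed cases, distinct accounts, total accesses,
    and the share of cases ending in a severe disposition."""
    out = {}
    for fy in sorted({c.fiscal_year for c in cases}):
        ycases = [c for c in cases if c.fiscal_year == fy]
        accounts = set().union(*(c.accesses_per_account() for c in ycases))
        severe = sum(c.disposition in SEVERE for c in ycases)
        out[fy] = {"cases": len(ycases), "accounts": len(accounts),
                   "accesses": sum(len(c.events) for c in ycases),
                   "severe_pct": round(100 * severe / len(ycases))}
    return out


def facility_spread(cases, disposition):
    """Lowest and highest percentage of cases with a disposition across
    facilities, the kind of range the steering committee reported."""
    by_facility = defaultdict(list)
    for case in cases:
        by_facility[case.facility].append(case)
    pct = {f: round(100 * sum(c.disposition == disposition for c in cs) / len(cs))
           for f, cs in by_facility.items()}
    return min(pct.values()), max(pct.values()), pct


def sample_ledger():
    """Constructed audit-log extract and case list, joined together."""
    log = [AccessEvent("E100", "TIN-0001", "1995-03-01"),
           AccessEvent("E100", "TIN-0001", "1995-03-02"),
           AccessEvent("E100", "TIN-0002", "1995-03-02"),
           AccessEvent("E300", "TIN-0004", "1995-06-05"),
           AccessEvent("E300", "TIN-0004", "1995-06-06"),
           AccessEvent("E300", "TIN-0004", "1995-06-07"),
           AccessEvent("E200", "TIN-0003", "1995-11-10")]  # FY1996
    cases = [BrowsingCase("C1", 1995, "FAC-A", "E100", "disciplinary_action"),
             BrowsingCase("C2", 1995, "FAC-B", "E300", "counseling"),
             BrowsingCase("C3", 1996, "FAC-A", "E200", "counseling"),
             BrowsingCase("C4", 1995, "FAC-B", "E400", "separation"),
             BrowsingCase("C5", 1996, "FAC-C", "E500", "resignation_retirement")]
    return attach_events(cases, log)
```

With per-account counts stored on each case, the year-to-year figures the report says IRS cannot produce (accounts touched, accesses, severe-penalty share) fall out of `yearly_metrics`, and `facility_spread` surfaces the kind of 0-to-77 percent range the committee found.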


Punishments Assessed for Browsing Not Consistently Publicized to Deter Violations

                                 IRS facilities did not consistently publicize the penalties assessed in
                                 browsing cases to deter such behavior. For example, we found that one
                                 facility never reported disciplinary actions. A representative at this facility
                                 told us that employees were generally aware of cases involving
                                 embezzlement and fraud if the cases received media attention. However,
                                 another facility reported the disciplinary outcomes of browsing cases in its
                                 monthly newsletter. For example, it cited a management official who
                                 accessed a relative’s account and was punished. This facility publicized
                                 cases involving employees at all grade levels to emphasize that browsing
                                 taxpayer data is a serious offense punishable by adverse administrative
                                 actions or legal sanctions, including loss of job and criminal prosecution.
                                 By inconsistently and incompletely reporting on penalties assessed for
                                 employee browsing, IRS is missing an opportunity to more effectively deter
                                 such activity.

                                 The EARL Executive Steering Committee noted that during the past 3 years
                                 IRS had published numerous documents intended to educate and sensitize
                                 employees to the importance of safeguarding taxpayer information.
                                 Nonetheless, the committee found that employees do not perceive the
                                 Service as aggressively pursuing browsing violations. It recommended that
                                 communications be more focused and highlight actual examples of
                                 disciplinary actions that have been taken against employees who browse.


Conclusions

                  IRS’ current approach to computer security is not effective. Serious
                  weaknesses persist in security controls intended to safeguard IRS
                  computer systems, data, and facilities and expose tax processing
                  operations to the serious risk of disruption and taxpayer data to the risk of
                  unauthorized use, modification, and destruction. Further, although IRS has
                  taken some action to detect and deter browsing, it is still not effectively
                  addressing this area of continuing concern because (1) it does not know
                  the full extent of browsing and (2) it is inconsistently addressing cases of
                  browsing.


Recommendations

                  Because of the serious and persistent security problems cited in our
                  January 30, 1997, “Limited Official Use” version of this report, we
                  recommended that the Commissioner of Internal Revenue, within 3
                  months of the date of that report, prepare a plan for (1) correcting all the
                  weaknesses identified at the five facilities we visited, as detailed in the
                  January 30, 1997 report, and (2) identifying and correcting security
                  weaknesses at the other IRS facilities. We stated that this plan should be
                  provided to the Chairmen and Ranking Minority Members of the
                  Subcommittees on Treasury, Postal Service, and General Government,
                  Senate and House Committees on Appropriations; Senate Committee on
                  Finance; Senate Committee on Governmental Affairs; House Committee
                  on Ways and Means; and House Committee on Government Reform and
                  Oversight. We also stated that the Commissioner should report on IRS’
                  progress on these plans in its fiscal year 1999 budget submission and
                  should identify the computer security weaknesses discussed in this report
                  as being material in its Fiscal Year 1996 Federal Managers’ Financial
                  Integrity Act report and subsequent reports until the weaknesses are
                  corrected.

                  Also, because long-standing computer security problems continue to
                  plague IRS operations, we reiterated our prior recommendation that the
                  Commissioner, through the Deputy Commissioner, strengthen computer
                  security management. In doing so, we recommended that the
                  Commissioner direct the Deputy Commissioner to (1) reevaluate IRS’
                  current approach to computer security along with plans for improvement,
                  and (2) report the results of this reevaluation by June 1997 to the
                  above-cited congressional committees and subcommittees.



                     Last, in light of the continuing seriousness of IRS employees’ electronic
                     browsing of taxpayer records, we recommended that the Commissioner
                     ensure that IRS completely and consistently monitors, records, and reports
                     the full extent of electronic browsing for all systems that can be used to
                     access taxpayer data. We recommended that the Commissioner report the
                     associated disciplinary actions taken and that these statistics, along with
                     an assessment of its progress in eliminating browsing, be included in IRS’
                     annual budget submission.


Agency Comments and Our Evaluation

                     In commenting on a draft of this report, IRS agreed with our conclusions
                     and recommendations and stated that it is working to correct security
                     weaknesses and implement our recommendations. However, it did not
                     commit to doing so for all recommendations within the time frames
                     specified. Specifically, we recommended that by April 30, 1997, IRS develop
                     a plan for (1) correcting all the weaknesses identified at the five facilities
                     we visited and (2) identifying and correcting any security weaknesses at
                     the other facilities. We specified this time frame because of the
                     seriousness of the weaknesses we found. In our view, it is essential that IRS
                     implement this recommendation expeditiously, and therefore we reiterate
                     that IRS should complete the above-cited plan by April 30, 1997.

                     Also concerning the correction of the weaknesses identified at the five
                     facilities visited, IRS stated in its comments that “each facility is taking any
                     corrective actions required by the GAO review.” This statement is
                     inconsistent with comments provided by each facility on its own
                     weaknesses and thus evokes additional concerns about the need for a
                     more concerted security management effort to ensure a consistent and
                     effective level of security at all IRS facilities. Specifically, while the five
                     facilities agreed with many of our findings and described appropriate
                     corrective actions, they disagreed with many. In some cases, their
                     comments reflected inconsistent views on the same problems. For
                     example, some facilities acknowledged the need for fire suppression trash
                     cans for disposing of combustible material (including paper) and
                     chemicals in print rooms, while others disagreed. It is imperative that IRS
                     recognize and correct security weaknesses systematically and consistently
                     across all its facilities.

                     IRS also commented that “a recent reevaluation of the weaknesses by GAO’s
                     contractor identified that 41% of the weaknesses originally identified in the
                     GAO report have already been corrected and closed, and an additional 12%
                     were being adequately addressed by the facilities.” Our contractor’s
                     reevaluation assessment is not yet complete. Given the many serious
                     security weaknesses yet to be fully dealt with or even addressed at this
                     point, any preliminary assessment of IRS progress should be viewed with
                     caution.

In addition, IRS stated that time did not permit it to report the weaknesses
identified in our report as material in its fiscal year 1996 Federal Managers’
Financial Integrity Act report. Instead, IRS has committed to reevaluating
the status of material weaknesses that have and should be reported so that
the fiscal year 1997 Federal Managers’ Financial Integrity Act report will
provide an accurate depiction of the agency’s material weaknesses and
coincide with its approach and plans for improvement.

The full text of IRS’ comments on a draft of this report is in appendix II.


As agreed with your office, unless you publicly announce the contents of
this report earlier, we will not distribute it until 30 days from the date of
this letter. At that time, we will send copies to the Chairman, Senate
Committee on Governmental Affairs, and the Chairmen and Ranking
Minority Members of the (1) Subcommittees on Treasury, Postal Service,
and General Government of the Senate and House Committees on
Appropriations, (2) Senate Committee on Finance, (3) House Committee
on Ways and Means, and (4) House Committee on Government Reform
and Oversight. We will also send copies to the Secretary of the Treasury,
Commissioner of Internal Revenue, and Director of the Office of
Management and Budget. Copies will be available to others upon request.

If you have questions about this report, please contact me at
(202) 512-6412. Major contributors are listed in appendix III.

Sincerely yours,




Dr. Rona B. Stillman
Chief Scientist for Computers
  and Telecommunications




Contents

Letter                                                    1

Appendix I                                               18
Objectives, Scope, and Methodology

Appendix II                                              20
Comments From the Internal Revenue Service

Appendix III                                             31
Major Contributors to This Report




Abbreviations

EARL      Electronic Audit Research Log
GAO       General Accounting Office
IDRS      Integrated Data Retrieval System
IRS       Internal Revenue Service

Appendix I

Objectives, Scope, and Methodology


              The objectives of our review were to (1) determine whether IRS is
              effectively managing computer security and (2) determine whether IRS is
              effectively addressing employee browsing of electronic taxpayer data.

              To determine the effectiveness of IRS computer security, we first reviewed
              the findings from the computer security evaluation conducted by the
              public accounting firm of Ernst & Young in support of our audit of IRS’
              fiscal year 1995 financial statements. Ernst & Young’s evaluation
              addressed general controls over such areas as physical security, logical
              security, communications, risk management, quality assurance, internal
              security, and contingency planning. Ernst & Young performed its
              evaluation at five IRS facilities, as well as IRS headquarters offices where it
              examined security policies and procedures.

              Using Ernst & Young’s evaluation results as preliminary indicators, we
              then evaluated and tested general computer security controls at the same
              five facilities in more depth. The areas we reviewed included physical
              security, logical security, data communications management, risk analysis,
              quality assurance, internal security and internal audit, security awareness,
              and contingency planning. Our evaluations included reviewing related
              IRS policies and procedures; on-site tests and observations of controls in
              operation over all the systems in use at these locations; and discussions of
              security controls with Integrated Data Retrieval System users, security
              representatives, and officials at the locations visited. Our evaluation did
              not include computer systems penetration testing.

              We sent a letter reporting our findings to each IRS facility we visited,
              requesting comments and the outline of a plan for corrective actions. We
              then analyzed the responses and discussed the results with responsible IRS
              headquarters officials. We did not verify IRS’ statements that certain
              actions had already been completed, but will do so as part of our audit of
              IRS’ financial statements for fiscal year 1996.


              To determine the effectiveness of IRS efforts to reduce employee browsing
              of taxpayer data, we reviewed documentation and discussed issues
              relating to the development and operation of the Electronic Audit
              Research Log, the system IRS implemented to identify potential cases of
              employee browsing. We also reviewed data from the two systems IRS uses
              to track identified cases of browsing in order to determine the ability of
              these systems to accurately report the nature and extent of employee
              browsing. In addition, we discussed with IRS Internal Security officials the
              actions they are taking to investigate instances of browsing, and we
              reviewed the Electronic Audit Research Log (EARL) Executive Steering
              Committee Report dated September 30, 1996.

To evaluate IRS’ computer management and security, we assessed
information pertaining to computer controls in place at headquarters and
field locations and held discussions with headquarters officials. We did not
assess the controls that IRS plans to incorporate into its long-term Tax
Systems Modernization program.

We requested comments on a draft of this report from IRS and have
reflected them in the report as appropriate. Our work was performed at IRS
headquarters in Washington, D.C., and at five facilities located throughout
the United States from May 1996 through November 1996. We performed
our work in accordance with generally accepted government auditing
standards.




Appendix II

Comments From the Internal Revenue Service

[Pages 20 through 30 of the original report reproduce IRS’ comment letter as page images; they are not rendered in this text version.]


Appendix III

Major Contributors to This Report


Accounting and Information Management Division, Washington, D.C.
                       Randolph C. Hite, Senior Assistant Director
                       Ronald W. Beers, Assistant Director
                       Ronald E. Parker, Senior Information Systems Analyst
                       Ronald E. Famous, Senior Information Systems Analyst
                       Gary N. Mountjoy, Assistant Director

Atlanta Field Office
                       Carl L. Higginbotham, Senior Information Systems Analyst
                       Glenda C. Wright, Senior Information Systems Analyst
                       Teresa F. Tucker, Information Systems Analyst




Ordering Information

The first copy of each GAO report and testimony is free.
Additional copies are $2 each. Orders should be sent to the
following address, accompanied by a check or money order
made out to the Superintendent of Documents, when
necessary. VISA and MasterCard credit cards are accepted, also.
Orders for 100 or more copies to be mailed to a single address
are discounted 25 percent.

Orders by mail:

U.S. General Accounting Office
P.O. Box 6015
Gaithersburg, MD 20884-6015

or visit:

Room 1100
700 4th St. NW (corner of 4th and G Sts. NW)
U.S. General Accounting Office
Washington, DC

Orders may also be placed by calling (202) 512-6000
or by using fax number (301) 258-4066, or TDD (301) 413-0006.

Each day, GAO issues a list of newly available reports and
testimony. To receive facsimile copies of the daily list or any
list from the past 30 days, please call (202) 512-6000 using a
touchtone phone. A recorded menu will provide information on
how to obtain these lists.

For information on how to access GAO reports on the INTERNET,
send an e-mail message with "info" in the body to:

info@www.gao.gov

or visit GAO’s World Wide Web Home Page at:

http://www.gao.gov



