DOCUINIT RESUME 00050 - [A0591tO00 safeguarding Taxpayer Information: An Evaluation Coaputerized Tax Admieistration System. B-115369; of the Proposed January 17, 1977. LCD-76-115. 44 pp, Report to the Congress; by Blmer B. Staats, Comproller General. Issue Area: Automatic Data Processing: AcquiGring eand Using Resources (102); Tax Administration (2700). Contact: Logistics and Commaunications Div. Budget Function: iscellaneous: Autoatic Data Processing (1001). organization Concerned: Department of tLe Treasury; Internal Revenue Service. Con..essional Relevance: Congress; House Committei on ays and leans; Senate Committee on Appropriations: Service, General overnment Subcommittee; Treasury, Postal on Finance. Senate Committee authority: Privacy Act of 1974 (5 U.S.C. 552a(e) (Supp. IV)). H. Rept. 90-1842. Internal Revenue Code of Internal Revenue Code of 1954, sec. 7213.1954, sec. 6103. The proposed IRS computer Administration System, was xamined system, the Tax to determine safeguards for personal taxpayer information. ajor threats this type are from untrustworthy users or to a network of frcm access. Fadings/Conclusions: Although absoluteunauthorized securitr is not practicable, the Tax Administration computer provide a igh level of protection through System will administrative, and physical controls. Some technical, the present system havre weaknesses which of the safeguards in within the framework of existing security should e corrected crytographic devices will depend on an IRS procedures. The use of determination based on its "risk and threat analysis," but present evidence indicate that the cost is warranted. Recommendations: does not Consideration should be given to: establishing a national data processing security office, guarding gainst access, controlling employee access, improvingunauthorized and control of information media, and seeking hysical security legal and other means to limiting disclosure of information. (T#) n / REPORT TO THE CONGRESS - - BY THE COMPTROLLER GENERAL OF THE UNITED STATES Safeguarding Taxpayer Information--An Evaluation Of The Proposed Computerized Tax Administration System Department of the Treasury Inrternal Revenue Service The proposed Tax Administration System can provide a high level of protection for taxpayer information if the system is properly designed and implemented and if the weaknesses in the safeguards cited in this report are corrected. LCD-76-115 1:'. , 977 COMPTROL.L GEONERAL OF THE UNITED STATE. WANIMTON. D.. B-115369 To the President of the Senate and the Speaker of the House of Representatives This report assesses the concepts of the Internal Revenue Service's proposed computer system known as the Tax Administration System and its potential for providing protection for personal information. Further, the report evaluates the existing safeguards that have been identi- fied for continuation under the proposed system. We made this review because of the extensive congressional con- cern for protection of individual privacy. We made our review pursuant to the Budget and Accounting Act, 1921 (31 U.S.C. 53) and the Accounting and Auditing Act of 1950 (31 U.S.C. 67). Copies of this report are being sent to the Director, Office of Management and Budget; the Secretary of the Treasury; the Commissioner of Internal Revenue! and the Administrator of General Servic Comptroller General of the United States C o n t e n t s Page DIGEST i CHAPTER 1 INTRODUCTION 1 Mission and organization of the Internal Revenue Service 1 Overview of current information handling activities 1 The proposed Tax Administration System (TAS) 2 Legal Requirements 2 2 THE TAX ADMINISTRATION SYSTEM CONCEPT AND DATA SECURITY 4 The TAS operating concept 4 Computer security in the TAS environment 6 Analyzing the threats 7 Security in a realtime transaction system 8 Conclusions 9 3 TECHNICAL CONTROLS 10 Data terminal access controls 10 Controls over access to tax information 11 Controls over assignment and use of command codes 13 Computer program integrity 14 Data processing documentation 15 Conclusion 15 Recommendations to the Commissioner of Internal Revenue 16 Agency comments and actions 17 4 ADMINISTRATIVE CONTROLS 18 Background investigations 18 Controls over information storage 20 Conclusion 21 Recommendations to the Commissioner of Internal Revenue 22 Agency comments and actions 22 I Page 5 PHYSICAL PROTECLTON OF IS OMPUTER FACILITIES 24 Perimeter protection 24 Access controls 25 Physical control over trash disposal 26 Conclusion 27 Recommendation to the Commissioner of Internal Revenue 27 Agency comments and actions 27 6 NETWORK SECURITY AND INTERSERVICE CENTER ACTIVITY 29 Data encryption 29 Batch transfer of data 31 Conclusion 32 Recommendation to the Commissioner of Internal Revenue 32 Agency comments and actions 32 7 THE IRS SECURITY PROGRAM 34 Conclusion 35 Recommendation 35 Agency comments and actions 35 8 OBSERVATIONS AND MATTERS FOR CONSIDERATION BY THE CONGRESS 36 Observations 36 Conclusions and matters for consideration by the House and Senate Committees on Appropriations 37 9 SCOPE OF REVIEW 39 APPENDIX I Letter dated July 16, 1976, from the Commissioner of Internal Revenue 40 II Principal officials responsible for administration of activities discussed in this report 44 ABBREVIATIONS ADP automated data processing GAO General Accounting Office IDRS Integrated Data Retieval System TRS Internal Revenue Service RPA residert programmer-analyst ThS Tax Administration System GLOSSARY Algorithm A statement of the steps to be followed in the solution of a problem. Application A computer program designed to accom- program plish a specific job or application such as payroll, inventory, etc. Audit trail A means of identifying and tracing actions taken in processing data. It encompasses the logging of selected events as tney oc- cur at specified points within a system. Batch processing A technique of data = sing in which jobs are collected ad grouped before processing. Data bse (1) The entire collection of information available to a computer system and (2) a structured collection of information as an entity or collection of related files treated as an entity. Data links The interconnecting circuits operating on a particular method permitting exchange of information between installations. Encryption The transformation of data into secret coded symbols. Flowchart A graphic representation of the defini- tion. analysis, or solution of a problem or situation. Interactive Pertaining to exchange of information and control between a user and a computer process, or between computer processes. Machine A language a computer can use without lr9PanS~u~.~ translation. Memory The storage that is considered integral, internal, and primary to the computing system. Object deck A collection of punched cards representing a computer program in machine language. f Offline Pertaining to operations that are indepen- dent of the main computer. One-way The transformation of data into coded encryption symbols without the ability to decipher or reverse the process. Online Pertaining to (1) equipment or devices under control of the central processing unit or (2) a user's ability to work with a computer. Operating_srystem Software that controls computer operations including scheduling, debugging, input and and output control, accounting, storage assignments, data management and related services. Sometimes called the supervisor, executive, monitor, or master control program. Parameter A variable that is assigned a constant value for a specific purpose or process. For example, parameters may determine the number of characters in a field. Realtime Computation made while the related physi- cal process is going on so that the re- sults of the computation can be used in guiding the process. Source deck A collection of punched cards representing a computer program in a language designed for ease and convenience of expression. A generator, assembler, compiler, or trans- lator must be used to transform the source language to machine language. Switching point A center where messages are relayed or oL center routed according to data contained in the message or according to specific operat-- ing instructions or programs. Trdnsaction- As used herein, a transaction-oriented orlienteid iystem system is one that permits a user only to input and receive data. The input and receipt of data is controlled by applica- tion programs. The users' interaction with application programs is achieved by means of macroinstructions which isolate the user from direct access to such pro- grams, COMPTROLLER GENERAL'S SAFEGUARDING TAXPAYER REPORT TO THE CONGRESS INFORMATION--AN EVALUATION OF THE PROPOSED COMPUTERIZED TAX ADMINISTRATION SSTEM DIGEST This report assesses the capability of proposed Tax Administration System of the the Internal Revenue Service to provide appr%- priate technical, administrative, and ical safeguards on taxpayer informationph:,s- required by the Privacy Act of 1974 and as other legislation. Congress may wish to consider restricting linking or interfacing of the system with other systems and pro- hibiting ter inals outside of the Internal Revenue Serv e. (See p. 38.) A separate report has been issued on GAO's evaluation of the reasonableness of the cost-benefit analysis for the proposed sys- tem. The Internal Revenue Service collects vir- tually all Federal taxes. It has over 80 thousand employees and processes approxi- mately 125 million returns annually. The Service converted to the crrent automated data processing system uring the 1960s cause the workload was increasing at suchbe- a rate that conventional manual and macnine processing could not do the job. The system has been changed and adapted over the to meet frequent legislative changes, years work- load growth, and increasing program demands. (See p. 1.) According to Internal Revenue officials, the automated data processing system was based on early technology; later ments have been largely piecemeal.improve- This development resulted in considerable dupli- cation of effort and inefficient operations. Consequently, in November 1973, the Commis- sioner of Internal Revenue advised the De- partment of the Treasury that the existing system needed to be completely redesigned. The Office of Management and Budget granted ITeLsart. Upon moval, the report cover d * should be oted hereon. i LCD-76-115 program approval in September 1975 to ac- ,n ire a new computer system, to be known as the T'ax Administration System. (See p. 2.) GAO evaluated the Tax Administration System concept and its potential for protecting taxpayer information. Existing technical, administrative, and physical safeguards were analyzed under the assumption that they car. and should be continued. (See p. 4.) Absolute computer security is not now tech- nically possible, but even if it were, the highest level of protection attainable is rarely practicable, considering the cost involved. (See p. 6.) Through proper design and implementation, the Tax Administration System will be able to provide a high level of protection for taxpayer information. (See p. 9.) How- ever, selected technical, administrative, and physical safeguards now used have a number of weaknesses which should be cor- rected within the framework of existing security procedures, methods, and controls. Evidence does not show a present threat to taxpayer information that would warrant the cost of pccuring special cryptographic de- vices. IRS has begun a "risk and threat analysis" which must be completed before any decision is made as to use of crypto- graphic technology. (See p. 31.) To rovide the security needed for the pro- posed system, GAO recommends that the Com- iiss 4 oner of Internal Revenue: -- Establish a national data processing se- curity office and a similar office at each data processing facility responsible for administrative, physical, and tech- nical security. (See p. 35.) -- Consider ays and means to protect tax- payer data from improper access by ii non-IRS employees with access to a facil- ity where taxpayer information is main- tained. (See p. 22.) -- Require mandatory periodic updating of background investigations of employees using or having access to taxpayer infor- mation, to make sure that their activities warrant the Government's continued trust. (See p. 22.) -- Initiate procedures to provide appropri- ate accountability and cozntrol of all magnetic tapes, microfilm, and other in- formation media. (See p. 22.) -- Require periodic evaluations by the na- tional office (IRS headquarters) of the effectiveness of physical security at each service center and the National Com- puter Center. (See p. 27.) -- Eliminate, where possible, lists of em- ployee identification data used to gain access to the computer system and use one- way cryptographic messages to safeguard the data files containing that identifi- cation information. (See p. 16.) -- Provide additional restrictions on com- puter terminal users, to permit them ac- cess r.nly to those functions and data ne- cessary to their duties. (See p. 16.) -- Initiate controls over the activities of employees with the technical training ne- cesrajy to circumvent security safeguards. (See p. 16.) -- SeeK lecal authority to withhold from public disclosure data processing docu- mentation that would aid illegal access to taxpayer information. (See p. 16.) -- Establish appropriate controls to make sure that only authorized interservice center activity is permitted. (See p. 32.) iii -- Require supervisory approval for all out- of-district inquires (1) to taxpayer accounts by taxpayer compliance employees and (2) to inactive accounts by taxpayer service representatives. (See p. 16.) -- Study the feasibility of further system constraints such as additional require- ments a terminal user must meet before gaining access to a taxpayer's account. (See p. 16.) -- Insure that communication risks and threats are completely analyzed before deciding whether to purchase sophisti- cated security devices. (See p, 32.) AGENCY COMMENTS AND ACTIONS The Commissioner of Internal Revenue gen- erally agrees with GAO's recommendations and has taken various actions to correct the reported weaknesses in safeguards for taxpayer information. (See pp. 16, 22, 27, 32, 35, and app. I.) iv CHAPTER 1 INTRODUCTION MISSION AND ORGANIZATION OF THE INTERNAL REVENUE SERVICE The Internal Revenue Service (IRS) is under the Depart- ment of Treasury with a mission of administering and enforc- ing the internal revenue laws. The Service has the respon- sibility of collecting virtually all Federal tax revenues. The IRS organizational structure is decentralized with the national office in Washington, D.C.; the Data Center in Detroit, Michigan; the National Computer Center in Martins- burg, West Virginia; and seven regional offices located in major cities across the country. The regional offices su- pervise and coordinate the activities of 58 district offices and 10 service centers. In addition, there are approximately 900 local offices functioning as satellites of the district offices. To accomplish its mission, IRS has more than 80.000 em- ployees and processes approximately 125 million returns annu- ally. OVERVIEW OF CURRENT INFORMATION HANDLING ACTIVITIES IRS converted to automated data processing (ADP) because statistics showed that the Service's workload was increasing beyond the capacity of conventional manual and machine proc- essing capabilities. The Commissioner, in February 1959, presented an ADP program to the Congress and received House and Senate budget approval in June 1959. The system was im- plemented during the 1960s and has been changed and adapted over the years according to frequent legislative changes, workload growth, and increasing program demands. Although the IRS organizational structure is decentral- ized, the data processing structure within the Service is centralized with all taxpayer master files maintained at the National Computer Center. Under the current system, taxpayers file returns directly with the service center in their geographic area. The cen- ters put tax data on magnetic tapes and perform certain edit- ing and verification checks. The tapes are sent to the Na- tional Computer Center tor further processing. In addition, substantial offline activity occurs at the centers which 1 includes the preparation and processing of taxpayer corre- spondence and accounting for tax returns and moneys re- ceived. According to IRS officials, the original ADP system was based on early technology, and subsequent enhancements have consisted largely of piecemeal improvements. This develop- ment has resulted in considerable duplication of effort and inefficient perations. The heart of the problem, according to IRS, lies in the master files of the present system which prohibit ready access to tax account data equired to answer taxpayer inquiries and meet other IRS program needs. Consequently, in November 1973, the Commissioner of In- ternal Revenue advised the Department of the Treasury that the ADP structure of their existing system needed complete redesigning. Program approval to acquire a new computer sys- tem was granted by the Office of Management and Budget in September 1975. THE PROPOSED TAX ADMINISTRATION SYSTEM (TAS) The proposed new system calls for extensive use of in- teractive online processing and the decentralization of the tax account master files from the National Computer Cen- ter to the 10 existing service centers. The National Com- puter Center is to be redesignated the National Communica- tions Center. It will maintain a centralized account direc- tory and backup master files, and serve as a switching point for transmission of data between service centers. User ter- minals are to be located in the service centers and various field offices. The Service's principal objective of the redesigned sys- tem is to provide more responsive service to taxpayers and IRS functional activities by accelerating return processing and by providing increased information for taxpayer inquiries and operational needs of the Service. An essential element of the new service-oriented system is quicker access than in the past to more current information by employees of more IRS offices. LEGAL REQUIREMENTS The Internal Revenue Code of 1954 imposes certain re- sponsibilities upon taxpayers and others to furnish tax re- turns and related information to the IRS. The code requires the Service to determine the correctness of returns and other 2 information received, to secure or prepare delinquent returns, and to collect unpaid taxes. It also imposes criminal sanc- tions such as imprisonment and/or a fine plus dismissal of Federal employees guilty of unauthorized disclosure of tax- payer information. The Privacy Act of 1974 requires the Service to estab- lish appropriate technical, administrative, and physical safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm embarrassment, inconvenience, or unfair- ness to any individual on whom information is maintained. 3 CHAPTER 2 THE TAX ADMINISTRATION SYSTEM CONCEPT AND DATA SECURITY The capability of an information processing system to protect personal data is contingent upon the use of adequate technical, admninistrative, and physical safeguards. The pro- tection of data must be considered from a total system per- spective; that is, the protection of data must be considered from its origination to its final destruction. Since the pr,- posed Tax Administration System has not been implemented, a complete evaluation cannot be made as to its ability to pro- tect the privacy of individual taxpayer information. What is possible is to evaluate the concepts of TAS and their potential for providing high-level protection of per- sonal information. Further, the existing technical, adminis- trative, and physical safeguards can be analyzed to identify pertinent safeguards to be continued under TAS. This chapter discusses the TAS operating concept and its ability, if pro- perly designed and implemented, to protect personal informa- tion. However, the conclusions drawn from this review should lot be construed to apply to other computer systems operated by IRS, such as those supporting the Service's administrative and intelligence functions. THE TAS OPERATING ONCEPT The TAS concept envisions a batch and realtime transaction- oriented computer network employing a decentralized data base. The network will consist of over 8,000 terminals, 10 service centers, and 1 communication center as shown in figure 1. Each service center will maintain selected information pertaining to taxpayers with a primary address within the center's geographic area of responsibility. High volume in- put to the data base will be through the Direct Data Entry System currently in use with approximately 5,000 terminals b!it without access to taxpayer accounts. I:.formation from tax returns and tax payments will be entered through the Di- rect Data Entry System terminals and the output will be used to post and update the master file maintained in the data base. Terminals located in the service centers and IRS re- gional, district, and local offices will have direct access to taxpayer information in the data base maintained for their 4 FIGURE 1 OVERVIEW OF THE PROPOSED TAX ADMINISTRATION SYSTEM NETWORK l 'T Ii Rl geographic area. Controlled access to taxpayer data main- tained at other service centers will e possible through use of the communication network and the facilities of the proposed National Communications Center. The processing will primarily involve inquiries and transactions, such as adjustments to taxpayer accounts. Mathematical verification, validity checks, balancing, and other data controls occur prior to or during posting operations. The accounting function will be accomplished as the transactions are processed and files updated. Over 45 types of tax returns and more than 300 different trans- action categories are included in this extremely complex operation. COMPUTER SECURITY IN THE TAS ENVIRONMENT The state-of-the-art in computer security is such that absolute security has not been achieved. However, absolute security would rarely be practicable in any environment re- gardless of whether humans or computers are used considering the costs that could be involved in attempting to achieve the highest level of protection. Decisions on security must essentially identify and define the level of protection which makes the cost greater than the benefits--either in monetary or punitive terms-- of subverting a system. We believe reasonable protection can be provided for taxpayer information by increasing the cost to an unacceptable level of subverting the system and by imposing heavy penalf-4 s for those who make unauthorized or inappropriate disclosures of taxpaye: information. The various system safeguards discussed in this report will make it more difficult to successfully subvert a system. Further, there are a number of aws, not discussed in this report, that have been enacted by various jurisdictions which pro- vide criminal sanctions for such acts. In analyzing the potential for TAS to provide an ac- ceptable level of protection for taxpayer information, it is important to review the type and nature of the major threats to a transaction-oriented, dedicated computer net- work. In addition, the ability of a transaction system to cope with these threats must also be evaluated, particularly where the system employs a decentralized data base. 6 ANALYZING THE THREATS The major threats to a dedicated computer network such as TAS stem from two sources--(1) authorized, but untrust- worthy users and (2) malicious penetrators. Their motives are the same, but the Untrustworthy user is an individual has authorized access rto the data of interest while the who mali- cious penetrator, whether an employee or not, is not author- ized access. The problem of the untrustworthy or dishonest employee is not unique to automated data processing ystems. Only the concentration of data in such systems increases the risk over noncomputerized systems. Protection against the untrustworthy user can be accomplished through well-designed security safeguards which include personnel screening, ac- tivity monitoring, and effective auditing. These and other controls are discussed below and in subsequent chapters of this report. The malicious penetrator presents a different threat than the untrustworthy employee in that technical security measures must be circumvented. In order to place the threat from this source in perspective, it is necessary to under- stand how a penetrator would achieve his objective and what skills he must possess. According to the technical community, a penetrator circumvents computer security by calling on an operating system function in a way unanticipated by the designers. is frequently aided by the fact that designers of operatingHe systems normally assume that users will not deliberately attempt to force a malfunction of the system. The penetrator may achieve his objectives by either (1) acquiring a list of terminal user identifiers and cor- responding passwords or other identification and confirma- tory information maintained within a computer file or (2) obtaining supervisory (executive or master) control of the computer system. Using the first method, the penetrator is able to masquerade as any of the authorized users, while use of the second method gives him direct access and control of any file or program in the system. In order for a penetrator to accomplish his objective either method it is necessary that he be moderately skilled by in programming, expend time and effort to understand rather complex operating systems, and have knowledge of the limita- tions that occur in the design and implementation of the systems. Such knowledge suggests to a penetrator where to 7 look for possible errors and design flaws. If he has access to system documentation, his ability is considerably enhanced. Against such individuals, contemporary systems generally fail to provide adequate computer operating personal or sensitive information because protection for ability to exploit design flaws. How of the penetrator's then can TAS provide protection against such a threat? SECURITY IN A REALTIME TRANSACTION SYSTEM Generally, the risk of a succ ,l1 penetration increases with the flexibility provided the -rs of the system. The system user constraints needed in TAS are summarized below and are discussed in more detail in Chapters It is these constraints the penetrator 3, 4, and 5. must circumvent to gain access to taxpayer information. In order to significantly reduce the cept sharply curtails the users' ability risk, the TAS con- system by removing their capability to to manipulate the enter a program over a terminal. Such systems, if properly designed and imple- mented, can effectively isolate the system posed by ndividuals with programming from the threat knowledge (i.e., the penetrator). Under the TAS concept, a terminal taining access to the system, may enter,operator, after ob- data according to a limited number of change, and retrieve command command code performs a specific function codes. Each information entered and the data maintained in relation to the For example, one command code used in on the system. conjunction with ap- propriate input data may cause a taxpayer's be displayed while another may effect account data to an adjustment to a specific data element. The flexibility of the transaction reduced in TAS through use of employee system is further and terminal profiles. Such profiles can restrict terminal users mand codes and terminals necessary for to only those com- them to perform their specific duties. By limiting the terminal user to transaction processing, application programs and their modifications on the system under tightly controlled must be placed conditions, at the computer center. Here it is necessary preferably programmer from the system by requiring to isolate the all programs gram changes to be submitted to an independent and pro- uation group. This group provides an test and eval- interface between the 8 application and systems programmers and the computer opera- tions. They review, validate, and approve all programs to be placed on the system and therefore act as a control over the activities of the programming function. As with any system, a transaction system such as TAS must be well designed with security as an objective. Access controls must be adequate, parameter checks should be ex- tensive, and audit trails must be employed. Physical iden- tification is also desirable, and under TAS, an identifica- tion badge which can be read and validated by the computer will be used as one step in activating a terminal and iden- tifying the user. This approach provides a high level of protection to taxpayer information by isolating the system from the pro- grammer and reducing the risk by restricting the terminal user to only those functions necessary to process authorized transactions. Security of a transaction system such as TAS is not dependent on vendor-supplied features and mechanisms but rather on good system design, operating procedures, and program testing. CONCLUSIONS While absolute security is generally not achieveable in contemporary operating systems, we have concluded that the TAS concept is capable of providing a high level of protection against the technical threat posed by the mali- cious penetrator. However, providing only technical pro- tection will not adequately safeguard taxpayer information and thus will not comply with the Privacy Act of 1974. Consideration must also be given to the administrative and physical safeguards as well as the technical controls. The following chapters in this report discuss our review of selected technical, administrative, and physical safeguards provided by the current IRS information system since these constitute the environment in which TAS, also, will operate. The improvements considered necessary under TAS will also be discussed in those chapters. 9 CHAPTER 3 TECHNICAL CONTROLS The major elements of security in a transaction system such as the proposed Tax Administration System lie with the ability of the system to control access, limit user privilege, and maintain program integrity. The capability of TAS to adequately perform these functions cannot be conclusively evaluated prior to system design and implementation. However, IRS Integrated Data Retrieval System (IDRS) is a transaction system currently in use that has security requirements similar to TAS. IDRS is a data terminal system used at each of the 10 service centers and certain field offices. This system is intended to be replaced by TAS. IDRS, through the use of computer terminals, provides immediate access to selected in- formation in about 10 percent of the taxpayer master records. The selection of records to be placed on this system is based on the probability of taxpayer inquiry and IRS need. IDRS also provides a user the capability to gain access to any of the remaining taxpayer master records by having the informa- tion extracted from the master files at the National Computer Center. An evaluation of the technical security design and im- plementation of IDRS disclosed the need for security improve- ments that should be considered during the development of TAS. DATA TERMINAL ACCESS CONTROLS Access to IDRS through a data terminal is controlled through use of terminal and employee profiles. Such profiles are tables maintained on the computer system that contain the specific attributes for each terminal and each authorized user. The terminal profiles restrict he use of a terminal to certain functions. The employee profiles contain the in- formation necessary to identify authorized users of the system and to restrict those users to executing only authorized com- man's. One of the major elements of the identification proc- ess is the unique employee password which is used in activa- ting a terminal. A special computer program generates the passwords for all authorized terminal users and produces a list of alternate passwords to be used in the event a password is lost or com- promised. Passwords are periodically changed and new pass- words are furnished to the employees in sealed envelopes by the security administrators at each service center. 10 A master password list is maintained by the security ad- ministrator and each employee's password is contained on the computer system in the employee profile security file. A backup copy of this file is maintained on magnetic tape for recovery purposes in the event of an emergency. Access to an employee's name and password through either the assignment and distribution process, master paskwor:d list, or the employee profile security file would permit a penetra- tor or dishonest employee to gain access to the computer system by masquerading as that employee. It is the initial step in gaining access to information in the system. Currently the security administrators and their staffs, the resident programmer-analysts (RPAs), and the computer operators either have access to listings of this information or can readily ob- tain such listings. Protection of password and other identification data can be enhanced by IRS eliminating the ability to produce listings of assigned employee passwords. This enhancement can be ac- complished by fully automating the password generation, as- signment, and distribution process, thus providing for computer-generated passwords with the record maintained in the computer. Further, the employee profile security file can be protected by employing a one-way encryption scheme whereby identification data is maintained and used by the computer system in a form that would be unintelligible t an individual even if purposely or inadvertently printed. CONTROLS OVER ACCESS TO TAX INFORMATION Under the current system, an IDRS terminal user has ac- cess to information on virtually any taxpayer in the country. At any one time, IDRS provides online access to selected in- formation in about 10 percent of the master file. However, a request for tax information on almost any taxpayer can be made through the system and the information will be extracted from the centralized data base at the National Computer Center and forwarded to the requesting service center. TAS will decentralize the data base and each service cen- ter will maintain selected information pertaining to taxpayers with a primary address within the center's geographic area of responsibility. This will automatically restrict data access without supervisory or second party intervention to addresses in that servain center area--about 10 percent of the total in- formation currently available through IDRS. The transfer of 11 information between data bases maintained at the service cen- ters will require supervisory approval under TAS. This ap- proval process can be automated and provide even more effec- tive control over interservice center activity. (See p. 32.) In our opinion, IRS district and local office terminal users' access to information can be further constrained under TAS without seriously impeding operations. The two functional areas affected by additional constraints would be taxpayer service and taxpayer compliance. Each of these functional areas has different information requirements and therefore must be considered separately. The following is an example of how each can be further limited as to the taxpayer infor- mation they may have access to without supervisory approval. Taxpayer compliance includes such areas as audit and collecticns. The preponderance of taxpayer information needed by IRS employees to perform this function is confined to the geographic district in which they are assigned. Therelore, TAS can restrict employees working in the compliance area only those taxpayer accounts with a primary address within to the IRS district involved. Out-of-district inquiries should require supervisory approval. Since there are 58 districts, this would limit a district or local office employee to an average of less than 2 percent of the total taxpayer accounts. Taxpayer service presents a different problem as the con- tact is normally initiated by the taxpayer. Typical inquiries would include status of refunds or amounts due the Government. Here, the taxpayer service representative can be restricted to two categories of taxpayer accounts--(l) those active ac- counts maintained by the host service centei where . ey is either due to or due from the taxpayer and taxpayer .latact can reasonably be expected and (2) those inactive or zero balance accounts with a primary address within the servicing IRS district. Out-of-district inquiries on inactive accounts should require supervisory approval. There are 58 districts, and only about 10 percent of the files have been maintained in an 'active account" status. Therefore, the taxpayer serv- ice representative at a district or local.c ffice, within each of the 10 service center areas, would be limited to an average of less than 3 percent of the total taxpayer accounts. In those instances where supervisory approval would be required, automation of the validation process would, in our opinion, provide the most effective control. A supervisor would be required to enter into a terminal the validation data that would release each individual request, thus preclud- ing an eployee from obtaining taxpayer information without independent confirmation as to need. 12 CONTROLS OVER ASSIGNMENT AND USE OF COMMiAND CODES Command codes activate computer routines for processing of data and inquiries. Each code performs a specific func- tion in relation to the transaction entered and the data main- tained in the system. The numoer and combinations of command codes an employee is permitted to execute determines the capa- bility of the user to process or obtain data from the system. One of the major elements of security in a transaction system is the limitation of the privileges given a user. This has been recognized by IRS and its regulations stipulate that IDRS users possess only those command codes required by them to perform their specific duties. Our review at the Brookhaven and Covington Service Centers disclosed numerous instances where employee profiles contained codes in excess of those re- quired. For example, our review of the distribution of five command codes at "-he Brookhaven service center disclosed 67 employees having command codes in excess of the authorized. An interview of 21 employees at the Covington Service Center revealed that over half did not use or need one or more of the command codes in their profiles. The administrative procedures were not being followed for authorizing changes to command codes contained in employee profiles. IRS regulations require that all changes be docu- mented and approved by the IDRS security administrator. Out of 361 changes to employee profiles at the Covington Service Center, 344 cases were rot properly documented. A similar situation was found at the Brookhaven Service Center where documentation was not n file with the security administrator for over 50 percent of the changes examined. Failure to properly implement IRS regulations in this area can result not only in employees having excessive system privilEges hut places the security administrator at a disadvantage :.n at- tempting to identify those users with excessive system priv- ileges and in initiating appropriate action to limit their access only to those parts of the system needed to perform their assigned duties. We were informed that, in part, possession of excessive command codes by employees resulted from the operational necessity to transfer employees from one branch to another because of workload. This was particularly true where an employee was temporarily loaned to another branch. In such situations, additional codes were often authorized without full regard for the codes the employee already possessed. This resulted in employees not only having excessive command 13 codes in their profiles but also combinations of codes that permitted extensive access and processing capability. Partially automating the process can significantly en- hance the security in this area under TAS as wtll as under IDRS. Since the IRS employee number contains a designationbe of the branch in which an individual works, the system can programmed to (1) automatically delete the command codes con- Lained in an employee profile upon change in employee number and (2) add to the profile those command codes which are com- mon to all employees of the new branch. Additional command codes would require manual approval and processing. Further, compatibility tests should be included that would prevent an individual employee from holding certain combinations of com- mand codts that would provide excessive system privileges. COMPUTER PROGRAM INTEGRITY System and application programmere can do more damage to a system with less chance of being caught than almost any other person involved with data processing. It is there- fore necessary to isolate the system from the programmer in order to provide any degree of security. IRS computer pro- grams are developed by the national office and distributed to the service centers and the National Computer Center. RPAs are assigned to each location to maintain the production pro- grams for IDRS as well as other computer operations. The maintenance is in the form of corrections of program errors, changes to program variables and constraints, and modifica- tions to processing logic. All changes and modifications to programs require approval of the national office. We found the controls exercised over the activities of the RPAs to be practically nonexistent. For example, the following conditions were observed at one or more of the data processing facilities visited. -- RPAs had access to the computer, tape library, object decks, flow charts, program listing, and source decks. --No controls were exercised over the data an RPA could list or the use made of the listing. -- RPAs are not restricted in their ability to obtain list- ings of information containeJ in the computer memory. -- Independent reviews and evaluations of program changes were not conducted. 14 -- A program change was made without the required approval from the national office. -- Periodic comparisons of master programs at the national office were not made smith those at the computer facili- ties. While considerable effort has been devoted to controlling access to the computer system through data terminals, little attention has been given to controlling the activities of the RPAs. Under current procedures, the RPAs have both the tech- nical ability and the opportunity to manipulate the data sys- tem without readily being detected. Proper control procedures should require that the RPAs be isolated from the data system by (1) requiring all computer programs and program changes to be approved, submitted for an independent test and evaluation, and placed on the system only under tightly controlled procedures, (2) preventing all RPAs from handling computer-room hardware, and (3) monitoring all programmer activity to include periodic verification of the programs residing on the system files. DATA PROCESSING DOCUMENTATION IRS has publicly disclosed a large volume of data proc- essing documentation in accordance with the Freedom of In- formation Act. Included in this category are manuals on the description and operation of the data system a the data elements and codes used. Such disclosure of the data processing documentation permits a potential penetrator to study the system for pos- sible flaws that could be exploited to gain unauthorized ac- cess to taxpayer data. Further, possession of this docu- mentation permits anyone to interpret any taxpayer information they are able to obtain. The need to protect system documentation that would aid a potential penetrator can be illustrated by the nationally publicized case nvolving the theft of equipment from the Paci- fic Telephone & Telegraph Company. In this case, access to the company's computer was gained from studying an outdated manual found in a trash container that detailed how the com- puter inventory system worked. CONCLUSION The use of terminal and employee profiles limits the general access to the data system and permits the terminal 15 users to address only that data necessary to perform their duties. The effectiveness of these controls has been dimin- ished by weaknesses in implementation of IRS regulations relating to limitations to be placed on user capability. Further, the lack of control over the activities of techni- cally trained employees and the public release of data proc- essing documentation are major weaknesses in the overall security of the current data processing system. The secur- ity deficiencies and weaknesses found in the present system and discussed in this and the two succeeding chapters are shortcomings that, in our opinion, can be corrected within the framework of existing security procedures, methods, and controls. RECOMMENDATIONS TO THE COMMISSIONER OF INTERNAL REVENUE We recommend that all human interaction with the data system be evaluated by IRS and appropriate controls estab- lished in the existing system and under TAS to preclude any individual from obtaining unlimited or excessive system capa- bility. Specifically, eliminate, where possible, lists of employee identification data used to gain access to the com- puter system and use one-way cryptographic messages to safe- guard the data files containing that identification informa- tion. Further, the assignment and deletion of command codes from employee profiles should be automated to the maximum extent practical under both the present system and TAS. Ap- propriate controls should be programmed to prevent an author- ized user from holding certain combinations of command codes which would, in that combination, violate the principle of segregation of duties. Constraints should be imposed under TAS on the individ- ual terminal operator's ability to gain access to taxpayer information. A a minimum, we recommend that TAS be designed to require supervisory approval for (1) all out-of-district inquiries on inactive accounts by taypayer service represen- tatives and (2) all out-of-district inquiries by taxpayer compliance employees. The use of further constraints such as additional information a terminal user must know in order to gain access to an account should be studied by IRS. The objective of such a study should be to identify practical methods that can be used to control access to individual tax- payer accounts. We further recommend that positive controls be exercised over the activities of those employees that have the techni- cal training necessary to circumvent the security safeguards. In addition, IRS should seek legal authority to withhold from 16 public disclosure those elements of system documentation that would substantially enhance the ability of unauthorized in- dividuals to gain illegal access to taxpayer information. AGENCY COMMENTS AND ACTIONS The Commissioner of Internal Reverue stated that, as a result of their own internal audit findings and the GAO rec- ommendations, they had eliminated the lists of employee access identification data and were encrypting such data in the com- puter files as a further safeguard. In addition, they have taken steps to automate the assignment and deletion of command codes assigned to terminal operators. Techniques of fully automating the password generation, assignment and distribu- tion process, and the more secure one-way encryption of all access data and files were being explored for possible use in the future. The Commissioner agreed with the principle that terminal users should not have access to more tax account data than is necessary to perform their assigned duties. He stated that IRS had initiated a study to thoroughly explore all aspects of the subject. The objective of the study is to identify prac- tical ways to limit access to data without adversely affecting service to the public or productivity of the terminal users or their supervisors. Further, IRS is t continue to evaluate the use of additional positive identifiers of terminal users (beyond badge, password, and employee profile controls). Also being considered is a requirement for supervisory terminal validations and counter authorization for access based on geo- graphic areas or levels of account activity. IRS recognized the vulnerability of the ADP system to those employees that have the technical training necessary to circumvent security safeguards. They are considering various methods and procedures to control the activities of such em- ployees and balance security concerns with the need for em- ployee efficiency. In addition, IRS has initiated a review of ADP documentation to identify materials which, for security reasons, should not be publicly disclosed. The Commissioner stated that if the Service finds that current exemptions of the Freedom of Information Act do not offer sufficient protec- tion to sensitive ADP material, appropriate legislation will be sought. 17 CHAPTER 4 ADMINISTKTIVf CONTROLS The general objective of an agency's system of cor trols is to make sure that the duties and responsibilities imposed by law are executed as effectively, efficiently, and economi- cally as possible. To meet this objective, certain principles and requirements must be observed in establshinao ualifica- tions and obtaining suitable employees. All otht elements of administrative controls are designed to control the activities of officials and employees of the agency. Personnel controls should reflect the need for careful selection of mature and trustworthy employees. Within IRS, new employees are subjected to pre-employment screening. This is accomplished through a routine investigation required for all prospective Federal employees. Where sensitive positions are involved, IRS's investigative organization is required to conduct appropriate background checks. The extensiveness of the screening is dependent, in part, on the sensitivity of the positions being filled. Once employed, the activities of IRS employees are con- trolled through internal checks and balances. The current system provides: -- Extensive data and accounting controls to make sure that (1) tax returns and related documents are prop- erly processed, (2) tax data accuracy is maintained throughout the various processes, and (3) errors are promptly detected and corrected. -- Audit trails disclosing who had access to the system and what taxpayer records were involved. -- Internal reviews of operations. A review of selected administrative controls employed at the IRS service centers and the National Computer Center disclosed the following areas where improvements are con- sidered necessary. BACKGROUND INVESTIGATIONS IRS regulations state that the security investigation program is designed to provide information about an individ- ual's background commensurate with the degree of responsibil- ity and trust imposed by the position to be held. The scope 18 of investigation varies from local police checks to complete background investigations. The investigations are performed either through the Office of the Assistant Commissioner (In- spection) or by the Civil Service Commission. New employees, with the exception of those applying for temporary employment of 90 days or less, receive a National Agency Check and Inquiry investigation conducted by the Civil Service Commission. This includes a check of the Federal Bureau of Investigation, civil Service Commission, military, and other Government agency records. IRS also verifies that new employees have paid their Federal taxes for the 3 years prior to their application. Applicants for specified positions and those on whom derogatory information was uncovered receive, in addition to the above, an extensive character investigation. The investi- gation covers the 10 years preceding the date of the request for investigation or from the individual's 18th birthday, whichever is shorter. It includes interviews with neighbors, former employers, supervisors, co-workers, references, and ed- ucators; a check of police and credit agencies; and foreign travel verification through the State Department. IRS also au- dits their income tax returns for any 2 years prior to the date of application for which the statute of limitations has not been invoked. Specified positions are defined as (1) grades GS-9 and above--employees earning $6.78 or more per hour, (2) all com- puter personnel, and (3) all personnel in inspection and in- telligence. Seasonal employees holding these positions re- ceive the same type of investigation. Applicants for temporary positions of 90 days or less receive only a police and an FBI name check. This involves a search by local police and FBI for arrest records of incidents that should be known to IRS. While the above procedures appear to be adequate, peri- odic reinvestigations are not conducted on any service center or National Computer Center employee after the initial inves- tigation. We believe such updates should be made to insure that the activities of the individual employees have been such as to warrant the Government's continued trust. Such periodic updating is required by many agencies for employees handling national security information. The major discrepancy in the personnel screening process does not lie with the background investigations afforded IRS employees but rather with the absence of security investiga- tion for non-IRS employees such as the computer equipment 19 maintenance personnel. Many of these individuals are per- mitted unescorted access to the service centers and the Na- tional Computer Center and have the same, or possibly greater, opport sty as the IRS employees working in the facilities to extrac- nsitive taxpayer information. We were informed that IRS had addressed, on several oc- casions, the lack of security clearance for non-IRS employees. They presently take no position as to whether or not they have the authority to require background investigations for non- federal employees. We believe that the Privacy Act of 1974 and the statutes limiting disclosure of taxpayer information and returns provide sufficient authorization for IRS to in- clude provisions in their contracts requiring appropriate background investigations of contractor employees having ac- cess to facilities where taxpayer information is maintained. The authority for such nvestigations is found in sections 6103 and 7213 of the Inteinal Revenue Code of 1954, as well as provisions of the Privacy Act of 1974, 5 U.S.C. 552a(e) (supp. IV, 1974). CONTROLS OVER INFORMATION STORAGE IRS information is stored in various ways--documents, magnetic tapes, magnetic disks, and microfilm. TAS will use these same types of storage. Controls exercised over such storage need improvement at several of the locations visited. The master -nd associated records are maintained on over 100,00. e, - magnetic tape at the National Com- puter Center. To rea,. the possibility of loss or com- promise, it is necessary that strict accountability be main- tained at all times. The National Computer Center maintains a computer inventory list for this purpose which included all reels at the Center. However, under current procedures, the Center cannot prepare an inventory of tapes by location such as the tape library, storage vault, etc. Thus, when a search for a tape is made, all possible locations must be checked until the tape is located. Such a system does not permit positive control over magnetic tapes as evidenced by the Cen- ter's May 1975 physical inventory which disclosed 33 missing reels. In addition, we found that tape library operations at some of the service centers were deficient. Computer branch personnel had virtually unlimited access to the tape library and the library was not locked on the weekends when the li- brarians were not on duty. In a test of tape library controls at the Covjington Service Center, we found that tapes could be removed with little or no possibility of detection. Further, 20 inventories on magnetic tapes in the library were not con- ducted on a semiannual basis as required by the Library Opera- tions Handbook. For example, the Chamblee Service Center did not inventory tapes between December 1972 and July 1974. Selected information from each taxpayer's return i con- verted to microfilm at the National Computer Center and ur- nished to the service centers for their use. Additional copies of the microfilm are produced at the service centers according to need. Appropriate procedures have not been im- plemented to account fully for the microfilm cartridges at all service centers. We conducted an inventory of microfilm cartridges in the input perfection branch of the Covington Service Center and compared our count with the records maintained by the branch. The results were as follows: Category GAO IRS Business Master File 735 738 Individual Master File 2,691 2,802 Federal Tax Deposits 256 127 Residual Master File 21 21 Total 3,703 3 688 An examination by IRS disclosed errors in the records that accounted for the discrepancies between the totals but did not resolve the discrepancies within categories. The differ- ences in the ctegory may have been due to misclassification, but it is indicative of poor accounting procedures. Further, the number of cartridges that should have been on hand within the input perfection branch could not be independently veri- fied by reference to records other than those of the branch. This was because no master record was maintained by the center of the microfilm cartridges reproduced, distributed, and des- troyed. CONCLUSION The controls for document and information flow were con- sidered generally adequate to insure the proper processing of tax returns and related documents and should be continued under TAS. However, improvements are needed in the areas of personnel screening and information storage. 21 RECOMMENDATIONS TO THE COMMISSIONER OF INTERAL REVENUE We recommend that IRS: -- Consider ways and means to protect taxpayer data from improper access by non-IRS employees having access to a facility where taxpayer information is maintained. This would include contractual provisions requiring either appropriate background investigations or escort service to non-IRS employees without a current back- ground investigation. -- Require mandatory periodic updating of personnel in- vestigations. -- Initiate procedures to provide appropriate account- ability and control of all magnetic tapes, microfilms, and othez information media. AGENCY COMMENTS AND ACTIONS The Commissioner of Internal Revenue expressed the Serv- ice's concerr about protection of taxpayer data from improper access by non-IRS employees working in the data processing facilities. With regard to appropriate background investiga- tions on these individuals, the Commissioner is requesting advice from the IRS chief counsel. If the Service has statu- tory authority, it will determine the type of investigations that are appropriate, based on the degree to which non-IRS employees have access and other risk factors, as well as the cost of conducting the investigations. He further stated that internal controls which limit the access and movement of non-IRS employees are presently prescribed, including a manda- tory provision for escorting all nonfederal personnel in restricted areas. A small number of nonfederal personnel who have a clearance of confidential or higher, issued under aus- pices of the DefenFe Industrial Security program, are allowed unescorted access to some restricted areas. The use of es- corts in nonrestricted areas is left to the discretion of the center directors. The adequacy of these safeguards is being measured by ongoing security tests performed by the organiza- tional elements under IRS Assistant Commissioner for inspec- tion. The Commissioner agreed that background investigations of some IRS employees who use or have access to taxpayer in- formation should be updated periodically. The Service is studying which positions require full-scale investigations due to their sensitivity. 22 The Commissioner indicated that the IRS internal auditors had also noted weaknesses n the accountability and control of information and stated that the Service had taken specific corrective action which included issuance of revised proce- dures providing for tighter controls on magnetic tes, discs, and-printouts as well as on access to tape libraries. 23 CHAPTER 5 PHYSICAL PROTECTION OF IRS COMPUTER FACILITIES Physical protection of an automated data processing facility involves permitting access to the facility by author- ized individuals while denying access to others. In order to accomplish this objective, Internal Revenue Service computer facilities are equipped with electronic .ntrusion detection devices, silent trouble alarms, and related industrial protec- tion systems, that are monitored at protection consoles. All but one of the service centers have a perimeter security fence. Guard services are either furnished by the General Services Administration or on a contract basis. Exterior security lighting is provided for buildings, parking lots, and the perimeter fence. Within the data processing facilities, physical security of tax data is further provided by a system of restricted and secured areas as part of the IRS physical and document secur- ity program. Access to a facility and the designated re- stricted areas is controlled through the use of a personnel identification system. Under this system color coded photo- graph badges are used to control the movement of IRS person- nel, contract support personnel, and visitors. The system is intended to limit access to those persons who have need to enter a given area in the performance of their duties. We consider the above physical protective measures em- ployed by the Service to be generally adequate in safeguard- ing their computer facilities. However, the effectiveness of the measures has been diminished by a lack of proper implemen- tation and maintenance. This chapter discusses those areas where improvements are considered necessary in order to meet the overall physical security objective. In addition to the physical safeguards covered by this review, special procedures relating to the transportation, storage, and disposal of IRS records, including tax returns, have been developed jointly with the National Archives and Records Service of the General Services Administration and the U.S. Postal Service. PERIMETER PROTECTION IRS' perimeter protection at its computer facilities is designed to deter trespassing and to direct employees and 24 visitors to selected entrances. Our examination of the physi- cal protection features used disclosed the following deficien- cies resulting from improper maintenance. Perimeter fencing at the Brookhaven Service Center was in need of repair and strengthening. Spaces existed that would permit unauthorized access under fencing and numerous areas were found where barbed wire strands at the top of fence were broken. In addition, locks to perimeter doors the of the Center had not been changed since the facility was opened in October 1S92. While officials said that there was no re- quirement to periodically change locks on access doors, we believe that good security practices necessitate such This procedure would help maintain an appropriate levelactions. of facility protection when the employees given access to peri- meter door keys are changed. It is essential that IRS provide for the spection and maintenance of protective devices continuous in- to insure that they fulfill their intended purpose. Improper maintenance can significantly reduce their effectiveness and impede the overall security of the facility. ACCES CONTROLS Access to computer facilities is con;tolled through use of identification badges. Employees must show their badges to a security guard upon entering and display them at all times in the facility. Visitors are issued badges and gen- erally require escort by IRS personnel. Certain critical areas within each service cnter have been designated as "restricted" with access limited to au- thorized individuals. Access to a restricted area is con- trolled through use of identification badges that are dis- tinctive in color. For example, the normal badge for an employee may be yellow, a visitor's red, and a restricted IRS area badge such as the computer room may be brown. The effectiveness of the badge contro. system is depend- ent upon the willingness of security guards and IRS employees to challenge any individual not displaying a proper identifi- cation badge while in the facility. Further, it is necessary that all badges be properly accounted for and controlled as they not only represent the principal means of identification but under TAS will e used as one step in activating computer terminals. 25 In a test of the badge system at the Covington Center, access was gained to several restricted areasService while displaying a "visitor's escort only" badge. Such a not authorize access to any of the restricted areas badge did within the Center. During a further test, movement was permitted challenged without badge or escort through many of the un- ter's work areas. Cen- Administrative controls over employee and visitor iden- tification badges were ineffective at both the Brookhaven and Chamblee Service Centers. Lost or missing badges were not always accounted for, and reconciliations were not as required. Procedures were generally inadequate to made insure that badges were collected upon furlough or termination employment. For example at the Chamblee Service Center, of badges had not been returned to the badge unit by mid-June for 110 temporary employees whose employment was terminated on May 11, 1975. In seven instances, former employees permitted to clear the Center without surrendering theirwere identification badges. The remaining 103 badges were being held in the branches where the tormer employees had worked. No form of disciplinary action was taken where employ- ees of the Brookhaven Service Center repeatedly forgot their identification badges. An IRS official estimated or lost approximately 15 to 20 badges were lost and 400 instancesthat forgotten badges occurred each month. Such laxity in of ministration of the badge control system has, in our the ad- opinion, significantly weakened the overall security of the service center. PHYSICAL CONTROL OVER TRASH DISPOSAL Large quantities of waste material information must be disposed of daily andcontaining taxpayer therefore must be protected to prevent disclosure; within IRS, this is plished in various ways. In general, trash containingaccom- tax- payer information is segregated and destroyed by incinerating, pulping, shredding, or otherwise disintegrating the The destruction is accomplished by IRS or by contractmaterial. under IRS supervision. While the above process would appear to provide adequate protection, a basic weakness exists. The effectiveness safeguard depends on the individual IRS employee properlyof the segregating trash containing taxpayer information sensitive waste. During our review at the Covingtonfrom non- Service Center, taxpayer information was found in general use waste- baskets and trash containers. At the National Computer Center, 26 taxpayer information was found exposed at a sanitary landfill. These findings point to a need to review the disposal process and to consider requiring all trash to be destroyed in the same manner, thus eliminating the segregation process. CONCLUSION The physical protection measures and procedures employed by IRS are considered adequate, in concept, to properly pro- tect taxpayer data maintained by IRS ADP facilities. However, the lack of proper implementation and pplication has resulted in several of the controls being less tn effective. These conditions should be corrected in the present system and the controls continued in TAS. 'ECOMMENDATION TO THE COMMISSIONER OF INTERNAL REVENUE We recommend that the national office exercise respon- sibility for periodically evaluating the effectiveness of physical security at each of the 10 service centers and the National Computer Center. While all aspects of physical pro- tection should be evaluated, particular attention should be given to correcting tne discrepancies cited herein with em- phasis on obtaining proper implementation of effective badge control and trash disrosal systems. The results of the eval- uations should be analyzed and where warranted, uniform pro- cedures should be developed for application at all locations and continued under TAS. AGENCY COMMENTS AND ACTIONS The Commissioner of Internal Revenue informed us that plans are now being made to increase evaluations of physical security and to conduct them on a systematic, regular basis. He stated that protective programs branch has responsibility for this program but has been unable to make frequent eval- uations because of their small staff. Independent tests will continue by the organizational elements under the Assistant Commissioner for Inspection. According to the Commissioner, corrective action has been nitiated regarding those protective measures which are prescribe] but not effective because of lack of proper mai:n- tenance o: implementation. The Service had studied its trash disposal procedures and had issued new Service-wide guidelines which will require all trash to be processed in the same manner and should overcome the deficiencies noted during our review. He further stated that administrative control over badges in 27 certain service centers should improve with the recent assign- ment of new security officers who will receive strong manage- ment support in the administration of the badge system. The Service is testing a new photograph badge with computer read- able encoding which, if successful, will replace the present badge system which relies on visual checks by guards and IRS employees. 28 CHAPTER 6 NETWORK SECURITY AND INTERSERVICE CENTER ACTIVITY The proposed Tax Administration System is envisioned as a totally integrated data system involving processing, stor- age, data communications, and terminal facilities. A decen- tralized data base will be used and each service center will process and maintain tax accounts for taxpayers in its geo- graphic area. The National Communications Center will control data exchange between centers and will maintain a directory of each center's records so that a taxpayer's account will not be maintained at more than one center. Data communications will be provided by a dta communica- tion subsystem. This subsystem will link the data terminals located i field offices with the host service center. Serv- ice centers will be interconnected through the National Com- munications Center. Information that must be transferred be- tween service centers will be batch processed to the National Communications Center for relay to the appropriate service center. Data will be transmitted between centers and the National Communication Center over encrypted data links. Through this design, a local office terminal will communicate only with its servicing center, and no direct terminal-to- terminal or center-to-center communications will take place. Encryption of the data links and the batch transfer of data were recommended by the Office of Management and Budget and cited by IRS as data communication safeguards in their notification of proposed system changes required by the Pri- vacy Act of 1974 and submitted to the Congress and the Office of Management and Budget on October 15, 1975. DATA ENCRYPTION The GAO report entitled, Computer-Related Crimes in Fed- eral Programs" (FGMSD-76-27, Apr. 27, 1976), observed that most of the cases examined did not involve sophisticated attempts to use technology for fraudulent purposes, but rather they were uncomplicated acts which were made easier because manage- ment controls over the systems involved were inadequate. While wiretapping and lectronic interception of communica- tions are technically possible, the extent of the threat to taxpayer data from such sources has not been established. For example, our discussions with the Federal criminal and intel- ligence agencies and with IRS have disclosed no known cases of 29 unauthorized disclosure of taxpayer information data communications. traceable to When a risk and threat analysis indicates the necessity for safeguarding the communication links, be used to secure the network. An algorithmcryptography can the primary technical requirements of th t satisfies a data encryption stan- dard was published in the Federal Register by the National Bureau of tandards. of March 17, 1975, This be used by Federal agencies where encryptionalgorithm is to ications is considered necessary. However, of data commun- the National Bureau of Standards recommends that other such as identification, access control, security safeguards and be implemented before sophisticated encryptionaccess auditing procured for the protection of personal devices are employing the algorithm are not generallydata. The devices cost has been estimated to range from available and their a few hundred to sev- eral thousand dollars. For planning purposes, IRS is considering of the encryption devices to be approximately the unit cost equal amount representing maintenance $2,500 with an system life. Forty-two devices will cost over a 10-year be required to provide partial network protection representing tions between the service centers and the data communica- the National tions Center. Eight hundred ninety-three additionalCommunica- would be required to provide encryption devices between the field of- fice terminal control units and the service end-to-end encryption at each field centers. Full terminal approximately 3,350 devices 1/ to secure would require estimated incremental cost o encrypting the network. The the munications network is shown in the following IRS data com- chart. 1/Of the approximately 8,000 terminals to be connected to the system, about 2,900 will be located service centers and will require use outside he 10 IRS of commercial commun- ications. Devices for encryption/decryption quired at each of these terminals and would be re- essary at the various service centers others would be nec- to provide for full end-to-end encryption. 30 Estimated Cost of Encryption of'IRS Data Communication Network Inter- Estimated cost mediate Full of encryption Partial protec- protec- devices protection tion tion - 000 omitted) Between service centers and National Communications Center $105 $ 105 $ 105 Between field office terminal control units and host erv- ice center - 2,233 Between field office data terminals and host service centers - - 8,375 Total estimated equipment cost 105 2j338 8,480 Total estimated maintenance cost 105 2,338 8,480 Total estimated cost $210 $4,676 $16i960 Although we recognize that a potential for wiretapping or electronic interception exists, our inquiries disclosed no evidence of a present threat to taxpayer information that would warrant the cost of procuring encryption devices to secure the communication network. A\ risk nd threat analysis has been initiated by IRS and its completion is considered necessary prior to any decision to employ this techno ogy. BATCH TRANSFER OF DATA Under TAS, data is to be transmitted over high-speed com- munication lines from a service center to the National Commun- ications center for processing or relaying to another service center in batch form. These procedures preclude direct com- munication between the computers located at the service cen- ters. While prohibiting realtime interservice center activity may be desirable for economy or other considerations, it does not provide communications security and does not significantly add to the overall security of TAS. This is due to the fact 31 that batch processing delays, but does not control, the trans- fer of data. For example, the delay may discourage, but will not prevent, an IRS employee at one location from browsing the tax information maintained at another service center. Interservice center activity should be controlled at the source through supervisory intervention. This would require a supervisor to validate all requests for taxpayer informa- tion maintained by another service center. While a manual review and approval of requests as currently planned by IS would provide a degree of control, such a procedure could be circumvented. Automation of the validation process would, in our opinion, provide the most effective control to prevent unauthorized transfer of data between centers. A supervisor would be required to enter into a terminal, validation data that would release each individual request. Such a process would preclude an employee from obtaining taxpayer informa- tion from another center without independent confirmation as to need. CONCLUSION The internal threat to taxpayer information from unau- thorized use of the communication network is considered greater than the external threat posed by covert electronic interception. Therefore, the need to control interservice center activity is evident while the need to encrypt the communication links has not been established. RECOMMENDATION TO THE COMMISSICNER OF INTERNAL REVENUE We recommend that appropriate controls be established in the design and implementation of TAS to insure that only authorized transfers of taxpayer information between centers are permitted. Further, the need to provide sophisticated communication security should be subjected to a thorough risk and threat analysis prior to any decision to incure the cost for encryption devices. AGENCY COMMENTS AND ACTIONS The Commissioner of Internal Revenue informed us that IRS was carefully considering the recommendation concerning a requirement for supervisory terminal validations and counter authorization for data that was accessed, based on geographic areas or levels of account activity. The Commissioner stated that a need may exist for certain exceptions in applying geo- graphic restraints. 32 The Commissioner also stated that the Service was devel- oping a risk analysis to reevaluate the need or communication line encryption devices prior to any contract award and, if not fully justified, would re-examine the issue with the Of- fice of Management and Budget. 33 CHAPTER 7 THE IRS SECURITY PROGRAM The IRS national office has the overall responsibility for the formulation and implementation of the security pro- gram. Policy responsibility has been assigned to the Internal Revenue Service Security Council. The Council is chaired by the Assistant Commissioner for Administration with five addi- tional Assistant Commissioners serving as members. The chief of the protective programs branch of the facilities management divisior has been designated executive secretary. IRS regulations direct the Council to deal with all se- curity issues within IRS. The Council is authorized to as- sess security status, identify important issues and problems, and determine which items are to e referred to the Deputy Commissioner or Commissioner for final decision. The Council has the authority to obtain the expertise necessary to deal with any and all security issues. It can also recommend meth- ods for evaluating security to insure that prescribed policies and procedures are being followed. Similar councils exist at several regional offices and service centers. The facilities management division, through its protec- tive programs branch, oversees the Service-wide implementa- tion of the physical and document security program at the national level. Its counterparts at the National Computer Center and the service center protective programs offices are responsible for developing and carrying out the program within their respective areas of responsibility. Similar responsibility for data processing security has not been defined. At the national level, there is no single office or organizational element responsible for the overall implementation of the technical security measures that are necessary and integral to the data processing operations and programs. Each data processing project or operational func- tion considers only those controls and security measures re- lated to its system or subsystem. Such an organizational approach to security does not insure uniform implementation of the security policies established by the Internal Revenue Service Security Council. A security administrator is assigned to each of the IRS service centers. However, their area of responsibility has been limited to the Integrated Data Retrieval System, a subsystem of a center's operation. Overall responsibility for data processing security has not been vested in an in- dividual or office at the local level. 34 CONCLUSION Establishing an organizational structure to independently monitor and evaluate data processing security would, in our opinion, significantly contribute to oercoming the weaknesses in controls cited in this report. Responsibility and author- ity must be clearly defined a a continuing program estab- lished to insure that taxpayer data is properly safeguarded in accordance with the Privacy Act of 1974. RECOMMENDATION We recommend that the Commissioner of Internal Revenue establish a national data processing security office respon- sible for technical, administrative, and physical security to include all data processing facilities. Such an office should be independent of those organizational elements re- sponsible for the development and operation of the computer systems and facilities and have authority sufficient to assure appropriate security. A similar position should be established at each data processing facility. The data process ng security officer should be independent of day-to-day lii e operations. Such independence can be achieved by either making this position a field extension of the national office or placing it under the head of the facility with direct communication authorized with the national data processing security office. AGENCY COMMENTS AND ACTIONS The Commissioner of Internal Revenue stated that IRS recognized the merits of this proposal and that a study would be initiated to thoroughly evaluate the national se- curity office concept and determine its organizational and resource implications. 35 CHAPTER 8 OBSERVATIONS AND MATTERS FOR CONSIDERATION BY THE CONGRESS OBSERVATIONS A widespread concern has often been expressed about the theory that large computer projects could be expanded and linked to other computer systems and thus pose a serious threat to the privacy of the individuals involved in various Government operations or programs. The first attempt to centralize Government-held computerized information was made in the mid-1960s with the proposal to establish a National Data Center. This proposal met with concern over the poten- tial misuse of a large concentration of data accumulated from the various Federal agencies which could result in an in- vasion of individual privacy. The congressional sponse to the proposed National Data Center was summa. q in a 1968 report by the House Com- mittee on Government Operations. 1/ The committee concluded that the data center concept poses serious problems regarding the collection, use, and security of personal information. It strongly advised against establishing a National Data Cen- ter until the technical feasibility of protecting automated files could be fully explored and privacy guaranteed. More recently, the Joint Agriculture-GSA New Equipment Project (commonly known as FEDNET) met similar opposition. As a result, the scope of the project was reduced in July 1974 by canceling the telecommunications network and GSA participation in the project. Agriculture canceled its pro- curement action in October 1975. IRS' proposed Tax Administration System differs signi- ficantly from the National Data Center and FEDNET concepts in that direct linkage, or sharing of equipment, with other agencies is not involved. Further, TAS provides for the de- centralization of the data base in contrast tc the consoli- dation of information as was proposed for the National Data Center. 1/House Committee on Government Operations Report, "Privacy and the National Data Center Concept," 90th Congress, 2nd sess., House Report No. 1842, (1968), p. 8. 36 Under the current IRS computer system, the Service sends and receives data by way of magnetic tapes tc other organiza- tions to facilitate tax administration. This practice will continue under TAS. The following are examples uf such in- direct interfaces with other computer systems. -- The Service receives a substantial portion of the data concerning interest and dividends paid by business tax- payers (as required by sections 6041 and 6042, Internal Revenue Code of 1954) on magnetic tapes, thereby per- mitting the matching of such data with its master file accounts and avoiding the expense of transcribing and converting it to machine readable form. -- Magnetic tapes received from the Social Security Ad- ministration are usedl to verify the social security numbers required by section 6109, Internal Revenue Code of 1954, to be furnished on individual income tax returns. Such verification helps to assure the accuracy of the master file accounts. -- The Service extracts self-employment income data and sends this information by way of magnetic tapes to the Social Security Administration so that agency can credit the individuals' social security accounts as provided in 42 U.S.C. 401. -- The Service sends data, which is authorized by section 6103 of the Iternal Revenue Code of 1954, cn mdgnetic tapes to other Government agencies such as the Bureau of Census for statistical purposes, and to various states to assist in the tax administration of their residents. CONCLUSIONS AND MATTERS FOR CONSIDERATION BY THE HOUSE AND SENATE COMMITTEES ON APPROPRIATIONS It is our opinion that as the user population of tax information expands, the risk of unauthorized disclosure also increases. Therefore, we believe the Congress may wish to consider certain restrictions in any legislation authorizing or funding the development and implementation of TAS. Such legislative restrictions would involve (1) direct linkage between TAS and any other computer systems, (2) location of TAS input and output devices, and (3) interface of TAS with other systems. 37 Although the current IRS computer system is not directly linked with any other system and such linkage hs not been included in any TAS planning document we examined, we believe the Congress may wish to consider making such direct linkage unlawful, Another prohibition that could clude a computer terminal, or other be considered is to pre- input or output d vices with direct access to the tax account data base, from being located at other than IRS operating locations unless specifi- cally authorized by law. The Service currently receives data on computer media such as magnetic tapes, from the public and private sectors to facilitate tax administration It sends data via computer media to other Government agencies and to various States authorized by law, resulting in a cost savings to both as the Government and the taxpayer. The Congress may wish to con- sider legislation restricting the use of such indirect inter- faces for new purposes unless specifically authorized by statute. 38 CHAPTER 9 SCOPE OF REVIEW This report provides our assessment of the proposed Tax Administration System's capability to provide appro- priate safeguards to protect taxpayer information as re- quired by the Internal Revenue Code and the Privacy Act of 1974. A separate report is being issued on our evaluation of the reasonableness of the cost/benefit analysis for the proposed new system. We interviewed IRS officials and examined records and documents pertaining to the proposed Tax Administration Sys- tem. We evaluated selected technical, administrative, and physical safeguards currently in the present system which are planned to be retained in TAS. We plan to continue our assessment of the privacy and security aspects o the current system and may issue future reports if appropriate. Section 6103 of the Internal Revenue Code of 1954 au- thorizes certain Government officials, Federal agencies, and the States access to taxpayer information maintained by IRS. We did not review the safeguards on the taxpayer information provided those recipients since that access is authorized by law and has no impact on the ability of TAS to safeguard tax- payer information. However, those officials and agencies with statutory authority to gain access to taxpayer informa- tion are required to safeguard that nformation against un- authorized or inappropriate disclosure. In addition, the Commissioner of Internal Revenue has stated that he will require a review of the agreements with the States and re- iegotiate those that do ot provide adequate safeguards ftr taxpayer information. We conducted our review at the IRS (1) national office in Washington, D.C., (2) National Computer Center at Martins- burg, West Virginia, (3) Cincinnati, Ohio, district office, and (4) service centers in Chamblee, Georgia; Brookhaven, New York; and Covington, Kentucky. 39 APP:LDIX I APPENDIX I Department of the Treasury / internal Rnue Service / iashington, D.C. 20224 Commissioner JUL o1976 Mr. Victor L. Iowe Director, General vrmwent Division Ulited States eneral Aounting Offioe Ishingon, D.C. 20548 Dear Mr. ase: e appreciate the omprehsive review made by yu staff of the Internal iReveue Srvice's prent autmatic data processing system ad te proposed Tax Aiinstration System ('IS). We fald the periodic briefings and en discussions dhich you arranged throuht&the audit to be particularly helpful. he on-line a Eroach gave us a oorb to take early orrective action where needed within the esting s :ity system; and it allowed us to release (with yur cxnanRt) GQD's overallrit favorable coclusion to ose in the S clearanoe pEros. Our oaments n your rat listed on pgw iii and iv in the draft report, "Evaluation of the Ability of the Internal Evmu Service's Propoeed Cputer System to Safeguard Taxpayer Infotmtn," are Oatained in ATACMEN A to this letter. We rl sted veral diial changes which you may wish to nsider also. heee are cited N!W B. amedial actioas have been or are being taken in thoseinaras ATal- whid can be corrected within the frmework of the edsting secrwity procedures, methods or aontrols. caever, a f r_ will reauire further study. As stated in yo recent report omcerning the adeqcy of physioal security and risk unagwnt policies and practi (E(aO -76-40), "Perfect security is generally regarded as mattaiable; tfreore, tm aim of a good physical security system Should be to reduce the pdtbilty of loes to an acceptable low level at reasonable ost and to insure adequate recovery in case of loss." We strorgly adore this .e. You may be assured that as the TRS design effort contns and ipimita- tin takes place, every effort will e de to pnovide the hijst reasonable level of security and protection for taxpar infmtjiM, and thtt all of the raem datios made by the will be carefully or.idered. With kind regards, Sincerely, Commitsoer Attachents 40 APPENDIX I APPENDIX I M'&I M A FWpOns to ( inat & ou' to the Cissinr~ 1. ~tblish a natlmal data Mvoesing Musity offic- and a similar position at emh data ing ility rspqXnsai/,, for afdnistrative, jsice1 and _temiral security." lb riiuge ti nearits of this ;prposul and, thersre, a suy will be initiated to toraly evaluate the natiral security office aonpt and deterMine its' rg at al ad rsoure iupltt ins. 2. "Cosider ays and m to protec tpqer~ daca frcm iBproper ames by nn-MS dloym8 having ions to a facility where tpye infrnatian is intainsd." he Service is eonoead about protection of taxpayer data frn izper acc by n-6 iployee woriing in aour data processing facilitis. With regard to apazrita bagro inetJ on these irdiviuals, we are reqauting advia frmn the IS Chief Ounuel cn Service autlhrity and intigative jurisdictin . If the Service has statutory authority, we will detnoaLr the type of estiat s that are aropriate, based an the dgee to hic rmc-IIS np1oyeas have acces and othr risk factrs, as wll as the cost of c&ting the intiatian . Internal ontrol0s which limit the access andoe m anit of na-IS plys are pres-atly prescribed, inclulnd a andatory provision for eoorting all m-Fedecal peramnel in restricted areas. small nulmber of non- Federal permel io have a clearance of confidttial or higher, issued mler autpices of the Define Industrial Security Program, are alloaed Iusm.sd access to sae restricted areas. The use of escarts in nm-restricted area is left to the discretian of the center directors. lhe adeqcy of these safguards is being measured bty nhspectmo's a-going security tests. 3. "Require menatory periodic tpdating of b rd investigtions of Uplyees using or haviw access to taxpayr inforMtinm to enare that their activities wmrrant the (rnemrrt's oontined trust." We agree that the backgrand investigations of ae mS sloyes wo use or ha aooess to taxpayer infrmation hould be updated periodically. Preently, we are stdying which positins require full scale investiga- tians due to their sansitivity, and we believe once these are clearly identified w can analyze and re a final oonclusion regarding yaw zommnation. 4. "Initiate prcedurs to provide qaprriate acmitabity and xontrol of all m&ast-c tapes, microfilm, and other information mia." Our internal auditors have also indica.d that _ajaes exist in this area. W have take specific correcive actia n hich includes the iuan of revised pooedures (Rvision to Handbook 12010, ecurity) providing for tigtr ontrols on agnetic tape, discs and print-uts as wll as scam to taps libaries. As yo suje ssW, whev studied our trash disposl ur. l.hs stuy Wms taed to ireltu all offioe Wnd lIa resltd in Ser -wide guidelins. 41 APPENDIX I APPENDIX I -2- .. "'aquireperiodic evaluatice of te effsctivhnes of fptsil seurity at each service center ar the Natimnal roputer Cnter.' Plans are now being nie to increase such evaluatio-s ad to 2xduact then on a systemtic, regular basis. our Protcti Progesa ,nch, hich has responsibility for this peogp , has been uable to mks frquent evaluations because of their amll staff. meparEndt testa by Inspection will contine. Corrective action has been initiated with regard to tae pOtectVw neasures hic are prescribed, but wee not effective becum of ladc of prowr mainteance or ianWentation. Prcblem in Qisetatiw control over bges in certain service cuters uuld be orrec by the recent assigmnt, of new seity officers wd will reeive strong mnnagemt support in the ainitratin of the bdge systa. Furtherre, the Service is testing a n, tog badge with a.p-ter readable e ding. If successful, it will replae th Erment badge system which relis on visual- ccks by guards and S mql -yees. 6. 7. "Eliminate listings of e e access ltifioation data 1Dre possible and employ one-way encryptin to safeguard data files containing sxuch info timc." "Provide additional restricticns on trminal users of the auttic data processing systen to pemt access only to ,oe functions mnd related data that are necessary to perfom their duties." As a result of Inspection's internal audit findings and your reoinda- tions, e have eliminated the listings of employese acre idtifimtin data, and we are enxrypting eployee acors identificaticn data as a further safeguard. Also, we hae taken steps to autoste the assignment and deletion of commnd codes assigned to terminal operators. Specifically, when eployees are transferred to new furcticnal units, their previou comman odes are deleted, and the nw codes necessary to perform their new duties are generated upon input of a proper "key" command oode. we believe these nmasures which have already been iplemnmtea substan- tially stragthen our system safeguards. The schisticated t4ehdqums of fully automating the paseaord generation, assignent an distribution process, and "one-iay" encryption of all aceass data and files is being explored for possible use in the future. 8. "Iritiate controls over the activities of those employee that have techmical training necessary to circumvent security safeguards." we recognize the vulnerability of the ADP systen in this area. hue, cnaideration is being given to various nmethods and procedres to control the activities of technical employees, particularly resident progrmmer analysts, and balance security concerns with the need for eployee efficiency. 42 APPENDIX I APPENDIX I -3- 9. *Sk l.gl MrL ity to Witih*ld f pmiio disolkuS data pormsing Iiato that VA ane the ability to gain wtutialy ilegal aCM to trYmer inf -at"im*" a a remut of dlis _io with GO auditors, a ocVrehnsive reim of -a bMitat1n 14 in YLOS to identify nterials hthi, for =ascity rmmon Iuld Wt bn ptlicly disclose. If the Service fins tat cuzrrt xmrip.ims of the lr, of InoNta im act do nt offe: sufficint rotsction to umitive qA sytt. mntm-al, ftLopriSt lagiulaticm will be sught. 1t.. & 1. "Btablis apMopriata oontols to onae that only autrised inter- m 4rvioe nter activity is peaoitted." Isuide enwmvisory a wl fm all ut-of-districtt inquiris to payems tmw=myr amunts by tayayer oplianoe anrd inctiV ao~ta by tap.Pyer Service rI.IntAti" lb agie with the prixple implid in these r -nraticno that tz l ur n uld not have acs to mr tax account data than is IRary to pe or thei assied dutia. Isu, as yu a a , w have initiatd a study to thoaighly qrde all aspects of thi tt ject. " *jectiw of the is to iantify practical s tlmt o t ~ to iata without dv affecting sevic to the ptlic or pduttivity of the t l ur r their eprsvisors. hn additi.a, ve will contiueto evaluate the ue of additioal positive idntifiers of tranuil uses (yo bdge, peasd, and exployee profile aontzovs). a carefully ouide~ring yor rm dation croerning a rure- t for apsrviecry taninal validations aid eta anriatim fr aooeses based on gmograhicl area or levels of acamt activity. Our initial reis irdicatis that w my be able toaue the amnt linkag data as a control aid. oC the other hrd, ned my edst for crtain ,,qtlts in applying geogradcal restraints. 12. "In[are that o inCaiatUM risks aid threats are capletaly analyzed prior to wc decisir to i=ur the cost for scetisticated security dvices." io Service is d 1oping a risk amlysis to reval.uate the rd for "Plc mcati' Limn an'ryption devices prior to any ontrt aard. If sd quipmat is not fully justifLad, the Service will r-enalne the issue with theh ffioe of lmgnmnt and audget (CM). 43 APPENDIX II APPENDIX II PRINCIPAL OFFICIALS RESPONSIBLE FOR ADMINISTRATION OF ACTIVITIES DISCUSSED IN THIS REPORT Tenure ofcoffice From To SECRETARY OF THE TREASURY: William E. Simon Apr. 1974 Present George P. Shultz June 1972 Apr. 1974 COMMISSIONER OF INTERNAL REVENUE: Donald C. Alexander May 1973 Present ASSI TANT COMMISSIONER, ACCOUNTS, COLLECTION, AND TAXPAYER SERVICE: James I. Owens (acting) Aug. 1976 Present Robert H. Terry Aug. 1973 July 1976 ASSISTANT COMMISSIONER, PLANNING AND RESEARCH: Anita F. Alpern Jan. 1975 Present Dean J. Barron Aug. 1973 Dec. 1974 DIRECTOR, TAX SYSTEMS REDESIGN DIVISION: Patrick J. Ruttle Dec. 1975 Mar. 1976 Donald G. Elsberry Nov. 1973 Dec. 1975 DIRECTOR, TAX ADMINISTRATION SYSTEMS DIVISION: Patrick J. Ruttle Mar. 1976 Present Note: In March 1976, the responsibility for TAS was trans- ferred from the Office of the Assistant Commissioner (Planning and Research) to the Assistant Commissioner (Accounts, Collection, and Taxpayer Service). With the transfer, the Tax Systems Redesign Division was abolished and the Tax Administration Systems Division established. 44
Safeguarding Taxpayer Information: An Evaluation of the Proposed Computerized Tax Administration System
Published by the Government Accountability Office on 1977-01-17.
Below is a raw (and likely hideous) rendition of the original report. (PDF)