United States General Accounting Office GAO Testimony Before the Committee on Governmental Affairs U.S. Senate For Release on Delivery Expected at 10 a.m. IRS SYSTEMS SECURITY Thursday, April 10, 1997 Tax Processing Operations and Data Still at Risk Due to Serious Weaknesses Statement of Dr. Rona B. Stillman Chief Scientist, Computers and Telecommunications Accounting and Information Management Division GAO/T-AIMD-97-76 Mr. Chairman and Members of the Committee: We appreciate the opportunity to participate in this hearing on Internal Revenue Service (IRS) computer security weaknesses. Computer security problems are not unique to IRS. In fact, since June 1993, we have issued over 30 reports describing serious information security weaknesses at major federal agencies. Moreover, we reported in September 1996 that in the previous 2 years, serious information security control weaknesses had been reported for 10 of the 15 largest federal agencies.1 This means that literally billions of dollars worth of assets are at risk of loss and vast amounts of sensitive data are at risk of unauthorized disclosure, modification, and destruction. Accordingly, we designated information security as a governmentwide high-risk issue in our 1997 report series on high-risk programs.2 Over the past several years, we have reported that IRS’ management of computer security is ineffective and have made recommendations to strengthen computer security. Nevertheless, the GAO report that Senator Glenn has just released shows that IRS continues to have serious weaknesses in the controls used to safeguard IRS computer systems, facilities, and taxpayer data. These weaknesses could result in the disruption of tax processing operations or in the improper use, modification, or destruction of taxpayer data. Computer security control weaknesses make IRS’ computer resources and taxpayer data unnecessarily vulnerable to external threats, such as natural disasters and individuals or organizations with malicious intentions. They also increase IRS’ vulnerability to internal threats, such as IRS employees accessing taxpayer files for purposes unrelated to their jobs (e.g., reading the files of celebrities or neighbors) or making unauthorized changes to taxpayer data, either inadvertently or deliberately for personal gain (e.g., to initiate unauthorized refunds or abatements of tax). These unauthorized and improper activities by IRS employees, which are commonly referred to as browsing, have been the focus of considerable attention in recent years, and have been of particular interest to this Committee. We found that despite this attention and interest, IRS is still not effectively addressing its browsing problem. IRS still does not effectively monitor employee activity, accurately record browsing violations, consistently punish offenders, or widely publicize reports of incidents detected and penalties imposed. 1 Information Security: Opportunities for Improved OMB Oversight of Agency Practices (GAO/AIMD-96-110, Sept. 24, 1996). 2 High-Risk Series: Information Management and Technology (GAO/HR-97-9, February 1997). Page 1 GAO/T-AIMD-97-76 Before discussing each of these areas in greater detail, it is important to note that neither my statement nor our report that Senator Glenn just released quantifies the total number of weaknesses that we found or the number of weaknesses found in each of the eight functional categories of security that we reviewed. Additionally, neither my statement nor the report details the most serious weaknesses that we found. IRS officials were concerned that public disclosure of this information would increase the risks to their operations and employees. All of our findings have been reported in detail to the appropriate congressional committees. IRS relies on automated information systems to process over 200 million Background taxpayer returns and collect over $1 trillion in taxes annually. IRS operates 10 facilities throughout the United States to process tax returns and other information supplied by taxpayers. These data are then electronically transmitted to a central computing facility, where master files of taxpayer information are maintained and updated. A second computing facility processes and stores taxpayer data used by IRS in conducting certain compliance functions. There are also hundreds of other IRS facilities (e.g., regional and district offices) that use information systems to support tax administration. IRS Computer Security The Department of the Treasury requires IRS to have C2-level safeguards to Requirements protect the confidentiality of taxpayer data.3 C2-level safeguards ensure “need-to-know” protection and controlled access to data. Similarly, IRS’ Tax Information Security Guidelines require that all computer and communication systems that process, store, or transmit taxpayer data adequately protect these data, and the Internal Revenue Code prohibits the unauthorized disclosure of federal returns and return information. Prior GAO Work on IRS Over the past 3 years, we testified and reported numerous times on serious Computer Security weaknesses in security and other internal controls used to safeguard IRS computer systems and facilities. For instance, in August 1993, we identified weaknesses in IRS systems that hampered the Service’s ability to effectively protect and control taxpayer data.4 Subsequently, in 3 The Department of Defense defines a hierarchy of security levels (i.e., A1, B3, B2, B1, C2, C1, and D), with A1 currently being the highest level of protection and D being the minimum level of protection. 4 Financial Management: First Financial Audits of IRS and Customs Revealed Serious Problems (GAO/T-AIMD-93-3, Aug. 4, 1993). Page 2 GAO/T-AIMD-97-76 December 1993, IRS identified taxpayer data security as a material weakness in its Federal Managers’ Financial Integrity Act report. In 1994, we reported, and IRS acknowledged, that while IRS had made some progress in correcting computer security weaknesses, IRS still faced serious and long-standing control weaknesses over automated taxpayer data. Moreover, we reported that these long-standing weaknesses were symptomatic of broader computer security management issues. With respect to employee browsing, we reported in September 1993 that IRSdid not adequately (1) restrict access by computer support staff to computer programs and data files or (2) monitor the use of these resources by computer support staff and users.5 As a result, personnel who did not need access to taxpayer data could read and possibly use this information for fraudulent purposes. Also, unauthorized changes could be made to taxpayer data, either inadvertently or deliberately for personal gain (for example, to initiate unauthorized refunds or abatements of tax). In August 1995, we reported that the Service still lacked sufficient safeguards to prevent or detect unauthorized browsing of taxpayer information.6 Our on-site reviews of security at five facilities disclosed many Serious Computer weaknesses in eight functional areas. These areas are (1) physical security, Security Weaknesses (2) logical security,7 (3) data communications management, (4) risk Persist analysis, (5) quality assurance, (6) internal audit and security,8 (7) security awareness, and (8) contingency planning. Of these eight, the primary weaknesses were in the areas of physical and logical security. Examples of weaknesses are discussed below. Physical Security Physical security and access control measures, such as locks, guards, fences, and surveillance equipment, are critical to safeguarding taxpayer data and computer operations from internal and external threats. We found many serious weaknesses in physical security at the facilities 5 IRS Information Systems: Weaknesses Increase Risk of Fraud and Impair Reliability of Management Information (GAO/AIMD-93-34, Sept. 22, 1993). 6 Financial Audit: Examination of IRS’ Fiscal Year 1994 Financial Statements (GAO/AIMD-95-141, Aug. 4, 1995). 7 Logical security measures are safeguards incorporated in computer hardware and software. 8 The phrases “internal audit” and “internal security” refer to functional disciplines, not IRS organizational entities. Page 3 GAO/T-AIMD-97-76 visited. IRS has approved for public release only the following examples of physical security weaknesses: • Collectively, the five facilities could not account for approximately 6,400 units of magnetic storage media, such as tapes and cartridges, which could contain taxpayer data. The number per facility ranged from a low of 41 to a high of 5,946. • Fire suppression trash cans were not used in several facilities. • Printouts containing taxpayer data were left unprotected and unattended in open areas of two facilities where they could be compromised. Logical Security Logical security controls limit access to computing resources to those personnel and programs with a need to know. Logical security control measures include the use of safeguards incorporated in computer hardware, system and application software, communication hardware and software, and related devices. We found numerous weaknesses in logical security at the facilities visited. Again, IRS has approved public disclosure of only the following examples: • Tapes containing taxpayer data were not overwritten prior to reuse, providing the potential for unauthorized disclosure. • Access to system software was not limited to individuals with a need to know. For example, at two facilities, we found that data base administrators9 had access to system software, although their job functions and responsibilities did not require it. • Application programmers were allowed to move development software into the production environment without adequate controls. In addition, these programmers were allowed to use taxpayer data for testing purposes, which places these data at unnecessary risk of unauthorized disclosure and modification. Examples of Weaknesses Weaknesses were also found in the remaining six functional areas. For in Other Functional Areas example, none of the facilities visited had conducted a complete risk analysis to identify and determine the severity of all the security threats to which they were vulnerable. Without these analyses, systems’ vulnerabilities may not be identified and appropriate controls may not be implemented to correct them. 9 The data base administrator is responsible for overall control of the data base, including its content, storage structure, access strategy, security and integrity checks, and backup and recovery. Page 4 GAO/T-AIMD-97-76 Also, we found that two of the facilities had not performed an audit of operations within the last 5 years. Such internal audit and security reviews are needed to ensure that safeguards are adequate and to alert management to potential security problems. Additionally, three of the five facilities did not have an adequate security awareness program. For example, one site had no process in place to ensure that management was made aware of security violations and security-related issues. An effective security awareness program is the means through which management communicates to employees the importance of security policies, procedures, and responsibilities for protecting taxpayer data. Last, none of the five facilities visited had comprehensive disaster recovery plans. Specifically, we found that disaster recovery procedures at two of the five facilities had not been tested, while plans for the remaining locations were incomplete—i.e., they failed to include instructions for restoring all mission-critical applications and reestablishing telecommunications. Further, none had completed business resumption plans, which should specify the disaster recovery goals and milestones required to meet the business needs of their customers. IRS employee browsing of taxpayer information is another security threat Electronic Browsing that requires effective counter measures. To address this threat, IRS Is Not Being developed the Electronic Audit Research Log (EARL), an automated tool to Addressed Effectively monitor and detect browsing on the Integrated Data Retrieval System (IDRS).10 IRS has also taken legal and disciplinary actions against employees caught browsing. However, EARL has shortcomings that limit its ability to detect browsing. In addition, IRS does not have reliable, objective measures for determining whether or not the Service is making progress in reducing browsing. Further, IRS facilities inconsistently (1) review and refer incidents of employee browsing, (2) apply penalties for browsing violations, and (3) publicize the outcomes of browsing cases to deter other employees from browsing. EARL’s Ability to Detect EARL cannot detect all instances of browsing because it only monitors Browsing Is Limited employees using IDRS. EARL does not monitor the activities of IRS employees using other systems, such as the Distributed Input System, the Integrated Collection System, and the Totally Integrated Examination System, which 10 IDRS is the primary computer system IRS employees use to access and adjust taxpayer accounts. Page 5 GAO/T-AIMD-97-76 are also used to create, access, or modify taxpayer data. In addition, information systems personnel responsible for systems development and testing can browse taxpayer information on magnetic tapes, cartridges, and other files using system utility programs, such as the Spool Display and Search Facility,11 which also are not monitored by EARL. Further, EARL has some weaknesses that limit its ability to identify browsing by IDRS users. For example, because EARL is not effective in distinguishing between browsing activity and legitimate work activity, it identifies so many potential browsing incidents that a subsequent manual review to find incidents of actual browsing is time-consuming and difficult. IRS is evaluating options for developing a newer version of EARL that may better distinguish between legitimate activity and browsing. IRS Progress in Reducing IRS’management information systems do not provide sufficient and Disciplining Browsing information to describe known browsing incidents precisely or to evaluate Cases Is Unclear their severity consistently. IRS personnel refer potential browsing cases to either the Labor Relations or Internal Security units, each of which records information on these potential cases in its own case tracking system. However, neither system captures sufficient information to report on the total number of unauthorized accesses. For example, neither system contains enough information on each case to determine how many taxpayer accounts were inappropriately accessed or how many times each account was accessed. Without such information, IRS cannot measure whether it is making progress from year to year in reducing browsing. A recent report by the IRS EARL Executive Steering Committee12 shows that the number of browsing cases closed has fluctuated from a low of 521 in fiscal year 1991 to a high of 869 in fiscal year 1995.13 However, the report concluded that the Service does not consistently count the number of browsing cases and that “it is difficult to assess what the detection programs are producing . . . or our overall effectiveness in identifying IDRS browsing.” Further, the committee reported that “the percentages of cases resulting in discipline has remained constant from year to year in spite of the Commissioner’s ’zero tolerance’ policy.” IRS browsing data for fiscal years 11 This utility enables a programmer to view a system’s output, which may contain investigative or taxpayer information. 12 Electronic Audit Research Log (EARL) Executive Steering Committee Report, (Sept. 30, 1996). 13 We did not verify the accuracy and reliability of these data. Page 6 GAO/T-AIMD-97-76 1991 to 1995 show that the percentage of browsing cases resulting in IRS’ three most severe categories of penalties (i.e., disciplinary action, separation, and resignation/retirement) has ranged between 23 and 34 percent, with an average of 29 percent.14 Browsing Incidents Are IRSprocessing facilities do not consistently review and refer potential Reviewed, Referred, browsing cases. The processing facilities responsible for monitoring Disciplined, and Publicized browsing had different policies and procedures for identifying potential violations and referring them to the appropriate unit within IRS for Inconsistently investigation and action. For example, at one facility, the analysts who identify potential violations referred all of them to Internal Security, while staff at another facility sent some to Internal Security and the remainder to Labor Relations. IRS has taken steps to improve the consistency of its review and referral process. In June 1996, it developed specific criteria for analysts to use when making referral decisions. A recent report by the EARL Executive Steering Committee stated that IRS had implemented these criteria nationwide. Because IRS was in the process of implementing these criteria during our work, we could not validate their implementation or effectiveness. IRSfacilities are not consistently disciplining employees caught browsing. After several IRS directors raised concerns that field offices were inconsistent in the types of discipline imposed in similar cases, IRS’ Western Region analyzed fiscal year 1995 browsing cases for all its offices and found inconsistent treatment for similar types of offenses. For example, one employee who attempted to access his own account was given a written warning, while other employees in similar situations, from the same division, were not counseled at all. The EARL Executive Steering Committee reported widespread inconsistencies in the penalties imposed in browsing cases. For example, the committee’s report showed that for fiscal year 1995, the percentage of browsing cases resulting in employee counseling ranged from a low of 0 percent at one facility to 77 percent at another. Similarly, the report showed that the percentage of cases resulting in removal ranged from 0 percent at one facility to 7 percent at another. For punishments other 14 The mix among these three categories has remained relatively constant each year with disciplinary action accounting for the vast majority of penalties. Page 7 GAO/T-AIMD-97-76 than counseling or removal (e.g., suspension), the range was between 10 percent and 86 percent. IRS facilities did not consistently publicize the penalties assessed in browsing cases to deter such behavior. For example, we found that one facility never reported disciplinary actions. However, another facility reported the disciplinary outcomes of browsing cases in its monthly newsletter. By inconsistently and incompletely reporting on penalties assessed for employee browsing, IRS is missing an opportunity to more effectively deter such activity. In conclusion, IRS’ approach to computer security has not been effective. Serious weaknesses persist in security controls intended to safeguard IRS computer systems, data, and facilities. These weaknesses expose tax processing operations to the risk of disruption and taxpayer data to the risk of unauthorized use, modification, and destruction. Further, although IRS has taken some action to detect and deter browsing, it is still not effectively addressing this area of continuing concern because (1) it does not know the full extent of browsing and (2) it is addressing cases of browsing inconsistently. Because of this, our report contains a series of specific recommendations, which if implemented, should greatly strengthen IRS computer security and effectively address its security risks. In summary, the report recommends that the IRS Commissioner (1) prepare a plan by April 30, 1997, for correcting all the weaknesses we identified at the five facilities we visited and for identifying and correcting security weaknesses at the other IRS facilities, (2) provide this plan to selected congressional committees, including the Senate Committee on Governmental Affairs, (3) report IRS’ progress against this plan in its fiscal year 1999 budget submissions, (4) until corrected, report the security control weaknesses that we identified as material weaknesses in Treasury’s Federal Managers’ Financial Integrity Act reports, (5) by June 1997, reevaluate IRS’ approach to computer security and report the results to selected congressional committees, including the Senate Committee on Governmental Affairs, (6) ensure that IRS completely and consistently monitors, records, and reports the full extent of electronic browsing, and (7) report IRS’ progress in eliminating browsing in IRS’ annual budget submission. IRShas concurred with these recommendations and stated that it will implement them. We plan to monitor its progress in doing so to ensure that Page 8 GAO/T-AIMD-97-76 security weaknesses are corrected and security management is strengthened. Mr. Chairman, this concludes my statement. Lynda Willis, Director, Tax Policy and Administration Issues, and I will be happy to respond to any questions you or Members of the Committee might have at this time. (511537) Page 9 GAO/T-AIMD-97-76 Ordering Information The first copy of each GAO report and testimony is free. Additional copies are $2 each. Orders should be sent to the following address, accompanied by a check or money order made out to the Superintendent of Documents, when necessary. VISA and MasterCard credit cards are accepted, also. Orders for 100 or more copies to be mailed to a single address are discounted 25 percent. Orders by mail: U.S. General Accounting Office P.O. Box 6015 Gaithersburg, MD 20884-6015 or visit: Room 1100 700 4th St. NW (corner of 4th and G Sts. NW) U.S. General Accounting Office Washington, DC Orders may also be placed by calling (202) 512-6000 or by using fax number (301) 258-4066, or TDD (301) 413-0006. Each day, GAO issues a list of newly available reports and testimony. To receive facsimile copies of the daily list or any list from the past 30 days, please call (202) 512-6000 using a touchtone phone. A recorded menu will provide information on how to obtain these lists. For information on how to access GAO reports on the INTERNET, send an e-mail message with "info" in the body to: email@example.com or visit GAO’s World Wide Web Home Page at: http://www.gao.gov PRINTED ON RECYCLED PAPER United States Bulk Rate General Accounting Office Postage & Fees Paid Washington, D.C. 20548-0001 GAO Permit No. G100 Official Business Penalty for Private Use $300 Address Correction Requested
IRS Systems Security: Tax Processing Operations and Data Still at Risk Due to Serious Weaknesses
Published by the Government Accountability Office on 1997-04-10.
Below is a raw (and likely hideous) rendition of the original report. (PDF)