Information Security News mailing list archives

GAO Report Targets IRS Security Weaknesses


From: InfoSec News <isn () c4i org>
Date: Tue, 18 Nov 2003 06:11:57 -0600 (CST)

http://dc.internet.com/news/article.php/3109851

By Roy Mark 
November 17, 2003

The Internal Revenue Service (IRS), and other Department of Treasury
agencies, continue to have "material weaknesses" in security controls
designed to protect the confidentiality, integrity and availability of
their systems, a new General Accounting Office (GAO) report concludes.

According to the GAO, the investigative arm of Congress, the security
weaknesses and inconsistent implementation of security controls exist,
in part, because Treasury's department-wide program, "while
evolving, has not yet been fully institutionalized across the entire
department."

Treasury's bureaus have 708 information systems supporting its
operations with a centralized data communications network and
management system interconnecting networks and systems at the bureaus
and departmental offices.

"Protecting the computer systems that support critical operations and
infrastructures has never been more important because of concerns
about attacks from individuals and groups with malicious intent,
including terrorists," the report states. "These concerns are well
founded for a number of reasons, including the dramatic increase in
reported security incidents, the ease of obtaining and using hacking
tools, the steady advance in the sophistication and effectiveness of
attack technology, and the dire warnings of new and more destructive
cyber-attacks to come."

Since 1997, GAO audits have discovered "persistent computer security
weaknesses" that place a variety of critical federal operations at
risk.

"It remains so today," the report states.

The security weaknesses identified at Treasury include all six general
control areas addressed in the GAO's information security audit
methodology, including security program management, access controls,
software development and change controls, segregation of duties,
operating systems controls, and service continuity.

Security problems were further compounded earlier this year when
Treasury underwent significant organizational change with several
departments transferred to the newly created Department of Homeland
Defense and the Department of Alcohol, Tobacco and Firearms moving to
the Department of Justice.

During a three-year period ending in July 2002, the GAO conducted 14
information security reviews at 11 IRS tax processing facilities
throughout the country. The reviews identified 765 general control
weaknesses. In addition, the GAO conducted five application control
reviews and found 112 weaknesses.

"While the majority of general control weaknesses identified fell into
the area of logical access controls, weaknesses in physical security,
software change controls, segregation of duties, and service
continuity also posed significant risk to IRS systems and taxpayer
information," the report states.

The report notes that while Treasury has taken the initial steps
necessary to implement a department-wide information security program,
"key elements of such a program -- those needed to help mitigate
Treasury's longstanding information security weaknesses -- have not
been fully implemented."

The report concludes, though, that "Until Treasury can fully implement
its department-wide program and adequately mitigate known weaknesses,
increased risk exists that individuals could gain unauthorized access
to critical hardware and software, and intentionally or inadvertently
use, disclose, disrupt, modify, or destroy sensitive data or computer
programs."

The GAO prepared the report at the request of Representatives Adam
Putnam (R.-FL) and William Lacy Clay (D.-MO), the chairman and ranking
member of the House Government Reform Committee's Subcommittee on
Technology, Information Policy, Intergovernmental Relations and the
Census.



