Information Security News mailing list archives

IRS plagued by computer vulnerabilities five consecutive years


From: InfoSec News <alerts () infosecnews org>
Date: Tue, 20 Mar 2012 03:07:47 -0500 (CDT)

http://www.nextgov.com/nextgov/ng_20120319_2120.php

By Aliya Sternstein
Nextgov
03/19/2012

During the past year, the Internal Revenue Service did not install critical fixes for software vulnerabilities, allowed unauthorized access to accounting programs and failed to ensure contractors received security training, according to the auditors' auditors.

Around tax time in 2007, 2008, 2009, 2010, 2011 and now this year, the Government Accountability Office has identified similar, recurring weaknesses that could expose sensitive taxpayer information and agency financial data, according to archived GAO reports.

"IRS had never installed numerous patch releases for the Unix operating system" that had been in operation since March 2009, stated the most recent report, released Friday. By not patching security holes on a timely basis, the "IRS increases the risk that known vulnerabilities in its systems may be exploited."

The key reason IRS computers are susceptible to tampering is the tax agency has yet to institute a mandatory information security program, GAO officials have said for five years. Under federal cybersecurity law, agencies must deploy a departmentwide initiative that, among other things, trains personnel to comply with security policies and tests technical protections.

[...]

