Advertisement

GAO hits IRS (again) over bad IT security

​The Government Accountability Office took the Internal Revenue Service to task in a newly released report, saying the agency responsible for collecting taxes has not implemented a number of information security protocols related to taxpayer systems.

The Government Accountability Office took the Internal Revenue Service to task in a report Monday, saying the tax agency has not implemented a number of information security protocols related to systems storing taxpayer data. 

According to the GAO report, the IRS has failed to integrate multi-factor authentication; restrict access to servers severely enough; ensure sensitive user authentication data were encrypted; and properly limit access to restricted areas.

The audit found that a host of the problems are a result of the agency failing to adhere to its information security plan. 

“IRS had not updated key mainframe policies and procedures to address issues such as comprehensively auditing and monitoring access,” the report reads. “In addition, IRS did not include sufficient detail in its authorization procedures to ensure that access to systems was appropriate. Further, IRS had not ensured that many of its corrective actions to address previously identified deficiencies were effective.” 

Advertisement

The IRS has taken several lumps from auditors in past 18 months. Last November, the GAO released a report saying the IRS isn’t managing and safeguarding its financial IT systems properly. Last year’s “Get Transcript” hack was a key example cited in a government-wide report that criticized the government on its cybersecurity operations. 

An internal watchdog, the Treasury Inspector General for Tax Administration, has also been critical of the agency information security policies. In October 2014, TIGTA found that IRS would not meet the government’s user authentication standards until 2018. 

The IRS agreed with the GAO’s recommendations. 

You can read the full report here

Greg Otto

Written by Greg Otto

Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University.

Latest Podcasts