IRS Systems Security: Tax Processing Operations and Data Still at Risk Due to Serious Weaknesses

T-AIMD-97-76 April 10, 1997
Full Report (PDF, 13 pages)  

Summary

Serious weaknesses continue to plague the controls used to safeguard the Internal Revenue Service's (IRS) computer systems, facilities, and taxpayer data. A GAO review of security at five facilities found that IRS could not account for 6,400 missing units of magnetic storage tape that possibly contained taxpayer information. Moreover, printouts containing taxpayer data were left unprotected and unattended in open areas, and none of the facilities had comprehensive disaster recovery plans, which would allow the facilities to restore operations following emergencies or natural disasters. GAO also found that IRS has not effectively dealt with unauthorized "browsing" of taxpayer records by IRS employees. For example, IRS does not monitor all employees with access to automated systems to determine whether they might be browsing. In addition, even when IRS catches browsers, it does not consistently investigate the incidents, publicize them to deter others from browsing, or punish the browsers.

GAO noted that: (1) GAO's on-site reviews of security at five facilities disclosed many weaknesses in eight functional areas; (2) these areas are physical security, logical security, data communications management, risk analysis, quality assurance, internal audit and security, security awareness, and contingency planning; (3) of these eight, the primary weaknesses were in the areas of physical and logical security; (4) collectively, the five facilities could not account for approximately 6,400 units of magnetic storage media which could contain taxpayer data; (5) printouts containing taxpayer data were left unprotected and unattended in open areas of two facilities where they could be compromised; (6) tapes containing taxpayer data were not overwritten prior to reuse, providing the potential for unauthorized disclosure; (7) access to system software was not limited to individuals with a need to know; (8) application programmers were allowed to move development software into the production environment without adequate controls and these programmers were allowed to use taxpayer data for testing purposes, which places these data at unnecessary risk of unauthorized disclosure and modification; (9) two facilities had not performed an audit of operations within the last 5 years; (10) three of the five facilities did not have an adequate security awareness program; (11) none of the five facilities visited had comprehensive disaster recovery plans or completed business resumption plans, which should specify the disaster recovery goals and milestones required to meet the business needs of their customers; (12) to address the threat of IRS employee browsing of taxpayer information, IRS developed the Electronic Audit Research Log (EARL) and has taken legal and disciplinary actions against employees caught browsing; (13) IRS does not have reliable, objective measures for determining whether or not IRS is making progress in reducing browsing; (14) IRS facilities inconsistently review and refer incidents of employee browsing, apply penalties for browsing violations, and publicize the outcome of browsing cases to deter other employees from browsing; and (15) EARL cannot detect all instances of browsing because it only monitors employees using the Integrated Data Retrieval System.
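Findings (13) and (15) concern two things an audit-log review for employee browsing needs: an objective measure, and coverage of every system through which records can be reached. The script below is an added illustration, not code from the GAO report, from EARL, or from any IRS system. It uses constructed audit events and a constructed case-assignment table, with hypothetical system names ("IDRS" as a label for the monitored system and "CASEAPP" for an unmonitored one); the assumed detection rule is that an access to a record not assigned to the employee is suspect, and the `coverage_gap` function shows what a tool that watches only one system never sees.

```python
# Added example: audit-log review for unauthorized record "browsing".
# All data, system names and the detection rule are constructed for illustration;
# this is not EARL and not any real IRS system or log format.
from collections import defaultdict

# Constructed sample audit events: (system, employee_id, taxpayer_record_id).
SAMPLE_EVENTS = [
    ("IDRS", "E100", "TP-0001"),
    ("IDRS", "E100", "TP-0002"),
    ("IDRS", "E200", "TP-0001"),     # E200 is not assigned TP-0001
    ("IDRS", "E200", "TP-0003"),
    ("CASEAPP", "E300", "TP-0004"),  # second system, outside a single-system monitor
    ("CASEAPP", "E300", "TP-0005"),  # E300 is not assigned TP-0005
    ("CASEAPP", "E100", "TP-0006"),  # E100 is not assigned TP-0006
]

# Constructed case assignments: the records each employee legitimately works.
ASSIGNMENTS = {
    "E100": {"TP-0001", "TP-0002"},
    "E200": {"TP-0003"},
    "E300": {"TP-0004"},
}


def find_unassigned_accesses(events, assignments, monitored_systems=None):
    """Return events in which an employee read a record outside their assignments.

    If monitored_systems is given, only events from those systems are examined,
    modelling a detection tool whose log feed covers a subset of systems.
    """
    flagged = []
    for system, emp, record in events:
        if monitored_systems is not None and system not in monitored_systems:
            continue
        if record not in assignments.get(emp, set()):
            flagged.append((system, emp, record))
    return flagged


def coverage_gap(events, assignments, monitored_systems):
    """Suspect accesses that a tool limited to monitored_systems would never see."""
    all_flags = set(find_unassigned_accesses(events, assignments))
    seen = set(find_unassigned_accesses(events, assignments, monitored_systems))
    return sorted(all_flags - seen)


def per_employee_counts(flagged):
    """An objective, repeatable measure: suspect accesses per employee, for trending."""
    counts = defaultdict(int)
    for _, emp, _ in flagged:
        counts[emp] += 1
    return dict(counts)


if __name__ == "__main__":
    all_flagged = find_unassigned_accesses(SAMPLE_EVENTS, ASSIGNMENTS)
    print("Suspect accesses across all systems:", all_flagged)
    print("Per-employee counts:", per_employee_counts(all_flagged))
    print("Missed by a monitor covering only IDRS:",
          coverage_gap(SAMPLE_EVENTS, ASSIGNMENTS, {"IDRS"}))
```

In the constructed data, a monitor limited to one system flags one suspect access while two others on the second system go unseen; feeding every system's access log into the same review, and trending the per-employee counts over time, addresses both the coverage gap and the lack of an objective progress measure.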