IRS Systems Security: Although Significant Improvements Made, Tax Processing Operations and Data Still at Serious Risk

AIMD-99-38 December 14, 1998
Full Report (PDF, 22 pages)  

Summary

The Internal Revenue Service (IRS) is making significant progress to improve computer security at its facilities. IRS has acknowledged the seriousness of its computer security weaknesses, consolidated overall responsibility for computer security management within one office under its Chief Information Officer, reevaluated its approach to computer security management, and developed a high-level plan for mitigating weaknesses cited by GAO. (See GAO/AIMD-97-49, Apr. 1997.) GAO found that IRS has addressed the risks associated with 63 percent of the weaknesses discussed in that report. Despite this progress, serious weaknesses persist at five facilities GAO visited during its earlier audit, and GAO identified additional weaknesses at those locations and at a sixth facility included in this review. These weaknesses affect the agency's ability to control physical access at its facilities and sensitive computing areas, control electronic access to sensitive taxpayer data and computer programs, prevent and detect unauthorized changes to taxpayer data or computer software, and restore essential IRS operations following an emergency or natural disaster. Until these weaknesses are corrected, IRS tax processing centers are at risk of disruption. Moreover, sensitive taxpayer data could be revealed to unauthorized persons, improperly used or modified, or destroyed, thereby exposing taxpayers to loss or damages arising from identity fraud and other financial crimes.

GAO noted that:

(1) IRS is making significant progress to improve computer security over its facilities;
(2) since GAO's April 1997 report, IRS has acknowledged the seriousness of its computer security weaknesses, consolidated overall responsibility for computer security management within one executive-level office under its Chief Information Officer, reevaluated its approach to computer security management, and developed a high-level plan for mitigating the weaknesses GAO identified;
(3) GAO found that IRS has corrected or mitigated the risks associated with 63 percent of the weaknesses discussed in its prior report;
(4) while progress has been made, serious weaknesses continue to exist at the five facilities visited during GAO's prior audit, and it identified several additional weaknesses at those locations and at a sixth facility included in this review;
(5) these weaknesses exist primarily because IRS has not yet fully institutionalized its computer security management program;
(6) these weaknesses affect IRS' ability to control physical access to its data processing facilities and sensitive taxpayer data and computer programs, prevent or detect unauthorized changes to taxpayer data or computer software, and restore essential IRS operations following an emergency or natural disaster;
(7) until these weaknesses are mitigated, IRS continues to run the risk of its tax processing operations being disrupted;
(8) furthermore, sensitive taxpayer data entrusted to IRS could be disclosed to unauthorized individuals, improperly used or modified, or destroyed, thereby exposing taxpayers to loss or damages resulting from identity fraud and other financial crimes;
(9) in comments agreeing with GAO's recommendations, IRS stated that since the end of GAO's review, it had also specified actions planned and under way to address the remaining weaknesses; and
(10) GAO will review those actions as part of its audit of IRS' fiscal year 1998 financial statements.