The Government Accountability Office (GAO) uncovered a list of new information system security weaknesses at the IRS in a report released July 18.
GAO found, in examining audits of the IRS’s fiscal years 2017 and 2018 financial statements, 14 new deficiencies in security controls that oversee certain IRS financial and tax processing systems that are part of the agency’s internal control over financial reporting.
“Of the 14 new deficiencies, eight were related to access controls, four were related to configuration management, one was related to segregation of duties, and one was related to contingency planning,” GAO said.
More specifically, the eight access control deficiencies in 2018 fell into three areas, user identification and authentication, access permission authorization, and encryption of sensitive information, and in each of the three the IRS had not sufficiently enforced its own controls.
In configuration management controls, the IRS failed to:
- “Implement mandatory access controls for an application,
- Update unsupported database software and apply vendor-supplied patches for certain applications,
- Update third-party software on workstations consistently, and
- Upgrade certain outdated and unsupported software network devices.”
On segregation of duties, GAO found that the IRS had allowed a non-administrator account to be a member of an administrator group in one of its databases. The contingency planning deficiency stemmed from the IRS’s assignment of “only one individual to administer the email service.”
Based on these findings, GAO issued 20 new recommendations to the IRS in a separate restricted report, bringing the open count to “a total of 127 recommendations to IRS for addressing information system security deficiencies.” The IRS agreed with the 20 new recommendations.