A Government Accountability Office report calls into question the security of the information U.S. taxpayers are sending to the IRS.

The report says that the IRS IT system "remains unnecessarily vulnerable" and puts taxpayer information at risk, particularly to insider threats.

 

According to the report, 69 percent of 89 security weaknesses and deficiencies identified by the GAO during a 2008 fiscal year audit remain unresolved. "Information security weaknesses -- both old and new -- continue to impair the agency's ability to ensure the confidentiality, integrity, and availability of financial and taxpayer information," the GAO said.

 

The main reason the IRS lacks IT security is that the agency has no comprehensive security management system in place, the GAO said. Moreover, it has not implemented appropriate access controls when it comes to sensitive information.

 

Specifically, the IRS continues to use weak passwords, ineffectively remove accounts for employees who no longer work for the agency, and allow agency personnel excessive file and directory permissions, according to the report. The agency also allows user and administrator login information to be transmitted without encryption, fails to install patches in a timely matter, and ineffectively verifies that even the most basic security actions are complete. Moreover, it does not always do annual reviews of risk assessments, the GAO concluded.

 

Despite its overall negative evaluation, there were some bright spots in the report. The IRS has corrected 28 of the 89 IT security weaknesses identified in the 2008 audit, taking steps to change vendor-supplied user accounts and passwords, and avoid storing clear-text passwords in scripts. The agency also has enhanced policies and procedures for configuring mainframe operations and established an alternate processing site for its procurement system, according to the report.