http://w
ww.fcw.com/article92737-03-24-06-Web
By Matthew Weigelt
Mar. 24, 2006
Taxpayers' financial and personal information remains at
risk because
the Internal Revenue Service has not yet strengthened its
information
security measures, according to a new Government
Accountability Office
report.
The IRS fixed 41 of the 81 faults GAO discovered last year,
the report
states. Nevertheless, "GAO identified new information
security control
weaknesses that threaten the confidentiality, integrity and
availability of IRS' financial information systems and the
information
they process," according to the report, which was
released today.
The IRS has not established effective electronic access
controls
related to network management, user accounts, file
permissions and
logging and monitoring of security-related events, the
report states.
The agency has also failed to install other controls to
secure
computers physically.
"Collectively, these weaknesses increase the risk that
sensitive
financial and taxpayer data will be inadequately protected
against
disclosure, modification or loss, possibly without
detection, and
place IRS operations at risk of disruption," the
report states.
GAO recommends that the IRS align policies related to
password age and
configuration settings with federal guidelines, review
system security
plans, give specialized training to contractors, and update
emergency
action plans.
For emergency plans, the report suggests training non-IRS
staff
members to restore operations and updating disaster recovery
plans. It
also recommends installing UNIX-based hardware and equipment
for
processing applications and data at the IRS' disaster
recovery hot
site, an alternative processing place to use in an
emergency. Until
the agency acts on these recommendations, "it is at
risk of not being
able to appropriately recover in a timely manner," the
report states.
IRS Commissioner Mark Everson expressed agreement with
GAO's
assessment in a Feb. 27 letter to GAO's director of
information
technology, Gregory Wilshusen.
"Because the IRS' solution extends beyond the
specific findings and
addresses the root cause of the weaknesses at an
enterprisewide level,
a majority of the weaknesses remain open," Everson
wrote. "However, as
a result of this agencywide approach and other initiatives
we have
under way, the IRS now has stronger controls to protect
taxpayer
data."
He said IRS officials share the responsibility for IT
security.
_________________________________
InfoSec News v2.0 - Coming Soon!
http://www.infosecnews.org
|