Insider Threats and IRS Network Security Controls

Wednesday, March 16, 2011



The Government Accountability Office (GAO) has released a report that is critical of the lack of consistent application of security controls at the Internal Revenue Service (IRS).

The report indicates that the IRS fails to limit employee access to sensitive systems and information in accordance with employees' job duties, leaving the agency vulnerable to malicious insider threats.

The report also found that the IRS had failed to update critical database software and enable key auditing capabilities.

Vulnerabilities persist because the IRS has not completely implemented its own comprehensive security policies.

Fewer than half of the security vulnerabilities identified by the agency have been resolved, and of those, fewer than one-fifth have actually been mitigated.

"Although IRS had a process in place for verifying whether each weakness had been corrected, this process was not always working as intended," the report stated.

The GAO recommendations for improved security include:

  • Update risk assessments whenever there is a significant change to the system, the facilities where the system resides, or other conditions that may affect the security or status of system accreditation.
  • Revise the risk assessment for the mainframe environment supporting the general ledger for tax-related activities and tax processing applications to include all portions of the environment that could affect security.
  • Update policies and procedures pertaining to password controls to ensure they are consistent.
  • Document and implement policy and procedures for how systems-managed storage as an access control mechanism should be administered, managed, and monitored.
  • Revise the application security plan to describe controls in place in its current mainframe operating environment.
  • Perform comprehensive testing of the key network component considered to be a high-risk system, at least annually.
  • Test the application security for the general ledger system for tax-related activities in its current operating environment.
  • Perform comprehensive testing of security controls over the mainframe environment to include all portions of the operating environment.

A similar lack of access control regarding sensitive information at the Department of Defense led to the release of thousands of classified documents by WikiLeaks late last year.

