GAO Reports  
AIMD-97-49 April 08, 1997

IRS Systems Security: Tax Processing Operations & Data Still at Risk Due to Serious Weaknesses

Pursuant to a congressional request, GAO reviewed the Internal Revenue Service's (IRS) computer security, focusing on whether IRS is effectively: (1) managing computer security; and (2) addressing employee browsing of electronic taxpayer data.

GAO noted that: (1) over the last 3 years, GAO has reported on a number of computer security problems at IRS and has made recommendations for strengthening IRS' computer security management effectiveness; (2) nevertheless, IRS continues to have serious weaknesses in the controls used to safeguard IRS computer systems, facilities, and taxpayer data; (3) GAO's recent on-site reviews of security at five facilities disclosed many weaknesses in the areas of physical security, logical security, data communications management, risk analysis, quality assurance, internal audit and security, security awareness, and contingency planning; (4) for example, the five facilities could not account collectively for approximately 6,400 missing units of magnetic storage media, such as tapes and cartridges, which could contain taxpayer data; (5) in addition, printouts containing taxpayer data were left unprotected and unattended in open areas of two facilities where they could be compromised; (6) also, none of the facilities visited had comprehensive disaster recovery plans, which threatens the facilities' ability to restore operations following emergencies or natural disasters; (7) one area of unauthorized access that has been the focus of considerable attention is electronic browsing of taxpayer data by IRS employees; (8) despite this attention, IRS is still not effectively addressing the problem via thorough employee monitoring, accurate recording of browsing violations, or consistent application and publication of enforcement actions; (9) for example, IRS currently does not monitor all employees with access to automated systems and data for electronic browsing activities; (10) in addition, when instances of browsing are identified, IRS does not consistently investigate them or publicize them to deter others from browsing, and does not consistently punish browsers; and (11) until these serious weaknesses are corrected, IRS runs the risk of its tax processing operations being disrupted and taxpayer data being improperly used, modified, or destroyed.
