IRS Struggles with Security Issues

This is not a good time for the IRS. Americans are starting to pull together paperwork to file tax returns, some of the presidential candidates want to shut down the agency, and now the Government Accounting Office (GAO) has issued a scathing report on security problems at the IRS. Government Executive is reporting:

A new GAO report released Tuesday (GAO-08-211) states that the agency corrected or mitigated 29 of the 98 information security weaknesses highlighted at the time of GAO's last review in 2007. Among other findings, the IRS failed to consistently enforce strong password management for identifying users, authorize user access according to job functions, encrypt sensitive data, monitor changes on the mainframe computer server that supports the agency's general ledger for tax administration, and physically protect computer resources. That, combined with failure to implement internal controls and system configuration policies, continues to threaten financial and taxpayer information, according to the report.

That list of failures sounds like a substantial portion of the list of things we all need to do. I can't help but think of the fallout from the TJX breach. What if there were such a sizable breach at the IRS? Actually, the biggest concern I see with this episode isn't so much what isn't working, it's what isn't working but the IRS thinks is working:

Also of concern to GAO were incorrect reports from the IRS about steps made to improve information security. "Our objective was to follow up on previously reported weaknesses to see progress," Wilshusen said. "Interestingly, they reported several weaknesses as being mitigated, but when we went in to do our follow-up exam, [we] found [they] had not been corrected." Wilshusen could not specify which vulnerabilities the IRS erroneously claimed to have been dealt with, saying that release of specific information could spur malicious attacks against its networks.

While the IRS has made progress in a number of areas, there are clearly problems, and it is not alone:

"The guys at GAO are wonderful, but this report could have been written every year for the past eight years -- at least -- and for nearly every agency," said Alan Paller, director of research at the SANS Institute, a nonprofit cybersecurity research organization in Bethesda, Md.

Dan Sullivan's Bio:

Dan Sullivan is a systems architect with 20 years of IT experience that includes engagements in enterprise security, application design, and systems architecture. His experience includes a broad range of industries, including financial services, manufacturing, government, retail, gas and oil production, power generation, and education. Dan’s security-related project work has ranged from requirements analysis for enterprise information security to designing and implementing security for database applications and enterprise portals. Dan has written about information security and other enterprise information management topics for Business Security Advisor, DM Review, Intelligent Enterprise, and E-Business Advisor. You can contact Dan at: dan_sullivan@realtimepublishers.net