Taxpayer data is vulnerable to inappropriate use, modification or disclosure, perhaps without being detected, according to a new government report that found problems with the Internal Revenue Service’s technology for configuration management and identity and access management.

The report, from the Treasury Inspector General for Tax Administration, reviewed the IRS’s compliance with the Federal Information Security Management Act, of FISMA, and found the agency to be compliant in most areas. However, it cautioned that until the IRS takes steps to fully implement all 11 security program areas covered by FISMA, taxpayer data will remain vulnerable.

Under the FISMA legislation, the Offices of Inspectors General are required to perform an annual independent evaluation of each federal agency’s information security programs and practices. The report released Monday by TIGTA presents the results of its FISMA evaluation of the IRS’s information security program for fiscal year 2013.

Based on the evaluation, TIGTA found that nine out of 11 security program areas were generally compliant with the FISMA requirements. In addition, six of the nine security program areas included all of the program attributes specified by the Department of Homeland Security’s fiscal year 2013 Inspector General Federal Information Security Management Act Reporting Metrics, including continuous monitoring management, risk management, a plan of action and milestones, contingency planning, contractor systems and security capital planning.

Three of the nine security program areas, while generally compliant, were not fully effective due to one program attribute that was missing or not working as intended. These areas were incident response and reporting, security training, and remote access management.

However, two of the 11 security program areas were not compliant with FISMA requirements and did not meet the level of performance specified by the DHS’s FY 2013 Inspector General Federal Information Security Management Act Reporting Metrics due to the majority of the DHS-specified attributes being missing or not working as intended. These were in the areas of configuration management and identity and access management.

TIGTA did not include recommendations in the report, and no response from the IRS was included either.

Register or login for access to this item and much more

All Accounting Today content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access