The Government Accountability Office took the Internal Revenue Service to task in a report Monday, saying the tax agency has not implemented a number of information security protocols related to systems storing taxpayer data.
According to the GAO report, the IRS has failed to integrate multi-factor authentication; restrict access to servers severely enough; ensure sensitive user authentication data were encrypted; and properly limit access to restricted areas.
The audit found that a host of the problems are a result of the agency failing to adhere to its information security plan.
“IRS had not updated key mainframe policies and procedures to address issues such as comprehensively auditing and monitoring access,” the report reads. “In addition, IRS did not include sufficient detail in its authorization procedures to ensure that access to systems was appropriate. Further, IRS had not ensured that many of its corrective actions to address previously identified deficiencies were effective.”
The IRS has taken several lumps from auditors in past 18 months. Last November, the GAO released a report saying the IRS isn’t managing and safeguarding its financial IT systems properly. Last year’s “Get Transcript” hack was a key example cited in a government-wide report that criticized the government on its cybersecurity operations.
An internal watchdog, the Treasury Inspector General for Tax Administration, has also been critical of the agency information security policies. In October 2014, TIGTA found that IRS would not meet the government’s user authentication standards until 2018.
The IRS agreed with the GAO’s recommendations.
You can read the full report here.