[ISN] IRS rife with security weaknesses

From: InfoSec News (isnat_private)
Date: Mon Jun 02 2003 - 23:20:21 PDT

    http://www.fcw.com/fcw/articles/2003/0602/web-irs-06-02-03.asp
    
    By Diane Frank 
    June 2, 2003
    
    Critical information security weaknesses at the Internal Revenue
    Service demonstrate the importance of moving past the development of
    an information security program to actually implement the measures
    outlined in the plan.
    
    The General Accounting Office found almost 900 weaknesses across the
    11 IRS organizations included in its review, particularly in the areas
    of access and authorization. All of the weaknesses can be traced to
    IRS' incomplete implementation of its agencywide security program,
    according to the report dated May 30.
    
    The IRS has made progress toward addressing security, including
    developing a milestone-based plan to fix vulnerabilities -- a step
    required by the Office of Management and Budget under the Government
    Information Security Reform Act of 2000 and continued under the
    Federal Information Security Management Act of 2002.
    
    The tax agency also has increased the number of resources and people
    devoted to information security and created an around-the-clock
    incident response team.
    
    But the many weaknesses that still exist and the lack of an agencywide
    process to identify and address future vulnerabilities leave sensitive
    personal data open to unauthorized users.
    
    "Such individuals could possibly obtain personal taxpayer information
    and use it to commit financial crimes in the taxpayer's name (identity
    fraud), such as establishing credit and incurring debt," the report
    states.
    
    Beyond the need to meet all of the standard requirements, such as
    performing risk assessments and certifying and accrediting systems,
    GAO also strongly recommended incorporating accountability for
    security controls into employee performance appraisals.
    
    "Until such performance standards and measures are developed and
    incorporated into the appraisal process, agency personnel may not
    devote sufficient attention and effort to implementing effective
    security controls," the report states.
    
    In a written response to GAO, new IRS Commissioner Mark Everson said
    that his agency plans to address each of the report's recommendations
    this year, although incorporating security into performance appraisals
    will have to wait until fiscal 2004 because of legal constraints.
    
    
    
    


