[ISN] GAO Report Targets IRS Security Weaknesses

From: InfoSec News (isn@private)
Date: Tue Nov 18 2003 - 04:11:57 PST


    http://dc.internet.com/news/article.php/3109851
    
    By Roy Mark 
    November 17, 2003
    
    The Internal Revenue Service (IRS), and other Department of Treasury
    agencies, continue to have "material weaknesses" in security controls
    designed to protect the confidentiality, integrity and availability of
    their systems, a new General Accounting Office (GAO) report concludes.
    
    According to the GAO, the investigative arm of Congress, the security
    weaknesses and inconsistent implementation of security controls exist,
    in part, because Treasury's department-wide program, "while
    evolving, has not yet been fully institutionalized across the entire
    department."
    
    Treasury's bureaus have 708 information systems supporting its
    operations with a centralized data communications network and
    management system interconnecting networks and systems at the bureaus
    and departmental offices.
    
    "Protecting the computer systems that support critical operations and
    infrastructures has never been more important because of concerns
    about attacks from individuals and groups with malicious intent,
    including terrorists," the report states. "These concerns are well
    founded for a number of reasons, including the dramatic increase in
    reported security incidents, the ease of obtaining and using hacking
    tools, the steady advance in the sophistication and effectiveness of
    attack technology, and the dire warnings of new and more destructive
    cyber-attacks to come."
    
    Since 1997, GAO audits have discovered "persistent computer security
    weaknesses" that place a variety of critical federal operations at
    risk.
    
    "It remains so today," the report states.
    
    The security weaknesses identified at Treasury include all six general
    control areas addressed in the GAO's information security audit
    methodology, including security program management, access controls,
    software development and change controls, segregation of duties,
    operating systems controls, and service continuity.
    
    Security problems were further compounded earlier this year when
    Treasury underwent significant organizational change with several
    departments transferred to the newly created Department of Homeland
    Defense and the Department of Alcohol, Tobacco and Firearms moving to
    the Department of Justice.
    
    During a three-year period ending in July 2002, the GAO conducted 14
    information security reviews at 11 IRS tax processing facilities
    throughout the country. The reviews identified 765 general control
    weaknesses. In addition, the GAO conducted five application control
    reviews and found 112 weaknesses.
    
    "While the majority of general control weaknesses identified fell into
    the area of logical access controls, weaknesses in physical security,
    software change controls, segregation of duties, and service
    continuity also posed significant risk to IRS systems and taxpayer
    information," the report states.
    
    The report notes that while Treasury has taken the initial steps
    necessary to implement a department-wide information security program,
    key elements of such a program -- those needed to help mitigate
    Treasury's longstanding information security weaknesses -- have not
    been fully implemented.
    
    The report concludes, though, that "Until Treasury can fully implement
    its department-wide program and adequately mitigate known weaknesses,
    increased risk exists that individuals could gain unauthorized access
    to critical hardware and software, and intentionally or inadvertently
    use, disclose, disrupt, modify, or destroy sensitive data or computer
    programs."
    
    The GAO prepared the report at the request of Representatives Adam
    Putnam (R.-FL) and William Lacy Clay (D.-MO), the chairman and ranking
    member of the House Government Reform Committee's Subcommittee on
    Technology, Information Policy, Intergovernmental Relations and the
    Census.
    