IRS Tech Security Lax, Watchdog Agency Says
"Specifically, the [IRS] continues to face challenges in controlling access to its information resources," states the Government Accountability Office in its report published Friday. "For example, it had not always (1) implemented controls for identifying and authenticating users, such as requiring users to set new passwords after a prescribed period of time; (2) appropriately restricted access to certain servers; (3) ensured that sensitive data were encrypted when transmitted; (4) audited and monitored systems to ensure that unauthorized activities would be detected; or (5) ensured management validation of access to restricted areas."
The GAO also notes its audit found the IRS did not always "promptly correct known vulnerabilities" in its systems, saying that "76 out of 105 previously reported weaknesses open at the end of the GAO's prior year audit had not yet been corrected."
Taken collectively, these failings "impair IRS's ability to ensure that its financial and taxpayer information is secure from internal threats," or that it's being "safeguarded from unauthorized disclosure or modification."
The GAO handed the IRS a list of six recommended actions for improvement, including monitoring access control and ensuring appropriate security patches have been applied, and said it would review the actions taken and report back to Congress in the future.
The IRS drew similar criticisms from a GAO audit three years ago.
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.