IRS Security Weaknesses Mean COTS Opportunities

by Chris Wiedemann, Senior Analyst

Tax day is tomorrow, but the IRS may have more to worry about than an explosion of last-minute returns: This Tuesday, Government Accountability Office (GAO) released a report identifying the agency’s internal control over financial reporting systems a “significant weakness.” This marks the second year running that the office has commented on material weaknesses in the IRS security posture, and while some progress has been made, there are still three critical areas where COTS vendors could help secure taxpayer data. Specifically, the GAO has called out weaknesses in:

• Configuration management: Although the report indicates that IRS has a patch and configuration management policy in place, it was not effectively documented or universally followed. During the GAO-audited time period, no changes made to the mainframe environment were requested or approved – meaning that, although some patches were being rolled out, they were not documented in IRS systems and were not detected by system monitoring processes. Moreover, critical patches were not installed within the IRS-mandated timeframe to several important servers, including those housing IRS procurement systems.
• Continuous monitoring: Despite working on their enterprise-wide mainframe security monitoring system (Enterprise Security Audit Trails or ESAT) since 2007, IRS is currently unable to deliver automated mainframe security monitoring reports to system owners or stakeholders.
• Identity and access management: Much like their configuration management weakness, IRS’ issues with Identity and Access Management (IAM) can be traced to inconsistent or ineffective implementation of existing policies. Specifically, the GAO has identified weaknesses in password controls (noting that 31 out of 81 mainframe service accounts were configured to never require password changes), as well as weaknesses in access control and role management – many users were given access well beyond “least privilege,” and at least 9 contractors were given mainframe security software user profiles that extended beyond the scope of their current contract.

All told, there are clear opportunities within IRS for vendors who provide any of the technology solutions described above. Furthermore, the underlying issue of compliance with internal and external policies needs to be addressed – COTS vendors who manufacture and sell compliance tools should find a willing audience within IRS’ cybersecurity group.