From the U.S. Government Accountability Office, www.gao.gov

Transcript for: AskGAOLive Chat on IRS Securing Financial and Taxpayer Data
Description: Online video chat with Gregory Wilshusen, Director, Information Technology
Related GAO Work: GAO-14-405: Information Security: IRS Needs to Address Control Weaknesses That Place Financial and Taxpayer Data at Risk
Released: April 2014

[First Screen] Ask GAO Live

>>[ Background Music ] Welcome to Ask GAO Live.

>>Good afternoon and welcome to AskGAOLive, the Government Accountability Office's live-streaming video program. Thank you so much for tuning in and joining us today. My name is Sarah Kaczmarek. I'm in our Office of Public Affairs. I'm joined today by Greg Wilshusen, a director in GAO's Information Technology team. Greg, thanks so much for joining us.

>>Thank you for having me, Sarah.

>>Always a pleasure. Today we're going to be talking about a report that Greg's team recently did on IRS's securing financial and sensitive taxpayer data. To find the report, you can look on our website [ Screen: GAO.gov website ], it's GAO.gov, under reports and testimonies for the reports that came out on the 8th. The report number is GAO-14-405 [ Screen: GAO.gov website and report number GAO-14-405 ]. You can also look for the report by searching for it on our website [ Screen: Screen shot of online highlights for GAO-14-405 ] and, again, the report number is GAO-14-405. So, Greg, before we get started, could you tell us a little bit about yourself and your work at GAO?

>>I'd be happy to. I have the distinct honor and pleasure of leading a group of highly-talented analysts and specialists in reviewing information security issues across the federal enterprise. The scope of our work can include anything from conducting studies of issues related to the protection of critical infrastructure throughout our whole nation, to examinations of specific issues related to information security across the federal government as a whole, to looking at agencies' information security programs, and to include examining the security controls over specific systems.

>>Thanks, Greg. And could you also give us an introduction to our topic today, how well IRS is securing financial and our sensitive taxpayer data?

>>Certainly. This audit is, was conducted as part of our audit of IRS's financial statements. And this is an audit that we've been performing for at least the last 17 years. In this review, we help our financial auditors evaluate internal control over the financial systems by performing various different procedures and audits over IRS's information tax processing systems and their financial information.

>>Let me ask you then as we get started, does IRS have effective information security measures in place to protect financial and taxpayer information?

>>Well, they've spent a lot of money and effort in trying to improve the security over their systems and taxpayer financial information. They, over the last couple years, they've made significant progress in protecting that, but what we found as part of our audit is that there is still much more that needs to be done. We've identified weaknesses in a number of different areas, and made some recommendations related to those weaknesses.

>>Thanks, Greg. And we've got our first question here over e-mail. The e-mail comes in from Chris, and Chris would like to know, how safe is my tax data?

>>Well, that's an excellent question, Chris, and probably one that many viewers and listeners have today. We've noted that IRS has implemented many controls that are intended to protect your information, but we also noted, this is actually that we reported in a report back in December on federal data breaches, that IRS, in fiscal year 2012, had about 3,700 incidents involving personal information where information might have been leaked or compromised, but it should be noted that most of those incidents were inadvertent, one-on-one types of incidents, for example, IRS mailed out information or taxpayer personal information to the wrong addressee, for example. But relative to their information systems and its security, IRS has made a number of improvements in securing those systems, but, as we note in our report, there are still a number of vulnerabilities that place taxpayer information at risk.

>>You mentioned that they do have some controls in place. Could you give us a couple of examples of what those controls are?

>>Sure. IRS has implemented a number of different what we call access controls, which are intended to prevent, limit, and detect access, unauthorized access, to taxpayer systems, and taxpayer information. And these include, for example, passwords and firewalls, and audit mechanisms to try to deter or to detect, and then to prevent unauthorized access. In addition, it also configures many of its systems to, to allow for greater security over the information, and so while they've implemented a number of, of controls to help protect information, there are a number of vulnerabilities.

>>We have a really good follow-up question for this that came in over e-mail from Sam, and Sam would like to know, based on the weaknesses that you identified in the report, is IRS prone to hacking?

>>That's an excellent question, Sam, and, indeed, what we had noted is that we did not identify any specific incidents of a hack during our audit, but the focus of our audit was not actually examining controls over external hacking, rather the focus of our audit was evaluating and focusing on the threats emanating from within IRS, and what we found is that the weaknesses that we identified relative to access controls, configuration management, and the controls over its mainframe computers, for example, could lead to individuals within IRS to, to elevate their access privileges, which could allow them to gain unauthorized access to information. Those same control vulnerabilities could also help and facilitate an external hack, hacker who happens to penetrate into IRS's systems, and also furthering its aims to gain access to unauthorized information.

>>I'm going to turn now to our first question that came in over Twitter, and Amanda sent in a question over Twitter and she would like to know, has a special prosecutor investigated IRS's data security?

>>Not that we know of. As I, what we have done, there are a number of different groups that do review information security at IRS, in addition to GAO, which we examine their security on a regular basis as part of our annual audits there, the Treasury IG for tax administration also examines computer security at the Internal Revenue Service, but as far as a special prosecutor, I have no knowledge of that occurring.

>>Okay, thanks, Greg. I'm going to go to a question now from Peter over e-mail, and Peter wants to know, what does it mean when we say IRS has a significant deficiency related to internal control, and how does that relate to information security?

>>That's an excellent question, or two questions, Peter. I'll answer the first one first. And that is a deficiency exists when the control, or the design and operation of a control does not allow either IRS management or employees, in the normal course of performing their functions, to either prevent or detect and correct its, misstatements on a timely basis. A significant deficiency is one that where a deficiency or a collection, a combination of deficiencies is less severe than a material weakness, but, nonetheless, requires and warrants the attention of management that's in charge of governance at the organization. So it's a much higher level threshold of, of risk associated with those weaknesses than a regular deficiency. And the second part of the question is how does that relate to information security? As part of a financial statement audit, GAO is responsible for opining and, on the internal control implemented by an organization, over its financial reporting processes. Of course, in today's environment, just about all financial information is processed by, by information systems, IT systems, and, and data in the electronic format, so we have to examine the security controls over those systems in order to be able to review the, and opine on the internal control over financial reporting. And so consequently, we looked at those types of controls that are intended to protect the data and systems at the IRS.

>>We've got an interesting question here from Linda over e-mail who's sort of asking about IRS's report card in our point of view. Her question is, GAO continues to find and report on information security control deficiencies at IRS year after year. What's preventing IRS from getting a better report card from us?

>>Well, Linda, that is also a very good question. And, indeed, this is, as you note, IRS has had long-standing challenges in adequately protecting its information. What we've noted is that IRS's computing environment is highly complex and it changes on a regular basis. You know, it's responsible for processing over 241 million returns on an annual basis, and helps to collect nearly, I think, nearly $3 trillion in taxes, and as a result, its systems are very complex, and several of them are quite old, even though IRS is in the process of updating their information systems, but one of the key issues that we also have found is that IRS has not yet fully implemented all aspects of its information security program, and until it does that, to include ensuring that it appropriately assesses risk, tests and evaluates its controls, and promptly addresses known vulnerabilities, it will continue to have difficulties in protecting its information.

>>Certainly a lot of data that IRS has to protect and go through. We have an interesting question here from Twitter from @GovBizCouncil, and @GovBizCouncil would like to know, how can IRS use big data to better secure tax data?

>>That's a very good question, and that's one that we, I must say we haven't fully addressed as part of our audit over the existing systems that IRS has, and is using to process its financial reporting. That may fall more closely into some of its other operational procedures and processes, the focus and objective of our review was to assess the security controls over the financial systems that, and information that are used to develop and prepare the agency's financial statements. So that particular issue, I'm sorry to say, was not included in the scope of our review.

>>Well, let me ask you, Greg, we've talked about a lot of weaknesses here, and what did your team find as some of the main reasons for these weaknesses?

>>Well, one is that IRS's security, testing, and evaluation processes were not that thorough or comprehensive, in that it didn't identify many of the control weaknesses that we identified or, and, and that's something that IRS, we've been, needs to improve on, it's something that we've been reporting on for a number of years. In addition, IRS has had challenges in actually correcting vulnerabilities that we have identified as part of our annual audits, even though they are making strides in this respect, for example, this past year, they corrected 42, or implemented 42 of the 91 recommendations that we had unresolved as a result of our last audit. In addition, 6 other recommendations that we made were more or less mitigated because of changing conditions at the IRS in terms of their environment where they modified certain systems. But at the same time, we've noted that there are 23 new ones that we're reporting as well. And then that also leaves about 43 recommendations that, from our last audit, that IRS needs to resolve.

>>Well, can you talk a bit more about these recommendations, are they from previous reports or this report, what are some of the main things that you're looking for IRS to do?

>>One is to improve its access controls over its information, information systems to improve, for example, its controls in identifying and authenticating users. We know that in many instances, passwords were not very strong, and, and for contractors, which IRS relies upon, they granted access to contractors beyond the point at which the contract terminates. And one of the key principles in information security is to limit access to the level necessary to perform one's duties, so once that access is no longer needed, that access, user IDs, should be cancelled to prevent someone from coming back in and accessing after they no longer have a need. In addition, we've recommended that IRS takes additional steps to improve the patching over its various different servers and databases to ensure that known vulnerabilities are promptly addressed. Unpatched systems and software are one of the key avenues that hackers and others use to try to gain unauthorized access.

>>That was a really helpful explanation of some of the key recommendations we're looking at in this report. I want to remind folks how you can continue to send in your questions and thanks again to everyone who has sent in your questions. You can send them in on e-mail to askgaolive@gao.gov, and for those of you on Twitter, you can send them in using the hashtag, #askgaolive. So thanks for your questions, and please do keep sending them in. I'm going to go to our next question now over e-mail, the question comes from Melissa, and Melissa says GAO's reporting that because of information security control deficiencies at IRS, the agency's financial and taxpayer data is vulnerable to inappropriate or undetected use, modification, or disclosure, what steps does IRS need to take to reduce some of these risks?

>>Well, IRS can take a number of steps, Melissa. For example, one of the things that we've recommended is that it fully implements its information security program. IRS has a number of pretty good policies and procedures in place, but it doesn't consistently implement them on a regular basis. Another key one is in addition to the current policies and procedures, we noted that they also need to update some of their policies and procedures as it relates to governing access to mainframe computers. These computers are where much of the taxpayer information and financial information of the department and of the agency is located. So, adequately having strong policies and procedures over access to those systems will help if those controls are appropriately implemented. Another key control that needs to be performed by IRS is to take prompt actions to resolve known vulnerabilities. This is one of the continuing weaknesses that we have identified over the years and it remains an issue with IRS today. But very good question, Melissa.

>>Well, we have an interesting question from Corey over e-mail getting at the scope of the report, and Corey would like to know, why is the scope of your report limited to only key financial and taxpayer processing systems?

>>That's a very good question, Corey, and the answer is because that's our objective, as part of a financial audit is to examine the security controls over the financial systems and information. Clearly though, IRS has a number of other very important programmatic and operational systems that could also impact the security over taxpayer information, as well as other programmatic information that IRS may have such as investigations and, and other, and other types of data that they maintain, the Treasury IG for tax administration often will examine the security controls over those types of systems as part of its regular program of audits. But for GAO, our work is just limited strictly to the audits of financial systems and information.

>>Well, we have another question about the audit itself. Elyse asks over e-mail, why does GAO audit the IRS every year?

>>Because IRS, well first of all, Elyse, the, the reason is because GAO is mandated by law to audit the consolidated financial statements of the United States government, and at our prerogative, we choose to audit IRS's financial statements because of the materiality of the operations at IRS to the overall consolidated financial statements. Basically that they, they collect and process almost 90 percent of the entire revenues to the U.S. government, so because of its materiality to the overall consolidated financial statements, we choose to audit the IRS's financial statements as part of that. And as a part of that, we then examine the security controls over their financial systems on an annual basis.

>>Let me ask you, how many years has GAO been doing these audits and what are some of the major changes or differences you've seen over the years?

>>Well, we've been auditing IRS ever since I've been at GAO, which is going on 17 years now, and so, ever since 1997, which, when I first came here, we've been auditing IRS's financial statements and their information security controls. IRS has made some progress over the years. When I first started out, many of the security controls and systems were being managed and maintained by, at each of the local service centers and computing centers. Over the years, IRS has consolidated and centralized the management of many of their systems, and that has helped it lead to more consistent and standardized management and security over those systems, and so that's been one of the improvements that has been made over the years. In addition, IRS is in the process of, of developing and implementing a continuous monitoring capability, and that too, if it's effectively designed and implemented, will further improve its ability to protect systems, but at the same time though, we've, IRS has had long-standing challenges in, in securing its information systems based on a number of the factors which I discussed earlier, but, you know, include relative to their access controls, testing their controls on a regular basis, and acting upon those test results to improve the security.

>>Our next question comes from Natasha over e-mail, and Natasha would like to know, what type of criteria or standards or sort of benchmarks does GAO use to measure whether the IRS is meeting its information security goals?

>>That's a, Natasha, we use a number of different criteria to manage in, our work, and, and what we use to measure IRS against. Some of it is IRS's own policies and procedures. IRS has done a pretty good job in terms of identifying standards for securing various different systems, and we use that to evaluate how well they actually implement those policies and procedures. We also use guidelines and standards from the National Institute of Standards and Technology, or NIST. NIST has statutory authority for developing federal and government-wide policies and standards for protecting information systems. So we use criteria that they have developed and published in various different special publications and standards. And so that's pretty much the criteria that we use in addition to the specific criteria that vendors may establish in terms of securing their specific products or operating systems that may be used at the IRS. So we look at the security settings that vendors recommend to appropriately and securely configure their devices and software as another source of criteria.

>>Well, definitely an interesting about criteria, and now turning back a little bit to the recommendations, we have a question from Catherine over e-mail, it's a really interesting question, Catherine would like to know how long and how much money would it take for IRS to implement effective information security? You know, what would it take for them to address all the recommendations in our report?

>>And that is an excellent and interesting question. One thing we don't really do that much is actually assess the budgets and the actual cost of implementing some of the controls. What we do look at and, indeed, many of the security controls that we recommend IRS implement really wouldn't cost much in the way of additional budgeting or, or dollars, because it's primarily making sure that existing systems are appropriately and securely configured. In certain instances, IRS do, or does need to acquire additional capabilities, such as with monitoring and, and detecting incidents to help it in that respect, but for the most part, in terms of the budgeting, we, I can't really give you a good answer in terms of how much it would cost to do that.

>>We have an interesting question here from Andrew over e-mail, and Andrew is asking about the Federal Information Security Act of 2002, and Andrew would like to know, is IRS required to follow what's set out in the Federal Information Security Act of 2002? And if so, what's required under this law?

>>Okay, well, FISMA, which is the Federal Information Security Management Act of 2002, is, IRS does, does adhere to the provisions of FISMA, even though within the law it's the head of each agency that has, or each department, that has responsibilities under that law, which, in this case, would be the Department of Treasury, because IRS is a component of the Department of Treasury, but indirectly, IRS does implement and follow the provisions of FISMA. And what FISMA requires is for agencies to implement an agency-wide information security program that is to ensure 8 different components. And these components include developing, documenting, and implementing procedures for assessing their risks, developing policies and procedures based on those risks that cost-effectively reduce risks to an acceptable level, that they develop system security plans, some subordinate security plans that identify the controls that need to be implemented on, on their systems and networks, that they provide appropriate training to their individuals to make sure that they're aware of their responsibilities in protecting their systems and information, and also for detecting, responding to, computer security incidents. In addition, agencies under this program are responsible for testing and evaluating their, the security over their systems on a regular basis, but no less than annually, and also then to take remedial actions to correct known vulnerabilities. And finally, the eighth component is that agencies should develop procedures to ensure the continuity of operations in the event of a service disruption.

>>Amazing that you have all of that so well in mind [laughing].

>>Well, we use it on a daily basis.

>>I would imagine! We have a really interesting question here from Ben over e-mail, and Ben would like to know, what do you see as the biggest sort of most important information security weakness?

>>At the Internal Revenue Service, Ben? I would say that one of the key things that they need to do is improve, strengthen, and bolster their access controls. This is an issue that we've been reporting for years, but particularly into strengthening the controls over their passwords, to implement a multifactor authentication whenever possible, because that would help to improve the password, or actually the ability to assure that individuals are who they claim to be. In addition, the, assuring that individuals only receive the level of access necessary to perform their jobs and no more. We often find that IRS grants excessive access permissions to individuals. Another key access control relates to just assuring that their auditing and monitoring capabilities are up to snuff. We noticed, for example, that IRS's monitoring capabilities, particularly over its mainframe computing environment, have been deficient, so, clearly, that would be one of the key issues to address as well.

>>Let me ask you, is IRS alone in these issues or are other large federal agencies facing the same types of challenges here?

>>Well, sadly, yes. Just about most of the federal agencies face issues related to securing their systems. You know, just, for example, 18 out of the 24 CFO Act agencies, and these are those major departments and federal agencies within the government, have reported either a significant deficiency, like IRS, or material weakness in their information security controls for financial reporting purposes, and material weaknesses are even worse than significant deficiencies. And so, it's, and also like 21 out of the 24 IGs at these agencies have also identified information security as a major management challenge. So, unfortunately, the fact is that most federal agencies experience challenges in implementing and securing their information, information systems.

>>Well, finally, I have to ask as we all get ready to file our individual tax returns later this month, what do you see as the bottom line of this report?

>>Well, the bottom line of this report is that IRS continues to make significant progress in improving the security over its systems, and the protection over taxpayer data, but at the same time, much more needs to be done. We noted that IRS needs to take several actions, and until they take actions to update their policies and procedures, remediate known vulnerabilities, and improve the testing over their systems, that taxpayer information and their financial systems will remain at unnecessary risk of unauthorized access, disclosure, or modification.

>>Well, Greg, thank you so much for taking the time to join us for another AskGAOLive Chat.

>>Well, thank you for having me, it's been a pleasure.

>>Absolutely. And thank you everyone who tuned in today to watch and view our chat, and thanks especially to those of you who sent in your questions and comments, we really appreciate it. For any feedback on this chat [ Screen: AskGAOLive@gao.gov, www.gao.gov, facebook.com/usgao, twitter: @usgao, blog.gao.gov; ], you can send that to askgaolive@gao.gov, and for more from the Government Accountability Office, you can stay connected with us online at gao.gov. We're on Facebook at Facebook.com/USGAO. We're on Twitter @usgao. We're on LinkedIn also, and we recently launched a blog at the beginning of the year. You can find that at blog.gao.gov, and you can even subscribe to get the latest blog posts right from the homepage there. So, thanks everyone again for tuning in, we really appreciate it, and we hope you tune in again next time.

[Background Music] [ Screen Shot and Audio ]

>>Thanks for watching AskGAOLive.

[ Screen Shot and Audio ] AskGAOLive

>>Stay connected with GAO for information about future AskGAOLive chats.

[ Music ]