GAO Rips IRS Taxpayer Data Security

  /     /     /  
Publicated : 22/11/2024   Category : security


GAO Rips IRS Taxpayer Data Security


Auditors find holes in the federal revenue agencys database access control and security.



A new report from the Government Accountability Office (GAO) ripped into the IRS once again for insufficient access controls, database maintenance, and monitoring necessary to keep taxpayer information safe. The reports findings echo many of the issues seen in database and application security across many large enterprises today, experts say. Released last week, the
GAOs financial audit
(PDF) reported that during the past fiscal year, the IRS still had glaring holes in internal controls over information security, in spite of initiating efforts to address concerns levied by the GAO in past years.
IRS improved several system-level controls, including the encryption of data transferred between some accounting systems, upgrades to critical network devices on the agencys internal network, and strengthening of the architecture of an important financial system to eliminate identified areas of weakness, the report read. However, despite these efforts and enhanced management attention toward controls, a majority of the known weaknesses in the agencys systems and internal network and physical security controls remained unresolved in fiscal year 2011.
According to Don Gray, chief security strategist for Solutionary, an Omaha-based managed security service provider, the IRS isnt special in the fact that it hasnt been able to keep up with regulator demands.
Theyve partially addressed the findings that were found before, and theyve somewhat implemented some controls. Quite frankly, we see that a lot in large organizations, he says. For instance, the IRS has this system it was supposed to put in place to collect and analyze user activity. Theyve got it in a couple of applications, but they dont have it in all the key financial applications. That is something we see time and time again at the corporate level.
Gray says he often sees organizations incorporate monitoring, for instance, on network devices and platforms, but then fail to monitor applications and databases.
On network devices and platforms, thats easy. Everybody can do it on a Cisco device or a Windows OS, he says. Its when you actually get down to wanting to tailor that and give yourself visibility on the applications and database side that it gets hard.
Read the rest of this article on
Dark Reading
.

Last News

▸ Researchers create BlackForest to gather, link threat data. ◂
Discovered: 23/12/2024
Category: security

▸ Travel agency fined £150,000 for breaking Data Protection Act. ◂
Discovered: 23/12/2024
Category: security

▸ 7 arrested, 3 more charged in StubHub cyber fraud ring. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
GAO Rips IRS Taxpayer Data Security