
[ISN] GAO: IRS security is weak

Subject: [ISN] GAO: IRS security is weak
Date: Mon, 27 Mar 2006 03:18:21 -0600 (CST)
http://www.fcw.com/article92737-03-24-06-Web

By Matthew Weigelt
Mar. 24, 2006 

Taxpayers' financial and personal information remains at risk because
the Internal Revenue Service has not yet strengthened its information
security measures, according to a new Government Accountability Office
report.

The IRS fixed 41 of the 81 faults GAO discovered last year, the report
states. Nevertheless, "GAO identified new information security control
weaknesses that threaten the confidentiality, integrity and
availability of IRS' financial information systems and the information
they process," according to the report, which was released today.

The IRS has not established effective electronic access controls
related to network management, user accounts, file permissions and
logging and monitoring of security-related events, the report states.  
The agency has also failed to install other controls to secure
computers physically.

"Collectively, these weaknesses increase the risk that sensitive
financial and taxpayer data will be inadequately protected against
disclosure, modification or loss, possibly without detection, and
place IRS operations at risk of disruption," the report states.

GAO recommends that the IRS align policies related to password age and
configuration settings with federal guidelines, review system security
plans, give specialized training to contractors, and update emergency
action plans.

For emergency plans, the report suggests training non-IRS staff
members to restore operations and updating disaster recovery plans. It
also recommends installing UNIX-based hardware and equipment for
processing applications and data at the IRS' disaster recovery hot
site, an alternative processing place to use in an emergency. Until
the agency acts on these recommendations, "it is at risk of not being
able to appropriately recover in a timely manner," the report states.

IRS Commissioner Mark Everson expressed agreement with GAO's
assessment in a Feb. 27 letter to GAO's director of information
technology, Gregory Wilshusen.

"Because the IRS' solution extends beyond the specific findings and
addresses the root cause of the weaknesses at an enterprisewide level,
a majority of the weaknesses remain open," Everson wrote. "However, as
a result of this agencywide approach and other initiatives we have
under way, the IRS now has stronger controls to protect taxpayer
data."

He said IRS officials share the responsibility for IT security.


