The IRS, caught in a thicket of IT security problems, is hoping to be mostly out of the woods by fall.
The agency's shortcomings in cybersecurity management put taxpayer and other financial data at risk, the Government Accountability Office said in a recent report.
"Until IRS fully implements a comprehensive agencywide information security program, its facilities and computing resources and the information that is processed, stored and transmitted on its systems will remain vulnerable," said Gregory Wilshusen, director of GAO's information security issues.
GAO again will review the IRS's progress in securing its systems this summer, Wilshusen said.
"Most weaknesses we identified were management-related issues in terms of how IRS configured systems and assured that established procedures were followed," Wilshusen said. "Managing the security risk is the key to securing your systems."
The IRS already is fixing the vulnerabilities and anticipates having most problems corrected by September, a Treasury Department official said.
By then, officials said, they expect to have certified and accredited all systems to comply with the Federal Information Security Management Act.
"The IRS anticipates significantly improved performance in this summer's FISMA annual systems security review," said Arnold Havens, Treasury's acting deputy secretary, in a response to GAO earlier this month.
Treasury received a D+ as its most recent overall FISMA grade, and IRS systems constitute the bulk of Treasury's systems.
"Completing certification and accreditation will be a big step forward for the IRS," said a spokesman for House Government Reform Committee chairman Tom Davis (R-Va.).
Certification and accreditation lets agencies assess controls for each system and lets management sign off on acceptance of risk and authorize system operations. "But it does not necessarily mean that a system is secure," Wilshusen said.
"Other threats could emerge, new vulnerabilities could be identified and changes could occur in the operating environment that would not necessarily be covered by certification and accreditation," he said.