Appendix IMaterial Weaknesses, Significant Deficiency, and Compliance Issues Page 101 GAO-11-142 IRS’s Fiscal Years 2010 and 2009 Financial Statements IFS18 servers, decreasing the risk
Trang 1Appendix I
Material Weaknesses, Significant Deficiency,
and Compliance Issues
Page 101 GAO-11-142 IRS’s Fiscal Years 2010 and 2009 Financial Statements
(IFS)18 servers, decreasing the risk that known vulnerabilities may be exploited; (2) discontinued the use of unencrypted protocols on the servers supporting its procurement system, decreasing the risk that malicious users could capture sensitive information; and (3) limited access to certain key financial documents used for input into IFS, decreasing the risk that users could intentionally or unintentionally corrupt data
Despite these actions, most of the previously identified weaknesses in internal control over information security remain unresolved and continue
to place IRS systems at risk For example, IRS continued to allow
individuals more access to sensitive information contained on the network than needed to perform their assigned duties In addition, IRS had not completed actions to address a vulnerability in its procurement system that allowed users to enter commands that bypassed normal application security controls Further, at one data center, visitors continued to be provided unnecessary access to secured areas
During our fiscal year 2010 audit, we identified additional deficiencies in internal control over information security that, along with previously identified deficiencies that remain unresolved, continued to jeopardize the confidentiality, integrity, and availability of information processed by IRS’s key systems, and increased the risk of material misstatement for financial reporting For example, the database associated with the online system IRS used to support and manage its computer access request, approval, and review processes was not appropriately secured Weak control of powerful database IDs and insecure configurations reduce the confidence in the integrity of individuals’ access privileges assigned to key IRS systems In addition, IRS had not appropriately restricted permissions on the database that supported an application used for cost allocation of rent-related data, allowing database users to run operating system commands Also, IRS used unencrypted protocols on a server supporting the Electronic Federal Tax Payment System (EFTPS)19 and several internal routers, potentially
exposing user IDs and passwords transmitted in clear text across the
18
IFS is IRS’s administrative accounting system, which IRS uses to facilitate core financial management activities, including general ledger, budget formulation, accounts payable, accounts receivable, funds management, cost management, and financial reporting IFS does not process or report IRS’s tax related transactions, including tax revenues, tax refunds, and taxes receivable.
19
The Electronic Federal Tax Payment System (EFTPS) is a tax payment system provided free by the U.S Department of the Treasury, through which businesses and individuals can pay federal taxes electronically via the Internet or by phone
This is trial version
www.adultpdf.com