Advances in information technology have caused the daily activities of the Internal Revenue Service (IRS) to become increasingly automated and inter-linked. These advances, while improving efficiency, have also increased the risk that hackers or dishonest employees could misuse taxpayer data. Recent events have demonstrated the risk of hackers gaining inappropriate access to other government agencies and private businesses. Malicious acts by employees present an even greater risk since they already have access to data via networks. The Houston District has over 800 employees connected to its Windows NT local area network (LAN), approximately 150 of whom have access to taxpayer information through the Examination Returns Control System (ERCS).

The overall objective of this review was to determine whether the Houston District has effective security controls over its computer systems to safeguard information against unauthorized access or use, disclosure, damage, modification, and loss. We reviewed controls over the District’s LAN with emphasis on the ERCS to help define our scope and demonstrate the impact of security weaknesses. This review was part of a series of reviews initiated to assess the overall effectiveness of security controls over the IRS’ information systems.

The District has various computer security controls in place which reduce the risk, to some degree, of unauthorized access and destruction of data. For example, logical access controls, such as user identification and passwords, were properly set up at the minicomputer and LAN level, and logical access to sensitive system areas, such as the ERCS, was correctly limited. In addition, physical access to the working area and computer facilities was properly restricted. However, additional steps in the following areas can further strengthen the computer security program.

Following prescribed controls can reduce information systems security weaknesses in the following three areas:

• User Account Management: The level of system access was inappropriate for several users. Special capabilities to research the ERCS had been granted to 41 Examination employees, 30 of whom, in our opinion, had no need for it. Those employees had the capability to run production reports by group and by employee. The use of such reports for evaluative purposes is specifically prohibited by law and IRS policy. We were unable to determine if evaluative production reports were actually generated because controls were insufficient to detect this activity.

• Security Surveillance: Activity logs (audit trails) were deactivated on some minicomputers. When audit trails were run on other minicomputers and the LAN, there was no indication they had been reviewed. Essentially, the District did not use audit trails to detect improper activity on its computer systems.
• Physical Security: There was no library log to record the removal and return of computer tapes. Also, access to the library was not sufficiently restricted.

The Chief Information Officer and IRS executives responsible for systems in the Houston District need to take steps to address the specific weaknesses identified in this report. Actions management should take include: allowing only appropriate system permissions and monitoring the use of the permissions; ensuring system access is promptly removed for departing employees; training and monitoring responsible employees on performing audit trail reviews; and reinforcing backup tape inventory controls.

Management's response was due on July 10, 2000. As of July 18, 2000, management has not responded to the draft report.