A new Inspector General report faults the security of the computer connections at the Internal Revenue Service.

The report, from the Treasury Inspector General for Tax Administration, found many computer system interconnections in use at the Internal Revenue Service do not have proper authorization or security agreements.

TIGTA examined whether the proper controls are in place and operating effectively to protect IRS networks when they are connected to external information technology systems. Through such interconnections, the IRS shares federal tax information and other records with many federal, state, and local agencies, as well as private agencies and contractors. Because taxpayer and other sensitive data must be protected, the report noted, the IRS is required to ensure that external system interconnections are authorized by written agreements that specify the technical and security requirements.

The IRS was forced to disable its online Get Transcript application during tax season this year after it discovered that hackers had used it to access the tax returns of hundreds of thousands of taxpayers (see Extra 220,000 Hit by IRS ‘Get Transcript Breach’). IRS Commissioner John Koskinen said earlier this week the IRS won’t restore the service until the agency is sure it is secure.

TIGTA found that although the IRS has established an office to provide oversight and guidance for the development of security agreements, that office is not responsible for managing or monitoring agreements for all external interconnections in use in the IRS environment. TIGTA also found that improvements are needed to ensure that existing agreements contain all required elements and are renewed timely.

"These system interconnections are critical and must be properly designed and managed to meet security requirements,” said TIGTA Inspector General J. Russell George in a statement. “If not, failures could compromise the connected systems and the sensitive data that they store, process, or transmit.”

The IRS agreed with all six of TIGTA’s audit recommendations and plans to make appropriate corrective actions. The IRS agreed to identify and document external interconnections; establish a repeatable process for identifying external interconnections; ensure that policies and procedures are developed and implemented for updating the interconnections inventory; establish an escalation process to resolve agreement renewal issues; ensure that interconnection agreements meet policies and are renewed timely; and streamline and eliminate ineffective practices related to interconnection agreements.

“The IRS understands and honors the trust given to it by American taxpayers to safeguard their personal and private information,” wrote IRS chief technology officer Terence V. Milholland in response to the report. “As part of that trust, IRS is continuously improving the External Interconnections program, to ensure taxpayer and other sensitive data are protected and secure.”

Read more: