The US Internal Revenue Service (IRS) has agreed to prepare an action plan to remove deficiencies in its information security system that pose risks such as unauthorized access to taxpayers' confidential data or tampering with it.
The IRS would prepare this action plan to implement recommendations by the Government Accountability Office (GAO). In a letter dated 1 April 2014 to GAO, the IRS says: “we will review all of GAO's reported recommendations to ensure that our actions include sustainable fixes that implement appropriate security controls. We will provide the detailed corrective action plan addressing each of the recommendations with our response to the final report.”
GAO has annexed this letter to its report released on 8th April 2014. GAO has identified significant risks of misuse of confidential taxpayers' data due to unsatisfactory implementation of security risk management by the Internal Revenue Service (IRS).
In a report captioned ‘Information Security - IRS Needs to Address Control Weaknesses That Place Financial and Taxpayer Data at Risk’, GAO has advised the IRS to update access request policies and procedures to ensure that they contain sufficiently detailed information on access requests and access assignments to facilitate effective review and verification of appropriate access privileges.
GAO's other recommendations include: “Update procedures to specify the information required to be recorded in the internal system documentation for important mainframe system processes. Develop a remedial action plan to address known information system weaknesses or deficiencies in the workload automation software environment.”
GAO says: “We are also making 23 detailed recommendations in a separate report with limited distribution. These recommendations consist of actions to be taken to correct specific information security weaknesses related to identification and authentication, authorization, cryptography, and configuration management.”
GAO found that IRS has not always installed appropriate patches on all databases and servers to protect against known vulnerabilities. It has also not sufficiently monitored database and mainframe controls.
IRS has also not appropriately restricted access to its mainframe environment. In addition, IRS had allowed individuals to make changes to mainframe data processing without requiring them to follow established change control procedures to ensure changes were authorized, and did not configure all applications to use strong encryption for authentication, increasing the potential for unauthorized access.
As put by the report, “Until IRS takes additional steps to (1) more effectively implement its testing and monitoring capabilities, (2) ensure that policies and procedures are updated, and (3) address unresolved and newly identified control deficiencies, its financial and taxpayer data will remain vulnerable to inappropriate and undetected use, modification, or disclosure.”