The Internal Revenue Service (IRS), and other Department of Treasury agencies, continue to have "material weaknesses" in security controls designed to protect the confidentiality, integrity and availability of their systems, a new General Accounting Office (GAO) report concludes.

According to the GAO, the investigative arm of Congress, the security weaknesses and inconsistent implementation of security controls exist, in part, because of Treasury's department-wide program, "while evolving, has not yet been fully institutionalized across the entire department."

Treasury's bureaus have 708 information systems supporting its operations with a centralized data communications network and management system interconnecting networks and systems at the bureaus and departmental offices.

"Protecting the computer systems that support critical operations and infrastructures has never been more important because of concerns about attacks from individuals and groups withmalicious intent, including terrorists," the report states. "These concerns are well founded for a number of reasons, including the dramatic increase in reported security incidents, the ease of obtaining and using hacking tools, the steady advance in the sophistication and effectiveness of attack technology, and the dire warnings of new and more destructive cyber-attacks to come."

Since 1997, GAO audits have discovered "persistent computer security weaknesses" that place a variety of critical federal operations at risk.

"It remains so today," the report states.

The security weaknesses identified at Treasury include all six general control areas addressed in the GAO's information security audit methodology, including security program management, access controls, software development and change controls, segregation of duties, operating systems controls, and service continuity.

Security problems were further compounded earlier this year when Treasury underwent significant organizational change with several departments transferred to the newly created Department of Homeland Defense and the Department of Alcohol, Tobacco and Firearms moving to the Department of Justice.

During a three-year period ending in July 2002, the GAO conducted 14 information security reviews at 11 IRS tax processing facilities throughout the country. The reviews identified 765 general control weaknesses. In addition, the GAO conducted five application control reviews and found 112 weaknesses.

"While the majority of general control weaknesses identified fell into the area of logical access controls, weaknesses in physical security, software change controls, segregation of duties, and service continuity also posed significant risk to IRS systems and taxpayer information," the report states.

The report notes that Treasury has taken the initial steps necessary to implement a department-wide information security program, key elements of such a program -- those need to help mitigate Treasury's longstanding information security weaknesses -- have not been fully implemented."

The report concludes, though, that "Until Treasury can fully implement its department-wide program and adequately mitigate known weaknesses, increased risk exists that individuals could gain unauthorized access to critical hardware and software, and intentionally or inadvertently use, disclose, disrupt, modify, or destroy sensitive data or computer programs."

The GAO prepared the report at the request of Representatives Adam Putnam (R.-FL) and William Lacy Clay (D.-MO), the chairman and ranking member of the House Government Reform Committee's Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census.