United States Government Accountability Office GAO November 2010 Report to the Secretary of the Treasury _part9 docx


Appendix I Material Weaknesses, Significant Deficiency, and Compliance Issues

Page 101 GAO-11-142 IRS’s Fiscal Years 2010 and 2009 Financial Statements

(IFS) [18] servers, decreasing the risk that known vulnerabilities may be exploited; (2) discontinued the use of unencrypted protocols on the servers supporting its procurement system, decreasing the risk that malicious users could capture sensitive information; and (3) limited access to certain key financial documents used for input into IFS, decreasing the risk that users could intentionally or unintentionally corrupt data.

Despite these actions, most of the previously identified weaknesses in internal control over information security remain unresolved and continue to place IRS systems at risk. For example, IRS continued to allow individuals more access to sensitive information contained on the network than needed to perform their assigned duties. In addition, IRS had not completed actions to address a vulnerability in its procurement system that allowed users to enter commands that bypassed normal application security controls. Further, at one data center, visitors continued to be provided unnecessary access to secured areas.

During our fiscal year 2010 audit, we identified additional deficiencies in internal control over information security that, along with previously identified deficiencies that remain unresolved, continued to jeopardize the confidentiality, integrity, and availability of information processed by IRS’s key systems, and increased the risk of material misstatement for financial reporting. For example, the database associated with the online system IRS used to support and manage its computer access request, approval, and review processes was not appropriately secured. Weak control of powerful database IDs and insecure configurations reduce the confidence in the integrity of individuals’ access privileges assigned to key IRS systems. In addition, IRS had not appropriately restricted permissions on the database that supported an application used for cost allocation of rent-related data, allowing database users to run operating system commands. Also, IRS used unencrypted protocols on a server supporting the Electronic Federal Tax Payment System (EFTPS) [19] and several internal routers, potentially exposing user IDs and passwords transmitted in clear text across the

[18] IFS is IRS’s administrative accounting system, which IRS uses to facilitate core financial management activities, including general ledger, budget formulation, accounts payable, accounts receivable, funds management, cost management, and financial reporting. IFS does not process or report IRS’s tax related transactions, including tax revenues, tax refunds, and taxes receivable.

[19] The Electronic Federal Tax Payment System (EFTPS) is a tax payment system provided free by the U.S. Department of the Treasury, through which businesses and individuals can pay federal taxes electronically via the Internet or by phone.

Date posted: 20/06/2014, 08:20
