Computer security at the Internal Revenue Service might be most appropriately described as Swiss cheese, according to a Treasury Inspector General for Tax Administration report (PDF).
The report found that most IRS employees used e-mail inappropriately, putting the organization at risk of computer viruses and other malware, that out of 228 authorized e-mail servers, all that were examined contained security vulnerabilities, and that 4,913 additional unauthorized e-mail servers were found on the IRS internal networks.
The report found that IRS employees were regularly violating the personal use policy, forwarding chain letters, sexually explicit jokes and other inappropriate e-mail messages. “Specifically, we found inappropriate email messages in 74 percent of the employee mailboxes reviewed,” the report said. “Opening these types of emails can activate [a] computer virus, which in turn could destroy data on computers, enable the hacker to gain unauthorized access to the computer and any sensitive information stored on the computer, and disrupt email and computer operations.”
While the IRS has a policy on this type of e-mail message, it does not effectively enforce the policy, the report said. And while IRS has conducted training and awareness sessions on the proper use of e-mail, improper use continues. Apparently IRS employees have better things to do than collect taxes.
Auditors examined 28 of the 228 authorized e-mail servers and found that all of them contained security vulnerabilities, 687 of them in all. They also checked 30 of the 4,913 unauthorized servers and found a total of 363 security problems on all of them.
“The majority of the security vulnerabilities on the email servers cited above occurred because system administrators had not installed current security patches to the email servers,” the report said. That’s right, system administrators aren’t doing their jobs.
The report recommended that the IRS monitor e-mail usage and that system administrators patch authorized e-mail servers and remove unauthorized ones, and while IRS management agreed with the recommendations, it hasn’t yet figured out how to effectively stop people from forwarding jokes, chain letters and funny pictures to each other, or how to get them to take security seriously.
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works license.
Video published by this site is licensed under a Creative Commons Sampling+ license.
Bad Behavior has blocked 3231 access attempts in the last 7 days.
Facebook
Digg
del.icio.us
reddit.com
Newsvine
Oliver Crangle
Aug 11, 2006
Is there any reason why most IRS employees would even need access to anything but an intranet and possibly some .gov sites??
Why can’t the network be set-up to block access to the outside and to reject any e-mail from anything originating from a valid .gov domain?
Michael Hampton
Aug 12, 2006
Among other things, they have to be able to read this web site to see what I’m saying about them.
JeanetteWilke
Aug 13, 2006
I agree with Mr. Crangles, Aug 11, 2006 comments posted at 11:52pm. The IRS computer system should be set up to control employee access and limit the access to only what is required for them to do their jobs, nothing more. Will this ever happen? Probably not. This would mean that supervisors, managers, directors etc. would have their access limited also. If this control really did happen, what if it was discovered that many positions did not even need a computer?
Magus
Aug 14, 2006
I like the part where the authorized mail servers were *more* vulnerable than the unauthorized ones. It’s probably just because they were newer so they older vulnerabilities would have been patched, but the numbers are interesting.
Jon Grinols
Sep 12, 2006
All intelligent and sane citizens in the United States understand that ALL laws, rules, and regulations apply only to citizens and that the benevolent US government and all of its agencies are NEVER included as governed or controlled parties.
DD
Dec 13, 2006
IRS + Technology = Joke
Dan
Apr 03, 2007
Want to get them to follow the security policy? Start firing those who don’t…the ones that are still there will start to get the message.
IRS_Agent
Jan 11, 2008
Yeah.. some of our applications are outdated, but our email policy and personal use policy is VERY explicit.
Additionally, we do have to visit all kinds of sites, like websites used by taxpayers who accept payments online and don’t report those sales as taxable income on their tax returns, among other, necessary, work related sites.
Yeah… you may hate us, but we really don’t care.
BTW, you’re all under audit! LOL… Just kidding.
nick
Jan 25, 2008
they use internet for research such as 411.com zillow.com accurint.com business and individual research, beleive it or not, some people actually try to evade taxes.. can you beleive that? amazing.
deb
Jun 09, 2011
In response to the IRS agent who with all the total disreguard for the American people that you have shown with your statement that we may all hate you but you don’t care, I say this…Your illegal agency is out to finish the job of distroying the middle class. Your agency is auditing women, single women, middle class people who have already lost all in this economy. Your agency is NOT auditing the wealthy, congressmen who are yrs behind in thir taxes. Funny thing is though…when you finish distroying the middle class…YOU WILL BE UNEMPLOYED! The very people you are after PAY your salary…HA HA HA…The rich pay no taxes as you well know and ALLOW them to get by with. Those of us who are so angry may decide to find rants and return to school and beome lawyers spendin the rest of our lives seeing that all of you are held accountable for how you have distroyed this country…