IRS slammed for IT security risks

Auditors from the US Department of the Treasury have issued two reports about IT security risks at the Internal Revenue Service.

Auditors from the US Department of the Treasury have issued two reports about IT security risks at the Internal Revenue Service.

One report says contractors working on IRS systems "committed numerous security violations" and the other takes the agency to task over unauthorised use of handheld devices.

The security violations by IT contractors "significantly increased" the potential for the spread of viruses and unauthorised disclosures of taxpayer information, according to auditors in the office of the Treasury Inspector General for Tax Administration.

The auditors said contracting officers and IT managers at the IRS did not do enough to ensure that the contractors adhered to the agency's security procedures.

For example, the auditors found that contractors from one firm were given obsolete PCs that could not support the IRS's security settings. The contractors were also able to add unauthorised software to the computers, according to the report.

The auditors, who conducted their review from March to September of last year, recommended that the IRS limit the computer access privileges of contractors to only what they need to do their jobs.

In addition, they said IRS officials should monitor the activities of contractors via system audits and ensure that contracting officers and security administrators carry out their oversight responsibilities.

In a written response that was included in the report, the IRS disagreed with the findings and said it had not received enough evidence to support the auditors' conclusion that contractors put its systems at risk.

But IRS officials said they agreed with the report's recommendations and promised that they would take "corrective actions" to limit contractors' system access privileges and track their activities.

In the report about the use of handheld devices, the auditors said the IRS has bought about 425 handhelds that support data encryption and are certified as secure.

But they added that more than 2,000 uncertified handhelds purchased by business units without the IT department's approval pose "significant" security risks, including unencrypted data and the creation of network back doors that could be used to bypass security controls.

In response, IRS officials said they will take action to ensure that handhelds connected to the agency's network comply with security controls. They added that they will also install security software with password and encryption capabilities and establish a process for removing or replacing all uncertified devices.

Linda Rosencrance writes for Computerworld

Read more on Hackers and cybercrime prevention