IRS to rein in unapproved PDA use
- By Mary Mosquera
- Jul 23, 2004
The IRS has more than 2,000 unapproved personal digital assistants that can connect to the tax agency's network, which could allow loss or theft of sensitive information, such as taxpayer data, the Treasury Inspector General for Tax Administration said.
The IRS purchased 427 PDAs for key personnel who would be involved in continuity of operations during an emergency. The CIO's office approved those PDAs, which can encrypt data for security, the IG said in a report last week.
But IRS business units could not account for the unapproved PDAs, which managers and employees use while traveling. So the Treasury IG located the PDAs by scanning the network to identify computers depicting PDA synchronization software.
The business units did not provide employees with guidance on how to use the handhelds in a secure manner. A few IRS employees and contractors had connected their personal PDAs to the IRS network and had installed their own synchronization software onto IRS computers, the report said.
'When synchronized to a network computer, the PDAs provide a back door into the network and bypass many of the existing security detection controls,' said Gordon Milbourn III, Treasury's acting deputy inspector general for audit. In general, employees were not aware of the sensitivity of the information they had placed on their PDAs, he said.
Earlier this month, IRS CIO Todd Grams told the IG's office that 'it was clear that we must take a more aggressive approach to the management of PDAs.' Grams will select a security package with password and encryption capabilities and establish a process for removing or replacing existing PDAs that are not certified.
The IRS will also inventory all PDAs in use and scan the network to confirm that connected PDAs comply with security controls. IRS will remove unauthorized synchronization software from networked computers.
IRS' Assurance Programs director has incorporated PDA training into the annual security awareness program beginning last month. The office will coordinate with procurement offices to remind contractors that they cannot connect personal equipment to the IRS network.
Mary Mosquera is a reporter for Federal Computer Week.