E-mail a threat to IRS network: IG

The IRS is at risk for computer viruses because employees are e-mailing chain letters, jokes, sexually oriented content and large graphic or picture files in violation of the agency's personal e-mail use policy.

Additionally, some e-mail servers are unsecured and unauthorized, the Treasury Inspector General for Tax Administration said in a recent report. A major contributor to the e-mail servers' vulnerabilities was that system administrators had not installed current security patches on them, TIGTA said.

'As a result, the IRS' internal network, its computers and the data maintained on the network could be at risk of being compromised, destroyed or shut down,' said Michael Phillips, deputy inspector general for audit, in the report.

The auditor found inappropriate e-mail messages in 74 percent of the employee mailboxes that it reviewed. TIGTA based its findings on a statistical sample of 96 employees from the IRS' list of e-mail addresses and a review of 46,551 e-mails.

The IRS' personal use policy is designed to protect the agency from employee actions that might harm it or put it at risk. For example, hackers may craft e-mail messages that contain viruses and give them interesting subject lines to entice recipients to open them.

IRS has conducted awareness presentations and communicated the importance of the personal use policy, but it does not effectively monitor the e-mail of its employees to ensure compliance with the policy, TIGTA said.

IRS also needs to reduce the number of e-mail servers. TIGTA identified 228 e-mail servers and an additional 4,913 Internet addresses with devices or servers that have been configured to operate as unauthorized e-mail servers.

'Any e-mail received through unauthorized e-mail servers would circumvent the security screening established to identify malicious software,' TIGTA said. If the e-mail contains a virus, it could infect the computers as well as the network.

The IRS agreed with TIGTA recommendations that the IRS continue educating employees about the risks associated with inappropriate e-mail use, including reminders that other employees have suffered disciplinary actions as a result. The IRS will consider a program for monitoring e-mail message content.

For server vulnerabilities, the IRS will ensure adherence to procedures to install security updates and patches on all e-mail servers, and hold system administrators accountable for enabling only authorized computers to perform as e-mail servers.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.
