The Treasury Inspector General for Tax Administration (TIGTA) initiated an audit of the IRS because the IRS relaxed its long-standing internal policy prohibiting employees from transmitting Sensitive But Unclassified (SBU) data to taxpayers in emails.
The objective of the review was to determine whether IRS controls, policies, and procedures for sensitive email messages to taxpayers adequately protected taxpayers’ data, guarded against email threats to the IRS network, and ensured email practices were compliant with Federal regulations.
What they found
Although some controls for the Secure Email With Taxpayers program are in place, such as the installation of antivirus software on employees’ computers, other security controls were not implemented.
The IRS has not implemented an automated control to detect and prevent SBU data in unencrypted emails from being transmitted outside the IRS. In addition, some employees and taxpayers are not encrypting their emails that contain SBU data.
These violations of the program were not reported to IRS management. Furthermore, IRS procedures and training lacks adequate guidance for employees to report the violations. In addition, the IRS does not timely correct persistent medium-risk security vulnerabilities detected on email servers, the audit reported.
What TIGTA recommended
- TIGTA recommended that the Large Business and International Division and Office of Appeals coordinate with the Office of Privacy, Information Protection, and Data Security to develop additional procedures for employees participating in the Secure Email With Taxpayers program to address how, when, and to whom employee and taxpayer secure email violations should be reported
- Update guides and training materials to include these procedures
- Amend the Memorandum of Understanding to apprise the taxpayer of the specific risks associated with transmitting unencrypted email with SBU data
- Issue a memorandum to all employees advising them of the disciplinary actions that will be taken against employees who violate IRS email policies by sending unencrypted emails to taxpayers who have not signed a Memorandum of Understanding to participate in the program
TIGTA also recommended that the Associate Chief Information Officer, Cybersecurity, ensure data leakage prevention software is implemented by April 2012, and update the annual Information Systems Security briefing to include the new Secure Email With Taxpayers procedures.
Lastly, TIGTA recommended the Associate Chief Information Officer, Enterprise Operations, ensure medium-risk vulnerabilities detected on email servers are appropriately tracked and, if the vulnerabilities cannot be corrected within two months, follow security requirements to post the vulnerabilities to the appropriate Plan of Actions and Milestones.
In their response to the report, IRS officials agreed with six of the recommendations and partially agreed with three. For the three partially agreed recommendations, TIGTA continues to believe that the IRS should fully implement the recommendations.
A technology system that can monitor for insecure emails could prevent these types of violations. But the IRS will not be able to install such a tool until July 2012. Until then, “the IRS cannot stop these types of emails from occurring other than by relying on employee compliance,” wrote Michael R. Phillips, deputy inspector general for audit at TIGTA. “