An audit has raised concerns about “data leakage” and other security-related issues arising from the “bring your own device” policy at the IRS, which, like many other agencies, allows employees to use their own smartphones and other devices for work-related purposes under certain circumstances.
BYOD programs “allow organizations to provide their employees with the means to work and communicate away from the traditional office and workstation environment,” the report said; the IRS’s program allows registered users to access select IRS applications and data through their personal mobile devices using secure managed mobile applications provided by the program.
However, it warned that mobile devices can be easily lost or stolen. “When that occurs, IRS data on the device can be subject to unauthorized access and the device itself can be used as an avenue to attack IRS systems. The risk is high because various systems and databases managed by the IRS contain significant amounts of tax data and Personally Identifiable Information,” it said.
The report said the agency has strengthened security by upgrading to a new server, but there are still “significant vulnerabilities” (which the report redacted for security reasons) related to both the phones and to the servers.
Among other things, the report recommended that the agency consider disapproving participation in the program by employees with personally identifiable information and Internal Revenue Code violations, and that it update policies regarding configuration, malware prevention, reporting lost or stolen BYOD devices, tracking and wiping application data, and maintaining and reviewing audit logs.