Government auditors slam IRS for IT security risks

Computerworld - Auditors from the U.S. Department of the Treasury have issued two reports about IT security risks at the Internal Revenue Service, one saying that contractors working on IRS systems "committed numerous security violations" and the other taking the agency to task over unauthorized use of PDAs.
The security violations by IT contractors "significantly increased" the potential for the spread of viruses and unauthorized disclosures of taxpayer information, according to the Treasury Department's inspector general for tax administration. The inspector general said contracting officers and IT managers at the IRS didn't do enough to ensure that the contractors adhered to the agency's security procedures.
For example, the auditors found that some contractors from one firm were given obsolete PCs that couldn't support the IRS's security settings. The contractors also were able to add unauthorized software to the computers, according to the auditors' report, which was issued internally on March 22 but has yet to be publicly released.
Computerworld obtained a copy of the report today from the Washington-based National Treasury Employees' Union, which was given an edited version after filing a Freedom of Information Act request. Before releasing the report to the group, which opposes having federal jobs go to private contractors, Treasury officials removed the names of contractors and other sensitive data.
The auditors, who conducted their review last year from March to September, recommended that the IRS limit the computer access privileges of contractors to only what they need to do their jobs. In addition, the auditors said IRS officials should closely monitor the activities of contractors via system audits and ensure that contracting officers and security administrators carry out their oversight responsibilities.
IRS officials didn't return phone calls seeking comments about the report at deadline. But in a written response that was included in the report, the IRS disagreed with the findings and said it hadn't received enough evidence to support the auditors' conclusion that contractors put its systems at risk.
However, IRS officials said they agreed with the report's recommendations and promised that they would take "corrective actions" to limit contractors' system access privileges and track their activities.
The report about PDA usage was posted on the Treasury Department's Web site July 16. In that report, the auditors said the IRS has bought about 425 PDAs that support data encryption and are certified as secure. But they added that more than 2,000 uncertified PDAs purchased by business units without the IT department's approval pose "significant" security risks, including unencrypted data and the creation of network back doorsthat could be used to bypass security controls.
In response, IRS officials said as part of the report that they would take action to ensure that PDAs connected to the agency's network comply with security controls. They added that they also would install security software with password and encryption capabilities and establish a process for removing or replacing all uncertified PDAs.