Your own people may be the problem

A recent independent audit of computer systems at five Internal Revenue Service field offices found dozens of security lapses. Five out of 12 systems administrators and security specialists, for instance, did not know who was responsible for maintaining Microsoft Corp. Windows workstations and servers or for applying and testing security patches.

At least eight out of 12 administrators whom the auditors interviewed said they had not been checking computers under their control for unauthorized changes to systems that were supposed to be kept securely configured.

Auditors also discovered that 28 out of 206 user accounts for employees who no longer worked for the IRS were active, meaning those former employees could still gain access to agency computer systems. An average of 139 days had elapsed since the 28 employees had worked for the IRS.
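The finding above is the output of a routine reconciliation: enabled directory accounts checked against HR separation records, with the days elapsed since each owner's last day. As an added example that is not from the article or the audit report, here is that check in Python; the account names and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool          # still able to log in

@dataclass(frozen=True)
class Separation:
    username: str
    last_day: date         # last day worked, from HR records

# Constructed sample data; these names and dates are not from the audit.
ACCOUNTS = [
    Account("asmith", True),    # departed, still enabled: a finding
    Account("bjones", False),   # departed, correctly disabled
    Account("cwhite", True),    # departed, still enabled: a finding
    Account("dlee", True),      # current employee, not in the HR list
]
SEPARATIONS = [
    Separation("asmith", date(2003, 8, 1)),
    Separation("bjones", date(2003, 9, 15)),
    Separation("cwhite", date(2003, 11, 20)),
]

def find_orphaned_accounts(accounts, separations, as_of):
    """Return [(username, days_since_last_day)] for every enabled
    account whose owner appears in the HR separation list."""
    departed = {s.username: s.last_day for s in separations}
    return [
        (a.username, (as_of - departed[a.username]).days)
        for a in accounts
        if a.enabled and a.username in departed
    ]

def summarize(orphans, total_separated):
    """The figures the audit reported: orphaned accounts out of all
    separated staff, and the average lag since each owner's last day."""
    count = len(orphans)
    avg = sum(days for _, days in orphans) / count if count else 0.0
    return {"orphaned": count, "separated": total_separated, "avg_days": avg}

def run_sample_audit(as_of_iso="2004-01-15"):
    """Run the check against the constructed data as of a given date."""
    found = find_orphaned_accounts(ACCOUNTS, SEPARATIONS, date.fromisoformat(as_of_iso))
    return found, summarize(found, len(SEPARATIONS))

if __name__ == "__main__":
    print(run_sample_audit())
```

In practice the two inputs come from an export of the directory (for example, a list of enabled accounts) and the HR system's separation report; any account the check lists should be disabled and its owner's access reviewed.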

Some employees with frontline responsibility for computer security said they had received no security training in at least three years.

The audit report, which the Treasury Inspector General for Tax Administration released in January, states that the agency has a plan for fixing those and other security problems by March 31.

Although the independent audit found significant computer security weaknesses within some of the IRS' offices, the tax agency is not exceptional. Federal managers and security analysts say that maintaining secure computer systems and networks has grown to be a time-consuming and expensive activity for every government organization.

Even so, some organizations need to do more than others to protect themselves from external attacks. "High-profile agencies like the IRS need to put more resources into perimeter security than a low-profile agency, which can focus on internal security," said Peggy Begg, assistant inspector general for information systems programs for the Treasury Inspector General for Tax Administration.

IRS officials, aware of the agency's visibility as a potential target, have rolled up all of its internal security operations, including computer and information security activities, into a single organization called the Office of Mission Assurance. That reorganization is nearly completed, said Daniel Galik, the new chief of mission assurance.

In other federal agencies, security managers have tackled the security threat by contracting with outside experts for managed security services. In some cases, the agencies pay service providers to manage their firewalls or monitor their intrusion-detection system logs.

With few exceptions, however, a surprising number of federal officials say that employees are the primary cause of computer security lapses, and therefore, managers who want to spend their limited resources most effectively should offer appropriate levels of security training and awareness for all of their workers.

Although good security policy and adequate security technology are both important, effective computer security depends on employees' familiarity with those policies and knowing how to use the technology they have, said Begg, who had a primary role in the IRS audit.

A strong believer in the value of security training and awareness activities, she said she has found from her years of auditing that most employees who violate security policies do so because they are uninformed about good computer security procedures and unaware of their agency's security policies. Begg knows of hackers, for example, who have successfully bypassed an Internet gateway firewall by pretending to work on the help desk and then asking employees to divulge their passwords.

Even the most sophisticated technical security systems can be breached, she said, if employees are naive or fail to follow good rules of behavior.
