IG: IRS employees abusing e-mail privileges
- By Matthew Weigelt
- Aug 10, 2006
IG report on email abuses
A recent audit found inappropriate e-mail, including pornography, on more than half of Internal Revenue Service employees’ computers, according to a report from the Treasury Inspector General For Tax Administration. The audit also uncovered security holes in many of the agency’s e-mail servers.
The IG reviewed 96 IRS employees’ electronic mailboxes and found that 71 had messages violating the agency’s personal use policy, according to the July 31report. The inspectors found chain letters, jokes, offensive content and sexually explicit content. The report said 74 percent of employees have such prohibited e-mail messages on their computers.
Such content is often used to lure people into opening e-mail messages that contain viruses and other malicious software.
The risk of computer viruses had earlier prompted the IRS to issue a personal-use policy for e-mail. The agency also gave employees awareness training on the policy’s importance.
“While these efforts established a good foundation for e-mail security, employees are not following the IRS’ personal e-mail use policy,” the IG’s report states.
The IG recommended monitoring e-mail message content, which could lead to more employees being disciplined for abusing their privileges. Systems administrators should be held accountable for ensuring that only authorized computers are allowed to perform as e-mail servers, the report recommends.
Moreover, the IRS’ chief information officer should make sure that technology employees follow existing procedures for installing security updates and patches on all e-mail servers.
The IRS maintains 228 authorized e-mail servers. The IG’s office evaluated security on 28 servers and found 687 vulnerabilities.
“People can exploit security vulnerabilities to shut down the servers and disrupt e-mail service or to use the servers to access or attack other computers in the network, which could disrupt other critical operations in the IRS,” the report states.
The report also recommends that the IRS cut down on the number of e-mail servers. The audit found an additional 4,913 IP addresses linked to devices that had been configured to operate as unauthorized e-mail servers. Messages entering through such servers skirt the security screening that identifies malicious software.