The Internal Revenue Service’s (IRS) bring-your-own-device (BYOD) policy opens the agency up to more vulnerabilities, data exfiltration, and uneducated users accessing sensitive information, according to a September 12 report from the Treasury Inspector General for Tax Administration (TIGTA).
The report found that while the BYOD program is making progress, the IRS remains exposed to risk. The report centers on the risk of screenshots on personal devices, gaps in procedures and guidelines, and issues with patching agency servers and retaining audit logs.
“The BYOD program enhanced security by upgrading to a newer platform … However, TIGTA identified significant vulnerabilities within the BYOD program,” the report states.
On data exfiltration, TIGTA notes that iPhone users could take screenshots of information, a feature that is disabled on agency-owned devices. The report recommends finding a solution to prevent data leakage and limiting the participation of employees who have already violated policies on sensitive data disclosure. The IRS agreed with both recommendations.
“The IRS is relying on policy alone to ensure the employee’s compliance, but in our opinion, this rule of behavior restriction is not enough to deter a BYOD program user from taking advantage of this capability because there is no way to monitor or detect when this function is used,” TIGTA notes.
On policy gaps, the report notes that National Institute of Standards and Technology (NIST) guidance encourages organizations to assume employee devices will be stolen and to plan for limiting access. But, the report says, IRS policy is not clear on the agency’s ability to wipe data remotely from an employee-owned device. The report also found that few user-owned devices had any mobile malware protection, and that the IRS could not monitor whether users were completing security training. TIGTA recommended that the IRS address these gaps, and the agency concurred.
The report also highlights weaknesses in servers used for the BYOD program, finding 68 critical and high-risk vulnerabilities on the servers and slow remediation procedures. The review also found that application audit log files were retained for only two weeks and were not archived. TIGTA recommended that the agency remediate vulnerabilities in a timely manner, ensure the retention of audit logs, and create an application change log. The IRS agreed with those recommendations.