IRS to beef up monitoring of employee e-mails

Nearly three quarters of mailboxes reviewed contained inappropriate messages.

The Internal Revenue Service has pledged to step up monitoring of its e-mail servers in response to a recent review that found a high percentage of misuse among employees surveyed.

In response to the report from the Treasury inspector general for tax administration, IRS Chief Information Officer W. Todd Grams said his office will ensure that the agency's next annual security training sessions will include reminders that abuse of e-mail policies has resulted in, and will result in, disciplinary action.

Grams also said his security chief will review the agency's policy on e-mail content monitoring and recommend a content monitoring program by May 15, 2007.

The TIGTA review of employee mailboxes found that those for 71 out of 96 employees contained inappropriate e-mail messages. This included nearly 2,000 chain letters; 528 with offensive content; 55 with sexually oriented content; 22 containing prohibited activities, including e-mail that relates to work on for-profit projects or other outside employment; and 18 with large graphics or video files.

The reviewers also found the IRS does not effectively monitor employee e-mail and is lax in disciplining violators. From fiscal 2003 through fiscal 2005, 283 IRS employees were disciplined for abusing e-mail, the report stated. This included four resignations.

Failure to follow e-mail policies puts IRS systems at risk from computer viruses, which are often carried in messages sent by hackers with subject lines designed to entice the recipient to open them, the report said. Opening such a message could destroy data, give a hacker access to computer systems and sensitive information, or disrupt computer operations in other ways.

In addition to inadequate monitoring of e-mail, the agency's 228 authorized e-mail servers are not properly secured, the report concluded. An IG scan of 28 servers found 687 security vulnerabilities, with 250 of them considered high risk.

The agency's network hosts 4,913 unauthorized Internet Protocol addresses with devices or servers configured to act as e-mail servers, the report stated. This puts the system at risk because e-mails received by these servers circumvent any security software installed for screening purposes.

Grams said security patches will be installed by Nov. 1, and by Aug. 1, 2007, agency systems administrators will conduct periodic scans to identify unauthorized e-mail servers. Such servers will be disabled unless a business case to leave them operating is approved.
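The two findings above, unauthorized hosts acting as e-mail servers and the planned periodic scans to identify them, amount to a reconciliation job: sweep the network for hosts listening on the SMTP port, then compare the result against the inventory of sanctioned mail servers and the list of approved business-case exceptions. The script below is an added example of that check, not tooling from the IRS or the TIGTA report. It parses nmap's grepable (`-oG`) output format, which is real, but the scan lines, the allowlist and the exception list are constructed sample data; the disabling step itself is left to the administrator.

```python
"""
Reconcile a TCP/25 port sweep against the list of authorized e-mail servers.
Added example; the scan output, allowlist and exception list are constructed.
"""
import re
from typing import Dict, List, Set

# Constructed sample of nmap grepable output (-oG) for a sweep of port 25.
# Real output has a "Status: Up" line and a "Ports:" line per live host.
SCAN_OUTPUT = """\
# Nmap 7.94 scan initiated as: nmap -p25 -oG - 192.0.2.0/28
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 25/open/tcp//smtp///
Host: 192.0.2.11 ()\tPorts: 25/open/tcp//smtp///
Host: 192.0.2.12 ()\tPorts: 25/closed/tcp//smtp///
Host: 192.0.2.13 ()\tPorts: 25/open/tcp//smtp///
Host: 192.0.2.14 ()\tPorts: 25/filtered/tcp//smtp///
Host: 192.0.2.15 ()\tPorts: 25/open/tcp//smtp///
# Nmap done -- 16 IP addresses (6 hosts up) scanned
"""

# Sanctioned mail servers (constructed; in practice this is the agency's
# inventory of authorized e-mail servers).
AUTHORIZED: Set[str] = {"192.0.2.10", "192.0.2.11"}

# Hosts with an approved business case to keep SMTP listening (constructed).
APPROVED_EXCEPTIONS: Dict[str, str] = {
    "192.0.2.13": "ticket MAIL-0001 (hypothetical): lab relay, approved",
}

# One -oG "Ports:" line: "Host: <ip> (<name>)<tab>Ports: <port spec>,<port spec>..."
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+(.*)$")


def smtp_listeners(grepable: str, port: int = 25) -> List[str]:
    """Return the IPs whose TCP `port` nmap reports as open, in scan order."""
    found: List[str] = []
    for line in grepable.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and "Status:" lines carry no port data
        ip, ports = m.groups()
        for entry in ports.split(","):
            # Each port spec is port/state/protocol/owner/service/rpc/version/
            fields = entry.strip().split("/")
            if (len(fields) >= 3 and fields[0] == str(port)
                    and fields[1] == "open" and fields[2] == "tcp"):
                found.append(ip)
    return found


def classify(listeners: List[str], authorized: Set[str],
             exceptions: Dict[str, str]) -> Dict[str, List[str]]:
    """Split listening hosts into authorized, approved-exception and unauthorized."""
    result: Dict[str, List[str]] = {"authorized": [], "exception": [], "unauthorized": []}
    for ip in listeners:
        if ip in authorized:
            result["authorized"].append(ip)
        elif ip in exceptions:
            result["exception"].append(ip)
        else:
            result["unauthorized"].append(ip)
    return result


def unauthorized_mail_servers(grepable: str = SCAN_OUTPUT) -> List[str]:
    """Hosts that accept SMTP but are neither sanctioned nor covered by an exception."""
    return classify(smtp_listeners(grepable), AUTHORIZED, APPROVED_EXCEPTIONS)["unauthorized"]


if __name__ == "__main__":
    buckets = classify(smtp_listeners(SCAN_OUTPUT), AUTHORIZED, APPROVED_EXCEPTIONS)
    for ip in buckets["exception"]:
        print(f"{ip}: SMTP open, exception on file: {APPROVED_EXCEPTIONS[ip]}")
    for ip in buckets["unauthorized"]:
        print(f"{ip}: SMTP open, not authorized, candidate for disabling")
```

Hosts whose port 25 is closed or filtered are skipped, since they cannot receive mail that bypasses the screening gateway; only hosts that actually accept SMTP connections and are on neither list end up in the unauthorized bucket. Running the sweep on a schedule and diffing successive results gives the periodic check the report calls for.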

In January 2005, the IG office found that the process used by IRS officials to monitor network security was "flawed and ineffective," and in June 2003, the IG reported that agency employees were visiting inappropriate Web sites while at work and spent too much personal time online.