Treasury IG Finds ‘Significant Vulnerabilities’ in IRS’ BYOD Program


The IRS’ bring-your-own-device program could increase the risk of data leakage, according to the Treasury Inspector General.

A Treasury Inspector General for Tax Administration (TIGTA) audit released this week “identified significant vulnerabilities” within the IRS’ revamped bring-your-own-device program.

The audit, conducted across several IRS offices from August 2018 to May 2019, found that the IRS’ BYOD servers contained 68 “critical and high-risk vulnerabilities,” 18 of which were classified as “easily exploitable.” Other issues identified in the audit included an increased risk of “data leakage,” particularly from personally owned iPhones, because screenshot capabilities were left enabled.

TIGTA also found audit log issues—including rarely updated or reviewed change logs that did not properly capture administrator actions—as well as unclear policies on lost or stolen devices. Lastly, the audit found the BYOD program did not enforce required annual security training for participants.

To mitigate these issues, TIGTA made seven recommendations, and the audit makes clear that the IRS agreed to all seven. They include taking mitigation actions to prevent data leakage from personally owned iPhones; considering denying BYOD participation to employees with prior personally identifiable information (PII) violations; ensuring BYOD server vulnerabilities are remediated in a timely fashion; reviewing and maintaining audit logs; and making sure lost or stolen devices are reported.

The IRS’ BYOD program, which began as a proof of concept in 2010, has grown in recent years. As of March 2019, the audit states, the IRS had more than 1,200 registered BYOD program users. In recent years, after a cost-benefit analysis, the IRS upgraded its platform, which ultimately “enhanced security” of the program. The cost-benefit analysis also showed “reduced costs and a potential increase in productivity due to the BYOD program.”