IRS's 'Workforce of Tomorrow' draws TIGTA security concerns
The Internal Revenue Service is expanding its use of wireless technology as part of its "Workforce of Tomorrow" strategy, bumping up into security concerns from the Treasury Inspector General for Tax Administration as it does so.
In a TIGTA report dated Sept. 26 that wasn't posted online until Oct. 31, auditors say the IRS set up a wireless local area demonstration network in two test locations (in addition to the already-authorized WLAN deployment in the National Distribution Center in Bloomington, Ill.).
But the IRS didn't intend to conduct a security assessment and authorization (A&A) until after the demonstrations were complete, in contravention of IRS security policy, auditors say. IRS officials told auditors security policy only requires an assessment and authorization of information systems, not technologies. In addition, IRS-specific regulations stipulate that new technology, such as a WLAN, undergo such scrutiny when it's expected to be ultimately deployed into full production.
A full security assessment and authorization for the wireless pilot would have been premature, IRS officials added, since the WLAN pilot was still in the design phase and being conducted in an area where users had little access to taxpayer data.
Auditors don't back off their assertion that the IRS should have done a full A&A, since "the IRS placed the wireless pilot on the live IRS network."
Auditors also say a test of an enterprise remote access project (ERAP), meant to provide wireless access to the IRS network through publicly available connections, took place during a May 2010 conference without a proper A&A. Auditors acknowledge that they did not identify any security vulnerabilities related to the ERAP configuration used during the conference, but say that users could change the configuration settings on the ERAP software, potentially exposing vulnerabilities.
Auditors also chide the IRS for not knowing which users and computers still have a since-abandoned ERAP configuration on them. "Unapproved and untested software is currently in use on an unknown number of IRS computers," they say.
"If security problems are discovered during testing of the new configuration that may also affect the old one, the IRS cannot ensure the removal of the old configuration," they add.
For more:
- download the audit, 2011-20-101 (.pdf)