I love the fact that someone is auditing the Internal Revenue Service. I guess I have to be careful not to pick on the agency too much before my taxes are due, but I just can't help myself. Last week, Deputy Inspector General for Audit Michael Phillips issued four recommendations to the chief information officer of the IRS. The recommendations are so basic that if these people worked in industry, they would be fired for letting them happen. According to the report, the IRS is doing virus scans on 89 percent of its servers. Why wouldn't they scan 100 percent? Do they really need someone to tell them to scan 100 percent of their servers? The report went on to say that the auditors found that the reason was that the administrators failed to carry out this responsibility. My reaction is what "The Donald" Trump says: "You are fired!"
The second recommendation was that the administrators should not use their privileged accounts to access the Internet. During the week that the auditors monitored account use, 63 administrator accounts accessed the Internet a total of 820 times. I say: "Fired!"
The third recommendation I really had to laugh at. I'm sorry, but do you really need someone to tell you that when an employee blatantly violates IRS Internet access policies, you have to tell him or her? Isn't that a manager's job? To pour more salt into the wound, the IRS does not have a policy on how to deal with such rule-breaking. I know you are saying that I am enjoying this.
The last recommendation I have to agree with. Training users on proper computer, Internet, and e-mail use is very important. However, the IRS claims to have a training program in place that every employee and contractor must certify that they have taken on a yearly basis. This training, The IRS Information Protection Mandatory Briefing, includes a security-awareness refresher and covers common ways users can infect their system. I'm not sure what the problem is here.
I chose this topic for multiple reasons: first, to show readers that even large organizations that have money are no better off than any other organization. In other words, money won't fix all problems. Second, to show you that organizations suffer from similar problems. Granted, you would expect to see the problems outlined in smaller organizations. Finally, if this were to happen in industry, the people responsible would probably be fired or have to go before the audit committee and explain why it happened. I guess that's probably why no one was fired. There is no one holding these people responsible.
I guarantee that next year, or the year after, there will be more findings like this, or worse. We can only hope that now that Vivek Kundra, the new federal CIO, is back on the job, he has the authority to fire people who do not follow some basic IT principles. However, I know that he will be too busy working on way more important projects rather than working on mundane problems like developing IT policies. If they are struggling with these basic issues, it makes you wonder what other problems there are; and I just mean at the IRS. Don't be surprised if you see more break-ins on government servers, an increase in internal threats and more identity theft. I believe that this will happen because it's a year in transition. We have a new administration, a new federal CIO and soon a new federal CTO. Hackers know the best time to attack is in an atmosphere of change.