IRS Told to Step Up E-mail Server Security

August 16, 2006 - The Internal Revenue Service said it would better monitor its e-mail servers after a review found that a high number of IRS employees were misusing e-mail.

The Treasury Inspector General for Tax Administration (TIGTA), which oversees IRS activities, found that the mailboxes of 71 of 96 employees (74%) contained inappropriate e-mail messages. These included nearly 2,000 chain letters; 528 messages with offensive content; 55 with sexually oriented content; 22 involving prohibited activities, including e-mail relating to work on for-profit projects or other outside employment; and 18 carrying large graphics or video files.

The TIGTA review found that, in addition to monitoring employees’ e-mail poorly, the agency had not taken a hard-line approach toward disciplining those who violated agency policies: 283 IRS employees were disciplined for abusing e-mail from 2003 to 2005, and four of those cases led to resignations.

In response to the report, IRS Chief Information Officer W. Todd Grams said his office will ensure that the agency steps up disciplinary action for abuse of e-mail policies. Grams also said his security chief will review the agency’s policy on e-mail content monitoring and recommend a content monitoring program by May 15, 2007.

The report also found unsecured and unauthorized e-mail servers on the agency’s internal computer network, which means the computers and data maintained on that network could be at risk of being compromised, destroyed or shut down. The report recommended that the agency limit the number of e-mail servers to the lowest number needed for e-mail operations.

In addition to monitoring e-mail inadequately, the agency has not properly secured its 228 authorized e-mail servers, the report said. A scan of 28 of those servers found 687 security vulnerabilities, 250 of them considered high risk. The agency’s network also hosts 4,913 unauthorized Internet Protocol (IP) addresses at which devices or servers are configured to act as e-mail servers, according to the report. E-mail received by any of these servers has to pass through the agency’s security software.

The agency will enforce security patches by November 1, 2007, and by August 1, 2007 system administrators will conduct periodic scans to identify unauthorized e-mail servers, Grams said in response to the report.
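The periodic scan the IRS committed to is, in practice, a reconciliation job: take the list of hosts that answer on mail-service ports and subtract the inventory of servers that are supposed to offer mail. The following script is an added illustration of that check; it is not code from the TIGTA report or the IRS. The authorized-server list and the scan output are constructed sample data, and the scan text is modeled on nmap’s grepable (`-oG`) output format; the `find_unauthorized_mail_servers` function and the port set it uses are this example’s own assumptions.

```python
"""Reconcile a port-scan result against an inventory of authorized mail servers.

Added example (not from the TIGTA report). All hosts, addresses and scan
lines below are constructed sample data.
"""
import ipaddress
import re
from typing import Dict, List, Set

# TCP ports on which a host offering mail service would usually listen
# (assumed set for this example: SMTP, SMTPS, message submission).
MAIL_PORTS: Set[int] = {25, 465, 587}

# Constructed inventory of servers that are allowed to act as mail servers,
# given as single addresses or CIDR blocks.
AUTHORIZED_MAIL_SERVERS: List[str] = [
    "10.10.5.10",
    "10.10.5.11",
    "10.20.0.0/28",
]

# Constructed scan output, modeled on nmap's grepable (-oG) format:
# "Host: <ip> (<name>)\tPorts: <port>/<state>/<proto>/<owner>/<service>/<rpc>/<version>, ..."
SAMPLE_SCAN = """\
# Constructed scan output, not real IRS data
Host: 10.10.5.10 ()\tPorts: 25/open/tcp//smtp///, 587/open/tcp//submission///
Host: 10.10.5.11 ()\tPorts: 25/open/tcp//smtp///
Host: 10.10.7.42 ()\tPorts: 25/open/tcp//smtp///, 80/open/tcp//http///
Host: 10.20.0.3 ()\tPorts: 465/open/tcp//smtps///
Host: 10.30.1.9 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///
Host: 192.168.44.200 ()\tPorts: 25/filtered/tcp//smtp///, 587/open/tcp//submission///
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+(.*)$")


def parse_grepable(text: str) -> Dict[str, Set[int]]:
    """Map each scanned host to the set of TCP ports reported as open.

    Lines that are not "Host:" records (comments, headers) are skipped, and
    any trailing fields after the port list are ignored.
    """
    hosts: Dict[str, Set[int]] = {}
    for line in text.splitlines():
        match = HOST_RE.match(line.strip())
        if not match:
            continue
        ip, ports_field = match.groups()
        open_ports: Set[int] = set()
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            # fields: port, state, protocol, owner, service, rpc info, version
            if len(fields) < 3:
                continue
            port, state, proto = fields[0], fields[1], fields[2]
            if state == "open" and proto == "tcp" and port.isdigit():
                open_ports.add(int(port))
        hosts[ip] = open_ports
    return hosts


def build_allowlist(entries: List[str]) -> List[ipaddress.IPv4Network]:
    """Turn address/CIDR strings into network objects for membership tests."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_authorized(ip: str, allowlist: List[ipaddress.IPv4Network]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowlist)


def find_unauthorized_mail_servers(scan_text: str,
                                   authorized_entries: List[str]) -> Dict[str, List[int]]:
    """Return {ip: [open mail ports]} for hosts offering mail service
    that are not in the authorized inventory."""
    allowlist = build_allowlist(authorized_entries)
    findings: Dict[str, List[int]] = {}
    for ip, ports in parse_grepable(scan_text).items():
        mail_ports = sorted(ports & MAIL_PORTS)
        if mail_ports and not is_authorized(ip, allowlist):
            findings[ip] = mail_ports
    return findings


if __name__ == "__main__":
    for ip, ports in find_unauthorized_mail_servers(SAMPLE_SCAN, AUTHORIZED_MAIL_SERVERS).items():
        print(f"unauthorized mail server {ip} listening on {ports}")
```

Run against the constructed data, the check flags `10.10.7.42` (SMTP on port 25) and `192.168.44.200` (submission on port 587) and passes over `10.20.0.3`, which falls inside an authorized CIDR block, and `10.30.1.9`, which exposes no mail ports. Feeding it a real scan export and the real inventory, and diffing the result against the previous run, is the routine the report’s recommendation amounts to.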

Aware of the security dangers of allowing employee e-mail to go unmonitored, employers have begun stiffening their disciplinary approach. One recent survey found that 26% of employers terminated employees for e-mail misuse; 2% dismissed workers for inappropriate instant messenger (IM) chat; and nearly 2% fired workers for offensive blog content, including posts on employees’ personal home-based blogs (See Employers Tightening Controls on Employees’ At-Work Computer Use).

Another government agency that has tightened its security measures is the Thrift Savings Plan (See TSP Takes New Measure to Enhance Data Security). The move was triggered in March, after plan participants reported receiving suspicious e-mail. The bogus e-mail directed recipients to a site that asked them to type in their Social Security number and TSP personal identification number, or PIN (See Scammers ‘Phish’ for TSP Participant Info).

For the full TIGTA report, go here.