The Internal Revenue Service is conducting a pilot program allowing IRS employees to use personal smart phones to access government email accounts and other work related information. The program is known as Bring Your Own Device (BYOD), and the Treasury Inspector General for Tax Administration (TIGTA) has raised concerns about the security and cost-effectiveness of the program in a recent report:
TIGTA expressed concern that the IRS allows BYOD devices access to resources on the IRS network in addition to e-mail access. This increases the risk that privacy and taxpayer data could be compromised. TIGTA also raised concerns about allowing devices based on the Android operating system to participate in the BYOD pilot, because these devices are more subject to malware than the Apple devices tested in earlier phases.
“A Bring Your Own Device program could provide significant benefits and even potential cost savings,” said J. Russell George, Treasury Inspector General for Tax Administration. “However, the IRS must conduct a thorough, realistic cost-benefit analysis before such a program’s benefit can be appropriately ascertained.”
Among the recommendations made by TIGTA are restricting the program to email access only, and delaying Android-device access completely until a risk assessment addressing security concerns is conducted. The IRS agreed with all of TIGTA's recommendations except the Android device delay. TIGTA remains unsatisfied with the IRS's response to the findings in the report:
TIGTA believes that some of the corrective actions proposed by the IRS are inadequate because they are contingent on BYOD expansion or additional funding. The relevant controls should be put in place for the existing BYOD effort, which does not have a clear end date and which is being used by hundreds of employees and devices within the production environment.