Inappropriate Personal Use of the Internet Jeopardizes the Security and Privacy of Taxpayer Data
Reference Number: 2003-20-133
This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.
June 16, 2003
MEMORANDUM FOR ACTING CHIEF INFORMATION OFFICER
FROM: Gordon C. Milbourn III /s/ Gordon C. Milbourn III
Acting Deputy Inspector General for Audit
SUBJECT: Final Audit Report - Inappropriate Personal Use of the Internet Jeopardizes the Security and Privacy of Taxpayer Data (Audit # 200320007)
This report presents the results of our review of personal use of the Internet by Internal Revenue Service (IRS) employees. The overall objective of this review was to evaluate employee compliance with the IRS’ Internet usage policy, which was implemented in May 2002.
The IRS’ Internet usage policy permits employees to use Federal Government computers to access the Internet for limited personal reasons as long as the use involves minimal costs. Personal use is permitted during both work and nonwork time for a reasonable duration and frequency of use. The policy provides a list of inappropriate personal uses.
In summary, although the policy is comprehensive and was widely distributed, a substantial number of IRS employees continued to access prohibited sites that put IRS computer systems at risk. During a 1-week period almost 6 months after the policy was implemented, IRS employees accessed over 1 million questionable web site objects from over 19,000 computer addresses. These accesses were to seven categories of sites specifically listed in the IRS policy as inappropriate: sexually explicit web sites, personal email accounts, chat rooms, games, music, instant messaging, and sites from which programs were downloaded. Because of the manner in which the IRS assigns computer addresses and because we had no means to identify all inappropriate sites, we could not determine the exact number of employees who did not comply with the policy. However, the magnitude of the results clearly indicates significant misuse of the Internet in the IRS.
Inappropriate use of the Internet can create unnecessary security risks and result in denial of service for work-related actions. Other adverse effects include productivity losses and increased telecommunications costs. Further, by allowing access to sexually explicit sites, the IRS could be accused of fostering a hostile work environment that could lead to damages and legal costs.
The IRS established a multifaceted process to monitor compliance with its Internet usage policy. Specifically, it published the policy and distributed it to all employees. Vendor software was also purchased to block employee access to certain categories of web sites. In addition, the IRS conducted limited monitoring to identify inappropriate accesses that had avoided the blocking software. However, these actions were not completely effective.
To improve IRS employee compliance with the Internet usage policy, we recommended IRS management require employees to annually document their understanding of the policy, improve site blocking and monitoring controls, and develop a strategy for publicizing Internet abuses to deter future Internet policy violations. We also recommended that the IRS assign sufficient resources for employee Internet monitoring.
Office of Audit Comment: In his response, the Acting Deputy Commissioner for Modernization and Chief Information Officer questioned our approach for counting potential violations because we identified potentially inappropriate web site objects. He stated that if a web site contained 100 objects, then conceivably we would have counted 100 objects as potentially inappropriate when an employee accessed that web site. He further provided hypothetical examples of objects that we may have identified as inappropriate sites just by visiting The Washington Post home page and Congressional web sites.
While web sites can contain multiple objects (e.g., recent tests of the CNN and Yahoo web sites identified 81 and 18 objects, respectively), we would not have identified an object unless the object’s web address contained a key word indicating it may be inappropriate. In any event, the occurrences in our results of potentially inappropriate objects on The Washington Post home page or Congressional web sites were extremely minimal. Only 21 of the 142,359 potentially inappropriate sexually explicit objects were accessed via The Washington Post web site, and only 8 of the 373,281 chat room objects we identified were accessed from Congressional web sites.
We are also certain that we did not identify all inappropriate accesses. As we pointed out in the report, our tests could not be precise due to the mechanics of the Internet. Overall, we used essentially the same methodology to identify misuse that most content-filtering software packages use in blocking sites.
Our intention in citing the total number of potentially inappropriate objects accessed was to emphasize that misuse of the Internet by IRS employees continues to be significant and widespread. Our audit emphasis was not focused on merely demonstrating the volume, especially a precise number, of policy violations. Instead, our results indicate that the relative size of the problem is still significant, and that the IRS should have been in the position to identify and monitor the problem and to initiate appropriate corrective actions, particularly since this is our second report on Internet use.
Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Margaret E. Begg, Acting Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.
In May 2002, the Internal Revenue Service (IRS) implemented an Internet usage policy for its employees. The policy allows employees to use Federal Government computers for limited personal use when such use involves minimal additional expense to the Government and does not overburden any of the IRS’ information resources. The policy states that limited personal use of the Internet should not affect the performance of official duties, interfere with the mission or operations of the IRS, or violate Federal Government ethical standards. Personal use is permitted during both work and nonwork time for a reasonable duration and frequency of use.
The policy was developed because of the expansion of information technology to an ever-increasing number of IRS employees, the issuance of Treasury Directive 87-04, “Personal Use of Government Office Equipment Including Information Technology,” and the desire of the IRS to enhance the quality of the workplace. The policy also addresses issues in the Treasury Inspector General for Tax Administration’s (TIGTA) report entitled, Employees’ Extensive Personal Use of the Internet Should Be Controlled (Reference Number 2001-20-016, dated November 2000). In that report, we discussed that the IRS’ Internet usage policy prohibited any personal use of the Internet but that there was, nevertheless, substantial nonbusiness use of the Internet by IRS employees.
This review was conducted from October 2002 to January 2003, primarily within the Office of Security Services at the IRS National Headquarters in Washington, D.C., in accordance with Government Auditing Standards. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.
The IRS’ policy for employee Internet use clearly and comprehensively states the IRS’ position. The policy includes an appendix that lists inappropriate personal uses. It also describes sanctions for the misuse of information technology equipment and resources.
The IRS distributed the policy in an information package to all employees in May 2002. The package was accompanied by an IRS organization-wide media campaign that included a personal message from the Deputy Commissioner. An extensive Intranet web site provided additional clarification regarding access to certain categories of web sites.
Blocking software was used to prevent access to certain web sites. A web-monitoring process was implemented to identify accesses to inappropriate sites that had avoided the blocking software. In addition, the TIGTA Office of Investigations developed software that analyzes Internet logs to identify workstations accessing sexually explicit and gambling sites.
Employee abuse of the Internet is still widespread. During the week beginning October 20, 2002, over 1 million accesses to web site objects that were likely to be prohibited were made from over 19,000 computer addresses. Some employees continued to access sexually explicit materials, as well as personal email accounts, streaming news, music, and video sites. They downloaded games, music, videos, and other large files.
Inappropriate use of the Internet can create unnecessary security risks and result in denials of service. Organizations the size of the IRS have incurred system restoration costs and productivity losses of up to $11.5 million annually to recover from these security incidents.
Employees who access their personal email accounts via the Internet and those who access other inappropriate sites circumvent the controls designed to protect IRS computer systems. For example, work-related and personal emails sent to IRS employee accounts are screened for viruses and other malicious programs before entering the IRS network. However, emails accessed from personal email accounts via the Internet are not screened prior to entering the network.
Inappropriate use of the Internet could also result in productivity losses and increased costs to purchase enough telecommunications capacity to handle unnecessary traffic, particularly from streaming video and audio. Access to sexually explicit and other sites with inappropriate content can foster hostile work environments that could put the IRS at risk of legal actions and costs.
To make our assessment, we looked for key words in web site titles for seven categories considered inappropriate by the IRS’ policy: sexually explicit web sites, personal email accounts, chat rooms, games, music, programs (i.e., downloading unauthorized software), and instant messaging. For example, we searched firewall logs to identify sites that included the key word “chat” in their title to identify chat rooms accessed by IRS employees.
We recognize that some of these sites may have been accessed for legitimate business reasons. However, we judgmentally tested 283 of the sites and determined that most were obviously inappropriate. The sites we tested were accessed from over 6,000 of the 19,000 computer addresses that had accessed potentially inappropriate sites.
We could not determine the exact number of employees making the accesses. Because of how the IRS assigns computer addresses, a computer could have had more than 1 address during our 1-week test. It is also possible that one employee could have accessed more than one computer during our sample. Conversely, more than one employee could have used the same computer to access the Internet. The time lag in receiving and reviewing the data also hindered our ability to calculate the number of employees misusing the Internet.
We are confident, however, that the number of employees misusing the Internet and the amount of the misuse is significant. The following chart illustrates the activity for our test week:
[Chart: Total Computer Addresses* and Total Objects Accessed** for the test week, by inappropriate-use category]
Source: IRS firewall logs for week of October 20, 2002.
* Total adjusted to reflect that some computers were used to access more than one prohibited category. During the week of our review, 56,085 unique IRS computer addresses were used to access the Internet, of which 19,581 unique computer addresses were likely to have accessed inappropriate sites.
** During the week of our review, IRS employees made over 79,574,412 accesses to web objects, of which 1,067,556 were accesses to sites likely to be inappropriate.
Although a large number of employees accessed sites likely to be inappropriate, a relatively small number of employees appear to be chronic abusers. More than 300,000 (over 28 percent) of the potentially inappropriate accesses made in the 1-week period were made from 122 computer addresses.
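The key-word screening described above, written out as an added example that is not code from the report or from the IRS' own tools: it parses constructed firewall log lines (the log layout, key words, addresses and URLs are all assumptions), tallies objects and unique addresses per category, de-duplicates addresses that appear in more than one category (the chart's asterisk adjustment), counts distinct hosts so object counts can be compared with site counts, and measures the share of flagged objects coming from the busiest addresses.

```python
"""Added example, not from the TIGTA report or the IRS: key-word screening of
firewall log lines into the report's seven categories. Layout, key words,
addresses and URLs below are all assumptions."""
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Illustrative key words (assumed), following the report's approach of
# looking for words such as "chat" in the web address of each object.
CATEGORIES = {
    "sexually_explicit": ("adult", "xxx"),
    "personal_email": ("webmail", "mail."),
    "chat": ("chat",),
    "games": ("game",),
    "music": ("mp3", "music"),
    "programs": (".exe", "download"),
    "instant_messaging": ("messenger",),
}

# Assumed log layout: "<timestamp> <client_address> <ALLOW|DENY> <url>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(ALLOW|DENY)\s+(\S+)$")

# Constructed sample log (one malformed line on purpose); not real IRS data.
SAMPLE_LOG = """\
2002-10-21T09:01:02 10.1.1.5 ALLOW http://chat.example.net/room/1/banner.gif
2002-10-21T09:01:04 10.1.1.5 ALLOW http://chat.example.net/room/1/index.html
2002-10-21T09:02:10 10.1.1.5 DENY  http://games.example.org/play.html
2002-10-21T09:03:00 10.1.1.7 ALLOW http://www.example-news.com/index.html
2002-10-21T09:03:30 10.1.1.7 ALLOW http://webmail.example.com/inbox
2002-10-21T09:04:00 10.1.1.9 ALLOW http://downloads.example.com/setup.exe
2002-10-21T09:04:05 10.1.1.9 ALLOW http://music.example.com/song.mp3
this line is malformed and must be skipped
2002-10-21T09:05:00 10.1.1.7 ALLOW http://www.example-news.com/chat/politics/
2002-10-21T09:06:00 10.1.1.11 ALLOW http://www.example.gov/forms.html
"""

def classify(url):
    """Return every category whose key words occur in the lowercased URL."""
    u = url.lower()
    return [cat for cat, words in CATEGORIES.items() if any(w in u for w in words)]

def screen(lines):
    """Tally objects, unique addresses and distinct hosts per category, plus
    the adjusted (de-duplicated) count of addresses flagged in any category."""
    objects, per_addr = Counter(), Counter()
    addrs, hosts = defaultdict(set), defaultdict(set)
    all_addrs, total_objects = set(), 0
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        _ts, ip, _action, url = m.groups()
        total_objects += 1
        all_addrs.add(ip)
        cats = classify(url)
        if cats:
            per_addr[ip] += 1  # one flagged object, however many categories
        for cat in cats:
            objects[cat] += 1
            addrs[cat].add(ip)
            hosts[cat].add(urlparse(url).netloc)  # site, not object, count
    # Summing per-category address counts double-counts addresses that hit
    # several categories; the union is the adjusted figure (the chart's *).
    offending = set().union(*addrs.values()) if addrs else set()
    return {"objects": objects, "per_address": per_addr,
            "addresses": {c: len(s) for c, s in addrs.items()},
            "hosts": {c: len(s) for c, s in hosts.items()},
            "unique_offending": len(offending),
            "total_addresses": len(all_addrs), "total_objects": total_objects}

def top_share(per_addr, n):
    """Flagged objects from the n busiest addresses and their share of all
    flagged objects: the report's measure of chronic abusers."""
    total = sum(per_addr.values())
    top = sum(c for _, c in per_addr.most_common(n))
    return top, (top / total if total else 0.0)
```

Running `screen(SAMPLE_LOG.splitlines())` on the constructed log flags 3 of 4 addresses, although the per-category address counts sum to 6, which is the double-counting the chart's footnote adjusts for.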
Employees were able to continue violating the Internet usage policy because:
· Efforts made to maintain employee awareness of the policy were not sufficient.
· Blocking software was not effective or fully used.
· The monitoring of Internet use was not effective.
Efforts made to maintain employee awareness of the policy were not sufficient
As previously mentioned, the IRS initiated extensive steps to ensure employees were made aware of the new policy. From our test results, it is obvious that many employees forgot, misunderstood, or ignored the policy requirements.
Since the initial distribution of the policy to all employees, little has been done to remind employees of their responsibilities for using the Internet. The IRS also has not taken the opportunity to publicize the results of any Internet monitoring activities being performed. Widespread publicity regarding the monitoring of the policy would provide a deterrent to further inappropriate use of the Internet.
IRS employees are also required to annually acknowledge their awareness of security policies by signing an Information System User Registration/Change Request (Form 5081). However, the Form 5081 does not specifically cite the IRS’ Internet usage policy in the Information Systems Security Rules section. As a result, an opportunity to annually refresh employees’ understanding of the policy and document their acknowledgement was missed.
Blocking software was not effective or fully used
During our 1-week test, approximately 40,000 of the over 1 million inappropriate accesses were blocked by content-filtering software. We identified 294,619 accesses to game sites, but the software blocked only 12,834. We identified 142,359 accesses to sexually explicit sites, but the software blocked only 24,610. The IRS’ Computer Security Incident Response Center (CSIRC) indicated that the software had been inoperative for periods of time and had allowed prohibited traffic to bypass the filtering process during periods of high activity. The CSIRC indicated that it was working with the vendor to resolve these problems.
Also, at the time of our review, the software’s access-blocking capabilities were not in full use. The software was not set to block accesses to chat rooms, music sites, or streaming audio or video media, even though those categories are expressly prohibited by the Internet usage policy.
The monitoring of employee Internet use was not effective
Much of the inappropriate activity identified in our review was not identified by the CSIRC. We matched our results of the top five potential violators for each of our seven categories with the CSIRC’s incident reports for the same time period. Only 7 of the 35 computer addresses with the most inappropriate accesses were identified by the CSIRC.
The CSIRC indicated that resources were not always available for this monitoring due to other incident response priorities. The CSIRC has primary responsibility for intrusion detection, firewall administration, computer forensics, and incident response.
Records indicate only 126 employees were identified for disciplinary actions due to Internet abuses from May 2002 to January 2003. Eighteen cases are still open and 108 cases have been closed. Actions were taken on almost 90 percent of the cases, with dispositions including employee suspension and removal. We did not review case files to evaluate the appropriateness of actions taken. However, it appears that when cases were forwarded to IRS management, actions were taken.
The TIGTA Office of Investigations also monitors Internet usage with an automated software program it developed. This software is used for tracking the top 20 daily computer address policy violations for sexually explicit and gambling accesses. The Office of Investigations was primarily interested in these two categories because the accesses could be criminal violations. The software identified 60 percent of the same computers accessing sexual content that we identified and some additional potential computer violations that we did not identify. We attribute the disparities in identifying the computer address violations to differences in the key word criteria used to identify abuses.
To improve the IRS’ process for identifying and referring violations of the policy, we believe that the Office of Investigations program for dealing with sexually explicit and gambling accesses could be merged with our strategy for identifying and categorizing other types of abuses. The IRS’ use of the modified software could improve its identification of abuses and reduce monitoring costs.
To resolve the identified issues, the Deputy Commissioner for Modernization & Chief Information Officer should:
1. Include the Internet usage policy as part of the annual security awareness process, which requires employees to sign Forms 5081 acknowledging that they are aware of their security responsibilities, or require employees with access to IRS computers to sign statements that they have read and understand the policy provisions.
Management’s Response: Management added the Internet usage policy into this year’s annual security training. Although management did not commit to including this issue on Form 5081, the annual security training should be adequate.
2. Resolve the deficiencies with the current blocking software, or replace it with more effective content-filtering technology, and use it to prevent accesses to a wider range of inappropriate sites.
Management’s Response: Management has reconfigured system components and improved restrictions for known chat rooms and other high-risk sites. Actions are planned to analyze and implement a long-term content-filtering solution that dynamically updates sites that should be blocked.
3. Assign sufficient resources to monitor and analyze employee Internet usage.
Management’s Response: Management has assigned responsibility for monitoring Internet usage under the Chief, Security Services, and authorized the hiring of a program manager to carry out these responsibilities. Responsibility for processing inappropriate Internet access activity has been centralized to ensure consistency of treatment.
4. Expand the use of existing Office of Investigations software that identifies accesses to sexually explicit and gambling sites to the other inappropriate uses specified in the Internet usage policy.
Management’s Response: Management is evaluating the existing software for identifying accesses to sexually explicit and gambling sites to determine if it can be applied to other inappropriate uses.
5. Work with the Offices of Tax Administration Coordination and Communications and Liaison to develop a strategy, which includes publicizing Internet abuses, to deter future Internet policy violations.
Management’s Response: The Acting Commissioner issued a memorandum to all managers requiring them to ensure that all employees are familiar with the Internet usage policy and the potential disciplinary actions related to violations. Actions are planned to develop a comprehensive communication plan that includes multiple techniques, such as payroll stuffers, for presenting the Internet usage policy and related issues.
The overall objective of this review was to evaluate employee compliance with the Internal Revenue Service’s (IRS) Internet usage policy. This review is a follow-up to a previous Treasury Inspector General for Tax Administration (TIGTA) report entitled, Employees’ Extensive Personal Use of the Internet Should Be Controlled (Reference Number 2001-20-016, dated November 2000).
I. To evaluate the processes used by the IRS to disseminate the Internet usage policy to all employees, we:
A. Researched the IRS’ Intranet web site for the current Internet usage policy, which went into effect May 13, 2002.
B. Researched the methods the IRS used to provide employees with the policy and guidance on what usage is and is not allowed.
II. To evaluate the Internet usage policy to determine whether it adequately addresses all security risks arising from Internet accesses, we compared the Internet usage policy with Internal Revenue Manual 25.10, Treasury Directive (TD) Publications 71-10, TD 87-04, and other similar Federal Government guidelines to identify unallowable practices that are not addressed in the IRS’ Internet usage policy.
III. To identify the controls and processes in place to monitor compliance with the Internet usage policy and to detect/prevent inappropriate accesses, we:
A. Discussed with the Agency-Wide Shared Services’ Personnel Services staff the role they have in investigating and monitoring Internet usage, the controls and processes that they use to monitor Internet usage, the administrative actions taken for inappropriate Internet access over the 6 months prior to the start of our review, and actions they perform to curb inappropriate accesses by employees.
B. Discussed with the IRS’ Office of Security Services staff the role they have in investigating and monitoring Internet usage, the controls and processes that they use to block or monitor inappropriate Internet usage, the actions taken when inappropriate access is identified, the actions they perform to curb inappropriate Internet accesses by employees, and whether the web-monitoring product is installed at all gateways leading to the Internet.
C. Discussed with TIGTA Office of Investigations employees the role they have in investigating and monitoring Internet usage, the actions they perform to curb inappropriate Internet accesses by employees, and whether they investigated any inappropriate Internet usage cases in the 6 months prior to the start of our review.
IV. To determine whether there was Internet traffic to sites that are deemed inappropriate by the Internet usage policy, we:
A. Requested the firewall logs for all of the Internet gateways used by the IRS for a full week, approximately 6 months after the policy went into effect. We judgmentally selected the week of October 20, 2002.
B. Retrieved the Domain Name Service (DNS) tables from the Department of the Treasury or IRS Internet DNS fileservers to verify whether all of the IRS’ Internet gateways listed on the DNS tables were accounted for in the firewall logs.
C. Screened the log files for seven categories of Internet web site accesses or downloads that are deemed to be inappropriate by the Internet usage policy. We judgmentally selected a total of 283 sites (at least 20 from each of the 7 categories of inappropriate uses) to confirm that the sites were inappropriate. The 283 sites were visited by 6,330 computer addresses during our 1-week test period.
D. Reviewed the log files for web accesses that had been denied by the application used to stop accesses to inappropriate sites and ascertained what actions were taken by management to prevent ongoing abuses by the addresses with significant numbers of denied accesses.
E. Matched the programs downloaded from the Internet to a list of known malicious software programs based on names and file sizes.
Gary V. Hinkle, Acting Assistant Inspector General for Audit (Information Systems Programs)
Steve Mullins, Director
Leon Niemczak, Audit Manager
Richard Borst, Senior Auditor
Bret Hunter, Senior Auditor
Louis Lee, Senior Auditor
Midori Ohno, Senior Auditor
Larry Reimer, Senior Auditor
Deputy Commissioner for Operations Support N:DC
Chief, Agency-Wide Shared Services A
Chief, Security Services M:S
Chief, Tax Administration Coordination N:ADC:T
Director, Portfolio Management M:R:PM
Director, Strategic Human Resources N:ADC:H
Chief Counsel CC
National Taxpayer Advocate TA
Director, Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis N:ADC:R:O
Office of Management and Controls N:CFO:AR:M
Deputy Commissioner for Modernization & Chief Information Officer M
Chief, Security Services M:S
Director, Strategic Human Resources N:ADC:H
The response was removed due to its size. To see the complete response, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.