Friday, August 11, 2006

Inappropriate Email on 74% of IRS Employees' Computers

TaxProf blog reports:
The Treasury Inspector General for Tax Administration has released "Inappropriate Use of Email by Employees and System Configuration Management Weaknesses Are Creating Security Risks" (2006-20-110):

This report presents the results of our review to determine whether the IRS's email system was being used properly by employees and was secured by system administrators.

Email allows an organization and its employees to better communicate with each other, customers, and business partners. The risk of computer viruses, however, has prompted the IRS to screen for questionable incoming emails, issue a personal use policy on what an employee can and cannot do with email, and conduct awareness training to all employees on the importance of complying with the email use policy. While these efforts established a good foundation for email security, employees are not following the IRS' personal email use policy. In addition, the IRS has unsecured and unauthorized email servers on its computer network. As a result, the IRS' internal network, its computers, and the data maintained on the network could be at risk of being compromised, destroyed, or shut down.

* IRS employees are violating provisions of the personal use policy with their email usage. Specifically, we found inappropriate email messages in 74% of the employee mailboxes reviewed. These inappropriate email messages contained chain letters, jokes, offensive content, and sexually explicit content. The IRS' personal use policy protects the organization from employee actions that might harm or bring unnecessary risk to the organization. For example, hackers have designed email messages containing computer viruses to entice recipients to open them because of their interesting subject lines. Opening these types of emails can activate the computer virus, which in turn could destroy data on computers, enable the hacker to gain unauthorized access to the computer and any sensitive information stored on the computer, and disrupt email and computer operations. While the IRS has conducted awareness presentations and distributed communications to encourage employees to comply with its personal use policy, it does not effectively monitor the email of its employees to ensure compliance with the policy.
Special people.