U.S. flag

An official website of the United States government

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock () or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

October 31, 2011
TIGTA - 2011-74
Karen Kraushaar
karen.kraushaar@tigta.treas.gov
TIGTACommunications@tigta.treas.gov
(202) 622-6500

TIGTA: IRS Needs To Improve Security Over Wireless Technology

WASHINGTON - As the Internal Revenue Service (IRS) expands its use of wireless

technology, it needs to improve its oversight of the protection of IRS computer systems and

taxpayer data, according to a report released today by the Treasury Inspector General for Tax

Administration (TIGTA).

The IRS currently uses a wireless local area network (WLAN) at its National Distribution Center

in Bloomington, Indiana, and allows some employees to use wireless technology to connect to

the IRS network from remote locations.

TIGTA reviewed whether the IRS has implemented effective controls to detect the unauthorized

use of wireless technology and reviewed its plans for increasing use of WLAN technology.

TIGTA found that the IRS: established a wireless security policy that was generally in

compliance with Federal standards; deployed continuous monitoring procedures for detecting

rogue wireless access points and other computing devices; and used a virtual private network

(VPN) to facilitate the secure transfer of sensitive data during remote access using wireless

technology.

However, TIGTA also found that some IRS employees were using personal unauthorized

wireless devices on their laptops to connect to the IRS network. Although these employees were

authorized to access the network, the use of personal wireless devices is prohibited.

Further, the IRS developed software to enable laptops to wirelessly connect to the IRS network

from non-IRS facilities (home, airport, or hotel) and allowed its use by approximately 300 users

before the software was properly tested and approved for use enterprise-wide.

"While wireless communications can allow IRS employees to operate more efficiently,

protecting the security of taxpayer data must always be the top priority," said J. Russell George,

Treasury Inspector General for Tax Administration.

TIGTA recommended that the IRS: 1) implement automated nationwide network scans for

unauthorized wireless activity, devices, and software; 2) ensure that a security assessment and

authorization is completed for all wireless technologies prior to use in the IRS environment; and

3) resume monitoring of the WLAN at the National Distribution Center at appropriate intervals

to ensure all files are set in accordance with IRS security policy.

The IRS agreed to take corrective actions to address two of TIGTA's recommendations, but

disagreed that IRS policy requires completion of a security assessment and authorization on

wireless technologies that it is piloting or demonstrating. TIGTA maintains that prior to placing

wireless technologies on the live IRS network, the IRS should ensure that it has completed the

required security assessment and authorization.