The Bring Your Own Device Program’s Security Controls Need Improvement

Report Information

Date Issued
Report Number: 2019-20-046
Report Type: Audit
Joint Report: Yes
Participating OIG: Treasury Inspector General for Tax Administration
Agency Wide: Yes (agency-wide)
Questioned Costs: $0
Funds for Better Use: $0

Recommendations

To reduce the risk to the BYOD program, the Chief Information Officer should identify a viable solution or take mitigation actions to prevent data leakage through the screen capture function on personally owned iPhones in the BYOD program.

To reduce the risk to the BYOD program, the Chief Information Officer should coordinate with other IRS offices, such as Labor Relations, to ensure that the employee's manager considers employee Personally Identifiable Information and Internal Revenue Code Section 6103 violations prior to approving participation.

The Chief Information Officer should ensure that the IRM requirement is met and vulnerabilities found on BYOD servers are timely remediated.

The Chief Information Officer should ensure the retention of BYOD program application audit logs for the appropriate period and periodic review of the application audit logs by an independent source.

The Chief Information Officer should ensure the creation and review of an application change log for BYOD program application configuration changes.