IRS earns `C-minus' rating for security policies

The Internal Revenue Service last week received a "C-minus" grade for work on its information security policies and procedures from a consultant who said the agency's biggest challenge is to match the protection it has developed for data to employees' need for access.

Joseph Mahaffee a principal with Booz-Allen & Hamilton Inc. McLean Va. told the National Commission to Restructure the IRS that most agencies and private companies rate a "C or C-minus" for their network security weaknesses which are compounded by rapid changes in computing technology.

"Some things are being done that would clearly improve" the security of the IRS' data and systems "but we can't remain fixed on what we've done today."

Mahaffee said the agency must decide how much risk it can live with when sharing data and make investments in accordance with an overall security "support structure." Although Booz-Allen has a consulting contract with the Treasury Department the IRS has not been a client a company spokeswoman said and Mahaffee was invited to testify based on his work with national security systems.

The IRS is in the process of developing agencywide standards and policies said Leonard Baptiste Jr. director of the IRS' recently created Office of Systems Standards and Evaluation. Baptiste said security measures are not necessarily integrated across the agency's multiple networks though "a lot of people are doing a lot of good work on the ground."

The commission is reviewing all the IRS' operations and plans to recommend later this year steps that the IRS or Congress should take to improve how the agency does business. Sen. Bob Kerrey (D-Neb.) co-chairman of the commission said he thinks "there is great vulnerability" to the IRS' systems today.The agency has struggled for several years to define its security policies and last year abandoned a system to allow filing of tax returns over the Internet in part because auditors concluded the system was vulnerable to hackers. In a policy paper circulated last month the IRS said security concerns were a major reason why it has not been able to accept more tax returns electronically.

Employee Access a Hurdle

Because of the security risks commission member Josh Weston chief executive officer of Automated Data Processing Inc. questioned whether the IRS should rethink plans it has to improve customer service by providing employees with PCs that they would use to gain access to multiple databases.

Rich Pethia director of the Computer Emergency Response Team a clearinghouse for security information at Carnegie Mellon University Pittsburgh said the IRS has to decide whether its need for wide distributed access is worth the risks that come with this technology.

Pethia said PC networking and Internet technology were not originally engineered "for this unbounded environment" and for use by people who are not technical experts. He said users and systems administrators need to be better trained in how to protect systems and customers have to start demanding that information technology products include better safeguards against intruders.