Your own people may be the problem

A recent independent audit of computer systems at five Internal Revenue Service field offices found dozens of security lapses. Five out of 12 systems administrators and security specialists, for instance, did not know who was responsible for maintaining Microsoft Corp. Windows workstations and servers or for applying and testing security patches.

At least eight out of 12 administrators whom the auditors interviewed said they had not been checking computers under their control for unauthorized changes to systems that were supposed to be kept securely configured.

Auditors also discovered that 28 out of 206 user accounts for employees who no longer worked for the IRS were active, meaning those former employees could still gain access to agency computer systems. An average of 139 days had elapsed since the 28 employees had worked for the IRS.

Some employees with frontline responsibility for computer security said they had received no security training in at least three years.

The audit report, which the Treasury Inspector General for Tax Administration released in January, states that the agency has a plan for fixing those and other security problems by March 31.

Although the independent audit found significant computer security weaknesses within some of the IRS' offices, the tax agency is not exceptional. Federal managers and security analysts say that maintaining secure computer systems and networks has grown to be a time-consuming and expensive activity for every government organization.

Even so, some organizations need to do more than others to protect themselves from external attacks. "High-profile agencies like the IRS need to put more resources into perimeter security than a low-profile agency, which can focus on internal security," said Peggy Begg, assistant inspector general for information systems programs for the Treasury Inspector General for Tax Administration.

IRS officials, aware of the agency's visibility as a potential target, have rolled up all of its internal security operations, including computer and information security activities, into a single organization called the Office of Mission Assurance. That reorganization is nearly completed, said Daniel Galik, the new chief of mission assurance.

In other federal agencies, security managers have tackled the security threat by contracting with outside experts for managed security services. In some cases, the agencies pay service providers to manage their firewalls or monitor their intrusion-detection system logs.

With few exceptions, however, a surprising number of federal officials say that employees are the primary cause of computer security lapses, and therefore, managers who want to spend their limited resources most effectively should offer appropriate levels of security training and awareness for all of their workers.

Although good security policy and adequate security technology are both important, effective computer security depends on employees' familiarity with those policies and knowing how to use the technology they have, said Begg, who had a primary role in the IRS audit.

A strong believer in the value of security training and awareness activities, she said she has found from her years of auditing that most employees who violate security policies do so because they are uninformed about good computer security procedures and unaware of their agency's security policies. Begg knows of hackers, for example, who have successfully bypassed an Internet gateway firewall by pretending to work on the help desk and then asking employees to divulge their passwords.

Even the most sophisticated technical security systems can be breached, she said, if employees are naive or fail to follow good rules of behavior.