IRS Mulls Allowing Employees to Bring Their Own Devices

The Internal Revenue Service is trying to decide whether to let its employees bring their own smartphones to work to access their email and other services, but a new report suggests that the IRS first needs to perform a better cost-benefit analysis and put in place more stringent security measures, including a ban for now on Android devices.

The report, from the Treasury Inspector General for Tax Administration, questions whether the Bring Your Own Device, or BYOD, program is cost-effective and adequately protects taxpayer data. BYOD is a growing trend in mobile computing that allows users to access network resources on their personal mobile devices, such as smartphones. The overall objective of TIGTA’s review was to evaluate the IRS’s costs, administration and security for its BYOD efforts.

As a test, the IRS purchased 1,000 mobile device management software licenses in June 2012 for use by employees with personally owned iPhones, iPads, and Android smartphones. As of May 2013, 519 licenses were being used, all but two for iPhones and iPads.

But TIGTA found that the IRS has not developed a complete cost-benefit analysis to fully justify the implementation of the BYOD concept. While the IRS did compare the estimated cost of BYOD to the cost of the IRS’s existing mobility programs prior to starting the BYOD pilot project, it has not updated the cost-benefit analysis. The initial analysis overestimated the number of existing smartphone users. The January 2013 IRS analysis was based on 5,000 BlackBerry users and 15,000 cell phone users. The IRS has approximately 4,300 BlackBerry users and about 10,500 cell phone users.

The IRS’s initial analysis assumed that all employees with IRS-provided cell phones or smartphones would willingly choose to participate in BYOD. However, TIGTA found that nearly half the mobile device management software licenses purchased by the IRS for use in the test are not being used.

TIGTA expressed concern that the IRS allows BYOD devices access to resources on the IRS network in addition to email access. This increases the risk that privacy and taxpayer data could be compromised. TIGTA also raised concerns about allowing devices based on the Android operating system to participate in the BYOD pilot, because these devices are more subject to malware than the Apple devices tested in earlier phases.

“A Bring Your Own Device program could provide significant benefits and even potential cost savings,” said TIGTA Inspector General J. Russell George in a statement. “However, the IRS must conduct a thorough, realistic cost-benefit analysis before such a program’s benefit can be appropriately ascertained.”

TIGTA made five recommendations, including that the IRS ensure that a cost-benefit analysis for BYOD is completed that complies with federal guidance. TIGTA also suggested that the IRS allow access only to email and defer allowing the use of Android devices until a security risk assessment has been conducted.

IRS management agreed with four of TIGTA’s five recommendations and proposed some corrective actions that it plans to take only if the BYOD pilot is expanded or funding is identified. IRS management disagreed with the recommendation to defer admitting Android devices into the pilot until a security-risk assessment is completed.

The IRS noted that the BYOD test was a technology demonstration and the IRS is evaluating various devices through a controlled secure environment. IRS executive management had gone through a cybersecurity mobile computing security technology review and issued an authorization to conduct a BYOD technology demonstration that includes Android devices.

“We appreciate TIGTA’s concerns about the Bring Your Own Device (BYOD) technology demonstrator as acknowledged in your draft report,” wrote IRS chief technology officer Terence Milholland in response to the report. “The BYOD technology demonstrator explores the full possibilities of mobile device options for IRS employees. We consider some of the recommendations in your report more appropriate for a BYOD program in production. While BYOD remains in an exploratory mode, we will continue to evaluate the pros and cons of the technology with due diligence to data security and cost effectiveness.”

But TIGTA said it believes that some of the corrective actions proposed by the IRS are inadequate because they are contingent on BYOD expansion or additional funding. The report recommended that the relevant controls should be put in place for the existing BYOD effort, which does not have a clear end date and is being used by hundreds of employees and devices within the production environment.
