Almost 700 unauthorized users in IRS communications platform: TIGTA

The Treasury Inspector General for Tax Administration said in a recent report that the Internal Revenue Service has done much to secure its Taxpayer Digital Communications platform, but nonetheless pointed out that, during the course of its inspection, there were still hundreds of people with unauthorized access.

The TDC platform enables faster communication with the IRS and offers taxpayers and their authorized representatives the ability to securely send and receive electronic messages and documents to and from IRS agents and customer service representatives. The platform was developed by eGain Corp., which also maintains it as a dedicated managed service provider. The IRS has been using the company's services for this purpose since 2016.

The good news is that all servers maintained by the company for the IRS are encrypted and in compliance with the proper information processing standards. The bad news is that, despite this, hundreds of unauthorized users have access to this system. In total, the TIGTA inspection found 681 unauthorized users on the platform, out of 3,939 total users. This accounts for 17.3% of users. The proportion was even grimmer when it came to those with access to privileged information: While only 7 people had authorization to access that information, the system had a total of 70 people with the ability to access the system; 57 of those 70 had authorization but not at the proper level, while 12 had no authorization at all.

On top of this, TIGTA also found that 498 TDC platform user accounts were authorized yet still did not have access to the platform, encompassing 12.6% of users. And among those who once had authorization and needed to continue it for legitimate business purposes, many could not get it renewed. TIGTA said that 735 of the users with authorizations who needed them extended were not renewed in a timely manner.

TIGTA recommended:

  • Ensuring that the standard operating procedures are updated to require continuous monitoring security reviews, and that the security reviews are conducted;
  • Having eGain MSP personnel upgrade antivirus software on a timely basis and in accordance with requirements;
  • Making sure that users are both authorized and have access to the TDC platform; and,
  • Developing a process to identify, quarantine, and remove user accounts for inactivity on a timely basis in accordance with requirements.

The IRS agreed with the recommendations.
