Dec 4th 2013
By Jason Bramwell, Staff Writer
The IRS is piloting a program that would allow employees access to work e-mail and other services on their personal smartphones, but according to a report released publicly by the Treasury Inspector General for Tax Administration (TIGTA), the IRS bring-your-own-device (BYOD) program should be cost effective and a full cost-benefit analysis is needed.
BYOD is a popular trend in mobile computing that allows users to access network resources on their personal mobile devices, such as smartphones and tablets. While BYOD has the potential to provide organizations with cost savings, increased productivity, and improved employee satisfaction, mobile devices often need additional protection due to threats of identity theft and malware exposure.
For its report, Better Cost-Benefit Analysis and Security Measures Are Needed for the Bring Your Own Device Pilot, TIGTA evaluated the IRS' costs, administration, and security for its BYOD effort.
The IRS purchased 1,000 mobile device management software licenses in June 2012 for use by employees with personally owned iPhones, iPads, and Android smartphones. As of May 2013, 519 licenses were being used – all but two for iPhones and iPads.
TIGTA found that the agency has implemented several noteworthy actions for its BYOD pilot, including taking a phased approach and considering security. However, even though the IRS has spent more than $900,000 on mobility, the agency has not developed a complete cost-benefit analysis to fully justify the implementation of the BYOD concept. The White House BYOD Toolkit document states that BYOD should be cost effective, and a cost-benefit analysis is essential.
"While the IRS did prepare a simple cost analysis that compared the estimated cost of BYOD to the cost of the IRS' existing BlackBerry and cell phone programs prior to starting the BYOD pilot, the analysis was not updated with complete information on assumptions and costs," TIGTA stated in the report. "Consequently, as the pilot expanded, IRS managers relied on the original assumptions and cost projections in the analysis, which did not provide a sufficient basis for informed decision making."
The initial analysis overestimated the number of existing smartphone users. The January 2013 IRS analysis was based on 5,000 BlackBerry users and 15,000 cell phone users. However, in February 2013, the IRS told TIGTA it has about 4,300 BlackBerry users and about 10,500 cell phone users.
The initial analysis also assumed that all employees with IRS-provided cell phones or smartphones would willingly choose to participate in BYOD. However, nearly half of the mobile device management software licenses purchased by the IRS for use in the test are not being used.
Additionally, increased attention is still needed to address security concerns related to the 460 users participating in the BYOD pilot. The IRS allows BYOD devices access to resources on the IRS network in addition to providing e-mail access, increasing the risk that privacy and taxpayer data could be compromised.
The IRS also allows devices based on the Android operating system to participate in the BYOD pilot, even though these devices are more subject to malware than the Apple devices tested in earlier phases. Audit trails and training also need to be improved, according to TIGTA.
"The IRS estimates that it has spent more than $900,000 on its phased mobility efforts, including the BYOD pilot," the report stated. "While some issues existed with its analysis, the IRS estimated that a fully deployed program could cost about $3.9 million to start up and about an additional $2.2 million a year in ongoing costs for up to 20,000 users. This compares favorably to the IRS' estimate of about $7.6 million in annual costs for 20,000 users in the existing program."
TIGTA made the following five recommendations to IRS Chief Technology Officer Terence Milholland:
- Ensure that a cost-benefit analysis for BYOD is completed that complies with federal guidance.
- Ensure that BYOD users are allowed access to e-mail functions only.
- Take additional steps before admitting Android devices into the BYOD pilot.
- Retain and review audit trails in compliance with existing policies.
- Provide periodic training for BYOD participants on threats and recommended security practices specific to BYOD.
The IRS agreed with four of the five recommendations and proposed some corrective actions that it plans to take only if the BYOD pilot is expanded or funding is identified. The IRS disagreed with the recommendation to defer admitting Android devices into the pilot program until a security risk assessment is completed.
TIGTA contends that some of the corrective actions proposed by the IRS are inadequate because they are contingent on BYOD expansion or additional funding.
"The BYOD technology demonstrator explores the full possibilities of mobile device options for IRS employees," Milholland wrote in response to the report. "We consider some of the recommendations in [the TIGTA report] more appropriate for a BYOD program in production. While BYOD remains in an exploratory mode, we will continue to evaluate the pros and cons of the technology with due diligence to data security and cost effectiveness."