Date post: 23-Apr-2020
Page 1: 504 How to Pass Your Assessment Successfully - Leading Practices in Implementing … · 2016-07-29 · How to Pass Your Assessment Successfully – Leading Practices in Implementing

How to Pass Your Assessment Successfully – Leading Practices in Implementing IRS 1075 Guidelines

Page 2: Introductions

• Erin Frisch, IV-D Director, Michigan
• Vik Bansal, Managing Director, Deloitte & Touche LLP, Cyber Risk Services
• Ed Pagett, Chief Information Security Officer, MAXIMUS
• Liesa Stockdale, IV-D Director, Utah

Page 3: Disclaimer

• We are not representatives of the IRS
• The views expressed are ours and do not reflect those of any employer or the IRS
• IRS 1075 Security Requirements continue to evolve

Page 4: IRS Publication 1075 Overview

• The IRS Safeguards Program is responsible for ensuring that FTI is protected at all points where it is received, processed, stored and maintained, and secured as if it never left the possession of the IRS.
• An agency must ensure that its safeguards will be ready for immediate implementation upon receipt of FTI.
• Publication 1075 requires applicable agencies to complete a Safeguard Procedures Report (SPR) and an annual Safeguard Activity Report (SAR) and to submit the reports to the IRS for review.

Page 5: Understanding the Requirements

• Oct. 2014 - Last major release of IRS 1075
  – Added 800-53 r4 controls
  – Added encryption requirements for FTI in transit and VOIP encryption requirements
• Dec. 2015
  – Memo released clarifying encryption requirements
  – Notification Requirements
• Dec. 2015 Notification Requirements (forms)
  – Notification requirements for Data warehouse uses of FTI
  – Live Data Testing
  – Protection of FTI virtual environments
  – Protection of FTI in Cloud Computing environments
• Dec. 2015 Safeguards Technical Assistance - IVR
  – IVR System Architecture
  – System Hardening
  – Independent Security Testing
  – Customer Authentication
• Dec. 2015 Safeguards Technical Assistance - Mobile Device Environment
• Announcement of pending update (June 1, 2016)

Page 6: Understanding the Requirements - Quick View

1. Record Keeping Requirements: Maintain a persistent system of all FTI records and anything related to it, including access rights.
2. Secure Storage: Details about the physical and electronic security of the place where FTI data is kept. It includes things like restricted areas, authorized access, locks & keys, safes/vaults, transportation security, and security of computers and storage media.
3. Restricting Access: Details related to access to FTI data.
4. Reporting Requirements: Periodic reports like the SAR (Safeguard Activity Report) and the SPR (Safeguard Procedures Report) need to be sent to the IRS.
5. Training and Inspections: Awareness about security and annual certification of employees. Annual inspections are also needed to validate proper implementation.
6. Disposal: Proper standards related to FTI data disposal for physical and electronic media.
7. Computer System Security: Probably the most complex and detailed section of this regulation, covering everything from access control, cryptography, email and networking to wireless technologies and any emerging technologies.

Page 7: Your FTI Use

• Inventory Existing Use
• Reduce Surface Area – Minimize & Isolate FTI
• Apply Controls Post Reduction

Page 8: Planning & Preparation

• Understanding Your Use of FTI
• Understanding the Requirements
• Preparation/Posture vs Project/Perfection
• Communication & Negotiation
• Security vs Compliance vs Privacy

Page 9: Audit Preparation – Be Kind to Yourself

• Keep the data as isolated and segmented as your business process will allow.
• "Digital sprawl" of data expands the amount of controls, resources, and therefore costs to maintain compliance with these (and any other) security requirements.

Page 10: Audit Preparation - The Basics

• Policies/Standards
• Technical Reports
• Personnel Reports
• Operational Reports
• Risk Reports

Page 11: Business Commentary Break

Preparation, Preparation, Preparation: What are the leading practices?

Page 12: Technical – System Configurations

• Operating Systems
• Applications
• Databases
• Network
• Other Devices (Mobile, Printers, Virtualization, etc.)

https://www.irs.gov/uac/safeguards-program#alertmemo

Page 13: Technical – Vulnerability Management

• Identification of Configuration Management & Patch Management deficiencies
• Nessus & Nessus Audit Files
• Qualys, Tripwire, Rapid7, et al.

Page 14: Technical – Cloud Service Provider Utilization

• Scenario Discussion:
  – Microsoft Office 365 / SharePoint / Email
  – Web Application in the Cloud
  – Vulnerability Management
  – Monitoring & Incident Response

Page 15: Child Support Systems Security

• Multifactor Authentication – required for remote access
• Account Management - disable inactive user accounts after 120 days, limit of three consecutive invalid logon attempts
• Access Control – Mobile Devices

Page 16: Child Support Systems Security

• Encryption for FTI data at rest
• FTI Labeling
• Warning Banner
• Commingling
• No Offshore Access to FTI
• Cloud Computing Notification and Technical Requirement

Page 17: Business Commentary Break

Interstate & Inter-Agency Communication: What can we share?

Page 18: Notification Changes

• Response Plan Capability
• Incident Identification
• Notification Activities
• Media Releases
• Contractor usage
• Data warehouse with FTI
• Data exchanges
• Live data for testing

Page 19: Reporting Changes

• Safeguard Security Report (SSR) replaces the existing SPR and the SAR. Submit the SSR annually to encompass any changes that impact protection of FTI.

Page 20: Safeguard Security Reporting

• The agency should submit the report for approval at least 90 days prior to the agency receiving FTI.
• The agency must update and submit the SSR annually to encompass any changes that impact the protection of FTI.
• The SSR submission and all associated attachments must be sent annually to identify changes to safeguarding procedures.
• Correspondence, reports, and attachments are sent electronically to the Office of Safeguards using Secure Data Transfer or via email to the [email protected] mailbox.

Page 21: Business Commentary Break

Access & Destruction Logs: What works?

Page 22: Personnel – Background Checks

• Fingerprinting
• Credit Checks
• Citizenship Checks
• Local Law Enforcement Checks

Page 23: Personnel – Security Awareness

• Incorporate FTI training into the organization's existing security awareness training
• Updated IRS Awareness Videos (6/7/2016)

Page 24: Business Commentary Break

Fingerprinting: What is the operational impact?

Page 25: Operational – Using FTI for Child Support Enforcement

• IRS Disclosure Policy Guidance (3/10/2014)
• Disclosures to…
  – Custodial parent/guardian
  – Another state's child support agency
  – Judges, Officers, Clerks of the Court
  – Federal Child Support Auditors
  – Noncustodial parent

https://www.irs.gov/pub/irs-utl/Using-Federal-Tax-Info-for-Child-Support-Enforcement.pdf

Page 26: Business Commentary Break

Other Compliance and Security Regulations: How do we leverage these practices?

Page 27: Summary – All Auditors Are Not Created Equal

• Communication
• Logic
• Patience
• Negotiation
  – Example Scenarios
    • Anti-Virus
    • Vulnerability Scanner

Page 28: Q&A

Questions?

Page 29: Appendix

Page 30: IRS Publication 1075 Overview

Understanding Key Changes and Regulatory Impact of IRS 1075 for Child Support Systems

Page 31: IRS Publication 1075 Overview

• Federal Taxpayer Information (FTI): Federal tax returns and return information are known as FTI. For example: Name of Taxpayer, Mailing Address, Taxpayer ID Number, Email Address, Telephone Numbers, Social Security Numbers, Bank Account Numbers, etc.
• FTI data: IRS 1075 applies to agencies or agents that receive FTI directly from either the IRS or from secondary sources (e.g., Health and Human Services, Federal Office of Child Support Enforcement, Social Security Administration, Center for Medicare and Medicaid Services).

Page 32: Key Changes – IRS 1075 (2016)

• Voluntary Termination of Receipt of FTI: When an agency no longer requires FTI, notify [email protected], terminate all agreements for FTI data receipt, and have the Head of Agency certify that FTI has been destroyed.
• Archiving FTI: Agencies must retain FTI in accordance with Publication 1075 security standards, provide copies of notifications as above, submit the annual SSR, and be subject to periodic Safeguard Reviews.

Page 33: Key Changes – IRS 1075 (2016)

• FTI Background Investigation Requirements: For new and existing employees and contractors with access to or use of FTI:
  – Must have a favorable background investigation completed
  – Should include FBI fingerprinting (FD-258), local law enforcement checks, and citizenship/residency checks

Page 34: Key Changes – IRS 1075 (2016)

• Consolidated Data Centers: Service level agreement (SLA) between the agency and the consolidated data center must cover the following:
  – Shared responsibility to safeguard FTI
  – Written notification to data center management for meeting IRS 1075 provisions
  – IRS' right to inspect the consolidated data center, and use of manual and/or automated scanning tools
  – Consolidated data center's responsibilities to address corrective action recommendations identified by IRS inspections
  – Agency to conduct an internal inspection of the data center every 18 months

Page 35: Key Changes – IRS 1075 (2016)

• Report Consolidation: Safeguard Security Report (SSR) replaces the existing Safeguards Procedures Report (SPR) and the Safeguards Activity Report (SAR).
• Policy and Procedure: The Computer System Security related policies (Section 9) must be updated every (3) years. The procedures linked to each section must be updated at least annually.

Page 36: Key Changes – IRS 1075 (2016)

• Secure Off-Site Storage: If the agency uses an off-site storage facility, additional off-site safeguards are not required to be met if the media is encrypted and locked in a case, not on an open shelf, and the agency retains the key to the case.

Page 37: Key Changes – IRS 1075 (2016)

• Audit Logs and Record Retention: Audit trail logs that detail what type of event occurred, when it happened, where it occurred, the source and outcome of the event, and the identity of any individuals associated with the event, must be retained for (7) years. FTI logs, visitor access logs, and disclosure awareness certification must be retained for (5) years. Internal Inspection reports must be retained for (3) years.
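As an added illustration (not code from the deck, the presenters or the IRS), the following Python checks audit records against the six elements the slide says an audit trail must capture, and computes the earliest destruction date for each record kind from the retention periods stated above. The key=value log format, the field names, the record-kind labels and the sample lines are constructed for this example; an agency's real logs will need their own parser in place of `parse_record`.

```python
"""Audit-record completeness and retention check for the elements the slide lists.

Added example: not the deck's, the presenters' or the IRS's code. The key=value
log format, the field names and the sample lines are constructed for this
illustration; the retention periods are the ones stated on the slide.
"""
from datetime import datetime
import shlex

# One required key for each element an audit record must capture (per the slide).
REQUIRED = {
    "event": "what type of event occurred",
    "time": "when it happened",
    "host": "where it occurred",
    "source": "the source of the event",
    "outcome": "the outcome of the event",
    "user": "the identity of the individual associated with the event",
}

# Retention periods in years, by record kind, as stated on the slide
# (the kind labels are this example's own).
RETENTION_YEARS = {
    "audit_trail": 7,
    "fti_log": 5,
    "visitor_access_log": 5,
    "disclosure_awareness_certification": 5,
    "internal_inspection_report": 3,
}

# Constructed sample audit lines: the first is complete, the second lacks the
# user identity, the third has an empty outcome.
SAMPLE_LINES = [
    'time=2016-07-29T09:15:00 event=fti_read host=csweb01 source=10.1.2.3 outcome=success user=jdoe',
    'time=2016-07-29T09:16:02 event=fti_export host=csweb01 source=10.1.2.3 outcome=success',
    'time=2016-07-29T09:17:45 event=login host=csdb01 source=10.1.2.9 outcome= user=svc_batch',
]


def parse_record(line: str) -> dict:
    """Parse one key=value audit line into a dict (shlex keeps quoted values intact)."""
    record = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            record[key] = value
    return record


def missing_elements(record: dict) -> list:
    """Describe every required element that is absent or empty in the record."""
    return [desc for key, desc in REQUIRED.items() if not record.get(key)]


def audit_findings(lines=SAMPLE_LINES) -> list:
    """Return (line_number, [missing element descriptions]) for each incomplete record."""
    findings = []
    for number, line in enumerate(lines, start=1):
        gaps = missing_elements(parse_record(line))
        if gaps:
            findings.append((number, gaps))
    return findings


def retention_deadline(kind: str, event_time: str) -> str:
    """Earliest date (ISO) a record of this kind may be destroyed, per RETENTION_YEARS."""
    when = datetime.fromisoformat(event_time)
    years = RETENTION_YEARS[kind]
    try:
        due = when.replace(year=when.year + years)
    except ValueError:  # 29 February with no counterpart in the target year
        due = when.replace(year=when.year + years, month=3, day=1)
    return due.date().isoformat()


if __name__ == "__main__":
    for number, gaps in audit_findings():
        print(f"line {number} is missing: {', '.join(gaps)}")
    print("audit trail from 2016-07-29 retained until",
          retention_deadline("audit_trail", "2016-07-29T09:15:00"))
```

Running the file reports lines 2 and 3 of the sample as incomplete; in practice this kind of check is worth running against a day's worth of logs from each FTI system before an assessment, because a record that omits the user or the outcome cannot satisfy the audit-trail requirement no matter how long it is retained.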

Page 38: Key Changes – IRS 1075 (2016)

• Data Encryption In-Transit
  – Within Internal Network: Encryption of FTI transfers within an agency's LAN is not currently required.
  – External (Outside Agency VLAN): FTI that is transmitted over the internet, including via e-mail to external entities, must be encrypted. This includes FTI data transmitted across an agency's Wide Area Network (WAN).

Page 39: Child Support Systems Security

• Multifactor Authentication: Remote access to FTI by privileged or non-privileged accounts must be performed using multi-factor authentication. Implement multi-factor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access. NIST SP 800-63 allows the use of software tokens.

Page 40: Child Support Systems Security

• Account Management: Disable inactive user accounts after 120 days. (Earlier requirement was to disable inactive user accounts in a timely manner.) Enforce a limit of three consecutive invalid logon attempts by a user during a 120-minute period, and automatically lock the account until released by an administrator.
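As an added illustration (not code from the deck, the presenters or the IRS), the following Python models the two account-management rules on this slide: lock after three consecutive invalid attempts within a 120-minute period, held until an administrator releases it, and disable accounts that have been inactive for more than 120 days. The `Account` class, the function names and the sample timestamps are this example's own; it reads the 120-minute period as the 120 minutes preceding the current attempt, which the slide does not spell out, and treats a successful logon as breaking the consecutive run.

```python
"""Account-management policy check for the IRS 1075 rules quoted on the slide.

Added illustration, not the deck's, the presenters' or the IRS's code. Uses a
simple in-memory account record; the thresholds are the ones on the slide.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

INACTIVITY_LIMIT = timedelta(days=120)   # disable after 120 days without a logon
MAX_CONSECUTIVE_FAILURES = 3             # three consecutive invalid attempts ...
FAILURE_WINDOW = timedelta(minutes=120)  # ... within a 120-minute period (assumed: the
                                         # 120 minutes preceding the current attempt)


@dataclass
class Account:
    name: str
    last_logon: datetime
    failures: list = field(default_factory=list)  # timestamps of the current run of failures
    locked: bool = False     # cleared only by admin_unlock()
    disabled: bool = False   # set by sweep_inactive()


def logon_attempt(acct: Account, when: datetime, success: bool) -> str:
    """Apply one logon attempt and return the resulting state as a string."""
    if acct.disabled:
        return "disabled"
    if acct.locked:
        return "locked"        # even a correct password is refused until an admin releases it
    if success:
        acct.failures.clear()  # a success breaks the consecutive run
        acct.last_logon = when
        return "allowed"
    # keep only the failures that fall inside the 120-minute window ending now
    acct.failures = [t for t in acct.failures if when - t <= FAILURE_WINDOW]
    acct.failures.append(when)
    if len(acct.failures) >= MAX_CONSECUTIVE_FAILURES:
        acct.locked = True
        return "locked"
    return "failed"


def admin_unlock(acct: Account) -> None:
    """Administrator release: the only path out of the locked state."""
    acct.locked = False
    acct.failures.clear()


def sweep_inactive(accounts, now: datetime) -> list:
    """Disable every account whose last logon is more than 120 days old; return their names."""
    disabled = []
    for acct in accounts:
        if not acct.disabled and now - acct.last_logon > INACTIVITY_LIMIT:
            acct.disabled = True
            disabled.append(acct.name)
    return disabled


def demo() -> dict:
    """Walk through the cases the slide describes on constructed sample accounts."""
    t0 = datetime(2016, 7, 29, 9, 0)
    results = {}

    # Case 1: three failures within 120 minutes -> locked on the third attempt
    a = Account("alice", last_logon=t0 - timedelta(days=1))
    results["fast_failures"] = [
        logon_attempt(a, t0, False),
        logon_attempt(a, t0 + timedelta(minutes=30), False),
        logon_attempt(a, t0 + timedelta(minutes=90), False),
    ]
    results["locked_blocks_valid_password"] = logon_attempt(a, t0 + timedelta(minutes=91), True)
    admin_unlock(a)
    results["after_admin_unlock"] = logon_attempt(a, t0 + timedelta(minutes=92), True)

    # Case 2: the third failure comes more than 120 minutes after the first -> not locked
    b = Account("bob", last_logon=t0 - timedelta(days=1))
    results["slow_failures"] = [
        logon_attempt(b, t0, False),
        logon_attempt(b, t0 + timedelta(minutes=60), False),
        logon_attempt(b, t0 + timedelta(minutes=150), False),
    ]

    # Case 3: inactivity sweep; carol idle 121 days, dave idle 119 days
    c = Account("carol", last_logon=t0 - timedelta(days=121))
    d = Account("dave", last_logon=t0 - timedelta(days=119))
    results["disabled_by_sweep"] = sweep_inactive([c, d], t0)
    results["disabled_account_logon"] = logon_attempt(c, t0, True)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

`demo()` runs the three scenarios an assessor typically asks to see evidence for: a lockout that a correct password cannot bypass, an administrator release, a run of failures spread beyond the window, and the inactivity sweep. A production directory stores the failure timestamps and last-logon time per account; the value of a small model like this is that the interpretation of "during a 120-minute period" is written down and testable before the auditor asks.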

Page 41: Child Support Systems Security

• Access Control – Mobile Devices: Purge/wipe information from mobile devices based on 10 consecutive unsuccessful device logon attempts.
• Encryption for FTI data at rest is NOT required if it resides on a system (e.g., in files or in a database) that is dedicated to receiving, processing, storing or transmitting FTI, is configured in accordance with the IRS Safeguards Computer Security Evaluation Matrix (SCSEM) recommendations, and is in a physically secure restricted area behind two locked barriers.

Page 42: Child Support Systems Security

• FTI Labeling: The agency must label removable media (CDs, DVDs, diskettes, magnetic tapes, external hard drives and flash drives) and information system output containing FTI (reports, documents, data files, back-up tapes) to indicate "Federal Tax Information".
• A Warning Banner is required when access is provided to any information system that receives, stores, processes or transmits FTI.

Page 43: Child Support Systems Security

• Commingling: Maintain FTI separate from other information. If FTI is recorded on electronic media with other data, it must be protected as if it were entirely FTI. Establish and maintain a service level agreement with the consolidated data centers to protect FTI, once every 18 months.

Page 44: Child Support Systems Security

• No Off-shore Access to FTI: FTI cannot be accessed by agency employees, agents, representatives, or contractors located off-shore – outside of the United States territories, embassies or military installations. FTI may not be received, processed, stored, transmitted, or disposed of by IT systems located off-shore.

Page 45: Child Support Systems Security

• Cloud Computing Notification and Technical Requirement: To utilize a cloud computing model [Software as a Service (SaaS), Platform as a Service (PaaS) or Infrastructure as a Service (IaaS)] the agency must be in compliance with all IRS 1075 requirements in addition to the mandatory requirements of IRS notification, data isolation, Service Level Agreement (SLA), and persistence of data in relieved assets.

Page 46: Notification Changes

• Response Plan Capability: Develop and test incident response plan capability and review it annually.
• Incident Identification: Contact the Treasury Inspector General for Tax Administration (TIGTA) and the IRS immediately upon identification of incidents involving FTI.
• Notification Activities: Inform the Office of Safeguards of notification activities undertaken before release to the impacted individuals.

Page 47: Notification Changes

• Media Releases: Inform the Office of Safeguards of any pending media releases, including sharing the text, prior to distribution.
• Contractor usage: 45-day notification of the use of contractors or sub-contractors with access to/disclosure of FTI.
• If an existing contractor employs the services of a subcontractor, a notification is required 45 days prior to the disclosure of FTI.

Page 48: Notification Changes

• Data warehouse with FTI: 45-day notification to the IRS Office of Safeguards prior to implementation of a data warehouse.
• Data exchanges: Agencies entering into new data exchange agreements that authorize the receipt of new data sets containing FTI not previously received by the agency.
• Submit the SSR to the IRS at least 45 days before the scheduled/requested receipt of FTI.

Page 49: Notification Changes

• Live data for testing: Submit a request to the IRS Office of Safeguards for authority to use live data for testing, providing a detailed explanation of the safeguards in place to protect the data and the necessity for using live data during testing.
• Cyber Incident: Any agency reporting a cyber incident such as a data breach may report directly to the IRS Electronic Crimes & Intelligence Division (240-613-5228; [email protected]).

Page 50: Reporting Changes

• Safeguard Security Report (SSR) replaces the existing SPR and the SAR. The agency should submit the SSR annually to encompass any changes that impact protection of FTI. (Earlier requirement was (6) years for the SPR unless there were major changes.)
• SSR Submission: Submit the SSR for approval at least 90 days prior to receiving FTI. (Prior requirement for the SPR was 45 days.)

Page 51: Reporting Changes

• CAP Submission: Submit the CAP semi-annually, as an attachment to the SSR. If submitting the CAP only, the due date is March 31. (Prior requirement for the CAP due date varied per agency type.)
• Plan of Action and Milestones: Must be developed and updated on a quarterly basis based on findings from security controls assessments, security impact analyses and continuous monitoring activities. (Prior requirement was based on an organization-defined frequency.)

Page 52: Reporting Changes

• Submit notification to the Office of Safeguards at least 45 days ahead of planned implementation for the following activities: cloud computing, consolidated data center, contractor access, data warehouse processing, non-agency owned information systems, tax modelling, test environment, virtualization of IT systems. (Earlier requirement was to email the Safeguards office in case more detailed information was needed.)

Page 53: Contract Language Changes

• Exhibit 7 - Contract Language for Technology Services: Additional requirements:
  – Section I "Performance": The contractor and the contractor's employees with access to or who use FTI must meet the background check requirements defined in IRS Publication 1075.
  – Section III "Inspection": The IRS' right of inspection to include the use of manual and/or automated scanning tools.

Page 54: Operational Efficiency: Addressing compliance and cyber risk for Child Support Systems

Page 55: Child Support System Compliance Requirements

Compliance drivers:
• There are a number of regulatory and legislative requirements for CSS, for example:
  ─ Federal Office of Child Support – System Certification Security and compliance requirements (OCSE)
  ─ Internal Revenue Service (IRS) 1075 compliance requirements and Corrective action plan for IRS compliance
  ─ Social Security Act, the Privacy Act of 1974
  ─ Federal Regulation at 45 CFR 303.21 requires that CSS safeguard and properly disclose confidential information
• Demonstrating adoption of common practices [e.g., National Institute of Standards and Technology (NIST), Federal Information Security Management Act (FISMA), etc.]
• Tackling a variety of internal practices (e.g., policies, procedures, standards, etc.)
• Interacting with internal compliance and assurance functions
• Interacting with third-party assurance inspectors and auditors

Page 56: A general approach to addressing compliance needs

State agencies are challenged with operating in program silos and overlapping requirements, which cause increased complexity, along with duplication of effort leading to increased costs. State agencies are not leveraging risk and compliance efforts, which increases inefficiencies and testing costs.

Challenges:
• Program Silos
• Complex Compliance Landscape
• Silo approach to risk & compliance activities
• Struggle to get a holistic view of risks that focus on "icebergs, not ice cubes"
• Duplication of effort due to a lack of streamlined practices
• Excessive cost and burden on the business
• Solutions tend to be created at division or department level and struggle to integrate into the entire operational structure
• Struggle to scale risk and compliance solutions

[Figure: diagram of the compliance landscape across Lines of Business and Corporate IT. Compliance areas shown: Financial Reporting, SOX, Privacy, HR, …, Information Security, 3rd Party Contracts, HIPAA, Anti Money Laundering/Fraud, PCI. Roles shown: Functional Leads, Compliance Managers, Legal, Audit, Information Security, Service/Arch Leads.]

Page 57: Regulatory convergence – compliance, IT security and risk framework

[Figure: authoritative sources (NIST SP 800-53, SSA, IRS Publication 1075, HIPAA, agency policies and standards, …) feed an Accelerator Tool that integrates several regulations, standards and policies into one integrated requirement set: "Assess Once, Satisfy Many". Over 4,000 requirements rationalized to 350+ integrated requirements; simplified regulatory compliance tracking.]

Page 58: Automating the compliance, IT security and risk framework

Automation helps with:
• Transforming the traditional document/paper-based audit process to an enterprise system
• Maintaining the library of rationalized security and privacy requirements
• Centralizing an authoritative repository to retain and access audit information
• Facilitating continuous risk and remediation monitoring and reporting of assessment results

Before – Information in silos:
• Audit Calendar (None)
• Assign stakeholders (Email)
• Track Findings (Documents/Access database)
• Corrective Action Plan (Documents)
• Audit reports (Documents/Print)

Automated solution: online portal backed by a consolidated repository (DB)