IRS Office of Safeguards SCSEM - Internal Revenue Service (XLS file)

Date post: 17-Jun-2018

IRS Office of Safeguards SCSEM

document.xls Page 1 of 44

Internal Revenue Service, Office of Safeguards

▪ SCSEM Subject: Fast Enterprises GenTax 8
▪ SCSEM Version: 2.1
▪ SCSEM Release Date: September 30, 2017

NOTICE: The IRS strongly recommends agencies test all Safeguard Computer Security Evaluation Matrix (SCSEM) settings in a development or test environment prior to deployment in production. In some cases a security setting may impact a system’s functionality and usability. Consequently, it is important to perform testing to determine the impact on system security, functionality, and usability. Ideally, the test system configuration should match the production system configuration. Prior to making changes to the production system, agencies should back up all critical data files on the system and if possible, make a full backup of the system to ensure it can be restored to its pre-SCSEM state if necessary.

General Testing Information
Agency Name:
Agency Code:
Test Location:
Test Date:
Closing Date:
Shared Agencies:
Name of Tester:
Device Name:
OS/App Version:
Network Location:
Device Function:

Agency Representatives and Contact Information
Name:  Org:  Title:  Phone:  E-mail:
Name:  Org:  Title:  Phone:  E-mail:

This SCSEM was designed to comply with Section 508 of the Rehabilitation Act.
Please submit SCSEM feedback and suggestions to [email protected]
Obtain SCSEM updates online at http://www.irs.gov/uac/Safeguards-Program

Testing Results

INSTRUCTIONS: Sections below are automatically calculated.

The 'Info' status is provided for use by the tester during test execution to indicate more information is needed to complete the test. It is not an acceptable final test status; all test cases should be Pass, Fail or N/A at the conclusion of testing.

Final Test Results (this table calculates all tests in the Test Cases tab)

All SCSEM Test Results: Passed 0, Failed 0, Additional Information Requested 0, N/A 1, All SCSEM Tests Complete 0, Weighted Pass Rate 0%.
Totals: Total Number of Tests Performed 1, Blank 38.

Overall SCSEM Statistics (Weighted Score)

Risk Rating   Test Cases   Pass   Fail   N/A   Weight
8             1            0      0      0     1500
7             3            0      0      0     750
6             4            0      0      0     100
5             9            0      0      0     50
4             7            0      0      0     10
3             3            0      0      1     5
2             2            0      0      0     2
1             0            0      0      0     1

Instructions

Introduction and Purpose:

This SCSEM is used by the IRS Office of Safeguards to evaluate compliance with IRS Publication 1075 for agencies that have implemented Fast Enterprises GenTax 8 for a system that receives, stores, processes or transmits Federal Tax Information (FTI).

Agencies should use this SCSEM to prepare for an upcoming Safeguards review. It is also an effective tool for agency use as part of internal periodic security assessments or internal inspections to ensure continued compliance in the years when a Safeguards review is not scheduled. The agency can also use the SCSEM to identify the types of policies and procedures required to ensure continued compliance with IRS Publication 1075.

This SCSEM was created for the IRS Office of Safeguards based on the following resources:
▪ IRS Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies (October 2014)
▪ NIST SP 800-53 Rev. 4, Recommended Security Controls for Federal Information Systems and Organizations (April 2013)
▪ Custom development based on collaboration with the GenTax vendor, Fast Enterprises.

Test Cases Legend:
▪ Test ID: Pre-populated number to uniquely identify SCSEM test cases. The ID format includes the platform, platform version and a unique number (01-XX) and can therefore be easily identified after the test has been executed.
▪ NIST ID: Mapping of test case requirements to one or more NIST SP 800-53 control identifiers for reporting purposes.
▪ NIST Control Name: Full name which describes the NIST ID.
▪ Test Method: The test case is executed by Interview, Examine or Test methods in accordance with the test methodology specified in NIST SP 800-53A. In test plans where SCAP testing is available, Automated and Manual indicators are added to the Test Method to indicate whether the test can be accomplished through the SCAP tool.
▪ Test Objective: Description of specifically what the test is designed to accomplish. The objective should be a summary of the test case and expected results.
▪ Test Procedures: A detailed description of the step-by-step instructions to be followed by the tester. The test procedures should be executed using the applicable NIST 800-53A test method (Interview, Examine, Test).
▪ Expected Results: Provides a description of the acceptable conditions allowed as a result of the test procedure execution.
▪ Actual Results: The tester shall provide appropriate detail describing the outcome of the test. The tester is responsible for identifying Interviewees and Evidence to validate the results in this field or the separate Notes/Evidence field.
▪ Status: The tester indicates the status for the test results (Pass, Fail, Info, N/A). "Pass" indicates that the expected results were met. "Fail" indicates the expected results were not met. "Info" is temporary and indicates that the test execution is not completed and additional information is required to determine a Pass/Fail status. "N/A" indicates that the test subject is not capable of implementing the expected results and doing so does not impact security. The tester must determine the appropriateness of the "N/A" status.
▪ Notes/Evidence: As determined appropriate to the tester or as required by the test method, procedures or expected results, the tester may need to provide additional information pertaining to the test execution (Interviewee, Documentation, etc.)
▪ Criticality: The risk category has been pre-populated next to each control to assist agencies in establishing priorities for corrective action. The reviewer has the discretion to change the prioritization to accurately reflect the risk and the overall security posture based on environment specific testing.

Test Cases

Each test case is recorded with the following fields: Test ID, NIST ID, NIST Control Name, Test Method, Test Objective, Test Procedures, Expected Results, Actual Results, Status, Notes/Evidence. Actual Results, Status and Notes/Evidence are completed by the tester.

GTAX-01
NIST ID: SA-22
NIST Control Name: Unsupported System Components
Test Method: Examine
Test Objective: The agency schedules, performs, documents, and reviews records of routine preventative and regular maintenance (including repairs) on the components of GenTax in accordance with manufacturer or vendor specifications and/or organizational requirements. The system is still supported.
Test Procedures: Examine the system to determine if the version of the GenTax Product Suite application is a current vendor-supported version that still receives security updates/patches, and that a current maintenance contract is in place with the vendor.
Expected Results:
The version of the GenTax application is a current vendor-supported version that still receives security updates/patches.
A current maintenance support contract is in place with the vendor.

GTAX-02
NIST ID: SA-10
NIST Control Name: Developer Configuration Management
Test Method: Interview
Test Objective: Ensure agencies load their staging logs into production to be able to track access to taxpayer information in the pre-production environment.
Test Procedures:
1. Interview the administrator and determine if the agency loads their staging logs into production to be able to track access to taxpayer information in the pre-production environment.
Expected Results:
1. The agency either
A. loads staging logs into production to be able to track access to taxpayer information in the pre-production environment,
OR
B. does not replace tracking logs in the pre-production environment via a regular production data refresh.

GTAX-03
NIST ID: AC-2
NIST Control Name: Account Management
Test Method: Test / Interview
Test Objective: Checks to see if the organization manages information system accounts, including establishing, activating, modifying, reviewing, and disabling accounts. The organization reviews information system accounts to ensure that existing accounts are being controlled properly.
Test Procedures:
1. Test the following query:
[GTSYS] select * from tblUser where flngVer = 0 and fdtmStart < GetDate() and fdtmEnd > GetDate()
Randomly choose users from the scripted list of results. Verify the selected users are still active users that require GenTax® application access.
2. Interview the system or security administrator to verify how often the GenTax® account list is reviewed for potential revision.
Expected Results:
1. No accounts exist for individuals that are no longer associated with the organization, or no longer require access to the GenTax® application.
2. User accounts are reviewed at least annually to ensure accounts are necessary and that account privileges are assigned correctly.
Account managers are notified when information system users are terminated or transferred and associated accounts are removed, disabled, or otherwise secured. Account managers are also notified when users’ information system usage or need-to-know/need-to-share changes.

GTAX-04
NIST ID: AC-6
NIST Control Name: Least Privilege
Test Method: Examine
Test Objective: Checks to see if the information system enforces assigned authorizations for controlling access to the system in accordance with applicable policy.
Test Procedures: Examine the user or group role structure that is set up within the GenTax® application. Verify that access to functions or areas in GenTax® is protected by access controls.
Expected Results:
The application uses role-based security to grant privileges to individuals.
Roles are assigned for a particular set of users and then that role/group is given only the rights that are required to perform that duty.

GTAX-05
NIST ID: AC-5
NIST Control Name: Separation of Duties
Test Method: Interview / Examine
Test Objective: Checks to see if the information system enforces separation of duties through assigned access authorizations.
Test Procedures:
1. Interview the administrator to determine how user and group access is assigned.
2. Examine the accounts granted direct DBMS access to execute queries.
3. Examine the accounts granted access to the GenTax® Configuration Tool.
Expected Results:
1. User and group access is assigned using the principle of least privilege by job function and need-to-know.
Verify the user or group structure separates privilege levels for personnel that create, modify, and delete access control rules and personnel that perform either data entry or application programming.
Verify the user or group structure separates privilege levels for personnel that review and clear audit logs and personnel that perform non-audit administration.
Users listed, if any, with security equal to a "root user" are documented.
2. Direct access to the DBMS is restricted to database administrators only.
3. Access to the GenTax® Configuration Tool is restricted to application administrators only.

GTAX-06
NIST ID: AC-3
NIST Control Name: Access Enforcement
Test Method: Test
Test Objective: Checks to see if the information system enforces assigned authorizations for controlling access to FTI for only those accounts necessary.
Test Procedures:
1. Verify the security setting specifically for the Data Warehouse manager:
[GTREF] select fintFunction from rfrManager where fstrManager = 'Dwh'
or GenTax® TOOLS, Reference Editor
2. Verify security on the individual data stores in the Data Warehouse manager. The functions returned are evaluated for how restrictive their policy is.
[GTGLB] select fstrDataStoreName, fstrDescription, flngFunction from tblDWhDataStore where flngVer=0 and fblnActive=1 and fdtmProductionLoaded<'31-Dec-9999'
*Note: the above query will return all datastores defined in the data warehouse, some of which may not be FTI sourced. Only look at FTI datastores. The name or description of the datastore will identify whether it is an FTI datastore.
Expected Results: Access to the Data Warehouse Manager and the individual FTI data stores is restricted to authorized agency personnel with a valid need-to-know and a job function that requires access to FTI.

GTAX-07
NIST ID: AC-4
NIST Control Name: Information Flow Enforcement
Test Method: Test
Test Objective: Checks to see if the information system clearly identifies datastores which contain FTI.
Test Procedures:
1. Verify each datastore containing FTI is labeled as containing FTI:
[GTGLB] select fstrDataStoreName, fstrDescription, flngFunction from tblDWhDataStore where flngVer=0 and fblnActive=1 and fdtmProductionLoaded<'31-Dec-9999'
*Note: the above query will return all datastores defined in the data warehouse, some of which may not be FTI sourced. Only look at FTI datastores. The name or description of the datastore will identify whether it is an FTI datastore.
Expected Results: FTI datastores are clearly marked to prevent commingling of data.

GTAX-08
NIST ID: AC-4
NIST Control Name: Information Flow Enforcement
Test Method: Examine
Test Objective: FTI data that is commingled with other agency data in a data warehouse is properly labeled in the database.
Test Procedures:
1. Examine the results of the query in Test #5 above and ask the administrator to identify database tables that contain FTI commingled with other agency data.
Expected Results:
1. In situations where FTI is commingled with other agency data in the database, the FTI within database tables, columns, rows and data elements is back-end labeled and tagged with an IRS identifier.

GTAX-09
NIST ID: SC-4
NIST Control Name: Information in Shared Resources
Test Method: Interview
Test Objective: The initial FTI extract does not remain on the initial receipt machine after it has been imported into the Data Warehouse.
Test Procedures: Interview the administrator and/or network personnel and determine what happens to the original FTI extract after it has been loaded into the Data Warehouse.
Expected Results: The agency has documented procedures in place for the removal or backing up of the original FTI extract after it has been loaded into the Data Warehouse.

GTAX-10
NIST ID: AC-7
NIST Control Name: Unsuccessful Logon Attempts
Test Method: Test
Test Objective: Failed Login Minimum Requirement
Test Procedures:
1. If LDAP off:
[GTREF] select fintLoginAttempts from rfrPasswordConfig
or GenTax® TOOLS, Reference Editor
If LDAP is used, the GenTax® application relies on the control implemented by Windows® Active Directory. The Account Lockout setting will need to be verified on the Windows® AD Domain Controller.
Expected Results:
fintLoginAttempts < 3
The user account lockout feature disables the user account after 3 unsuccessful login attempts.
Account lockout duration is set to 15 minutes or greater.

GTAX-11
NIST ID: AC-8
NIST Control Name: System Use Notification
Test Method: Examine
Test Objective: Checks to ensure the IRS approved login banner is used.
Test Procedures:
1. Start GenTax®
2. Enter valid user id and authentication values for logon
3. Review the legal notice on the startup screen.
Expected Results: The warning banner is compliant with IRS guidelines and contains the following 4 elements:
- the system contains US government information
- users’ actions are monitored and audited
- unauthorized use of the system is prohibited
- unauthorized use of the system is subject to criminal and civil penalties

GTAX-12
NIST ID: AC-11
NIST Control Name: Session Lock
Test Method: Test
Test Objective: Checks to ensure that the application automatically locks sessions after 15 minutes of inactivity.
Test Procedures:
1. Test the following query:
[GTREF] select * from [CodeTable].rfrProcessValues where fstrParent = 'GENTAX' and fstrTextKey = 'InactivityTimeout' and fblnActive=1
Expected Results:
1. The value returned is in seconds (e.g. 15 minutes = 900). The value for InactivityTimeout should be 900 or less.

GTAX-13
NIST ID: AC-12
NIST Control Name: Session Termination
Test Method: Interview / Examine
Test Objective: Checks to ensure that the application automatically disconnects sessions after 30 minutes of inactivity.
Test Procedures:
Interview the Administrator to ensure sessions terminate after 30 minutes.
For the web version, elicit how the session disconnect is handled.
For the non-web version, elicit the method by which the client and application time out sessions.
Expected Results:
1. The value returned is in seconds (e.g. 30 minutes = 1800). The value for InactivityTimeout should be 1800 or less.

GTAX-14
NIST ID: AC-14
NIST Control Name: Permitted Actions without Identification or Authentication
Test Method: Test
Test Objective: Checks to see if the organization identifies and documents specific user actions that can be performed on the information system without identification or authentication.
Test Procedures: Attempt to access any module of the GenTax® application without logging in.
Expected Results: No actions can be performed within GenTax® without user identification and authentication first being required.

GTAX-15
NIST ID: AC-17
NIST Control Name: Remote Access
Test Method: Examine
Test Objective: The agency authorizes, monitors, and controls all methods of remote access to the information system.
Test Procedures:
Examine the mechanism used for remote access to the GenTax® application.
Note: Most agencies perform remote access to GenTax® through Remote Desktop sessions. The application can be made available over the Internet by installing an executable on the client. The application may also be accessible through a corporate VPN.
Expected Results:
The remote access mechanisms are part of an enterprise service offering either by the agency or a consolidated data center function. Remote access is properly limited.
Note: All remote access mechanisms must be reviewed using the appropriate networking SCSEM.
Remote access is defined as any access to an agency information system by a user communicating through an external network, for example the Internet.

GTAX-16
NIST ID: AC-3
NIST Control Name: Access Enforcement
Test Method: Interview / Examine
Test Objective: Access control of the FTI data store security key.
Test Procedures: Verify that data store(s) containing FTI are secured with a separate security key from the rest of the warehouse and are only accessible by individuals with authorized access.
Expected Results: Data store(s) containing FTI are secured with a separate security key from the rest of the warehouse and are only accessible by individuals with authorized access.

GTAX-17
NIST ID: AU-12
NIST Control Name: Audit Generation
Test Method: Examine
Test Objective: The agency has auditing enabled.
Test Procedures: Confirm the existence of GenTax® TOOLS and ensure the logs are not empty.
Expected Results: GenTax® TOOLS is present and the audit logs contain audit event entries.

GTAX-18
NIST ID: AU-2
NIST Control Name: Audit Events
Test Method: Test
Test Objective: Checks to ensure successful and unsuccessful login and logout activity is logged.
Test Procedures:
1. Test the following query:
[GTSYS] select * from tblUserLog
or GenTax® TOOLS, Login Activity
2. Test the following query:
[GTSYS] select * from tblUserLog where fdtmLogOff = fdtmLogOn
or GenTax® TOOLS, Login Activity
Expected Results:
1. Successful logins and logouts are logged.
2. Unsuccessful logins are logged.

GTAX-19
NIST ID: AU-8
NIST Control Name: Time Stamps
Test Method: Test
Test Objective: Audit data contains time stamps.
Test Procedures: Review the log data generated in the previous test case or in the GenTax TOOLS, Login Activity screen.
Expected Results: Time stamps (including date and time) of audit records are generated using internal system clocks.

GTAX-20
NIST ID: AU-2
NIST Control Name: Audit Events
Test Method: Test
Test Objective: Check to ensure FTI data access via the information system is being logged appropriately.
Test Procedures:
1. Test the following query:
[GTSYS] select * from tblTableLog where fblnFederal=1
or GenTax® TOOLS, Table Log Activity
Expected Results:
1. FTI data store access authorizations are tracked and reviewed.

GTAX-21
NIST ID: AU-2
NIST Control Name: Audit Events
Test Method: Test / Interview
Test Objective: Check to ensure the user tracking table is enabled to log internal access to taxpayer accounts.
Test Procedures:
1. Test the following query:
[GTREF] select * from [CodeTable].rfrUserTrackingType where fblnActive=1
2. Interview the Administrator and request that they explain how user tracking is being used and why each entry has been set up.
Expected Results:
1. Results should output the data tables which contain FTI.
2. The Administrator should explain how user tracking is enabled and confirm it is implemented on all data tables containing FTI.
Status: N/A
Notes/Evidence: Test is not applicable at this time. Test case is still under development.

GTAX-22
NIST ID: AU-3
NIST Control Name: Content of Audit Records
Test Method: Examine
Test Objective: Check to ensure auditing is enabled to the extent necessary to capture access, modification, deletion and movement of FTI by each unique user.
Test Procedures:
1. Examine the results of the query in Test #19 above.
2. Examine the audit events in the log to verify that access, modification, deletion and movement of FTI in and out of the data warehouse is captured.
Expected Results:
1. Within the data warehouse and/or application, auditing is enabled to the extent necessary to capture access, modification, deletion and movement of FTI by each unique user. This auditing requirement also applies to data tables or databases embedded in or residing outside of the application.

GTAX-23
NIST ID: AU-4
NIST Control Name: Audit Storage Capacity
Test Method: Examine
Test Objective: The organization allocates sufficient audit record storage capacity and configures auditing to reduce the likelihood of such capacity being exceeded.
Test Procedures:
1. Examine example log tables:
[GTSYS] select * from tblUserLog
[GTSYS] select * from tblUser
[GTSYS] select * from tblTableLog
or GenTax® TOOLS, Login Activity
or GenTax® TOOLS, Table Log Activity
2. Verify there is a mechanism in place to notify the administrator in the event audit logs near storage capacity, or the audit process has failed. Examine automated alerts that have been previously received by the administrator.
3. Verify the duration for which audit logs are retained in archive.
Expected Results:
1. Complete log history is maintained in the DBMS in the appropriate table(s). Storage allocation is maintained as part of DBMS maintenance. Audit security logs are archived to a central log server.
2. There is an automated mechanism in place to ensure the administrator is notified when the application logs are near capacity, or when the application audit process has failed or has an error condition. The administrator has configured the percentage full at which the audit trail must be for this notification to be triggered.

GTAX-24
NIST ID: AU-6
NIST Control Name: Audit Review, Analysis, and Reporting
Test Method: Examine
Test Objective: Checks to see if table and/or security logs are reviewed on a periodic basis.
Test Procedures:
Verify table and/or security logs are reviewed on a daily basis for:
- logon attempt failures by user
- logons at unusual/non-duty hours
- access to restricted system or data files indicating a possible pattern of deliberate browsing
- system failures or errors
- unusual or suspicious patterns of activity
[GTSYS] select * from tblTableLog
[GTSYS] select * from tblUserLog
or GenTax® TOOLS, Login Activity
or GenTax® TOOLS, Table Log Activity
Expected Results: Agencies routinely review audit records for indications of unusual activities, suspicious activities or suspected violations, and report findings to appropriate officials for prompt resolution.

GTAX-25
NIST ID: AU-9
NIST Control Name: Protection of Audit Information
Test Method: Examine
Test Objective: Checks to see if the information system protects audit information and audit tools from unauthorized access, modification, and deletion.
Test Procedures:
1. Locate the table(s) that store the application audit log files within the DBMS. Examine the properties of the log files.
2. Verify the table permissions to ensure read, write and delete access is only granted to personnel responsible for maintaining and reviewing the audit logs.
Expected Results:
1. The application does not permit modification of logged or historical information.
2. Access to the application audit logs is restricted to personnel responsible for maintaining and reviewing the audit logs (e.g., security administrator).

GTAX-26
NIST ID: AU-11
NIST Control Name: Audit Record Retention
Test Method: Interview / Examine
Test Objective: The agency retains audit records for 7 years in an encrypted format to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.
Test Procedures: Interview the system administrator and examine examples of labeled storage media that
Expected Results:
The agency retains audit records for 7 years in an encrypted format to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.
The database audit log itself is not purged.
All backups are sent to tape on a rotating basis (full and incremental backups).

GTAX-27
NIST ID: IA-2
NIST Control Name: Identification and Authentication (Organizational Users)
Test Objective: Check to determine if the default authentication method has been overridden.
Test Procedures:
1. Check the authentication method:
[GTSYS] select * from [CodeTable].rfrPasswordConfig pwd, [System].tblUser u
where u.flngVer = 0
and u.fdtmEnd > GETDATE()
and u.fdtmStart < GETDATE()
and pwd.fstrEnvironment = < ENVIRONMENT >
and u.fintAuthenticationMethod <> 0 -- remove entries that use "default setup"
and ((pwd.fblnUseLDAP = 0 and u.fintAuthenticationMethod = 1) -- looking for users set up with the "LDAP" method where the default configuration is NOT LDAP
or (pwd.fblnUseLDAP = 1 and u.fintAuthenticationMethod = 2)) -- looking for users set up with the "Password" method where the default configuration is LDAP
Expected Results:
1. The intention of this functionality is to highlight individual exceptions to the default configuration. Review exception-based authentication rules and check whether the authentication requirements align with agency I&A and access control policies.

GTAX-28
NIST ID: IA-5
NIST Control Name: Authenticator Management
Test Method: Test
Test Objective: The agency has defined appropriate rules for password management in GenTax® (e.g. length, numeric, mixed case, etc.).
Test Procedures:
If LDAP off, verify password configuration strength based on a number of column settings on rfrPasswordConfig:
[GTREF] select * from rfrPasswordConfig
- fintMinLength
- fblnRequireNumeric
- fblnRequireMixedCase
- fblnRequireOther
- fblnNoUserIDAsPwd
- fblnPasswordReuseAllowed
or GenTax® TOOLS, Reference Editor
If LDAP is used, the GenTax® application relies on the control implemented by Windows® Active Directory. The password minimum length, complexity and history settings will need to be verified on the Windows® AD Domain Controller.
Expected Results: Passwords are a minimum length of 8 characters in a combination of alpha and numeric or special characters.

GTAX-29
NIST ID: IA-5
NIST Control Name: Authenticator Management
Test Method: Test
Test Objective: Users shall be prohibited from using their last 24 passwords to deter reuse of the same password.
Test Procedures:
If LDAP off:
[GTREF] select fintNumberOfRequired from rfrPasswordConfig
or GenTax® TOOLS, Reference Editor
Verify that the password history is maintained:
[GTSYS] select fstrUser, fstrPassword from tblUser where flngVer<>0
If LDAP is used, the GenTax® application relies on the control implemented by Windows® Active Directory. The password history setting will need to be verified on the Windows® AD Domain Controller.
Expected Results: Users are prohibited from using their last 24 passwords to deter reuse of the same password.

GTAX-30
NIST ID: IA-5
NIST Control Name: Authenticator Management
Test Method: Test
Test Objective: Maximum Password Age is enforced.
Test Procedures:
If LDAP off:
[GTREF] select flngPWDExpireDays from rfrPasswordConfig
or GenTax® TOOLS, Reference Editor
If LDAP is used, the GenTax® application relies on the control implemented by Windows® Active Directory. The maximum password age setting will need to be verified on the Windows® AD Domain Controller.
Expected Results:
flngPWDExpireDays <= 90 (standard users)
flngPWDExpireDays <= 60 (privileged users)
Passwords are changed every 60 days, at a minimum, for privileged user accounts, and every 90 days for standard user accounts.
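The rfrPasswordConfig checks in GTAX-10, GTAX-28, GTAX-29 and GTAX-30 can be scored together once the row has been fetched with the [GTREF] query above. The following Python checker is an added example, not part of the SCSEM or of GenTax; it takes the row as a dict keyed by the column names the test cases use, and its reading of those columns (fintNumberOfRequired as the history depth, 0 in flngPWDExpireDays as "never expires", 3 as the compliant maximum for fintLoginAttempts) is an assumption noted in the comments.

```python
"""Score one GenTax rfrPasswordConfig row against the SCSEM expected results.

Added example, not SCSEM or GenTax code. Input: a dict keyed by the column
names named in GTAX-10, GTAX-27, GTAX-28, GTAX-29 and GTAX-30, as a SQL
client would return a row of [GTREF] select * from rfrPasswordConfig.
"""
from typing import Any, Dict

# Thresholds as stated in the SCSEM expected results.
MAX_LOGIN_ATTEMPTS = 3        # GTAX-10: lockout after 3 unsuccessful attempts
MIN_PASSWORD_LENGTH = 8       # GTAX-28
PASSWORD_HISTORY = 24         # GTAX-29: last 24 passwords may not be reused
MAX_AGE_STANDARD_DAYS = 90    # GTAX-30: standard users
MAX_AGE_PRIVILEGED_DAYS = 60  # GTAX-30: privileged users

CHECKS = ("GTAX-10", "GTAX-28", "GTAX-29", "GTAX-30")


def _verdict(ok: bool) -> str:
    return "Pass" if ok else "Fail"


def evaluate_password_config(cfg: Dict[str, Any], privileged: bool = False) -> Dict[str, str]:
    """Return {test_id: 'Pass' | 'Fail' | 'N/A'} for the rfrPasswordConfig checks.

    privileged selects which GTAX-30 maximum password age applies to the
    population governed by this configuration row.
    """
    # With LDAP in use every one of these controls is enforced by Active
    # Directory and, per the SCSEM, must be verified on the domain controller
    # instead: the application-side check is reported as N/A.
    if cfg.get("fblnUseLDAP"):
        return {t: "N/A" for t in CHECKS}

    results: Dict[str, str] = {}

    # GTAX-10: fintLoginAttempts is the number of failures before lockout.
    # The SCSEM prose says the account is disabled after 3 attempts, so 3 is
    # treated as the compliant maximum here (assumption); 0 would mean no lockout.
    results["GTAX-10"] = _verdict(0 < int(cfg["fintLoginAttempts"]) <= MAX_LOGIN_ATTEMPTS)

    # GTAX-28: minimum length 8 and alpha combined with numeric or special
    # characters, read here as "numeric or other must be required" (assumption).
    complexity = bool(cfg.get("fblnRequireNumeric")) or bool(cfg.get("fblnRequireOther"))
    results["GTAX-28"] = _verdict(int(cfg["fintMinLength"]) >= MIN_PASSWORD_LENGTH and complexity)

    # GTAX-29: reuse of the last 24 passwords is prohibited. Assumes
    # fintNumberOfRequired is the history depth and that reuse must be disallowed
    # for the history to matter.
    results["GTAX-29"] = _verdict(
        not cfg.get("fblnPasswordReuseAllowed")
        and int(cfg["fintNumberOfRequired"]) >= PASSWORD_HISTORY
    )

    # GTAX-30: maximum password age; 0 is taken to mean "never expires" (assumption).
    limit = MAX_AGE_PRIVILEGED_DAYS if privileged else MAX_AGE_STANDARD_DAYS
    results["GTAX-30"] = _verdict(0 < int(cfg["flngPWDExpireDays"]) <= limit)
    return results


# Constructed sample rows (not real agency configuration).
WEAK_CONFIG = {
    "fblnUseLDAP": 0, "fintLoginAttempts": 10, "fintMinLength": 6,
    "fblnRequireNumeric": 0, "fblnRequireMixedCase": 0, "fblnRequireOther": 0,
    "fblnNoUserIDAsPwd": 0, "fblnPasswordReuseAllowed": 1,
    "fintNumberOfRequired": 5, "flngPWDExpireDays": 0,
}
HARDENED_CONFIG = {
    "fblnUseLDAP": 0, "fintLoginAttempts": 3, "fintMinLength": 8,
    "fblnRequireNumeric": 1, "fblnRequireMixedCase": 1, "fblnRequireOther": 1,
    "fblnNoUserIDAsPwd": 1, "fblnPasswordReuseAllowed": 0,
    "fintNumberOfRequired": 24, "flngPWDExpireDays": 60,
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, evaluate_password_config(cfg, privileged=True))
```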

GTAX-31
NIST ID: IA-5
NIST Control Name: Authenticator Management
Test Method: Examine
Test Objective: Minimum Password Age is enforced.
Test Procedures:
GenTax® v6 does not have the capability to enforce a minimum password age if LDAP is off.
If LDAP is used, the GenTax® application relies on the control implemented by Windows® Active Directory. The minimum password age setting will need to be verified on the Windows® AD Domain Controller.
Expected Results: Users shall be prohibited from changing their passwords for at least 1 day after a recent change.
Notes/Evidence: 3/3/14: Updated to 1 day.

GTAX-32
NIST ID: IA-5
NIST Control Name: Authenticator Management
Test Method: Test
Test Objective: Checks to ensure Password Expiration is configured properly.
Test Procedures:
Select one or more defined GenTax® users and navigate to their security profile screen to verify the "password never expire" option is not checked.
1. This test verifies that password expiration is enabled:
[GTSYS] select * from tblUser where flngVer = 0 and fdtmStart < GetDate() and fdtmEnd > GetDate() and fblnPasswordNeverExpires = 1
2. This test is for any active user whose password expire date is greater than 60 (non-privileged user) or 90 (privileged user) days. Change the parameter in the command to 60 for non-privileged users.
[GTSYS] select * from tblUser where flngVer = 0 and fdtmEnd = '9999-12-31 00:00:00.000' and fdtmPasswordExpires > dateadd(day, 90, GetDate());
If LDAP is used, the GenTax® application relies on the control implemented by Windows® Active Directory. The "password never expires" setting will need to be verified on the Windows® AD Domain Controller.
Expected Results:
The "Password never expire" box is not checked.
The second command should return no output, indicating there are no privileged accounts with a password expire date greater than 60 days and no non-privileged accounts with a password expire date greater than 90 days.

GTAX-33
NIST ID: AC-2
NIST Control Name: Account Management
Test Method: Test
Test Objective: Checks to ensure all accounts have unique user names.
Test Procedures: Test the uniqueness of user names by performing the following query:
[GTSYS] select fstrUser, count(*) from tblUser where flngVer=0 group by fstrUser having count(*)>1
Expected Results: Every GenTax® application account name is unique. Accounts do not have the same user or account name.
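The tblUser checks in GTAX-32 and GTAX-33 can be applied in one pass over the rows the [GTSYS] queries return, which also makes the active-account filter of GTAX-03 reusable. This Python implementation is an added example, not part of the SCSEM or of GenTax: rows are dicts keyed by the tblUser column names the queries use, the day limits follow the expected results (60 days privileged, 90 days standard), and the set of privileged user names is supplied by the tester from the GTAX-04 role review, since tblUser as queried here carries no privilege column (assumption).

```python
"""Apply the SCSEM tblUser checks (GTAX-03, GTAX-32, GTAX-33) to fetched rows.

Added example, not SCSEM or GenTax code. Each row is a dict with the columns
the SCSEM queries reference: fstrUser, flngVer, fdtmStart, fdtmEnd,
fblnPasswordNeverExpires, fdtmPasswordExpires.
"""
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set

# GTAX-30 / GTAX-32 expected results: 60 days privileged, 90 days standard.
MAX_AGE_STANDARD_DAYS = 90
MAX_AGE_PRIVILEGED_DAYS = 60
OPEN_ENDED = datetime(9999, 12, 31)  # fdtmEnd sentinel used by the SCSEM's own query


def active_accounts(rows: Iterable[Dict], now: datetime) -> List[Dict]:
    """GTAX-03 population: current version, start in the past, end in the future."""
    return [r for r in rows
            if r["flngVer"] == 0 and r["fdtmStart"] < now < r["fdtmEnd"]]


def never_expires(rows: Iterable[Dict], now: datetime) -> List[str]:
    """GTAX-32 step 1: active accounts with 'password never expires' set."""
    return sorted(r["fstrUser"] for r in active_accounts(rows, now)
                  if r["fblnPasswordNeverExpires"] == 1)


def expiry_too_far(rows: Iterable[Dict], now: datetime, privileged: Set[str]) -> List[str]:
    """GTAX-32 step 2: accounts whose expiry lies beyond the allowed maximum age.

    Mirrors the SCSEM query (flngVer = 0, fdtmEnd = 9999-12-31,
    fdtmPasswordExpires > today + N days), applied per population so the
    tester does not have to run it twice with different parameters.
    """
    flagged = []
    for r in rows:
        if r["flngVer"] != 0 or r["fdtmEnd"] != OPEN_ENDED:
            continue
        limit = MAX_AGE_PRIVILEGED_DAYS if r["fstrUser"] in privileged else MAX_AGE_STANDARD_DAYS
        if r["fdtmPasswordExpires"] > now + timedelta(days=limit):
            flagged.append(r["fstrUser"])
    return sorted(flagged)


def duplicate_usernames(rows: Iterable[Dict]) -> List[str]:
    """GTAX-33: user names appearing more than once among current (flngVer = 0) rows."""
    counts: Dict[str, int] = {}
    for r in rows:
        if r["flngVer"] == 0:
            counts[r["fstrUser"]] = counts.get(r["fstrUser"], 0) + 1
    return sorted(u for u, n in counts.items() if n > 1)


# Constructed sample data (not real agency accounts).
NOW = datetime(2017, 10, 1)


def _row(user, ver=0, start=datetime(2015, 1, 1), end=OPEN_ENDED, never=0, expires=None):
    return {"fstrUser": user, "flngVer": ver, "fdtmStart": start, "fdtmEnd": end,
            "fblnPasswordNeverExpires": never,
            "fdtmPasswordExpires": expires or NOW + timedelta(days=30)}


SAMPLE_USERS = [
    _row("admin01", expires=NOW + timedelta(days=75)),  # privileged: 75 > 60, flagged
    _row("clerk01", expires=NOW + timedelta(days=75)),  # standard: 75 <= 90, fine
    _row("clerk02", never=1),                           # never-expires flag set
    _row("clerk02", ver=3, never=1),                    # historical version, ignored
    _row("svc_batch", expires=NOW + timedelta(days=400)),
    _row("svc_batch"),                                  # duplicate current row
    _row("former01", end=datetime(2016, 6, 30)),        # ended account, excluded
]
PRIVILEGED = {"admin01"}

if __name__ == "__main__":
    print("never expires:", never_expires(SAMPLE_USERS, NOW))
    print("expiry too far:", expiry_too_far(SAMPLE_USERS, NOW, PRIVILEGED))
    print("duplicates:", duplicate_usernames(SAMPLE_USERS))
```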

Authenticator Management

Test Objective: Checks to ensure new users must change their password upon initial login to the application.

Test Procedures:

1. Create a new demonstration user for test purposes.

2. Verify the following flag is set: new users default flag "next logon change password" = True.

3. Login using the newly created test user account and verify the password change prompt.

Expected Results:

1. The "next logon change password" flag is set to True.

2. The test user account is prompted for a password change upon initial login.

Authenticator Feedback

Test Method: Examine / Test

Test Objective: Checks to see if the information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

Test Procedures:

1. Examine during login to the application that the user's password is obscured on screen during input.

2. Test the application by forcing a bad login through entering an invalid password and observe the onscreen feedback.

Expected Results:

1. Passwords are masked during input.

2. An invalid login reports a generic "bad login or password" message, so the feedback does not reveal which of the two (the login or the password) was wrong.


Test ID NIST ID NIST Control Name Test Method Test Objective Test Procedures Expected Results Actual Results Status Notes/Evidence

GTAX-36 SC-8 Test

GTAX-37 SC-2

GTAX-38 SC-4

GTAX-39 SC-13 Examine

Transmission Confidentiality and Integrity

Test Objective: Checks to ensure passwords are encrypted on the client, in transmission, and while stored in the DBMS.

Test Procedures:

Test the password encryption method using the following queries:

1. [GTREF]
   select fstrEncryptionType from rfrPasswordConfig
   or GenTax® TOOLS, Reference Editor

2. [GTSYS]
   select fstrPwdEncryptionType, fstrPassword from tblUser

Notes: GenTax® supports SHAXXX password hashing. Passwords are encrypted in tblUser within the DBMS.

Expected Results:

Passwords are encrypted on the client, in transmission and while stored in the DBMS using NIST FIPS 140-2 validated encryption.
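As an added example (not from the SCSEM or the GenTax product), the two GTAX-36 queries can be combined to flag accounts whose stored hash type does not match the type configured in rfrPasswordConfig, which catches rows that were never re-hashed after a configuration change. Assumptions: rfrPasswordConfig holds the current type in a single row, the GTREF and GTSYS databases are reachable from one connection under those names, and fstrEncryptionType is a string column.

```sql
-- Added example (not from the IRS SCSEM or GenTax): cross-check the configured
-- password hashing type against what is actually stored for each user.
-- Assumptions: rfrPasswordConfig has a single current row (TOP 1 is defensive),
-- and GTREF / GTSYS are the database names reachable from this connection.
DECLARE @ConfiguredType NVARCHAR(50);

SELECT TOP 1 @ConfiguredType = fstrEncryptionType
FROM GTREF.dbo.rfrPasswordConfig;

-- Distribution of stored hash types among current user rows. A compliant
-- system shows a single group row whose Status is 'matches config'.
SELECT fstrPwdEncryptionType,
       COUNT(*) AS UserCount,
       CASE WHEN fstrPwdEncryptionType = @ConfiguredType THEN 'matches config'
            ELSE 'MISMATCH' END AS Status
FROM GTSYS.dbo.tblUser
WHERE flngVer = 0
GROUP BY fstrPwdEncryptionType;

-- Individual accounts whose stored type differs from (or lacks) the configured type.
SELECT fstrUser, fstrPwdEncryptionType
FROM GTSYS.dbo.tblUser
WHERE flngVer = 0
  AND (fstrPwdEncryptionType <> @ConfiguredType OR fstrPwdEncryptionType IS NULL)
ORDER BY fstrUser;
```

The hash values themselves (fstrPassword) are not selected, since the check only needs the algorithm label; a compliant system shows one group row marked 'matches config' and an empty mismatch list.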

Application Partitioning

Test Method: Examine / Interview

Test Objective: Checks to see if the information system separates user functionality (including user interface services) from information system management functionality.

Test Procedures:

Examine the GenTax® application architecture to determine how system management and user interface services are separated.

Interview the application administrator or examine the application documentation to determine the location of the application code. Examine the directory where the application code is located.

Expected Results:

The application data is not located in the same directory as the code.

Notes: Separation may be accomplished through the use of different computers, different central processing units, different instances of the operating system, different network addresses, combinations of these methods, or other methods as appropriate.

Information in Shared Resources

Test Method: Examine / Interview

Test Objective: Checks to ensure the application prevents unauthorized and unintended information transfer via shared system resources.

Test Procedures:

Examine the system architecture and interview the system administrator to verify the application does not store FTI in a system cache, registers, main memory, or secondary storage after a user session is terminated.

Expected Results:

Temporary files/objects that may contain FTI, including encrypted files, are not released to any system cache, registers, main memory or secondary storage when a user session is terminated.

Cryptographic Protection

Test Objective: Checks to ensure the application uses an approved cryptographic module.

Test Procedures:

If the application does not utilize encryption, key exchange, digital signature or hash, FIPS 140-2 cryptography is not required and this check is not applicable.

Examine and verify that all cryptography functions used by the application are FIPS-140 validated cryptographic modules.

The National Institute of Standards and Technology's FIPS 140-1 and FIPS 140-2 Vendor List is at http://csrc.nist.gov/cryptval/.

Expected Results:

The application uses approved FIPS 140-2 compliant modules.


Change Log

Version Date Description of Changes Author
0.1 5/30/2008 First Release. Booz Allen Hamilton
0.2 7/21/2008 Updated test ID #5 to include language from Pub 1075 on commingling. Added language to Test ID #8 note. Booz Allen Hamilton
0.3 10/30/2008 Updated test ID #23 to include a second test step to test for the password expire interval. Booz Allen Hamilton
0.4 1/27/2009 Booz Allen Hamilton
0.5 11/10/2009 Booz Allen Hamilton
0.6 2/11/2010 Added test cases based on discussions with GenTax. Added IDs are: 7, 13, 14, 15, 17. Booz Allen Hamilton
0.7 7/30/2010 Booz Allen Hamilton
1.1 11/7/2012 Updates made based on GenTax Version 8. Booz Allen Hamilton
1.2 2/12/2013 Booz Allen Hamilton
1.3 9/26/2013 Update test cases based on NIST 800-53 R4. Booz Allen Hamilton
1.4 4/11/2014 Updates based on Publication 1075. See SCSEM notes column for specific updates. Booz Allen Hamilton
1.5 3/16/2015 Booz Allen Hamilton

Additional change descriptions:

Updates:
- Cover: Reorganized the Tester and Agency POC information cells, to better reflect possible multiple POCs.
- Test Cases:
  a. Changed Column G header to "Pass / Fail / N/A", to more accurately reflect the four possible status indicators.
  b. Added conditional formatting to the status cells, and included summary cells at the bottom of the checks.
  c. Added control names to the NIST ID cells. Primary control is listed in black; any secondary controls are listed in GRAY.
- Legend: Updated the Pass/Fail row to reflect the three possible status indicators (above).
- Test IDs: None.

Updated the following:
1.) NIST mapping per test case - Clarification of one NIST control per test case.
2.) Added NIST 800-53A Test Methods (e.g. Test, Examine, Interview).
3.) Added Out-Of-Scope controls tab.
4.) Added Dashboard tab to automatically calculate the Test Case results.
5.) Added Sources tab to identify sources for the Test Case material.
6.) Added SCSEM disclaimer language.

Updates based on NIST 800-53 rev 3 release.

Updated for new Publication 1075 version.

Minor update to correct worksheet locking capabilities. Added back NIST control name to Test Cases Tab.

Added baseline Criticality Score and Issue Codes, weighted test cases based on criticality, and updated Results Tab.

Issue Code

HAC1 HAC2 HAC3 HAC4 HAC5 HAC6 HAC7 HAC8 HAC9 HAC10 HAC100 HAC11 HAC12 HAC13 HAC14 HAC15 HAC16 HAC17 HAC18 HAC19 HAC20 HAC21 HAC22 HAC23 HAC24 HAC25 HAC26 HAC27 HAC28 HAC29 HAC30 HAC31 HAC32 HAC33 HAC34 HAC35 HAC36 HAC37 HAC38 HAC39 HAC40 HAC41 HAC42 HAC43 HAC44 HAC45

HAC46 HAC47 HAC48 HAC49 HAC50 HAC51 HAC52 HAC53 HAC54 HAC55 HAC56 HAC57 HAC58 HAC59 HAC60 HAC61 HAC62 HAT1 HAT100 HAT2 HAT3 HAT4 HIA1 HIA2 HIA3 HIA4 HIA5 HAU1 HAU2 HAU3 HAU4 HAU5 HAU6 HAU7 HAU8 HAU9 HAU10 HAU100 HAU11 HAU12 HAU13 HAU14 HAU15 HAU16 HAU17 HAU18 HAU19

HAU20 HAU21 HAU22 HAU23 HAU24 HAU25

HAU26

HAU27 HCA1 HCA100 HCA2 HCA3 HCA4 HCA5 HCA6 HCA7 HCA8 HCA9 HCA10 HCA11 HCA12 HCA13 HCA14 HCA15 HCM1 HCM10 HCM100 HCM11 HCM12 HCM13 HCM14 HCM15 HCM16 HCM17 HCM18 HCM19 HCM2 HCM20 HCM21 HCM22 HCM23 HCM24 HCM25 HCM26 HCM27 HCM28

HCM29

HCM3 HCM30 HCM31 HCM32

HCM33

HCM34 HCM35 HCM36 HCM37 HCM38 HCM39

HCM4

HCM40 HCM41 HCM42 HCM43 HCM44 HCM45 HCM46 HCM47 HCM48 HCM5

HCM6

HCM7 HCM8 HCM9 HCP1 HCP100 HCP2 HCP3 HCP4 HCP5 HCP6 HCP7 HCP8 HCP9 HCP10 HIR1 HIR100 HIR2 HIR3

HIR4

HIR5 HMA1 HMA100 HMA2 HMA3 HMA4 HMA5 HMT1 HMT2 HMT3 HMT4 HMT5 HMT6 HMT7 HMT8 HMT9 HMT10 HMT100 HMT11 HMT12 HMT13 HMT14 HMT15 HMT16 HMT17 HMT18 HMT19 HPW1 HPW2 HPW3 HPW4 HPW5 HPW6 HPW7 HPW8 HPW9 HPW10 HPW100 HPW11 HPW12 HPW13 HPW14 HPW15 HPW16 HPW17

HPW18 HPW19 HPW20 HPW21 HPW22 HPW23 HRA1 HRA100 HRA2 HRA3

HRA4

HRA5 HRA6 HRA7 HRA8 HRA9 HRM1 HRM10 HRM100 HRM11 HRM12 HRM13 HRM14 HRM15 HRM16 HRM17 HRM18 HRM19 HRM2 HRM3 HRM4 HRM5 HRM6 HRM7 HRM8 HRM9 HSA1 HSA100 HSA2 HSA3 HSA4 HSA5 HSA6 HSA7

HSA8

HSA9

HSA10

HSA11

HSA12 HSA13 HSA14 HSA15 HSA16 HSA17 HSA18 HSC1 HSC2 HSC3 HSC4 HSC5 HSC6 HSC7 HSC8 HSC9 HSC10 HSC100 HSC11 HSC12 HSC13 HSC14 HSC15 HSC16 HSC17 HSC18 HSC19 HSC20 HSC21 HSC22 HSC23 HSC24 HSC25 HSC26 HSC27 HSC28 HSC29 HSC30 HSC31 HSC32 HSC33

HSC34 HSC35 HSC36 HSC37 HSI1 HSI2 HSI3 HSI4 HSI5 HSI6 HSI7 HSI8 HSI9 HSI10 HSI100 HSI11 HSI12 HSI13 HSI16 HSI17 HSI18 HSI19 HSI20 HSI21 HSI22 HSI23 HSI24 HSI25 HSI26 HSI27 HSI28 HSI29 HSI30

HSI31

HSI32 HSI33 HSI34 HTW1 HTW100 HTW2 HTW3 HTW4 HTW5 HTW6 HMP1 HPE1

HPM1 HTC1 HTC10 HTC100 HTC11 HTC12 HTC13 HTC14 HTC15 HTC16 HTC17 HTC18 HTC19 HTC2 HTC20 HTC21 HTC22 HTC23 HTC24 HTC25 HTC26 HTC27 HTC28 HTC29 HTC3 HTC30 HTC31 HTC32 HTC33 HTC34 HTC35 HTC36 HTC37 HTC38 HTC39 HTC4 HTC40 HTC41 HTC42 HTC43 HTC44 HTC45 HTC46 HTC47 HTC48 HTC49 HTC5

HTC50 HTC51 HTC52 HTC53 HTC54 HTC55 HTC56 HTC57 HTC58 HTC59 HTC60 HTC61 HTC62 HTC63 HTC64 HTC65 HTC66 HTC67 HTC68 HTC69 HTC70 HTC71 HTC72 HTC73 HTC74 HTC75 HTC76 HTC77 HTC78 HTC79 HTC80 HTC81 HTC82 HTC83 HTC84 HTC85 HTC86 HTC87 HTC88 HTC6 HTC7 HTC8 HTC9

Description (one entry per issue code, in the order listed above)

Contractors with unauthorized access to FTI
User sessions do not lock after the Publication 1075 required timeframe
Agency processes FTI at a contractor-run consolidated data center
FTI is not labeled and is commingled with non-FTI
FTI is commingled with non-FTI data in the data warehouse
Cannot determine who has access to FTI
Account management procedures are not in place
Accounts are not reviewed periodically for proper privileges
Accounts have not been created using user roles
Accounts do not expire after the correct period of inactivity
Other
User access was not established with concept of least privilege
Separation of duties is not in place
Operating system configuration files have incorrect permissions
Warning banner is insufficient
User accounts not locked out after 3 unsuccessful login attempts
Network device allows telnet connections
Account lockouts do not require administrator action
Network device has modems installed
Out of Band Management is not utilized in all instances
Agency duplicates usernames
Agency shares administrative account inappropriately
Administrators do not use su or sudo command to access root privileges
Unauthorized disclosure to other agencies
User roles do not exist within the data warehouse environment
Agency employees with inappropriate access to FTI
Inappropriate access to FTI from mobile devices
Default accounts have not been disabled or renamed
Database trace files are not properly protected
Access to system functionality without identification and authentication
RACF access controls not properly implemented
The database public users has improper access to data and/or resources
Mainframe access control function does not control access to FTI data
FTI is accessible to third parties
Improper access to DBMS by non-DBAs
Inappropriate public access to FTI
Agency allows FTI access from unsecured wireless network
Account management procedures are not implemented
Warning banner does not exist
Access to wireless network exceeds acceptable range
The system does not effectively utilize whitelists or ACLs
Accounts are not removed or suspended when no longer necessary
System configuration files are not stored securely
Management sessions are not properly restricted by ACL
System does not have a manual log off feature
Split tunneling is enabled

Access to mainframe product libraries is not adequately controlled
Files containing authentication information are not adequately protected
Usernames are not archived and may be re-issued to different users
Use of emergency user IDs is not properly controlled
Print spoolers do not adequately restrict jobs
Unauthorized access to FTI
Wireless usage policies are not sufficient
Mobile device policies are not sufficient
FTI is not properly labeled in the cloud environment
FTI is not properly isolated in the cloud environment
Mobile device does not wipe after the required threshold of passcode failures
Mobile devices policies governing access to FTI are not sufficient
Access control parameter thresholds are reset
The guest account has improper access to data and/or resources
Agency does not centrally manage access to third party environments
User rights and permissions are not adequately configured
Host-based firewall is not configured according to industry standard best practice
Agency does not train employees with FTI access
Other
Agency does not train contractors with FTI access
Agency does not maintain training records
Agency does not provide security-specific training
Adequate device identification and authentication is not employed
Standardized naming convention is not enforced
Authentication server is not used for end user authentication
Authentication server is not used for device administration
System does not properly control authentication process
No auditing is being performed at the agency
No auditing is being performed on the system
Audit logs are not being reviewed
System does not audit failed attempts to gain access
Auditing is not performed on all data tables containing FTI
System does not audit changes to access control settings
Audit records are not retained per Pub 1075
Logs are not maintained on a centralized log server
No log reduction system exists
Audit logs are not properly protected
Other
NTP is not properly implemented
Audit records are not time stamped
Audit records are not archived during VM rollback
Remote access is not logged
Verbose logging is not being performed on perimeter devices
A centralized automated audit log analysis solution is not implemented
Audit logs do not capture sufficient auditable events
Audit logs are reviewed, but not per Pub 1075 requirements
Audit log anomalies or findings are not reported and tracked

Audit log data not sent from a consistently identified source
System does not audit all attempts to gain access
Content of audit records is not sufficient
Audit storage capacity threshold has not been defined
Administrators are not notified when audit storage threshold is reached
Audit processing failures are not properly reported and responded to

Audit trail does not include access to FTI in pre-production
Systems are not formally certified by management to process FTI
Other
Undocumented system interconnections exist
Agency does not conduct routine assessments of security controls
No third party verification of security assessments
POA&Ms are not used to track and mitigate potential weaknesses
The agency's SSR does not address the current FTI environment
SSR is not current with Pub 1075 reporting requirements
Rules of behavior does not exist
Rules of behavior is not sufficient
Assessment results are not shared with designated agency officials
Interconnection Security Agreements are not sufficient
POA&Ms are not reviewed in accordance with Pub 1075
System authorizations are not updated in accordance with Pub 1075
A continuous monitoring program has not been established
The continuous monitoring program is not sufficient
Information system baseline is insufficient
System has unneeded functionality installed
Other
SNMP is not implemented correctly
Offline system configurations are not kept up-to-date
System component inventories do not exist
System component inventories are outdated
Hardware asset inventory is not sufficient
Software asset inventory is not sufficient
Hardware asset inventory does not exist
Software asset inventory does not exist
Firewall rules are not reviewed or removed when no longer necessary
FTI is not properly labeled on-screen
Application interfaces are not separated from management functionality
Permitted services have not been documented and approved
Application code is not adequately separated from data sets
System is not monitored for changes from baseline
Agency network diagram is not complete
Zoning has not been configured appropriately
Static IP addresses are not used when needed
Information system baseline does not exist
Boundary devices are not scanned for open ports and services

System/service provider is not held accountable to protect and share audit records with the agency

Operating system does not have vendor support
System reset function leaves device in unsecure state
Default SSID has not been changed
The device is inappropriately used to serve multiple functions

Significant changes are not reviewed for security impacts before being implemented

Agency does not control significant changes to systems via an approval process
Services are not configured to use the default/standard ports
The required benchmark has not been applied
Configuration settings and benchmarks have not been defined
Agency does not adequately govern or control software usage
RACF security settings are not properly configured

ACF security settings are not properly configured
Top Secret security settings are not properly configured
UNISYS security settings are not properly configured
IBMi security settings are not properly configured
Agency does not properly test changes prior to implementation
System configuration provides additional attack surface
Agency does not centrally manage mobile device configuration
System error messages display system configuration information
Low-risk operating system settings are not configured securely
Web portal with FTI does not have three-tier architecture

Configuration management procedures do not exist
The ability to make changes is not properly limited
Systems are not deployed using the concept of least privilege
No contingency plan exists for FTI data
Other
Contingency plans are not tested annually
Contingency plan does not exist for consolidated data center
FTI is not encrypted in transit to the DR site
Backup data is not adequately protected
Contingency plan is not updated annually
Contingency plan is not sufficient
Contingency training is not conducted
Contingency training is not sufficient
Backup data is located on production systems
Incident response program does not exist
Other
Incident response plan is not sufficient
Agency does not perform incident response exercises in accordance with Pub 1075

Application architecture does not properly separate user interface from data repository

Routine operational changes are not reviewed for security impacts before being implemented

Agency does not control routine operational changes to systems via an approval process

Incident response plan does not exist
External maintenance providers not escorted in the data center
Other
Maintenance not restricted to local access
Maintenance tools are not approved / controlled
Maintenance records are not sufficient
Nonlocal maintenance is not implemented securely
Risk Assessment controls are not implemented properly
Planning controls are not implemented properly
Program management controls are not implemented properly
System acquisition controls are not implemented properly
SA&A controls are not implemented properly
Contingency planning controls are not implemented properly
Configuration management controls are not implemented properly
Maintenance controls are not implemented properly
System and information integrity controls are not implemented properly
Incident response controls are not implemented properly
Other
Awareness and training controls are not implemented properly
Identification and authentication controls are not implemented properly
Access controls are not implemented properly
Audit and accountability are not implemented properly
System and communications protection controls are not implemented properly
Documentation does not exist
Documentation is sufficient but outdated
Documentation exists but is not sufficient
Management Operational and Technical controls are not implemented properly
No password is required to access an FTI system
Password does not expire timely
Minimum password length is too short
Minimum password age does not exist
Passwords are generated and distributed automatically
Password history is insufficient
Password change notification is not sufficient
Passwords are displayed on screen when entered
Password management processes are not documented
Passwords are allowed to be stored
Other
Password transmission does not use strong cryptography
Passwords do not meet complexity requirements
Enabled secret passwords are not implemented correctly
Authenticator feedback is labeled inappropriately
Passwords are shared inappropriately
Swipe-based passwords are allowed on mobile devices
Default passwords have not been changed

Agency does not provide support resource for assistance in handling and reporting security incidents

No password is required to remotely access an FTI system
More than one Publication 1075 password requirement is not met
User is not required to change password upon first use
Passwords are allowed to be stored unencrypted in config files
Administrators cannot override minimum password age for users, when required
Passwords cannot be changed by users
Risk assessments are not performed
Other
Vulnerability assessments are not performed
Vulnerability assessments do not generate corrective action plans

Vulnerabilities are not remediated in a timely manner
Scope of vulnerability scanning is not sufficient
Risk assessments are performed but not in accordance with Pub 1075 parameters
Penetration test results are not included in agency POA&Ms
Application source code is not assessed for static vulnerabilities
Multi-Factor authentication is not required
Client side cache cleaning utility has not been implemented
Other
Site to site connection does not terminate outside the firewall
An FTI system is directly routable to the internet via unencrypted protocols
The agency does not blacklist known malicious IPs
The agency does not update blacklists of known malicious IPs
Multi-factor authentication is not enforced for local device management
VPN access points have not been limited
SSH is not implemented correctly for device management
Remote access policies are not sufficient
Agency cannot remotely wipe lost mobile device
Multi-Factor authentication is not required to access FTI via personal devices
FTI access from personal devices
FTI access from offshore
User sessions do not terminate after the Publication 1075 period of inactivity
The mainframe is directly routable to the internet via Port 23
The agency does not adequately control remote access to its systems
Direct root access is enabled on the system
VPN technology does not perform host checking
Live FTI data is used in test environments without approval
Other
Usage restrictions to open source software are not in place
No agreement exists with 3rd party provider to host FTI
Software installation rights are not limited to the technical staff
Configuration changes are not controlled during all phases of the SDLC
Security test and evaluations are not performed during system development
The external facing system is no longer supported by the vendor

Vulnerability assessments are not performed as frequently as required per Publication 1075

The internally hosted operating system's major release is no longer supported by the vendor

The internally hosted software's major release is no longer supported by the vendor

The internally hosted software's minor release is no longer supported by the vendor

Internal networking devices are no longer supported by the vendor
IT security is not part of capital planning and the investment control process
FTI systems are not included in a SDLC
FTI contracts do not contain all security requirements
Documentation is not properly protected
Security is not a consideration in system design or upgrade
Cloud vendor is not FedRAMP certified
FTI is not encrypted in transit
FTI is emailed outside of the agency
FTI is emailed incorrectly inside the agency
VOIP system not implemented correctly
No DMZ exists for the network
Not all connections to FTI systems are monitored
NAT is not implemented for internal IP addresses
Network architecture is flat
Database listener is not properly configured
FTI is not properly deleted / destroyed
Other
No backup plan exists to remove failed data loads in the data warehouse
Original FTI extracts are not protected after ETL process
FTI is transmitted incorrectly using an MFD
VM to VM communication exists using VMCI
Encryption capabilities do not meet FIPS 140-2 requirements
System does not meet common criteria requirements
Denial of Service protection settings are not configured
System communication authenticity is not guaranteed
Network perimeter devices do not properly restrict traffic
Publicly available systems contain FTI
Number of logon sessions are not managed appropriately
VPN termination point is not sufficient
Site survey has not been performed
Digital Signatures or PKI certificates are expired or revoked
Network sessions do not timeout per Publication 1075 requirements
Email policy is not sufficient
Traffic inspection is not sufficient
The network is not properly segmented
Cryptographic key pairs are not properly managed
VLAN configurations do not utilize networking best practices
Collaborative computing devices are not deployed securely
PKI certificates are not issued from an approved authority
Data warehouse has insecure connections

The internally hosted operating system's minor release is no longer supported by the vendor

The production and development environments are not properly separated
Procedures stored in the database are not encrypted
System is configured to accept unwanted network connections
Network connection to third party system is not properly configured
System configured to load or run removable media automatically
System patch level is insufficient
System is not monitored for threats
No intrusion detection system exists
OS files are not hashed to detect inappropriate changes
Intrusion detection system not implemented correctly
FTI can move via covert channels (e.g., VM isolation tools)
All VM moves are being tracked in the virtual environment
Network device configuration files are not kept offline
Hash sums of ISO images are not maintained in the virtual environment
Other
Antivirus is not configured to automatically scan removable media
No antivirus is configured on the system
Antivirus does not exist on an internet-facing endpoint
Agency network not properly protected from spam email
Antivirus is not configured appropriately
VM rollbacks are conducted while connected to the network
Data inputs are not being validated
Agency does not receive security alerts, advisories, or directives
FTI is inappropriately moved and shared with non-FTI virtual machines
Data remanence is not properly handled
Agency has not defined an authorized list of software
Agency does not monitor for unauthorized software on the network
Agency does not monitor for unauthorized hosts on the network
No host intrusion detection/prevention system exists
Critical security patches have not been applied
Security alerts are not disseminated to agency personnel
Data inputs are from external sources
System output is not secured in accordance with Publication 1075

Agency does not properly retire or remove unneeded source code from production

Virtual Switch (Vswitch) security parameters are set incorrectly
Memory protection mechanisms are not sufficient
A file integrity checking mechanism does not exist
Tumbleweed client is not configured properly
Other
Tumbleweed certificate is assigned to the wrong person
No written procedures for using Tumbleweed
FTI is left on the device running the Tumbleweed application
Axway does not run on a dedicated platform
The data transfer agreement is not in place
Media sanitization is not sufficient
Printer does not lock and prevent access to the hard drive

A senior information officer does not exist
The Windows 2000 server is unsupported
The ASA firewall is not configured securely
Other
The RACF Mainframe is not configured securely
The ACF2 Mainframe is not configured securely
The Top Secret Mainframe is not configured securely
The Unisys Mainframe is not configured securely
The i5OS Mainframe is not configured securely
The VPN concentrator is not configured securely
The Citrix Access Gateway is not configured securely
The Windows XP Workstation is not configured securely
The Windows 7 Workstation is not configured securely
The Windows 2003 Server is not configured securely
The Windows 8 Workstation is not configured securely
Network protection capabilities are not configured securely
The MFD is not configured securely
The GenTax application is not configured securely
The data warehouse is not configured securely
The RSI data warehouse is not configured securely
The Teradata data warehouse is not configured securely
The DB2 database is not configured securely
The Oracle 9g database is not configured securely
The Oracle 10g database is not configured securely
The Windows 2008 Standard Server is not configured securely
The Oracle 11g database is not configured securely
The SQL Server 2000 installation is unsupported
The SQL Server 2005 installation is not configured securely
The SQL Server 2008 installation is not configured securely
The SQL Server 2012 installation is not configured securely
The VMWare Hypervisor is not configured securely
The Tumbleweed client is not configured securely
The internet browser is not configured securely
The storage area network device is not configured securely
The voice-over IP network is not configured securely
The Windows 2012 Standard Server is not configured securely
The wireless network is not configured securely
The custom web application is not configured securely
The IVR system is not configured securely
The web server is not configured securely
The cloud computing environment is not configured securely
The Apple iOS device is not configured securely
The Google Android device is not configured securely
The Blackberry OS device is not configured securely
The Microsoft Windows RT device is not configured securely
The mobile device is not configured securely
The Solaris server is not configured securely

Agency has not notified IRS of this technology
Technology is not properly sanitized after use
The AIX server is not configured securely
The custom application is not configured securely
The SuSE Linux server is not configured securely
The Adabas database is not configured securely
The Windows 10 operating system is not configured securely
The Oracle 12c database is not configured securely
The Red Hat Enterprise Linux 6 operating system is not configured securely
The Red Hat Enterprise Linux 7 operating system is not configured securely
The Windows 2016 Server is not configured securely
The Windows 2012 R2 Server is not configured securely
The SQL Server 2014 database is not configured securely
The Windows 2008 R2 Server is not configured securely
The High Volume Printer is not configured securely
The system was not assessed during the onsite review
The VMWare ESXi 5.5 Hypervisor is not configured securely
The VMWare ESXi 6.0 Hypervisor is not configured securely
The IBM z/OS version 1.13.x is not configured securely
The IBM z/OS version 2.1.x is not configured securely
The IBM z/OS version 2.2.x is not configured securely
The Checkpoint R76 firewall is not configured securely
The Checkpoint R77 firewall is not configured securely
The Checkpoint R80 firewall is not configured securely
The Oracle 11.2.0.4 database is not configured securely
The Cisco IOS v12.x is not configured securely
The Cisco IOS v15.x is not configured securely
The AIX 6 server is not configured securely
The AIX 7 server is not configured securely
The CentOS 6 server is not configured securely
The CentOS 7 server is not configured securely
The OEL 6 server is not configured securely
The OEL 7 server is not configured securely
The Solaris 10 server is not configured securely
The Solaris 11 server is not configured securely
The SuSE 11 server is not configured securely
The SuSE 12 server is not configured securely
The VMWare Horizon 6 VDI solution is not configured securely
The VMWare Horizon 7 VDI solution is not configured securely
The Red Hat Linux server is not configured securely
The CentOS server is not configured securely
The Cisco networking device is not configured securely
The Cisco pix firewall is not configured securely

Weight (9-30-17 v4), one digit per issue code, in the order and line groups listed above

6 4 1 2 2 4 2 5 5 5 2 5 4 4 1 5 8 1 8 6 7 7 7 5 5 5 6 6 4 7 5 5 8 1 5 8 5 5 2 4 5 5 6 5 4 5

6 7 3 6 4 5 2 2 5 5 5 5 3 6 3 4 3 3 2 3 3 3 5 3 6 5 4 7 6 5 3 5 4 2 4 4 4 2 3 6 3 6 5 5 5 3 5

2 5 4 2 2 4

5 4 4 2 4 5 2 5 6 4 5 4 2 2 3 3 5 4 3 5 2 4 1 6 5 3 3 4 4 6 3 5 6 4 5 4 4 4 5 6

5 7 6 1 6

6 6 4 6 3 4 5

3 5 5 5 5 5 5 6 4 3 6

5 3 5 5 4 2 3 3 5 5 2 3 4 2 2 5 2 3 3

3 5 4 2 1 4 3 4 4 4 2 3 4 2 4 4 4 3 2 1 4 4 4 4 2 1 1 4 7 5 6 5 2 3 1 7 2 5 2 6 4 6 4 6 4 7

8 6 5 6 1 4 5 2 6 5

4 5 5 4 4 5 7 4 3 5 8 5 4 4 5 6 5 6 8 6 8 4 8 6 6 6 4 2 2 5 5 4 4 8

7

6

8

7 6 4 4 5 1 4 7 6 5 5 3 6 5 5 6 5 5 2 1 4 5 3 6 4 5 4 6 6 4 6 3 5 4 3 4 5 4 5 4 4 5

6 5 5 6 6 5 6 6 4 5 4 3 2 3 2 7 6 7 6 5 4 2 4 4 5 2 4 4 5 8 3 4 4

4 5 5 5 4 2 4 1 4 3 5 4 4

5 1 1 2 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1

5 4 1 1 1 1 1 1 1 1 1 1 1 1 1 8 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1


Recommended