Preparing for the IRS Safeguarding Review Coordinator: Karina Castañeda



California Department of Child Support Services: Jesse Saenz, Senior Information Security Analyst

Napa County Department of Child Support: Janet Nottley, Director

Sacramento County Department of Child Support: Craig Neiman, Child Support Program Planner


Housekeeping

■ Business cards are available after the presentation, on the back table.

■ There will be time for Q&A at the end of the presentation. To ensure we finish on time, please hold your questions.

■ The LCSA contact list for SAR will be shared. Please write down your LCSA's information.

■ Please turn off your cell phones or put them on vibrate. Please take urgent calls outside for everyone's comfort.


Agenda

■ Purpose

■ DCSS Role and Responsibilities

■ On-Site Safeguard Evaluation Overview

■ LCSA Perspective


TRAINING OBJECTIVE

Ensure the safeguarding of personal, confidential, and sensitive child support information, including FTI, by CSS.

Ensure IT best practices for the privacy and security of information are shared and followed by LCSAs.


Jesse Saenz

[email protected]

DCSS Information Security Office


Topics

■ DCSS Information Security Office Responsibilities

■ Definition of FTI

■ Requirements for Handling FTI

■ Restrictions for Access to FTI

■ On-Site Safeguard Evaluation Overview


DCSS ISO Responsibilities

Establish and maintain the DCSS Security policies which govern information security within the Child Support Program.

Provide guidance, support and oversight for information security activities, including but not limited to compliance monitoring, business continuity, security incident response, and policy.

Perform on-site safeguard evaluations to determine the adequacy of safeguards for child support information.

Conduct tasks in a professional manner, promote superior customer satisfaction, and deliver services that meet or exceed our customers' expectations.


Definition of FTI

Return or Return Information received directly or indirectly from the Secretary of the Treasury.

FTI received from OCSE (Office of Child Support Enforcement) is stored in the CSE (Child Support Enforcement) application.

Most FTI provided to the child support program is received from OCSE (via CSE and CMT).

Important to note: Return or Return Information received from an NCP, CP or other participant is not considered FTI. This data is still confidential, and security controls still apply to protect it from unauthorized access.


Requirements for Handling FTI

Every employee granted access to handle or process FTI must certify their understanding of security policy and procedure for protecting IRS information and the penalties for unauthorized disclosure. This includes contractors, consultants, and temporary employees employed by the LCSA.

All Child Support employees, at time of hire and annually thereafter, certify their understanding of the importance of protecting child support information at all times by successfully completing the mandatory Information Security Awareness Training (ISAT), available via the Child Support University (CSU).


Restrictions for Access to FTI

Access to FTI should be limited to authorized employees with a legitimate business need.

The IRS has defined a number of physical and technical requirements that control access, even for authorized persons.

CSE implements tracking and logging consistent with IRS requirements for information electronically stored in CSE and SDU, including the Data Repository.

FTI received outside of CSE must be manually logged and tracked from the date of receipt, through handling, to destruction.
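The slide above requires that FTI received outside CSE be logged from receipt, through handling, to destruction. The following is an added example of what such a receipt-to-destruction log looks like when the rules are enforced rather than left to a paper form; it is not code from the presentation or from DCSS. The field names, the three event kinds (received, transferred, destroyed) and the rule that nothing may be logged against an item before it is received or after it is destroyed are assumptions; the sample entries are constructed.

```python
"""Receipt-to-destruction log for FTI held outside the case system (CSE).

Added example, not code from the presentation or from DCSS. The field names,
the three event kinds and the transition rules are assumptions modelled on the
slide's requirement that FTI received outside CSE be logged from the date of
receipt, through handling, to destruction. Sample entries are constructed.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Event:
    when: date
    kind: str         # "received", "transferred" or "destroyed"
    custodian: str    # who or what holds the item after this event
    note: str = ""


@dataclass
class Item:
    item_id: str
    source: str        # where it came from, e.g. "OCSE (mail)"
    description: str   # what it is; never the FTI content itself
    events: List[Event] = field(default_factory=list)

    @property
    def destroyed(self) -> bool:
        return bool(self.events) and self.events[-1].kind == "destroyed"

    @property
    def custodian(self) -> Optional[str]:
        return None if self.destroyed else self.events[-1].custodian


class FTILog:
    """Enforces that every item is received before it is handled and that
    nothing happens to an item after it has been destroyed."""

    def __init__(self) -> None:
        self._items: Dict[str, Item] = {}

    def receive(self, item_id: str, when: date, source: str,
                description: str, custodian: str) -> Item:
        if item_id in self._items:
            raise ValueError(f"{item_id} already logged")
        item = Item(item_id, source, description)
        item.events.append(Event(when, "received", custodian))
        self._items[item_id] = item
        return item

    def _live(self, item_id: str, when: date) -> Item:
        item = self._items.get(item_id)
        if item is None:
            raise KeyError(f"{item_id} was never logged as received")
        if item.destroyed:
            raise ValueError(f"{item_id} was already destroyed")
        if when < item.events[-1].when:
            raise ValueError("events must be logged in chronological order")
        return item

    def transfer(self, item_id: str, when: date, new_custodian: str, note: str = "") -> None:
        self._live(item_id, when).events.append(Event(when, "transferred", new_custodian, note))

    def destroy(self, item_id: str, when: date, witnesses: str,
                method: str = "cross-cut shred") -> None:
        self._live(item_id, when).events.append(Event(when, "destroyed", witnesses, method))

    def overdue(self, today: date, max_age_days: int) -> List[str]:
        """Items not yet destroyed that were received more than max_age_days ago."""
        return sorted(
            i.item_id for i in self._items.values()
            if not i.destroyed and (today - i.events[0].when).days > max_age_days
        )

    def chain_of_custody(self, item_id: str) -> List[str]:
        return [
            f"{e.when.isoformat()} {e.kind} -> {e.custodian}" + (f" ({e.note})" if e.note else "")
            for e in self._items[item_id].events
        ]


def demo() -> FTILog:
    """Constructed sample: one item shredded, one still outstanding."""
    log = FTILog()
    log.receive("FTI-2015-001", date(2015, 3, 2), "OCSE (mail)", "Transmittal 2, 1 page", "ISO")
    log.transfer("FTI-2015-001", date(2015, 3, 2), "Program Supervisor", "routed for case review")
    log.transfer("FTI-2015-001", date(2015, 3, 3), "FTI cabinet", "locked, ISO office")
    log.receive("FTI-2015-002", date(2015, 3, 9), "Central Registry", "Interstate packet, 3 pages", "ISO")
    log.destroy("FTI-2015-001", date(2015, 3, 20), "ISO and Director")
    return log


if __name__ == "__main__":
    log = demo()
    print("\n".join(log.chain_of_custody("FTI-2015-001")))
    print("overdue as of 2015-04-30:", log.overdue(date(2015, 4, 30), 30))
```

The `overdue` report is the piece an evaluator will ask for: which logged items have neither been returned to a locked container nor destroyed after a reasonable period. The log records only a description of each item, never the tax data itself, so the log can be shown to a reviewer without becoming FTI in its own right.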


On-Site Safeguard Evaluation Overview


What does it entail?

Assessment of the LCSA use of personal, confidential, and sensitive child support information, including FTI and the measures employed to protect the data from unauthorized access and disclosure.


Why are Safeguard Evaluations Conducted?

Internal Revenue Service (IRS) Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies states:

“As a condition of receiving FTI, the receiving agency must show, to the satisfaction of the IRS, the ability to protect the confidentiality of that information.”

“Agencies must ensure its safeguards will be ready for immediate implementation upon receipt of FTI.”

“The public must maintain a high degree of confidence that the personal and financial information furnished to us is protected against unauthorized use, inspection, or disclosure.”

Prepare the LCSA for an IRS on-site Safeguard Review.


Safeguard Evaluation Authorities & Objectives

Ensure compliance with:

DCSS Information Security Manual (ISM)

IRS Publication 1075

IRS Safeguard Computer Security Evaluation Matrices (SCSEMs)

National Institute of Standards and Technology (NIST) 800-53

CSS Letters regarding safeguarding child support information and IT assets

Note: Publication 1075 was revised effective 2014, and CSS Letter 15-01 was issued to address those changes.


When are Evaluations Conducted?

Internal Revenue Service (IRS) Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies states:

“Agencies should establish a review cycle so that all local offices receiving FTI are reviewed within a three year cycle.”

“Headquarters, other facilities housing FTI, and the agency data center should be reviewed within an 18-month cycle.”

The IRS visits California every three years.


Safeguard Evaluation Scope

Consists of questions about the agency's physical and technical security safeguards in the seven subject requirement areas:

Record Keeping: log to track receipt and handling of FTI

Restricting Access: measures taken to restrict/limit access

Secure Storage: building security, storage containers

Incident Reporting: procedures to report incidents

Employee Awareness: annual awareness training

IT Security: computer security policy/procedures

Disposal: procedures for confidential destruction


Evaluation Activities

Notification letter (30-45 days prior)

Entrance meeting: agenda/events

On-site evaluation: walkthrough, interviews

Exit conference: discuss finding(s)

Preliminary report: approx. 30 days

Corrective Action Plan: submit until all findings are closed

Final report


2015 Proposed LCSA Evaluation Schedule

Glenn, Yolo, Colusa, Sierra/Nevada, Plumas, Butte, Tehama, Lake

San Francisco, San Mateo, Monterey, Mariposa, Sutter, Marin

Riverside, Fresno, Santa Cruz/San Benito, Sonoma, Central Sierra

Next IRS Visit - 2017


Future DCSS ISO questions: contact information

DCSS – ISO: (916) 464-5045

[email protected]


Janet Nottley

[email protected]

Napa County CSS


Napa Perspective

“I like to audit the small counties because we always find a lot.”

- IRS Auditor


Napa Evaluation Result

Napa County had no findings at their LCSA office and limited findings at their Information Technology Department.


National Institute of Standards and Technology (NIST) Special Publication 800-53, Revision 4

“Organizations have the responsibility to select the appropriate security controls, to implement the controls correctly, and to demonstrate the effectiveness of the controls in satisfying established security requirements.”


From NIST Publication 800-53


Basic Requirements


Napa LCSA Physical Environment

• The LCSA is located on the 2nd floor, as are other departments: DA, Public Defender, etc. There is a shared conference room.

• We have one main entrance and all LCSA doors have alarms; FOBs are required for employee entrance to CSS Department.

• We are File-Less.

• LCSA: No other separate rooms exist for mail processing, etc.

• We have 32 FTEs and all staff have locking cabinets.

• Clean Desk policy at Close of Business (COB) actively enforced.


Access to Information

• Employees are required to wear their County ID badge at all times and have their FOB in order to enter the office. (This enables the ISO to track entries and produce reports.)

• Fax and copy machines have FTI warning labels.

• Correspondence not processed by COB is locked up.

• Confidential/FTI material transported from one location to another must be double-sealed.


Tracking Access to Restricted Area

Visitors (non-certified staff) are screened, recorded, and escorted at all times when in restricted areas.


Implementation and Monitoring

• Data access and training are determined at new hire, at reclassification, and during case management changes.

• Mandatory annual staff training and signing:

  • On-line training

  • Personal security and confidentiality training by the ISO that includes P&P

  • Annual recertification and signing for all staff

  • In-person training for other required staff (i.e., ITS, custodian, any necessary staff)


Policies & Procedures Highlights…

• ONLY Program Supervisors are allowed to order tax returns.

• Any FTI documentation is routed to Supervisory staff after being recorded by the ISO and is then stored in the FTI cabinet.

• All workers must lock up case documents in their cabinets at night and ensure a clean desk.

• No correspondence may be left on chairs when an employee is out of the office.

• Shredding carts are emptied nightly by staff. Any I&Es and related tax returns are recorded and go to a specific shredder bin. Only the ISO and Director have the key to open that particular bin.

• Court prep/legal files are locked in the attorney's cabinet.

• CMT data that may contain FTI is not allowed to be downloaded and stored on county drives.

• The IRS cabinet is kept in the ISO/Manager's office to provide the two locked, secure doors required by the IRS Minimum Protection Standards (MPS). The Manager records and destroys FTI.


Annual Verification and Documentation

• Automated system access levels audited

• Annual ISO training and staff signatures obtained

• Training attendance records maintained

• Assets and key certification (wet signatures)

• Automated (FOB) reports compared to building access records, reviewed semi-annually

• Visitor log secured and stored monthly

• Written policies revisited, updated, and redistributed to staff as appropriate


On-Site Preparation and Process

• Received notice of audit

• Complete the matrix

• Advise others (ITS) of the date and the need for accessibility

• Review/update procedures related to the matrix

• Prepare all staff for the DCSS/IRS walk-through with daily/random checks

• On-site review completed

• Preliminary report and/or findings

• CAP if necessary


Napa County IRS Audit

Two audit teams:

• LCSA: Management (Director and LCSA ISO), Program Supervisory staff, UIFSA case manager

• Information Technology: Napa's IT Security Manager, IT staff


Napa Experience

Safeguard Review Report (FINDINGS)


Napa Findings

FINDING: The child support agency is making unauthorized disclosures of FTI to County of Napa Information Technology Services for the purpose of software maintenance, operation support, system maintenance and off-site storage. (Significant) (Held in Abeyance)…County of Napa Information Technology Services have access to more than the three FTI data elements specifically authorized for disclosure to contractors by IRC 6103(l)(6)(B)(ii) and Publication 1075 section 5.5 for the purposes of establishing and collecting child support obligations:

✷ The address;

✷ Social Security Number of an individual with respect to whom child support obligations are sought to be established or enforced; and

✷ The amount of any reduction under IRC 6402(c) in any overpayment otherwise payable to such individual.

RECOMMENDATION: Agency corrective actions to remove unauthorized contractor access to FTI is held in abeyance pending resolution by OCSE and IRS of conflicting interpretations of federal statutes.


Napa Findings

FINDING: The agency must enhance their SLA with Napa County DCSS and County of Napa Information Technology Services by providing the safeguarding requirements for the protection of FTI. (Moderate) The agency must enhance their SLA to include Exhibit 7 language. An SLA is required when an agency utilizes services of another state agency requiring the access of FTI. In accordance with Publication 1075 section 5.4.2, to ensure safeguarding requirements follow the data the agency must implement a written agreement documenting the following:

✷ Shared responsibility for the protection of FTI

✷ Required compliance with Publication 1075

✷ Support to the recipient agency during an on-site Safeguard review

✷ Conducting internal inspections every 18 months

✷ Restrict access to employees on a need-to-know basis

✷ Ensure employees with access are trained and sign confidentiality statements

✷ Restrict disclosures to contractors as authorized by the Internal Revenue Code

✷ Identify responsibility for 45-day Notification

✷ Identify responsibility and primary contacts for incident and response specific to FTI backup

✷ Include appropriate Publication 1075 Exhibit 7 language

RECOMMENDATION: The agency must enhance the current SLA with Napa County DCSS and County of Napa Information Technology Services to include the required safeguard language.


Napa Findings

FINDING: The agency does not provide annual disclosure awareness training for the safeguarding of FTI at the County of Napa Information Technology Department and SRC. (Moderate) Granting agency employees and contractors access to FTI must be preceded by each employee and contractor certifying his/her understanding of the agency's security policy and procedures for safeguarding IRS information. In accordance with Publication 1075 section 6.3, the disclosure awareness training stipulates that:

✷ Employees and contractors should be advised of the penalty provisions of IRC §§ 7213, 7213A, and 7431

✷ The training must cover the incident response policy and procedures for reporting unauthorized disclosures and data breaches

✷ Employees must be made aware that disclosure restrictions and the penalties apply even after employment with the agency ends

✷ For both the initial certification and the annual certification, the employee or contractor must sign, either with ink or electronic signature, a confidentiality statement certifying his or her understanding of the security requirements. The initial certification and recertification must be documented and placed in the agency's files for review and retained for at least 5 years

RECOMMENDATION: The agency must provide annual disclosure awareness training to all employees and contractors with access to FTI.


Napa Findings

FINDING: The agency does not conduct internal inspections every 18 months covering the safeguarding of FTI at the County of Napa Information Technology Department for the case files and disaster recovery tapes. (Moderate) Internal inspections are not conducted at 18-month intervals at the County of Napa Information Technology Department. To ensure the continuous safeguarding of FTI, the agency must conduct internal inspections of all offices where FTI is resident. Agencies must establish a review cycle as follows:

✷ Local offices receiving FTI: at least every 3 years

✷ Headquarters office facilities housing FTI and the agency computer facility: at least every 18 months

✷ All contractors with access to FTI, including a consolidated data center or off-site storage facility: at least every 18 months

✷ The completed plan must be included as part of the annual SSR in accordance with Publication 1075 section 6.4. Templates for the plan and internal inspections are available at http://www.irs.gov/uac/Safeguards-Program or may be requested by email at [email protected].

D.4 RECOMMENDATION: The agency must conduct internal inspections for the safeguarding of FTI at County of Napa Information Technology Department every 18 months.


Craig Neiman

[email protected]

Sacramento County LCSA


Early Preparation

■ Identify primary contacts and a coordinator

■ Reference the most up-to-date IRS and State DCSS security materials available

■ Reach out to other counties for lessons learned


Tangible Tasks (Before Audit)

Gather and review your county's MOUs (Memoranda of Understanding) and other contracts (get them up to date).

Have someone ensure security documentation is completed annually by staff (new-hire training as well as annual training for existing staff, including tech support staff who can access FTI).

Complete the IRS Safeguards Disclosure Security Evaluation Matrix and obtain consensus on responses

Dig to discover discrepancies between office policy and what is done in practice


Mock Audit Run Through

Walk around the perimeter of the office and test entry points and locked doors.

When visitors come to the office, are the procedures being followed regarding escorts and badges? Does everybody agree as to the definition of visitor?

Walk around the office after normal work hours to look at things like employee work spaces, fax machines, printers.

Review the various logs (temporary badge log, master key log, FTI material logs) with management.


Day of Audit

Staff should be prepared in case the auditors request to shadow certain practices (e.g., trainers who conduct security training, staff who handle FTI logging or materials, destruction of materials, a tour of the office).

For the shadowing, it was nice to have a designated room with a computer and overhead projector in which selected line staff could come in and provide demonstrations for the auditors.

Staff who may respond to questions should be aware of the need to provide succinct, accurate responses.

Access to servers and data is needed for the auditors' automated system tests.


Findings in Sacramento: Non-technical

Non-technical related findings in Sacramento:

Documents received from the CA Central Registry containing FTI were being logged correctly but were found stored in a cabinet with wheels.

The Sacramento IT backup data center did not have a visitor log in place or adequate safeguards regarding the double-barrier requirement for FTI.

Labelling and double-sealing envelopes when sending hardcopy outbound Transmittal 2 documents (CSENet helps).

Logging, scanning and destruction of inbound hardcopy Transmittal 2 documents containing FTI.


Findings in Sacramento: Technical (Part 1)

Technical related findings in Sacramento:

Controls required for remote access: county equipment (laptops) with two-factor authentication required.

Security patches and latest virus protection.

Multi-Function Devices (MFDs) set up so they do not use email for PDF delivery; scans need to go directly into a restricted-access folder.

Direct access to the Texas Child Support System is prohibited since there are no audit controls.


Findings in Sacramento: Technical (Part 2)

More technical related findings in Sacramento:

Segregate databases holding FTI from databases that do not.

Audit controls (logging) are needed when FTI is accessed via our Local Area Data Repository (LADR).

Reports with FTI produced from LADR needed to be labelled, secured, and procedures put in place for their distribution to line staff.


Findings in Sacramento: Technical (Part 3)

Technical related findings in Sacramento needing Statewide response:

The CSE, SAT, IDB, CMT and State Repository applications do not allow auditing to capture access to and movement of FTI by each user within the application. The agency does not monitor or review access logs for inappropriate or unusual activity.

Screens that contain FTI in CSE, SAT, LADR, and IDB are not labeled. When FTI is displayed electronically, data elements or screen must be labeled to clearly identify the Federal tax information.

The warning banner that appears prior to accessing FTI does not contain the required language with respect to the CMT and IDB applications on the Secured Website.
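The statewide finding above is two gaps: the applications do not record per-user access to FTI, and nobody reviews the access logs that do exist. The second gap is the one an LCSA can start closing on its own. The following is an added example of such a review, not code from the presentation or from CSE, CMT, IDB or LADR: it parses constructed application access records in an assumed `timestamp user= app= action= case= fti=` layout and flags FTI access by users outside an assumed need-to-know list, FTI access after hours or on weekends, and one user's FTI activity far above that of their peers. Records that cannot be parsed are reported rather than skipped, because a gap in the audit trail is itself something the reviewer must explain.

```python
"""Review of application access logs for inappropriate or unusual FTI activity.

Added example; not code from the presentation, CSE, CMT, IDB or LADR. The log
line format, field names and thresholds are assumptions: a real review would map
the application's own audit records into AccessEvent. Sample log lines are
constructed.
"""
import re
import statistics
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import List, Set, Tuple

# Assumed record layout: ISO timestamp, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) app=(?P<app>\S+) action=(?P<action>\S+) "
    r"case=(?P<case>\S+) fti=(?P<fti>[YN])$"
)

# Constructed sample. 2015-03-02 is a Monday; 2015-03-07 is a Saturday.
SAMPLE_LINES = [
    "2015-03-02T08:15:04 user=asmith app=CSE action=view case=1001 fti=Y",
    "2015-03-02T08:17:40 user=asmith app=CSE action=view case=1002 fti=N",
    "2015-03-02T09:02:11 user=bjones app=CMT action=view case=1003 fti=Y",
    "2015-03-02T09:05:59 user=bjones app=CMT action=print case=1003 fti=Y",
    "2015-03-02T22:41:13 user=cwu app=CSE action=view case=1004 fti=Y",
    "2015-03-03T10:30:00 user=eroy app=CSE action=view",  # truncated record
    "2015-03-07T11:30:00 user=asmith app=CSE action=view case=1020 fti=Y",
] + [
    f"2015-03-03T10:{i:02d}:00 user=dlee app=LADR action=export case={1100 + i} fti=Y"
    for i in range(12)
]

AUTHORIZED_FOR_FTI = {"asmith", "bjones", "dlee"}   # assumed need-to-know list


@dataclass
class AccessEvent:
    ts: datetime
    user: str
    app: str
    action: str
    case: str
    fti: bool


def parse(lines: List[str]) -> Tuple[List[AccessEvent], List[str]]:
    """Parse records; return (events, rejected). Unparseable lines are reported,
    not silently dropped, because a gap in the audit trail is itself a finding."""
    events, rejected = [], []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            rejected.append(line)
            continue
        events.append(AccessEvent(datetime.fromisoformat(m["ts"]), m["user"], m["app"],
                                  m["action"], m["case"], m["fti"] == "Y"))
    return events, rejected


def review(events: List[AccessEvent], authorized: Set[str],
           business_hours: Tuple[int, int] = (7, 18),
           bulk_factor: int = 5, bulk_min: int = 10) -> List[Tuple[str, str, str]]:
    """Return (kind, user, detail) findings over FTI-flagged events only."""
    findings = []
    fti_events = [e for e in events if e.fti]
    for e in fti_events:
        where = f"{e.ts.isoformat()} {e.app} {e.action} case={e.case}"
        if e.user not in authorized:
            findings.append(("unauthorized_user", e.user, where))
        weekend = e.ts.weekday() >= 5
        if weekend or not (business_hours[0] <= e.ts.hour < business_hours[1]):
            findings.append(("after_hours", e.user, where))
    # Bulk access: one user well above the median FTI activity of all FTI users.
    counts = Counter(e.user for e in fti_events)
    if len(counts) >= 2:
        median = statistics.median(counts.values())
        for user, n in counts.items():
            if n >= bulk_min and n > bulk_factor * median:
                findings.append(("bulk_access", user, f"{n} FTI events vs median {median:g}"))
    return findings


def demo() -> Tuple[List[Tuple[str, str, str]], List[str]]:
    events, rejected = parse(SAMPLE_LINES)
    return review(events, AUTHORIZED_FOR_FTI), rejected


if __name__ == "__main__":
    findings, rejected = demo()
    for f in findings:
        print(*f)
    print(f"{len(rejected)} unparseable record(s)")
```

On the constructed sample this produces four findings (an unauthorized user, two after-hours accesses including a Saturday view, and one user's bulk LADR exports) plus one rejected record. The thresholds are deliberately conservative; an LCSA would tune the business-hours window and bulk factor to its own staffing and keep the review output with the other annual verification records.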


Corrective Actions

Responses have been provided for the Sacramento County specific findings.

The two factor authentication is still an outstanding item. We are waiting for a County-wide implementation due to a requirement from the California Department of Justice regarding an unrelated audit and finding for our Sacramento Sheriff’s Department.


Access Safeguard Resources Online

The Office of Safeguards maintains Publication 1075, templates, guidance, and frequently asked questions online at:

http://www.irs.gov/uac/Safeguards-Program.

Agencies are highly encouraged to periodically visit the website for new updates. The website is maintained with many resources to assist agencies with meeting Publication 1075 requirements. Examples of the website’s features include:

✷ Safeguard alerts and technical assistance memorandums

✷ Recommendations on how to comply with Publication 1075 requirements

✷ Reporting requirement templates (e.g., Safeguard Security Report [SSR]) and guidance

✷ Instructions for reporting unauthorized accesses, disclosures, or data breaches

✷ Internal inspections report templates and instructions

✷ IRS disclosure awareness videos and resources

All references mentioned in this presentation and additional information can be accessed by DCSS Secure Website at:

https://central.dcss.ca.gov/SysRes/infosec


Questions?

Please complete your evaluations and drop off at back table.

Thank you!
