Navigating the Challenges of FTI Sammi Shultz Project Manager IRS Office of Safeguards 307-634-7084 Flexi-place phone 202-550-4336 Blackberry


Navigating the Challenges of FTI: Office of Safeguards

IRS Data Exchanges
■ Internal Revenue Code (IRC) Section 6103 provides the authority for disclosing federal tax information (FTI) to local, state and federal agencies
■ Protecting FTI is a condition of receipt
■ The IRS Office of Safeguards is responsible for ensuring compliance with Publication 1075, Tax Information Security Guidelines for Federal, State & Local Agencies

Publication 1075 Requirements
The requirements originate from several different regulatory sources:
■ IRC Section 6103(p)(4)
■ IRC Section 6103 disclosure authorities
■ NIST SP , revision 3
■ IRS Policy and Procedures

Key Tenets of Safeguarding
■ Recordkeeping
■ Secure Storage
■ Restricting Access
■ Employee Awareness & Internal Inspections
■ Reporting Requirements
■ Disposal
■ Need and Use
■ Computer Security

Requirements Compliance
The Office of Safeguards ensures protection of FTI through a multi-pronged approach:
■ Initial Safeguard Procedures Report (SPR) analysis plus required updates
■ Annual Safeguard Activity Report (SAR) analysis
■ On-site review every three years
■ Corrective Action Plan (CAP) and POA&M (plan of action and milestones) monitoring
■ Technical inquiries and outreach

Agency Guidance and Technical Inquiries
■ IRS.gov web site
 ✷ Posting Q&A for common questions and technical inquiries
 ✷ Posting evaluation matrices
■ Safeguards' Mailbox ✷
■ Pub 1075 Link:

Navigating the Challenges of FTI
Jesse M. Saenz, Information Security Office, California Department of Child Support Services, P.O. Box , MS 10, Rancho Cordova, CA (916)

DCSS ISO Responsibilities
■ Establish and maintain the Department of Child Support Services (DCSS) security policy, standards and guidelines for the protection of child support information and the IT assets used in support of the Child Support Program.
■ Provide guidance, support and oversight for activities such as business continuity, policy, incident management, risk, and compliance monitoring.
■ Perform on-site reviews to determine the adequacy of the physical and technical controls of organizations within the Child Support Program, including DCSS, California Child Support Automation Systems (CCSAS), and Local Child Support Agencies (LCSAs).
■ Conduct these tasks in a professional manner that leads to superior customer satisfaction, and deliver services that meet or exceed our customers' expectations.

Requirements for Handling FTI
■ Every employee granted access to handle or process FTI must certify their understanding of the security policy and procedures for protecting IRS information and of the penalties for unauthorized disclosure. This includes contractors, consultants and temporaries employed by the LCSA.
■ Initial certification (within 30 days of employment) should be documented using forms such as:
  UNAX Certification (DCSS 0570)
  Confidentiality Statement (DCSS 0593)
■ Conduct annual certification through the DCSS Information Security Training module or an equivalent LCSA security awareness training program, using the form below or an equivalent acknowledgment:
  Acknowledgment of Understanding (DCSS ASD 011)

Internal Safeguard Review Overview

What is a Safeguard Review?
■ A safeguard review is an on-site evaluation of the use of personal, confidential, and sensitive child support information, including FTI, and of the measures employed to protect the data from unauthorized access.

Why Safeguard Reviews are Conducted
■ Internal Revenue Service (IRS) Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, states:
  "As a condition of receiving FTI, the receiving agency must show, to the satisfaction of the IRS, the ability to protect the confidentiality of that information."
  "Agencies must ensure its safeguards will be ready for immediate implementation upon receipt of FTI."
  "The public must maintain a high degree of confidence that the personal and financial information furnished to us is protected against unauthorized use, inspection, or disclosure."

When Safeguard Reviews are Conducted
■ Internal Revenue Service (IRS) Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, states:
  "Agencies should establish a review cycle so that all local offices receiving FTI are reviewed within a three year cycle."
  "Headquarters, other facilities housing FTI and the agency computer facility should be reviewed within an 18 month cycle."

Safeguard Review Objectives
■ Ensure the safeguarding of personal, confidential, and sensitive child support information, including FTI.
■ Ensure compliance with the DCSS Information Security Manual, National Institute of Standards and Technology (NIST) , IRS Publication 1075 and Child Support Services (CSS) Letters pertaining to the safeguarding of child support information and IT assets.
■ Ensure IT best practices for the privacy and security of information are followed.

Safeguard Review Scope
■ The review consists of questions pertaining to the physical and technical security safeguards of personal, confidential, and sensitive child support information, including FTI, in seven subject requirement areas:
  Record Keeping (record of receipt and handling of FTI)
  Secure Storage (building security, badges, containers, etc.)
  Restrict Access (procedures to grant/limit employee access)
  Employee Awareness (annual security training of employees)
  Incident Reporting (procedures to report a security breach)
  Disposal (confidential destruction procedures)
  IT Security (computer security provisions)

Safeguard Review Scope
Additional requirements also cover:
■ NIST SP , which covers additional computer management, operational and technical security controls.
■ DCSS Information Security Manual, a compilation of departmental policies, standards and guidelines.

Restrictions for Access to FTI
Access to FTI should be limited to authorized employees with a legitimate business need.
■ The Internal Revenue Service (IRS) has defined a number of physical and technical requirements that control access, even for authorized persons.
■ CCSAS implements tracking and logging consistent with IRS requirements for information electronically stored in CSE and SDU, including the Data Repository.
■ FTI received outside of CCSAS must be manually logged and tracked from the date of receipt, during handling, and through destruction.
■ Important to note: a manual log is required if FTI is printed, downloaded or "saved" outside of CSE, SDU or the Data Repository.

Safeguard Review Activities
■ Notification letter (via , 30 days prior to arrival)
■ Entrance conference (discuss agenda with Director and staff)
■ On-site review (meet with key staff, conduct walkthroughs)
■ Exit conference (overview of the day's events and findings with Director and staff)
■ Preliminary Report (issued approx. 45 days after the review for LCSA review)
■ Response and/or Plan to Address Findings (LCSA submits response for consideration approx. 45 days later)
■ Final Report (incorporate response and issue final report)

 To obtain a copy of today's presentation or any documents mentioned, please go to the DCSS Information Security Safeguard Review Toolbox located on the California Child Support Central website.
 Please contact us at: (916) or or

Navigating the Challenges of FTI
Chris Paltao, CISSP, Departmental Information Security Officer, Child Support Services Department, County of Los Angeles, Executive Offices

AGENDA
■ Risk Assessment
■ IRS Findings (Moderate and Significant)
■ Information Security Threats
■ Information Security Awareness

LA County Child Support Services
■ LA CSSD statistics
 ✷ Office locations = 9
 ✷ Total divisions = 22
 ✷ Users = 1,700 (approx.)
 ✷ Computers = 2,300 (approx.)
 ✷ Case load = 350,000 (approx.)

Risk Assessment
■ Three categories to review:
 ✷ Technical
 ✷ Physical
 ✷ Administrative
■ Identify and understand policies
■ Identify information/assets to be protected
■ Perform a walkthrough (at least annually)
 ✷ Identify vulnerabilities and areas for improvement

Risk Assessment
■ Provide recommendations:
 ✷ Reduce risk
 ✷ Transfer risk
 ✷ Avoid/remove risk
 ✷ Accept risk
■ Approval of recommendations
■ Implement, follow up, and start over...

IRS Findings (Moderate)
■ Finding (Administrative): Visitor access logs must be updated to include the requirements outlined in the Publication.
 ✷ Corrective/compensating control: include the following columns on the access logs:
   Name and organization of the visitor
   Signature of the visitor
   Form of identification
   Date of access
   Time of entry and departure
   Purpose of visit
   Name and organization of person visited
■ Finding (Physical): The agency does not label back-up tapes as "Federal Tax Information".
■ Finding (Technical): Screen saver time-out grace periods have not been configured.
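The technical finding above is a Windows session-lock misconfiguration: the screen saver either does not start soon enough, does not require a password on resume, or leaves a grace period during which a workstation can be resumed without re-authenticating. The following PowerShell is an added example, not code from the presentation or from the IRS or DCSS, that audits the relevant registry values on a workstation and can apply the corrected settings. It assumes a 15-minute inactivity limit (taken here as the Publication 1075 session-lock value; treat that number as an assumption and confirm it against the current Publication) and uses the standard Windows policy and Winlogon registry locations.

```powershell
# Added example: audit and remediate Windows session-lock settings behind the
# "screen saver time-out grace period" finding. Not part of the original slides.
# Assumption: 15 minutes (900 s) is the required inactivity limit.
$MaxIdleSeconds = 900

$PolicyPath   = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$UserPath     = 'HKCU:\Control Panel\Desktop'
$WinlogonPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-RegValue {
    param([string[]]$Paths, [string]$Name)
    # Return the first value found; policy keys are listed first so GPO wins over user choice.
    foreach ($p in $Paths) {
        $item = Get-ItemProperty -Path $p -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return [string]$item.$Name }
    }
    return $null
}

function Get-SessionLockState {
    $grace = Get-RegValue -Paths @($WinlogonPath) -Name 'ScreenSaverGracePeriod'
    # Windows applies a 5-second grace period when the value is absent.
    $graceSeconds = if ($null -eq $grace) { 5 } else { [int]$grace }
    [pscustomobject]@{
        Active  = Get-RegValue -Paths @($PolicyPath, $UserPath) -Name 'ScreenSaveActive'
        Secure  = Get-RegValue -Paths @($PolicyPath, $UserPath) -Name 'ScreenSaverIsSecure'
        Timeout = Get-RegValue -Paths @($PolicyPath, $UserPath) -Name 'ScreenSaveTimeOut'
        Grace   = $graceSeconds
    }
}

function Test-SessionLock {
    param([pscustomobject]$State, [int]$MaxIdle = $MaxIdleSeconds)
    $findings = @()
    if ($State.Active -ne '1') { $findings += 'screen saver is not enabled' }
    if ($State.Secure -ne '1') { $findings += 'resume from screen saver does not require a password' }
    if (-not $State.Timeout -or [int]$State.Timeout -gt $MaxIdle) {
        $findings += "idle timeout is missing or exceeds $MaxIdle seconds"
    }
    if ($State.Grace -ne 0) { $findings += "grace period is $($State.Grace) s; should be 0" }
    return $findings
}

function Set-SessionLockPolicy {
    param([int]$MaxIdle = $MaxIdleSeconds)
    # Write the hardened values. Run elevated; HKLM requires administrator rights.
    New-Item -Path $PolicyPath -Force | Out-Null
    Set-ItemProperty -Path $PolicyPath -Name 'ScreenSaveActive'    -Value '1'        -Type String
    Set-ItemProperty -Path $PolicyPath -Name 'ScreenSaverIsSecure' -Value '1'        -Type String
    Set-ItemProperty -Path $PolicyPath -Name 'ScreenSaveTimeOut'   -Value "$MaxIdle" -Type String
    # A zero grace period means the lock is enforced the instant the screen saver starts.
    Set-ItemProperty -Path $WinlogonPath -Name 'ScreenSaverGracePeriod' -Value '0' -Type String
}

$state    = Get-SessionLockState
$findings = Test-SessionLock -State $state
if ($findings.Count -eq 0) { 'Session lock: compliant' }
else { $findings | ForEach-Object { "Finding: $_" } }
# Remediate with: Set-SessionLockPolicy
```

Writing to HKCU only fixes the account that runs the script; in a real LCSA environment the same three Desktop values are deployed domain-wide through Group Policy (User Configuration, Administrative Templates, Control Panel, Personalization), and the Winlogon grace period is set machine-wide. The audit function is the part worth keeping for internal inspections: run it under the reviewed user's session, since per-user values only matter where no policy value overrides them.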

IRS Findings (Significant)
■ Finding (Physical): The agency does not implement Minimum Protection Standards (MPS) to protect FTI.
 ✷ Corrective/compensating control: emergency exit only
■ Finding (Administrative): The agency does not have a Service Level Agreement (SLA) that includes the required safeguard language.
■ Finding (Technical): Windows 2000 Server is no longer supported by Microsoft and therefore must be replaced with a newer version.

Information Security Threats
■ Threat categories:
 ✷ External
   CP/NCP (custodial/non-custodial parents)
   "Hackers"
   Computer viruses/malware
   Phishing scams
   Robbery, etc.
 ✷ Internal
   Disgruntled employees
   Mishaps/accidents
   Devices not configured properly
   Unintentional access, etc.

Information Security Threats
■ Insider Threat Study: Illicit Cyber Activity in the Government Sector (2008)
 ✷ Nearly 70% of security incidents are perpetrated by an insider
 ✷ The majority of insiders were current employees in administrative and support positions that required limited technical skills
 ✷ Perpetrators did not share common demographic characteristics
 ✷ Nearly half of the insiders exhibited some inappropriate behavior that was noticed by others
 ✷ Financial gain was the primary motive for most insiders

Information Security Awareness
■ Have a top-down approach to information security
■ In addition to the annual information security training:
 ✷ Monthly reminders
 ✷ News
 ✷ Visual aids/posters/internal web page
 ✷ Risk assessments
■ Information security is everyone's responsibility.

Questions?