

AGENDA
■ Department of Child Support Services Information Security Office (DCSS-ISO) Responsibilities
■ Definition of Federal Tax Information (FTI)
■ Requirements for Handling FTI
■ Restrictions for Access to FTI
■ Internal Safeguard Review Overview

DCSS ISO Responsibilities
■ Establish and maintain the Department of Child Support Services (DCSS) security policy, standards, and guidelines for the protection of Child Support Information and IT Assets used in support of the Child Support Program.
■ Provide guidance, support and oversight for activities such as: Business Continuity, Policy, Incident Management, Risk, and Compliance Monitoring.
■ Perform onsite reviews determining the adequacy of physical and technical controls of organizations within the Child Support Program, which include DCSS, California Child Support Automation Systems (CCSAS), and Local Child Support Agencies (LCSAs).
■ Conduct these tasks in a professional manner that leads to superior customer satisfaction, and deliver services that meet or exceed our customers' expectations.

Definition of FTI
■ Federal Tax Information (FTI) is any Return or Return Information received directly or indirectly from the Secretary of the Treasury.
■ FTI received from the Office of Child Support Enforcement (OCSE) is stored in CCSAS.
■ Most FTI provided to the child support program is received from OCSE.
Important to Note – Return or Return Information received from a participant is not considered FTI. This data is confidential, and security controls still apply to protect it from unauthorized access.

FTI Data Elements
Authorized users have access to FTI through use of CCSAS applications: Child Support Enforcement (CSE) and the State Disbursement Unit (SDU).
Examples of FTI data elements include:
  • Name
  • Address
  • Social security number
  • Earnings
  • Wages
  • Payments of retirement income
  • Filing status
  • Tax refund information
For a specific description, refer to IRC 6103, Confidentiality and Disclosure of Returns and Return Information, or contact the ISO mailbox at:

Restrictions for Access to FTI
Access to FTI should be limited to authorized employees with a legitimate business need.
■ The Internal Revenue Service (IRS) defined a number of physical and technical requirements that control access, even for authorized persons.
■ CCSAS implements tracking and logging consistent with IRS requirements for information electronically stored in CSE and SDU, including the Data Repository.
■ FTI received outside of CCSAS must be manually logged and tracked from date of receipt, during handling, and destruction.
Important to Note – A manual log is required if FTI is printed, downloaded or ‘saved’ outside of CSE, SDU or the Data Repository.

Requirements for Handling FTI
■ Every employee granted access to handle or process FTI must certify their understanding of security policy and procedures for protecting IRS information and the penalties for unauthorized disclosure. This includes contractors, consultants and temporaries employed by the LCSA.
■ Initial certification (within 30 days of employment) should be documented using forms such as:
  • UNAX Certification (DCSS 0570)
  • Confidentiality Statement (DCSS 0593)
■ Conduct annual certification through the DCSS Information Security Training module or an equivalent LCSA security awareness training program, using the form below or an equivalent acknowledgment:
  • Acknowledgment of Understanding (DCSS ASD 011)

Internal Safeguard Review Overview

What is a Safeguard Review?
■ A safeguard review is an on-site evaluation of the use of personal, confidential, and sensitive child support information, including FTI, and of the measures employed to protect the data from unauthorized access.

Why Are Safeguard Reviews Conducted?
■ Internal Revenue Service (IRS) Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, states:
  • “As a condition of receiving FTI, the receiving agency must show, to the satisfaction of the IRS, the ability to protect the confidentiality of that information.”
  • “Agencies must ensure its safeguards will be ready for immediate implementation upon receipt of FTI.”
  • “The public must maintain a high degree of confidence that the personal and financial information furnished to us is protected against unauthorized use, inspection, or disclosure.”

When Are Safeguard Reviews Conducted?
■ Internal Revenue Service (IRS) Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, states:
  • “Agencies should establish a review cycle so that all local offices receiving FTI are reviewed within a three year cycle.”
  • “Headquarters, other facilities housing FTI and the agency computer facility should be reviewed within a 18 month cycle.”

Safeguard Review Objectives
■ Ensure the safeguarding of personal, confidential, and sensitive child support information, including FTI.
■ Ensure compliance with the DCSS Information Security Manual, National Institute of Standards and Technology (NIST), IRS Publication 1075 and Child Support Services (CSS) Letters pertaining to the safeguarding of child support information and IT assets.
■ Ensure IT Best Practices for privacy and security of information are followed.

Safeguard Review Scope
■ The review consists of questions pertaining to physical & technical security safeguards of personal, confidential, and sensitive Child Support Information, including FTI, in seven subject requirement areas:
  • Record Keeping: “a record of receipt and handling of FTI.”
  • Secure Storage: “building security, badges, containers, etc.”
  • Restrict Access: “procedures to grant/limit employee access.”
  • Employee Awareness: “annual security training of employees.”
  • Incident Reporting: “procedures to report a security breach.”
  • Disposal: “confidential destruction procedures.”
  • IT Security: “computer security provisions.”

Safeguard Review Scope
Additional Requirements also cover:
■ NIST SP – which cover additional computer management, operational and technical security controls.
■ DCSS Information Security Manual – compilation of departmental policies, standards and guidelines.

Safeguard Review Activities
■ Notification letter (via , 30 days prior to arrival)
■ Entrance conference (discuss agenda with Director and staff)
■ On-site review (meet w/key staff, conduct walkthroughs)
■ Exit conference (overview of day's events and findings w/Director and staff)
■ Preliminary Report (issue approx. 45 days after to LCSA for review)
■ Response and/or Plan to Address Findings (LCSA submits response for consideration approx. 45 days)
■ Final Report (incorporates response and issues final)

Questions?

■ To obtain a copy of today’s presentation or any documents mentioned, please go to the DCSS Information Security, Safeguard Review Toolbox located on the California Child Support Central website.
■ Please contact us at: (916) or or

Remaining LCSA Safeguard Reviews
■ Tulare
■ San Diego
■ Santa Clara
■ Siskiyou
■ Shasta
■ Madera
■ Modoc
■ Inyo
■ Lake
■ Yuba

Proposed Review Schedule – 2011
■ San Joaquin
■ Santa Barbara
■ Placer
■ Mendocino
■ Humboldt
■ Imperial
■ San Luis Obispo
■ Ventura
■ San Francisco
■ San Mateo
■ Riverside
■ Solano
■ Sonoma
■ Kern
■ Monterey
■ Napa
■ Sutter
■ Sierra
■ Nevada
■ Yolo