Published by Naomi Walton. Modified over 9 years ago.
2
Navigating the Challenges of FTI
3
Sammi Shultz, Project Manager, IRS Office of Safeguards
307-634-7084 (Flexi-place phone), 202-550-4336 (Blackberry)
Sammi.Shultz@irs.gov, SafeguardReports@IRS.gov
4
Navigating the Challenges of FTI Office of Safeguards
5
IRS Data Exchanges
■ Internal Revenue Code (IRC) Section 6103 provides the authority for disclosing federal tax information (FTI) to local, state and federal agencies
■ Protecting FTI is a condition of receipt
■ The IRS Office of Safeguards is responsible for ensuring compliance with Publication 1075, Tax Information Security Guidelines for Federal, State & Local Agencies
6
Publication 1075 Requirements
Originate through several different regulatory sources:
■ IRC Section 6103(p)(4)
■ IRC Section 6103 disclosure authorities
■ NIST SP 800-53, revision 3
■ IRS Policy and Procedures
7
Key Tenets of Safeguarding
■ Recordkeeping
■ Secure Storage
■ Restricting Access
■ Employee Awareness & Internal Inspections
■ Reporting Requirements
■ Disposal
■ Need and Use
■ Computer Security
8
Requirements Compliance
The Office of Safeguards ensures protection of FTI through a multi-pronged approach:
■ Initial Safeguard Procedures Report (SPR) analysis plus required updates
■ Annual Safeguard Activity Report (SAR) analysis
■ On-site review every three years
■ Corrective Action Plan (CAP) and POAM monitoring
■ Technical inquiries and outreach
9
Agency Guidance and Technical Inquiries
■ IRS.gov web site
  ✷ Posting Q&A for common questions or technical inquiries
  ✷ Posting evaluation matrixes
■ Safeguards' Mailbox
  ✷ SafeguardReports@IRS.gov
■ Pub 1075 link: http://www.irs.gov/pub/irs-pdf/p1075.pdf
10
Navigating the Challenges of FTI
Jesse M. Saenz, Information Security Office, California Department of Child Support Services
P.O. Box 419064, MS 10, Rancho Cordova, CA 95741-9064
(916) 464-0525, jesse.saenz@dcss.ca.gov
11
DCSS ISO Responsibilities
■ Establish and maintain the Department of Child Support Services (DCSS) security policy, standards and guidelines for the protection of Child Support Information and the IT assets used in support of the Child Support Program.
■ Provide guidance, support and oversight for activities such as: Business Continuity, Policy, Incident Management, Risk, and Compliance Monitoring.
■ Perform on-site reviews determining the adequacy of physical and technical controls of organizations within the Child Support Program, which include DCSS, California Child Support Automation Systems (CCSAS), and Local Child Support Agencies (LCSAs).
■ Conduct these tasks in a professional manner that leads to superior customer satisfaction, and deliver services that meet or exceed our customers' expectations.
12
Requirements for Handling FTI
■ Every employee granted access to handle or process FTI must certify their understanding of the security policy and procedures for protecting IRS information and of the penalties for unauthorized disclosure. This includes contractors, consultants and temporaries employed by the LCSA.
■ Initial certification (within 30 days of employment) should be documented using forms such as:
  UNAX Certification (DCSS 0570)
  Confidentiality Statement (DCSS 0593)
■ Conduct annual certification through the DCSS Information Security Training module or an equivalent LCSA security awareness training program, using the form below or an equivalent acknowledgment:
  Acknowledgment of Understanding (DCSS ASD 011)
13
Internal Safeguard Review Overview
14
What is a Safeguard Review?
■ A safeguard review is an on-site evaluation of the use of personal, confidential, and sensitive child support information, including FTI, and of the measures employed to protect the data from unauthorized access.
15
Why Safeguard Reviews Are Conducted
■ Internal Revenue Service (IRS) Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, states:
  "As a condition of receiving FTI, the receiving agency must show, to the satisfaction of the IRS, the ability to protect the confidentiality of that information."
  "Agencies must ensure its safeguards will be ready for immediate implementation upon receipt of FTI."
  "The public must maintain a high degree of confidence that the personal and financial information furnished to us is protected against unauthorized use, inspection, or disclosure."
16
When Safeguard Reviews Are Conducted
■ Internal Revenue Service (IRS) Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, states:
  "Agencies should establish a review cycle so that all local offices receiving FTI are reviewed within a three year cycle."
  "Headquarters, other facilities housing FTI and the agency computer facility should be reviewed within a 18 month cycle."
17
Safeguard Review Objectives
■ Ensure the safeguarding of personal, confidential, and sensitive child support information, including FTI.
■ Ensure compliance with the DCSS Information Security Manual, National Institute of Standards and Technology (NIST) 800-53, IRS Publication 1075 and Child Support Services (CSS) Letters pertaining to the safeguarding of child support information and IT assets.
■ Ensure IT best practices for privacy and security of information are followed.
18
Safeguard Review Scope
■ The review consists of questions pertaining to the physical and technical security safeguards of personal, confidential, and sensitive Child Support Information, including FTI, in seven subject requirement areas:
  Record Keeping (record of receipt and handling of FTI)
  Secure Storage (building security, badges, containers, etc.)
  Restrict Access (procedures to grant/limit employee access)
  Employee Awareness (annual security training of employees)
  Incident Reporting (procedures to report a security breach)
  Disposal (confidential destruction procedures)
  IT Security (computer security provisions)
19
Safeguard Review Scope
Additional requirements also cover:
■ NIST SP 800-53, which covers additional computer management, operational and technical security controls.
■ DCSS Information Security Manual, a compilation of departmental policies, standards and guidelines.
20
Restrictions for Access to FTI
Access to FTI should be limited to authorized employees with a legitimate business need.
■ The Internal Revenue Service (IRS) defines a number of physical and technical requirements that control access, even for authorized persons.
■ CCSAS implements tracking and logging consistent with IRS requirements for information electronically stored in CSE and SDU, including the Data Repository.
■ FTI received outside of CCSAS must be manually logged and tracked from the date of receipt, during handling, and through destruction.
■ Important to note: a manual log is required if FTI is printed, downloaded or "saved" outside of CSE, SDU or the Data Repository.
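The manual log the slide requires for FTI that leaves CCSAS is, in practice, a chain-of-custody record: one receipt entry, any number of handling entries, and one destruction entry per item. The following is an added example of such a log, not DCSS, CCSAS or IRS code; the item identifiers, employee names, dates and the three event types are assumptions constructed for the example, and the check that an item cannot be handled before receipt, after destruction, or out of date order is a design choice of this example.

```python
"""Manual tracking log for FTI handled outside CCSAS (added example, not DCSS code)."""
from dataclasses import dataclass
from datetime import date

# Assumed event types: a paper or file copy is received, handled, then destroyed.
EVENT_TYPES = ("receipt", "handling", "destruction")


@dataclass(frozen=True)
class FtiLogEntry:
    item_id: str   # hypothetical local identifier for the printed/saved FTI item
    event: str     # one of EVENT_TYPES
    when: date
    who: str       # employee performing the action
    note: str = ""


class FtiManualLog:
    """Append-only log; every new entry is checked against the item's history."""

    def __init__(self):
        self.entries = []

    def history(self, item_id):
        return [e for e in self.entries if e.item_id == item_id]

    def record(self, item_id, event, when, who, note=""):
        if event not in EVENT_TYPES:
            raise ValueError(f"unknown event type: {event!r}")
        history = self.history(item_id)
        if event == "receipt" and history:
            raise ValueError(f"{item_id}: receipt already logged")
        if event != "receipt" and not history:
            raise ValueError(f"{item_id}: no receipt logged before {event}")
        if history and history[-1].event == "destruction":
            raise ValueError(f"{item_id}: already destroyed")
        if history and when < history[-1].when:
            raise ValueError(f"{item_id}: {event} dated before previous entry")
        self.entries.append(FtiLogEntry(item_id, event, when, who, note))

    def outstanding(self):
        """Item ids received but not yet destroyed: what a reviewer asks to see."""
        seen = []
        for e in self.entries:
            if e.item_id not in seen:
                seen.append(e.item_id)
        return [i for i in seen if self.history(i)[-1].event != "destruction"]


def build_sample_log():
    """Constructed sample entries; ids, names and dates are invented."""
    log = FtiManualLog()
    log.record("PRINT-0001", "receipt", date(2013, 3, 4), "A. Clerk", "printed from CSE case view")
    log.record("PRINT-0001", "handling", date(2013, 3, 4), "A. Clerk", "placed in locked cabinet 2")
    log.record("PRINT-0001", "destruction", date(2013, 3, 11), "B. Lead", "cross-cut shredded, witnessed")
    log.record("XLS-0002", "receipt", date(2013, 3, 5), "C. Analyst", "saved extract to encrypted share")
    log.record("XLS-0002", "handling", date(2013, 3, 6), "C. Analyst", "used for reconciliation")
    return log


def rejected_events(log):
    """Try three out-of-order entries; return the reasons the log refused them."""
    attempts = [
        ("XLS-0002", "receipt", date(2013, 3, 7), "C. Analyst"),     # duplicate receipt
        ("PRINT-0001", "handling", date(2013, 3, 12), "A. Clerk"),   # handling after destruction
        ("MEMO-0003", "destruction", date(2013, 3, 8), "D. Temp"),   # never received
    ]
    rejected = []
    for item_id, event, when, who in attempts:
        try:
            log.record(item_id, event, when, who)
        except ValueError as exc:
            rejected.append(str(exc))
    return rejected


if __name__ == "__main__":
    log = build_sample_log()
    print("outstanding (received, not destroyed):", log.outstanding())
    for msg in rejected_events(log):
        print("rejected:", msg)
```

The `outstanding()` list is the item a reviewer would follow up on during a walkthrough: an extract that was received and handled but has no destruction record yet.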
21
Safeguard Review Activities
■ Notification letter (via e-mail, 30 days prior to arrival)
■ Entrance conference (discuss agenda with Director and staff)
■ On-site review (meet with key staff, conduct walkthroughs)
■ Exit conference (overview of the day's events and findings with Director and staff)
■ Preliminary report (issued approx. 45 days after, for LCSA review)
■ Response and/or plan to address findings (LCSA submits response for consideration approx. 45 days later)
■ Final report (incorporate response and issue final report)
22
To obtain a copy of today's presentation or any documents mentioned, please go to the DCSS Information Security, Safeguard Review Toolbox located on the California Child Support Central website.
Please contact us at: (916) 464-5045 or info.security@dcss.ca.gov
23
Navigating the Challenges of FTI
Chris Paltao, CISSP, Departmental Information Security Officer
Child Support Services Department, County of Los Angeles, Executive Offices
323-889-2732, CPaltao@cssd.lacounty.gov
24
AGENDA
■ Risk Assessment
■ IRS Findings (Moderate and Significant)
■ Information Security Threats
■ Information Security Awareness
25
LA County Child Support Services
■ LA CSSD statistics
  ✷ Office locations = 9
  ✷ Total divisions = 22
  ✷ Users = 1700 (approx.)
  ✷ Computers = 2300 (approx.)
  ✷ Case load = 350,000 (approx.)
26
Risk Assessment
■ Three categories to review:
  ✷ Technical
  ✷ Physical
  ✷ Administrative
■ Identify and understand policies
■ Identify information/assets to be protected
■ Perform a walkthrough (at least annually)
  ✷ Identify vulnerabilities and areas for improvement
27
Risk Assessment
■ Provide recommendations
  ✷ Reduce risk
  ✷ Transfer risk
  ✷ Avoid/remove risk
  ✷ Accept risk
■ Approval of recommendations
■ Implement, follow up, and start over...
28
IRS Findings (Moderate)
■ Finding (Administrative): Visitor access logs must be updated to include the requirements outlined in Publication 1075.
  ✷ Corrective/compensating control: include the following columns on the access logs
    Name and organization of the visitor
    Signature of the visitor
    Form of identification
    Date of access
    Time of entry and departure
    Purpose of visit
    Name and organization of person visited
■ Finding (Physical): The agency does not label back-up tapes as "Federal Tax Information".
■ Finding (Technical): Screen saver time-out grace periods have not been configured.
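A quick way to check whether an electronic visitor log actually carries the columns the finding calls for, and whether individual entries are complete, is to validate it mechanically. The following is an added example, not LA CSSD or IRS code. It assumes the log is exported as CSV, splits "name and organization" and "time of entry and departure" into separate columns (a layout choice of this example), treats the signature column as a yes/no flag for an electronic log, and uses constructed sample rows.

```python
"""Validate a visitor access log against the column list from the finding (added example)."""
import csv
import io

# Columns from the slide, split into one value per column (an assumption of this example).
REQUIRED_COLUMNS = [
    "Name of visitor",
    "Organization of visitor",
    "Signature of visitor",          # Y/N in an electronic log; a wet signature stays on paper
    "Form of identification",
    "Date of access",
    "Time of entry",
    "Time of departure",
    "Purpose of visit",
    "Name of person visited",
    "Organization of person visited",
]

# A visitor still on site legitimately has no departure time yet.
MAY_BE_BLANK_WHILE_ON_SITE = {"Time of departure"}


def validate_visitor_log(csv_text):
    """Return {"missing_columns": [...], "incomplete_rows": [(row_no, [blank cols]), ...]}."""
    reader = csv.DictReader(io.StringIO(csv_text))
    fieldnames = reader.fieldnames or []
    missing = [c for c in REQUIRED_COLUMNS if c not in fieldnames]
    if missing:
        # The log format itself is non-compliant; per-row checks would be meaningless.
        return {"missing_columns": missing, "incomplete_rows": []}
    incomplete = []
    for row_no, row in enumerate(reader, start=2):  # header is line 1
        blank = [c for c in REQUIRED_COLUMNS
                 if c not in MAY_BE_BLANK_WHILE_ON_SITE and not (row.get(c) or "").strip()]
        if blank:
            incomplete.append((row_no, blank))
    return {"missing_columns": [], "incomplete_rows": incomplete}


def still_on_site(csv_text):
    """Visitors with an entry time but no departure time (sign-out never recorded)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row.get("Name of visitor", "?") for row in reader
            if (row.get("Time of entry") or "").strip()
            and not (row.get("Time of departure") or "").strip()]


# Constructed sample: the pre-finding log, which lacks most required columns.
OLD_FORMAT_LOG = """Name,Date,Time In
Pat Visitor,2013-03-04,09:10
"""

# Constructed sample: the updated log; row 3 lacks the ID form, row 4 is still on site.
UPDATED_LOG = ",".join(REQUIRED_COLUMNS) + "\n" + """\
Pat Visitor,Vendor Co,Y,Driver license,2013-03-04,09:10,10:45,Printer service,J. Staff,CSSD Facilities
Sam Visitor,Contractor LLC,Y,,2013-03-04,11:00,11:30,Network audit,K. Staff,CSSD IT
Dana Visitor,County Auditor,Y,Employee badge,2013-03-04,13:15,,Records review,L. Staff,CSSD Records
"""

if __name__ == "__main__":
    print("old format:", validate_visitor_log(OLD_FORMAT_LOG))
    print("updated format:", validate_visitor_log(UPDATED_LOG))
    print("still on site:", still_on_site(UPDATED_LOG))
```

Run against the old-format sample, the validator reports the missing columns, which is the substance of the finding; against the updated sample it reports the one entry with a blank identification field and the visitor who was never signed out, the two things a walkthrough of the front desk would look for.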
29
IRS Findings (Significant)
■ Finding (Physical): The agency does not implement Minimum Protection Standards (MPS) to protect FTI.
  ✷ Corrective/compensating control: emergency exit only
■ Finding (Administrative): The agency does not have a Service Level Agreement (SLA) which includes the required safeguard language.
■ Finding (Technical): Windows Server 2000 is no longer supported by Microsoft and therefore must be replaced with a newer version.
30
Information Security Threats
■ Threat categories:
  ✷ External
    CP/NCP "hackers"
    Computer viruses/malware
    Phishing scams
    Robbery, etc.
  ✷ Internal
    Disgruntled employees
    Mishaps/accidents
    Device not configured properly
    Unintentional access, etc.
31
Information Security Threats
■ Insider Threat Study: Illicit Cyber Activity in the Government Sector (2008)
  ✷ Nearly 70% of security incidents are perpetrated by an insider
  ✷ The majority of insiders were current employees in administrative and support positions that required limited technical skills
  ✷ Perpetrators did not share a common demographic characteristic
  ✷ Nearly half of the insiders exhibited some inappropriate behavior that was noticed by others
  ✷ Financial gain was the primary motive for most insiders
32
Information Security Awareness
■ Have a top-down approach to information security
■ In addition to the annual information security training:
  ✷ Monthly reminders
  ✷ News
  ✷ Visual aids/posters/internal web page
  ✷ Risk assessments
■ Information security is everyone's responsibility.
34
Questions?