AGENDA ■Department of Child Support Services Information Security Office (DCSS-ISO) Responsibilities ■Definition of Federal Tax Information (FTI) ■Requirements.


2 AGENDA
■Department of Child Support Services Information Security Office (DCSS-ISO) Responsibilities
■Definition of Federal Tax Information (FTI)
■Requirements for Handling FTI
■Restrictions for Access to FTI
■Internal Safeguard Review Overview

3 DCSS ISO Responsibilities
■Establish and maintain the Department of Child Support Services (DCSS) security policy, standards, and guidelines for the protection of Child Support Information and IT Assets used in support of the Child Support Program.
■Provide guidance, support and oversight for activities such as Business Continuity, Policy, Incident Management, Risk, and Compliance Monitoring.
■Perform onsite reviews determining the adequacy of physical and technical controls of organizations within the Child Support Program, which include DCSS, California Child Support Automation Systems (CCSAS), and Local Child Support Agencies (LCSAs).
■Conduct these tasks in a professional manner that leads to superior customer satisfaction, and deliver services that meet or exceed our customers’ expectations.

4 Definition of FTI
■Federal Tax Information (FTI) is any Return or Return Information received directly or indirectly from the Secretary of the Treasury.
■FTI received from Office of Child Support Enforcement (OCSE) is stored in CCSAS.
■Most FTI provided to the child support program is received from OCSE.
Important to Note – Return or Return Information received from a participant is not considered FTI. This data is confidential and security controls still apply to protect it from unauthorized access.

5 FTI Data Elements
Authorized users have access to FTI through use of CCSAS applications: Child Support Enforcement (CSE) and the State Disbursement Unit (SDU).
Examples of FTI data elements include:
  ▪ Name
  ▪ Address
  ▪ Social security number
  ▪ Earnings
  ▪ Wages
  ▪ Payments of retirement income
  ▪ Filing status
  ▪ Tax refund information
For a specific description, refer to IRC 6103, Confidentiality and Disclosure of Returns and Return Information, or contact the ISO mailbox at: info.security@dcss.ca.gov.

6 Restrictions for Access to FTI
Access to FTI should be limited to authorized employees with a legitimate business need.
■The Internal Revenue Service (IRS) has defined a number of physical and technical requirements that control access, even for authorized persons.
■CCSAS implements tracking and logging consistent with IRS requirements for information electronically stored in CSE and SDU, including the Data Repository.
■FTI received outside of CCSAS must be manually logged and tracked from date of receipt, during handling, and destruction.
Important to Note – A manual log is required if FTI is printed, downloaded or ‘saved’ outside of CSE, SDU or Data Repository.

7 Requirements for Handling FTI
■Every employee granted access to handle or process FTI must certify their understanding of security policy and procedures for protecting IRS information and the penalties for unauthorized disclosure. This includes contractors, consultants and temporaries employed by the LCSA.
■Initial certification (within 30 days of employment) should be documented using forms such as:
  ▪ UNAX Certification (DCSS 0570)
  ▪ Confidentiality Statement (DCSS 0593)
■Conduct annual certification through the DCSS Information Security Training module or an equivalent LCSA security awareness training program, using the form below or an equivalent acknowledgment:
  ▪ Acknowledgment of Understanding (DCSS ASD 011)

8 Internal Safeguard Review Overview

9 What is a Safeguard Review?
■A safeguard review is an on-site evaluation of the use of personal, confidential, and sensitive child support information, including FTI, and the measures employed to protect the data from unauthorized access.

10 Why Safeguard Reviews are Conducted?
■Internal Revenue Service (IRS) Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies states:
  ▪ “As a condition of receiving FTI, the receiving agency must show, to the satisfaction of the IRS, the ability to protect the confidentiality of that information.”
  ▪ “Agencies must ensure its safeguards will be ready for immediate implementation upon receipt of FTI.”
  ▪ “The public must maintain a high degree of confidence that the personal and financial information furnished to us is protected against unauthorized use, inspection, or disclosure.”

11 When Safeguard Reviews are Conducted?
■Internal Revenue Service (IRS) Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies states:
  ▪ “Agencies should establish a review cycle so that all local offices receiving FTI are reviewed within a three year cycle.”
  ▪ “Headquarters, other facilities housing FTI and the agency computer facility should be reviewed within a 18 month cycle.”

12 Safeguard Review Objectives
■Ensure the safeguarding of personal, confidential, and sensitive child support information, including FTI.
■Ensure compliance with the DCSS Information Security Manual, National Institute of Standards and Technology (NIST) 800-53, IRS Publication 1075 and Child Support Services (CSS) Letters pertaining to the safeguarding of child support information and IT assets.
■Ensure IT Best Practices for privacy and security of information are followed.

13 Safeguard Review Scope
■The review consists of questions pertaining to physical & technical security safeguards of personal, confidential, and sensitive Child Support Information, including FTI, in seven subject requirement areas:
  ▪ Record Keeping: “a record of receipt and handling of FTI.”
  ▪ Secure Storage: “building security, badges, containers, etc.”
  ▪ Restrict Access: “procedures to grant/limit employee access.”
  ▪ Employee Awareness: “annual security training of employees.”
  ▪ Incident Reporting: “procedures to report a security breach.”
  ▪ Disposal: “confidential destruction procedures.”
  ▪ IT Security: “computer security provisions.”

14 Safeguard Review Scope
Additional requirements also cover:
■NIST SP 800-53 – which covers additional computer management, operational and technical security controls.
■DCSS Information Security Manual – compilation of departmental policies, standards and guidelines.

15 Safeguard Review Activities
■Notification letter (via e-mail, 30 days prior to arrival)
■Entrance conference (discuss agenda with Director and staff)
■On-site review (meet w/key staff, conduct walkthroughs)
■Exit conference (overview of day’s events and findings w/Director and staff)
■Preliminary Report (issue approx. 45 days after to LCSA for review)
■Response and/or Plan to Address Findings (LCSA submits response for consideration approx. 45 days)
■Final Report (incorporates response and issues final)

16 Questions?

17
■To obtain a copy of today’s presentation or any documents mentioned, please go to the DCSS Information Security, Safeguard Review Toolbox located on the California Child Support Central website.
■Please contact us at: (916) 464-5045 or info.security@dcss.ca.gov


19 Remaining LCSA Safeguard Reviews
■Tulare
■San Diego
■Santa Clara
■Siskiyou
■Shasta
■Madera
■Modoc
■Inyo
■Lake
■Yuba

20 Proposed Review Schedule – 2011
■San Joaquin
■Santa Barbara
■Placer
■Mendocino
■Humboldt
■Imperial
■San Luis Obispo
■Ventura
■San Francisco
■San Mateo
■Riverside
■Solano
■Sonoma
■Kern
■Monterey
■Napa
■Sutter
■Sierra
■Nevada
■Yolo

