2 Preparing for the IRS Safeguarding Review
Coordinator: Karina Castañeda

Good morning everyone. My name is Karina Castañeda, and I'd like to welcome you to: Preparing for the IRS … I'd like to introduce your panel for this workshop.

3 Your panel
- California Department of Child Support Services: Jesse Saenz, Senior Information Security Analyst
- Napa County Department of Child Support: Janet Nottley, Director
- Sacramento County Department of Child Support: Craig Neiman, Child Support Program Planner

TRANSITION: Before we move to today's presentation, I'd quickly like to go over some housekeeping to ensure we get through all of the material we've prepared for you today:

4 Housekeeping
- Business cards are available after the presentation, on the back table.
- There will be time for Q&A at the end of the presentation. To ensure we finish on time, please hold your questions.
- The LCSA contact list for SAR will be shared. Please write down your LCSA's information.
- Please turn off your cell phones or put them on vibrate. Please take urgent calls outside for everyone's comfort.

5 Agenda
- Purpose
- DCSS Role and Responsibilities
- On-Site Safeguard Evaluation Overview
- LCSA perspective

The goal for today is to ….

6 TRAINING OBJECTIVE
- Ensure the safeguarding of personal, confidential, and sensitive child support information, including FTI, by CSS.
- Ensure IT best practices for privacy and security of information are shared and followed by LCSAs.

7 Jesse Saenz, DCSS Information Security Office
Jesse.Saenz@dcss.ca.gov

8 Topics
- DCSS Information Security Office Responsibilities
- Definition of FTI
- Requirements for Handling FTI
- Restrictions for Access to FTI
- On-Site Safeguard Evaluation Overview

SCRIPT: As Karina mentioned, I will be going over….
- DCSS Information Security Office Responsibilities: talk about the role of the ISO.
- Definition of FTI: define what FTI (federal tax information) is and which data is FTI.
- Requirements for Handling FTI: IRS Publication 1075 has requirements for the handling of FTI.
- Restrictions for Access to FTI: IRS Publication 1075 has restricted-access requirements for FTI.
- On-Site Safeguard Evaluation Overview: as the recipient, your agency must have safeguards in place to protect child support information, including FTI. An on-site evaluation is conducted by the ISO, and we evaluate the adequacy of those safeguards to protect the information from unauthorized access and disclosure.

9 DCSS ISO Responsibilities
- Establish and maintain the DCSS Security policies which govern information security within the Child Support Program.
- Provide guidance, support and oversight for information security activities, including but not limited to: compliance monitoring, business continuity, security incidents, and policy.
- Perform on-site safeguard evaluations to determine adequacy to safeguard child support information.
- Conduct tasks in a professional manner, promote superior customer satisfaction and deliver services that meet or exceed our customers' expectations.

SCRIPT: On this slide let's discuss the role of the ISO.
- Establish and maintain the DCSS Security policies which govern information security within the Child Support Program. The ISM has detailed policy-related requirements. A copy of the ISM can be found on CA Child Support Central or by contacting the ISO mailbox at
- Provide guidance, support and oversight for information security activities, including but not limited to: compliance monitoring (provide CSE activity of a user); security incidents (what to report and how to report a security incident); and policy (guidance and clarification of a policy requirement).
- Perform on-site safeguard evaluations to determine adequacy to safeguard child support information, including FTI. We will discuss this later in this presentation.
- Conduct tasks in a professional manner, promote superior customer satisfaction and deliver services that meet or exceed our customers' expectations. I pride myself on always being a resource to the LCSAs.

10 Definition of FTI
- Return or Return Information received directly or indirectly from the Secretary of the Treasury.
- Received from OCSE (Office of Child Support Enforcement) and stored in the CSE (Child Support Enforcement) application.
- Most FTI provided to the child support program is received from OCSE (via CSE and CMT).
- Important to note: Return or Return Information received from a NCP, CP or other participants is not considered FTI. This data is confidential and security controls still apply to protect it from unauthorized access.

SCRIPT: Now, let's discuss FTI…. [reads the slide bullets above] So the requirements entail: note the data is received by Locate in CSE, Financials due to payments, data extracted to CMT, and of course manual requests by the LCSA that are processed back to DCSS and on to OCSE. In order to ensure you receive the necessary data, we have requirements.

11 Requirements for Handling FTI
- Every employee granted access to handle or process FTI must certify their understanding of security policy and procedure for protecting IRS information and the penalties for unauthorized disclosure. This includes contractors, consultants, and temporary employees employed by the LCSA.
- All Child Support employees at time of hire, and then annually thereafter, certify their understanding of the importance of protecting child support information at all times by successful completion of the mandatory Information Security Awareness Training (ISAT) available via the Child Support University (CSU).

SCRIPT: Here we will discuss requirements for handling FTI.
- Every employee granted access to handle or process FTI must certify their understanding of security policy and procedure for protecting IRS information and the penalties for unauthorized disclosure. Penalties include criminal and civil. This requirement applies to all employees, including contractors, consultants, and temporary employees employed by the LCSA.
- All Child Support employees at time of hire, and then annually thereafter, certify their understanding of the importance of protecting child support information at all times by successful completion of the mandatory Information Security Awareness Training (ISAT) available via the Child Support University (CSU). Contact the ISO for ISAT for vendors and contractors. The PowerPoint does not consist of the modules within CSU.

12 Restrictions for Access to FTI
- FTI should be limited to authorized employees with a legitimate business need.
- IRS has defined a number of physical and technical requirements that control access, even for authorized persons.
- CSE implements tracking and logging consistent with IRS requirements for information electronically stored in CSE and SDU, including the Data Repository.
- FTI received outside of CSE must be manually logged and tracked from date of receipt, during handling, and through destruction.

SCRIPT: Limiting access to individuals on a need-to-know basis reduces opportunities to "browse" or improperly view FTI. Restricting access to designated personnel minimizes improper access or disclosure. When FTI must be provided to clerical staff, computer operators, or others, they should only be provided the FTI that is essential to accomplish their official duties. Publication 1075 Section 5.0, Restricting Access, provides further requirements for restricting access to FTI. Now let's move on to the on-site evaluation piece.

13 On-Site Safeguard Evaluation Overview
SCRIPT: Here we will discuss On-Site Safeguard Evaluations.

14 What does it entail?
Assessment of the LCSA's use of personal, confidential, and sensitive child support information, including FTI, and the measures employed to protect the data from unauthorized access and disclosure.

SCRIPT: What does an On-Site Evaluation entail…. [reads the slide text above]

15 Why are Safeguard Evaluations Conducted?
Internal Revenue Service (IRS) Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, states:
- "As a condition of receiving FTI, the receiving agency must show, to the satisfaction of the IRS, the ability to protect the confidentiality of that information."
- "Agencies must ensure its safeguards will be ready for immediate implementation upon receipt of FTI."
- "The public must maintain a high degree of confidence that the personal and financial information furnished to us is protected against unauthorized use, inspection, or disclosure."
- Prepare the LCSA for an IRS on-site Safeguard Review.

SCRIPT: As stated in CSS letter 15-01, DCSS will be conducting consistent on-site evaluations in order to prepare LCSAs for the IRS….

16 Safeguard Evaluation Authorities & Objectives
Ensure compliance with:
- DCSS Information Security Manual (ISM)
- IRS Publication 1075
- IRS Safeguard Computer Evaluation Matrices (SCSEMs)
- National Institute of Standards and Technology (NIST)
- CSS Letters regarding safeguarding child support information and IT assets.
Note: recent changes effective 2014 to Publication 1075 and issuance of a CSS letter related to those changes.

SCRIPT: Let's discuss the authorities and objectives of an On-Site Safeguard Evaluation. Ensure compliance with:
- DCSS Information Security Manual (ISM): DCSS policies.
- IRS Publication 1075: specific requirements to safeguard FTI.
- IRS Safeguard Computer Evaluation Matrices (SCSEMs): various IRS documents of security controls in place to protect FTI from unauthorized access and disclosure.
- National Institute of Standards and Technology (NIST): listing of recommended security controls for information systems and organizations.
- CSS Letters regarding safeguarding child support information and IT assets.
Note: recent changes effective 2014 to Publication 1075 and issuance of a CSS letter related to those changes.

17 When are Evaluations Conducted?
Internal Revenue Service (IRS) Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, states:
- "Agencies should establish a review cycle so that all local offices receiving FTI are reviewed within a three year cycle."
- "Headquarters, other facilities housing FTI, and the agency data center should be reviewed within an 18 month cycle."
- "IRS visits California every three years."

SCRIPT: [reads the Publication 1075 quotes above] The ISO plans to visit each LCSA every three years. As you know, the CSS letter provided a tentative schedule for LCSA reviews and I will revisit that towards the end of the presentation. Let's go over the scope.

18 Safeguard Evaluation Scope
Consists of questions pertaining to the agency's physical and technical security safeguards in place in the seven subject requirement areas:
- Record Keeping: log to track receipt and handling of FTI
- Restricting Access: measures taken to restrict/limit access
- Secure Storage: building security, storage containers
- Incident Reporting: procedures to report incidents
- Employee Awareness: annual awareness training
- IT Security: computer security policy/procedures
- Disposal: procedures for confidential destruction

SCRIPT: Here we will see the scope. The IRS Publication has seven specific requirement areas. These include:
- Record Keeping: log to track receipt and handling of FTI
- Restricting Access: measures taken to restrict/limit access
- Secure Storage: building security, storage containers
- Incident Reporting: procedures to report incidents to the ISO mailbox
- Employee Awareness: annual awareness training; ISAT on CSU and ISAT for vendors/contractors
- IT Security: computer security policy/procedures
- Disposal: procedures for confidential destruction; disposal must be witnessed
See Publication 1075 for more information.

19 Evaluation Activities
- Notification letter (30-45 days prior)
- Entrance Meeting: Agenda/Events
- On-site Evaluation: Walkthrough, Interviews
- Exit Conference: Discuss Finding(s)
- Preliminary Report: Approx. 30 days
- Corrective Action Plan: Submit until all closed
- Final Report

SCRIPT: Let's now review some of the activities of an On-Site Evaluation.
- Notification letter, 30-45 days prior. In the notification we send: the Internal Inspection Report, covering the Pub 1075 requirement areas; documents requested for review prior to arrival; and an application located on the DCSS LCSA Secure Website. The purpose of this application is to provide an easy and secure means of file/document exchange between the DCSS Information Security Office (ISO) and the LCSAs.
- Entrance Conference: Agenda, Day(s), Events
- On-site Evaluation: Walkthrough, Interviews
- Exit Conference: Discuss Finding(s) and observations
- Preliminary Report: issued approx. 30 days
- Corrective Action Plan (CAP): CAP submitted every 6 months until all findings have been closed
- Final Report

20 2015 Proposed LCSA Evaluation Schedule
Glenn, Yolo, Colusa, Sierra/Nevada, Plumas, Butte, Tehama, Lake, San Francisco, San Mateo, Monterey, Mariposa, Sutter, Marin, Riverside, Fresno, Santa Cruz/San Benito, Sonoma, Central Sierra
Next IRS Visit

SCRIPT: Here is a proposed list of schedule for
NOTE: IRS is scheduled to arrive in California
When they visit they request to visit a S, M, L county. Again, the ISO will work closely with the selected LCSAs prior to arrival.

21 Future DCSS ISO Questions
Contact Information: DCSS – ISO (916) or
Any specific LCSA questions on the on-site review not answered today, please contact us…
Now I will turn it over to Janet Nottley with Napa County…

22 Janet Nottley, Napa County CSS
Janet.Nottley@countyofnapa.org
LCSA perspective…

23 Napa Perspective
"I like to audit the small counties because we always find a lot" - IRS Auditor

24 Napa Evaluation Result
Napa County had no findings at its LCSA office and limited findings at its Information Technology Department.

25 National Institute of Standards and Technology (NIST) Publication 800-53 Revision 4
"Organizations have the responsibility to select the appropriate security controls, to implement the controls correctly, and to demonstrate the effectiveness of the controls in satisfying established security requirements."

SCRIPT: Having stated our final result in last year's audit, I will reiterate that: in order to demonstrate that appropriate controls are in place, there are specific steps to take to ensure….
- Categorize: visitors, electronic data, paper trails.
- Select: how to address each one of those parts.
- Implement methods for security, and ASSESS their effectiveness.
- Authorize on a NEED to know; continually monitor.
So let's talk about some basics we all have to address, large, medium or small county…

26 From NIST Publication 800-53
Step 1: Categorize the information system based on a FIPS Publication 199 impact assessment.
SELECTING SECURITY CONTROL BASELINES: In preparation for selecting and specifying the appropriate security controls for organizational information systems and their respective environments of operation, organizations first determine the criticality and sensitivity of the information to be processed, stored, or transmitted by those systems. This process, known as security categorization, is described in FIPS Publication 199.

Step 2: Select the applicable security control baseline based on the results of the security categorization and apply tailoring guidance (including the potential use of overlays).
Note that NIST directs and provides Supplemental Guidance: Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes, for example: (i) dividing mission functions and information system support functions among different individuals and/or roles; (ii) conducting information system support functions with different individuals (e.g., system management, programming, configuration management, quality assurance and testing, and network security); and (iii) ensuring security personnel administering access control functions do not also administer audit functions.

Step 3: Implement the security controls and document the design, development, and implementation details for the controls.
In Napa, management developed a matrix for access depending on duties and roles. Those are implemented by staff who do not report to the LCSA ISO.

Step 4: Assess the security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

Step 5: Authorize information system operation based on a determination of risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation and use of the information system and the decision that this risk is acceptable.

Step 6: Monitor the security controls in the information system and environment of operation on an ongoing basis to determine control effectiveness and changes to the system/environment.
We learned a lot about environment during our recent earthquake. We erred on the side of caution; we had no security risks at our temp. sites.

27 Basic Requirements
The MPS or "two barrier" rule applies to FTI, beginning at the FTI itself and extending outward to individuals without a need-to-know. The MPS provides the capability to deter, delay, or detect surreptitious entry. Protected information must be containerized in areas where other than authorized employees may have access after hours.

Using a common situation as an example, often an agency desires or requires that security personnel, custodial service workers, or landlords for non-government-owned facilities have access to locked buildings and rooms. This may be permitted as long as there is a second barrier to prevent access to FTI. A security guard, custodial services worker, or landlord may have access to a locked building or a locked room if FTI is in a locked security container. If FTI is in a locked room but not in a locked security container, the guard, janitor, or landlord may have a key to the building but not the room.

28 Napa LCSA Physical Environment
- The LCSA is located on the 2nd floor, as are other departments: DA, Public Defender, etc. There is a shared conference room.
- We have one main entrance and all LCSA doors have alarms; FOBs are required for employee entrance to the CSS Department.
- We are file-less.
- LCSA: no other separate rooms exist for mail processing, etc.
- We have 32 FTEs and all staff have locking cabinets.
- Clean desk policy at close of business (COB) is actively enforced.

SCRIPT: Here is what it means to Napa. We are file-less but not paperless. The benefit is, amongst other things: disclosure of FTI to state auditors by child support enforcement and human services agencies is not authorized by statute, so FTI in case files must be removed prior to access by the auditors. We simply do not have documents in files to remove, because we are file-less. Necessary documentation is shredded after processing, or scanned if necessary (scanners on each desk). This reduces your vulnerability greatly because it limits the paper trail. No one has to file it, then later remove it, then shred it. Access to information is very limited in our department.

29 ACCESS to Information
- Employees are required to wear their County ID badge at all times and have their FOB in order to enter the office. (Enables ISO tracking and report logs.)
- FAX and copy machines have FTI warning labels.
- Correspondence not processed by COB is locked up.
- Confidential/FTI transported from one location to another must be double sealed.
- FTI cannot be shared with other entities. This means audits do not label IRS intercepts. Addresses and other information obtained via CSE Locate are then filtered and verified by an external source, as FTI is not able to be shared.

Pub 1075, Fax Equipment: If FTI is prohibited from inclusion within fax communications, a policy must be written and distributed. If FTI is allowed to be included within fax communications, the agency must only transmit FTI to an authorized recipient and must adhere to the following requirements:
a. Have a trusted staff member at both the sending and receiving fax machines;
b. Accurately maintain broadcast lists and other preset numbers of frequent recipients of FTI;
c. Place fax machines in a secured area; and
d. Include a cover sheet on fax transmissions that explicitly provides guidance to the recipient,

30 Tracking Access to Restricted Area
Visitors (non-certified staff) are screened, recorded, and escorted at all times when in restricted areas.

A restricted area is an area where entry is restricted to authorized personnel (individuals assigned to the area). All restricted areas either must meet secured area criteria or provisions must be made to store FTI in appropriate containers during non-duty hours. Using restricted areas is an effective method for eliminating unnecessary traffic through critical areas, thereby reducing the opportunity for unauthorized access or disclosure or theft of FTI. All of the following procedures must be implemented to qualify as a restricted area.

Restricted areas will be prominently posted and separated from non-restricted areas by physical barriers that control access. The number of entrances must be kept to a minimum and must have controlled access (e.g., electronic access control, key access, door monitor) to prevent unauthorized entry. The main entrance must be controlled by locating the desk of a responsible employee at the entrance to ensure that only authorized personnel with an official need may enter.

The visitor must sign, either electronically or physically, into the visitor access log. The security personnel must validate the person's identity by examining government-issued identification (e.g., state driver's license or passport) and recording in the access log the type of identification validated. The security personnel must compare the name and signature entered in the access log with the name and signature on the government-issued identification. When leaving the area, the security personnel or escort must enter the visitor's time of departure. Each restricted area access log must be closed out at the end of each month and reviewed by management.

Whenever cleaning and maintenance personnel are working in restricted areas containing FTI, the cleaning and maintenance activities must be performed in the presence of an authorized employee.

Allowing an individual to "piggyback" or "tailgate" into restricted locations should be prohibited and documented in agency policy. The agency must ensure that all individuals entering an area containing FTI do not bypass access controls or allow unauthorized entry of other individuals. Unauthorized access should be challenged by authorized individuals (e.g., those with access to FTI). Security personnel must be notified of unauthorized piggyback/tailgate attempts.

31 Implementation and Monitoring
- Data access and training are determined at: new hire, reclassification, and during case management changes.
- Mandatory annual staff training and signing.
- Online training: Personal Security & Confidentiality by the ISO, including P&P.
- Annual recertification and signing for all staff.
- In-person training for other required staff (i.e., ITS, custodian, any necessary staff).

SCRIPT: UIFSA is a good example of case management changes. Auditors specifically question the UIFSA worker as to transmittals with FTI.

32 Policies & Procedures Highlights…
- ONLY Program Supervisors are allowed to order tax returns.
- Any FTI documentation is routed to supervisory staff after being recorded by the ISO and is then stored in the FTI cabinet.
- All workers must lock up case documents in their cabinets at night and ensure a clean desk. No correspondence may be left on chairs when an employee is out of the office.
- Shredding carts are emptied nightly by staff. Any I&Es and related tax returns are recorded and go to a specific shredder bin. Only the ISO and Director have the key to open that particular bin.
- Court prep/legal files are locked in the attorney's cabinet.
- CMT data that may contain FTI is not allowed to be downloaded and stored on county drives.
- The IRS cabinet is kept in the ISO/Manager's office to allow for 2 locked, secure doors as required by MPS. The Manager records and destroys FTI.

SCRIPT: We take extra precaution in Napa to ensure Minimum Protection Standards (MPS). We ensure paper is shredded to effect 5/16-inch-wide or smaller strips. Consideration should be given to the purchase of cross-cut shredders when replacing or purchasing new equipment. If shredding deviates from the 5/16-inch specification, FTI must be safeguarded until it reaches the stage where it is rendered unreadable through additional means, such as burning or pulping. As part of our verification of compliance, we literally have staff with an umbrella observing outside (Shred-it comes and they walk around with Shred-it; we finally let them take a chair).

33 Annual Verification and Documentation
- Automated system access levels audited.
- Annual ISO training and staff signatures obtained.
- Training attendance records maintained.
- Assets and key certification (wet signatures).
- Automated (FOB) reports compared to building access records, reviewed semi-annually.
- Visitor log secured and stored monthly.
- Written policies revisited, updated, and redistributed to staff as appropriate.

SCRIPT: As required by NIST, the ISO monitors and thus completes verification every year.

34 On-Site Preparation and Process
- Received notice of audit
- Complete Matrix
- Advise others (ITS) of date and need for accessibility
- Review/update procedures related to Matrix
- Prepare all staff for DCSS/IRS walk-through with daily/random checks
- On-site review completed
- Preliminary report and/or findings
- CAP if necessary

35 Napa County IRS Audit
Two audit teams:
- LCSA: Management (Director and LCSA ISO), Program Supervisory staff, UIFSA case manager
- Information Technology: Napa's IT Security Manager, IT staff

36 Safeguard Review Report
Napa Experience: Safeguard Review Report (FINDINGS)

37 Napa Findings
FINDING: The child support agency is making unauthorized disclosures of FTI to County of Napa Information Technology Services for the purpose of software maintenance, operation support, system maintenance and off-site storage. (Significant) (Held in Abeyance)

County of Napa Information Technology Services have access to more than the three FTI data elements specifically authorized for disclosure to contractors by IRC 6103(l)(6)(B)(ii) and Publication 1075 section 5.5 for the purposes of establishing and collecting child support obligations:
- The address;
- Social Security Number of an individual with respect to whom child support obligations are sought to be established or enforced; and
- The amount of any reduction under IRC 6402(c) in any overpayment otherwise payable to such individual.

RECOMMENDATION: Agency corrective actions to remove unauthorized contractor access to FTI are held in abeyance pending resolution by OCSE and IRS of conflicting interpretations of federal statutes.

SCRIPT: CMT, Iron Mountain finding: what is your IT doing with your data? Ensure that the alternate storage site provides information security safeguards equivalent to those of the primary site. Supplemental Guidance from NIST states that: Alternate storage sites are sites that are geographically distinct from primary storage sites. An alternate storage site maintains duplicate copies of information and data in the event that the primary storage site is not available. Items covered by alternate storage site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination of delivery/retrieval of backup media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems.

38 Napa Findings
FINDING: The agency must enhance their SLA with Napa County DCSS and County of Napa Information Technology Services by providing the safeguarding requirements for the protection of FTI. (Moderate)

The agency must enhance their SLA to include Exhibit 7 language. An SLA is required when an agency utilizes services of another state agency requiring access to FTI. In accordance with Publication 1075 section 5.4.2, to ensure safeguarding requirements follow the data, the agency must implement a written agreement documenting the following:
- Shared responsibility for the protection of FTI
- Required compliance with Publication 1075
- Support to the recipient agency during an on-site Safeguard review
- Conducting internal inspections every 18 months
- Restrict access to employees on a need-to-know basis
- Ensure employees with access are trained and sign confidentiality statements
- Restrict disclosures to contractors as authorized by the Internal Revenue Code
- Identify responsibility for 45-day Notification
- Identify responsibility and primary contacts for incident and response specific to FTI backup
- Include appropriate Publication 1075 Exhibit 7 language

RECOMMENDATION: The agency must enhance the current SLA with Napa County DCSS and County of Napa Information Technology Services to include the required safeguard language.

39 Napa Findings
FINDING: The agency does not provide annual disclosure awareness training for the safeguarding of FTI at the County of Napa Information Technology Department and SRC. (Moderate)

Granting agency employees and contractors access to FTI must be preceded by each employee and contractor certifying his/her understanding of the agency's security policy and procedures for safeguarding IRS information. In accordance with Publication 1075 section 6.3, the disclosure awareness training must stipulate that:
- Employees and contractors should be advised of the penalty provisions of IRC §§ 7213, 7213A, and 7431
- The training must cover the incident response policy and procedures for reporting unauthorized disclosures and data breaches
- Employees must be made aware that disclosure restrictions and the penalties apply even after employment with the agency ends
- For both the initial certification and the annual certification, the employee or contractor must sign, either with ink or electronic signature, a confidentiality statement certifying his or her understanding of the security requirements. The initial certification and recertification must be documented and placed in the agency's files for review and retained for at least 5 years

RECOMMENDATION: The agency must provide annual disclosure awareness training to all employees and contractors with access to FTI.

40 Napa Findings
FINDING: The agency does not conduct internal inspections every 18 months covering the safeguarding of FTI at the County of Napa Information Technology Department for the case files and disaster recovery tapes. (Moderate)

Internal inspections are not conducted at 18-month intervals at the County of Napa Information Technology Department. To ensure the continuous safeguarding of FTI, the agency must conduct internal inspections of all offices where FTI is resident. Agencies must establish a review cycle as follows:
- Local offices receiving FTI: at least every 3 years
- Headquarters office facilities housing FTI and the agency computer facility: at least every 18 months
- All contractors with access to FTI, including a consolidated data center or off-site storage facility: at least every 18 months

The completed plan must be included as part of the annual SSR in accordance with Publication 1075 section 6.4. Templates for the plan and internal inspections are available at or may be requested by at D.4

RECOMMENDATION: The agency must conduct internal inspections for the safeguarding of FTI at the County of Napa Information Technology Department every 18 months.

41 Craig Neiman Neimanc@saccounty.net
Sacramento County LCSA

42 Early Preparation
- Identify primary contacts and coordinator
- Reference the most up-to-date IRS and State DCSS security materials available
- Reach out to other counties for lessons learned
As Janet mentioned, counties options 1,2,3… Separate IT departments…

43 Tangible Tasks (Before Audit)
- Gather and review your county's MOUs (Memorandums of Understanding) and other contracts (get them up to date)
- Have someone ensure security documentation has been completed annually by staff (new-hire training as well as annual training for existing staff, and for technical support staff who can access FTI)
- Complete the IRS Safeguards Disclosure Security Evaluation Matrix and obtain consensus on responses
- Dig to discover discrepancies between office policy and what is done in practice

44 Mock Audit Run Through
- Walk around the perimeter of the office and test entry points and locked doors.
- When visitors come to the office, are the procedures being followed regarding escorts and badges? Does everybody agree on the definition of a visitor?
- Walk around the office after normal work hours to look at things like employee work spaces, fax machines, and printers.
- Review the various logs (temporary badge log, master key log, FTI material logs) with management.

45 Day of Audit
- Staff should be prepared in case the auditors request to shadow certain practices (e.g., trainers who conduct security training, staff who handle FTI logging or materials, destruction of materials, a tour of the office).
- For the shadowing, it was nice to have a designated room with a computer and overhead projector in which selected line staff could come in and provide demonstrations for the auditors.
- Staff who may respond to questions should be aware of the need to provide succinct, accurate responses.
- The auditors need access to servers and data for their automated system tests.

46 Findings in Sacramento: Non-technical
Non-technical related findings in Sacramento:
- Documents received from the CA Central Registry containing FTI were being logged correctly but were found stored in a cabinet with wheels.
- The Sacramento IT Backup Data Center did not have a visitor log in place or adequate safeguards regarding the double-barrier requirements for FTI.
- Labelling and double-sealing envelopes when sending hardcopy outbound Transmittal 2 documents (CSENet helps).
- Logging, scanning, and destruction of inbound hardcopy Transmittal 2 documents containing FTI.

47 Findings in Sacramento: Technical (Part 1)
Technical related findings in Sacramento:
- Controls required for remote access: county equipment (laptops) with two-factor authentication required.
- Security patches and latest virus protection.
- Multi Functional Devices (MFDs) set up and not used for PDF delivery (documents need to be scanned directly into a restricted-access folder).
- Direct access to the Texas Child Support System is prohibited since there are no audit controls.

48 Findings in Sacramento: Technical (Part 2)
More technical related findings in Sacramento:
- Segregate databases holding FTI from databases that do not.
- Audit controls (logging) needed when FTI is accessed via our Local Area Data Repository (LADR).
- Reports with FTI produced from LADR needed to be labelled and secured, and procedures put in place for their distribution to line staff.

49 Findings in Sacramento: Technical (Part 3)
Technical related findings in Sacramento needing a statewide response:
- The CSE, SAT, IDB, CMT, and State Repository applications do not allow for auditing to capture access to and movement of FTI by each user within the application.
- The agency does not monitor or review access logs for inappropriate or unusual activity.
- Screens that contain FTI in CSE, SAT, LADR, and IDB are not labeled. When FTI is displayed electronically, the data elements or the screen must be labeled to clearly identify the Federal tax information.
- The warning banner that appears prior to accessing FTI does not contain the required language with respect to the CMT and IDB applications on the Secured Website.

50 Corrective Actions Responses have been provided for the Sacramento County specific findings. The two factor authentication is still an outstanding item. We are waiting for a County-wide implementation due to a requirement from the California Department of Justice regarding an unrelated audit and finding for our Sacramento Sheriff’s Department. Transition over to Jesse
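The Part 3 findings above call for two things the applications did not provide: audit records that capture access to and movement of FTI by each user, and regular review of those records for inappropriate or unusual activity. The following is an added example written for this page, not code from DCSS, Sacramento County or the IRS. It parses a constructed, pipe-delimited FTI access log and produces the kind of review an agency would want from such a log: which cases each user touched, access by users who are not on the need-to-know roster, access outside business hours, a burst of FTI prints by one user, and log lines that could not be parsed (a hole in the audit trail is a finding in its own right). The log layout, field names, the roster, the hours window and the print threshold are all assumptions for illustration; Publication 1075 requires the audit capability but does not prescribe this format.

```python
"""Added example: per-user FTI access accounting and a simple log review.

Written for this page, not DCSS, Sacramento County or IRS code. The log
format, field names, roster, hours window and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample records (not real data). Assumed layout, one event per line:
# timestamp|user|application|case_id|action
SAMPLE_LOG = """\
2019-03-04T09:12:31|jdoe|LADR|C1001|VIEW_FTI
2019-03-04T09:15:02|jdoe|LADR|C1002|VIEW_FTI
2019-03-04T10:40:11|asmith|CSE|C2001|VIEW_FTI
2019-03-04T23:05:44|asmith|CSE|C2002|VIEW_FTI
2019-03-04T11:02:09|bwong|IDB|C3001|PRINT_FTI
2019-03-04T11:03:10|bwong|IDB|C3002|PRINT_FTI
2019-03-04T11:04:12|bwong|IDB|C3003|PRINT_FTI
2019-03-04T11:05:15|bwong|IDB|C3004|PRINT_FTI
2019-03-04T11:06:20|bwong|IDB|C3005|PRINT_FTI
2019-03-04T11:07:25|bwong|IDB|C3006|PRINT_FTI
2019-03-04T14:20:00|tempuser|LADR|C1003|VIEW_FTI
2019-03-04T14:21:00|garbage line without the expected fields
"""

# Assumed need-to-know roster and review thresholds; tune to the agency's policy.
AUTHORIZED_USERS = {"jdoe", "asmith", "bwong"}
BUSINESS_HOURS = (time(7, 0), time(18, 0))
PRINT_THRESHOLD = 5  # PRINT_FTI events by one user in one day before it is flagged


def parse_log(text):
    """Return (records, malformed_line_numbers). Malformed lines are kept as
    a finding of their own: an audit trail with holes cannot be relied on."""
    records, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != 5:
            malformed.append(lineno)
            continue
        ts, user, app, case_id, action = parts
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            malformed.append(lineno)
            continue
        records.append({"when": when, "user": user, "app": app,
                        "case_id": case_id, "action": action})
    return records, malformed


def access_by_user(records):
    """Which FTI cases each user touched: the per-user accounting the
    finding asks the applications to be able to produce."""
    cases = defaultdict(set)
    for r in records:
        cases[r["user"]].add(r["case_id"])
    return {user: sorted(ids) for user, ids in cases.items()}


def review(records, malformed, authorized=AUTHORIZED_USERS):
    """Flag inappropriate or unusual activity in the parsed records."""
    findings = {"unauthorized_user": [], "after_hours": [],
                "print_burst": [], "malformed_lines": list(malformed)}
    prints = defaultdict(int)  # (user, date) -> PRINT_FTI count
    for r in records:
        if r["user"] not in authorized:
            findings["unauthorized_user"].append((r["user"], r["case_id"]))
        if not BUSINESS_HOURS[0] <= r["when"].time() <= BUSINESS_HOURS[1]:
            findings["after_hours"].append((r["user"], r["when"].isoformat()))
        if r["action"] == "PRINT_FTI":
            prints[(r["user"], r["when"].date())] += 1
    for (user, day), n in sorted(prints.items()):
        if n >= PRINT_THRESHOLD:
            findings["print_burst"].append((user, day.isoformat(), n))
    return findings


if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE_LOG)
    for user, ids in sorted(access_by_user(recs).items()):
        print(f"{user}: {', '.join(ids)}")
    for kind, items in review(recs, bad).items():
        print(f"{kind}: {items}")
```

On the constructed sample, the review reports tempuser (not on the roster) viewing C1003, asmith viewing C2002 at 23:05, bwong printing six cases in one morning, and line 12 as unparseable. The point of keeping the malformed-line count is that a reviewer who only looks at well-formed events can be shown a clean report by an application that silently dropped records; the applications named in the finding could not produce these records at all, which is why the item needed a statewide response.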

51 Access Safeguard Resources Online
The Office of Safeguards maintains Publication 1075, templates, guidance, and frequently asked questions online at:
Agencies are highly encouraged to periodically visit the website for new updates. The website is maintained with many resources to assist agencies with meeting Publication 1075 requirements. Examples of the website's features include:
- Safeguard alerts and technical assistance memorandums
- Recommendations on how to comply with Publication 1075 requirements
- Reporting requirement templates (e.g., Safeguard Security Report [SSR]) and guidance
- Instructions for reporting unauthorized accesses, disclosures, or data breaches
- Internal inspections report templates and instructions
- IRS disclosure awareness videos and resources
All references mentioned in this presentation and additional information can be accessed via the DCSS Secure Website at:

52 Questions? Please complete your evaluations and drop off at back table. Thank you!
