2. Coordinator: Karina Castañeda
Preparing for the IRS
Safeguarding Review
Coordinator: Karina Castañeda
Good morning everyone. My name is Karina Castaneda, and I’d like to welcome you to: Preparing for the IRS …
I’d like to introduce your panel for this workshop-

3. Jesse Saenz, Senior Information Security Analyst
California Department of Child Support Services
Jesse Saenz, Senior Information Security Analyst
Napa County Department of Child Support
Janet Nottley, Director
Sacramento County Department of Child Support
Craig Neiman, Child Support Program Planner
TRANSITION-Before we move to today’s presentation- I’d quickly like to go over some housekeeping to ensure we get through all of the material we’ve prepared for you today:

4. Housekeeping Business Cards are available after the presentation
On back table.
There will be time for Q&A at end of presentation
To ensure we finish on time, please hold your questions.
LCSA contact list for SAR will be shared
Please write down your LCSA’s information.
Please turn off your cell phones or put on vibrate
Please take urgent calls outside for everyone’s comfort.

5. Purpose Agenda DCSS Role and Responsibilities
On-Site Safeguard Evaluation Overview
LCSA perspective
The goal for today is to ….

6. TRAINING OBJECTIVE
Ensure the safeguarding of personal, confidential, and sensitive child support information, including FTI by CSS.
Ensure IT Best Practices for privacy and security of information is shared and followed by LCSAs.

7. Jesse Saenz Jesse.Saenz@dcss.ca.gov
DCSS Information Security Office
(next slide)

8. Topics DCSS Information Security Office Responsibilities
Definition of FTI
Requirements for Handling FTI
Restrictions for Access to FTI
On-Site Safeguard Evaluation Overview
SCRIPT
As Karina mentioned I will be going over….
DCSS Information Security Office Responsibilities – talk about the role of the ISO
Definition of FTI – define what is FTI (federal tax information) and data FTI
Requirements for Handling FTI – IRS Publication 1075 has requirements for handling of FTI.
Restrictions for Access to FTI - IRS Publication 1075 has restrict access requirements for FTI.
On-Site Safeguard Evaluation Overview – as the recipient, your agency must implement safeguard in place to protect child support information, including FTI. Am on site evaluation, is conduct by the ISO and we evaluate the adequacy to protect the information from unauthorized access and disclosure.
(next slide)

9. DCSS ISO Responsibilities
Establish and maintain the DCSS Security policies which govern information security within the Child Support Program.
Provide guidance, support and oversight for information security activities, including but not limited to: compliance monitoring, business continuity, security incident, and policy.
Perform on-site safeguard evaluations to determine adequacy to safeguard child support information.
Conduct tasks in a professional manner, promotes superior customer satisfaction and deliver services that meet or exceed our customer’s expectations.
SCRIPT
On this slide let’s discuss the role of the ISO.
Establish and maintain the DCSS Security policies which govern information security within the Child Support Program.
The ISM has detailed policy related requirements.
A copy of the ISM can be found on CA Child Support Central or by contacting the ISO mailbox at
Provide guidance, support and oversight for information security activities, including but not limited to:
compliance monitoring – provide CSE activity of a user
security incident – what to report and how to report a security incident
and policy – guidance and clarification to a policy requirement
Perform on-site safeguard evaluations to determine adequacy to safeguard child support information, including FTI.
We will discuss this later in this presentation
Conduct tasks in a professional manner, promotes superior customer satisfaction and deliver services that meet or exceed our customer’s expectations.
I pride myself to always be a resource to the LCSAs
(next slide)

10. Definition of FTI
Return or Return Information received directly or indirectly from the Secretary of the Treasury.
Received from OCSE (Office of Child Support Enforcement) is stored in CSE (Child Support Enforcement) application.
Most FTI provided to the child support program is received from OCSE. (Via CSE and CMT)
Important to Note – Return or Return information received from a NCP, CP or other participants is not considered FTI. This data is confidential and security controls still apply to protect it from unauthorized access.
SCRIPT
Now, let’s discuss FTI ….
Return or Return Information received directly or indirectly from the Secretary of the Treasury.
Received from OCSE (Office of Child Support Enforcement) is stored in CSE (Child Support Enforcement) application.
Most FTI provided to the child support program is received from OCSE. (Via CSE and CMT)
Important to Note – Return or Return information received from a NCP, CP or other participants is not considered FTI. This data is confidential and security controls still apply to protect it from unauthorized access
So the requirements entail * note the data is received by Locate in CSE, Financials due to payments, data extracted to CMT, and of course manual requests by LCSA that are processed back to DCSS and onto OSCE. In order to ensure you received the necessary data, we have requirements-
(next slide)

11. Requirements for Handling FTI
Every employee granted access to handle or process FTI must certify their understanding of security policy and procedure for protecting IRS information and the penalties for unauthorized disclosure. This includes contractors, consultants, and temporary employees employed by the LCSA.
All Child Support employees at time of hire, and then annually thereafter, certify their understanding of the importance to protect child support information at all times by successful completion of the mandatory Information Security Awareness Training (ISAT) available via the Child Support University (CSU).
SCRIPT
Here we will discuss requirements for handling FTI.
Every employee granted access to handle or process FTI must certify their understanding of security policy and procedure for protecting IRS information and the penalties for unauthorized disclosure.
Penalties include criminal and civil.
This requirement applies to all employees, including contractors, consultants, and temporary employees employed by the LCSA.
All Child Support employees at time of hire, and then annually thereafter, certify their understanding of the importance to protect child support information at all times by successful completion of the mandatory Information Security Awareness Training (ISAT) available via the Child Support University (CSU).
Contact the ISO for ISAT for Vendors and Contractors. The powerpoint does not consist of the modules within CSU.

12. Restrictions for Access to FTI
FTI should be limited to authorized employees with a legitimate business need.
IRS has defined a number of physical and technical requirements that control access, even for authorized persons.
CSE implements tracking and logging consistent with IRS requirements for information electronically stored in CSE and SDU, including the Data Repository.
FTI received outside of CSE must be manually logged and tracked from date of receipt, during the handling, and the destruction.
SCRIPT
Limiting access to individuals on a need-to-know basis reduces
opportunities to “browse” or improperly view FTI. Restricting access to
designated personnel minimizes improper access or disclosure. When FTI
must be provided to clerical, computer operators, or others, these should
only be provided the FTI that is essential to accomplish their official duties.
The Publication 1075 Section 5.0 – Restricting Access provide further requirements for restricting access to FTI.
NOW LET’S MOVE ONTO THE On Site EVALUATION PIECE..
(next slide)

13. On-Site Safeguard Evaluation Overview
SCRIPT
Here we will discuss On Site Safeguard Evlauations
(next slide)

14. What does it entail?
Assessment of the LCSA use of personal, confidential, and sensitive child support information, including FTI and the measures employed to protect the data from unauthorized access and disclosure.
SCRIPT
What does an On Site Evaluation entail….
Assessment of the LCSA use of personal, confidential, and sensitive child support information, including FTI and the measures employed to protect the data from unauthorized access and disclosure.
(next slide)

15. Why are Safeguard Evaluations Conducted?
Internal Revenue Service (IRS) Publication 1075,Tax Information Security Guidelines for Federal, State and Local Agencies states:
“As a condition of receiving FTI, the receiving agency must show, to the satisfaction of the IRS, the ability to protect the confidentiality of that information.”
“Agencies must ensure its safeguards will be ready for immediate implementation upon receipt of FTI.”
“The public must maintain a high degree of confidence that the personal and financial information furnished to us is protected against unauthorized use, inspection, or disclosure.”
Prepare the LCSA for a IRS onsite Safeguard Review
As stated in CSS letter 15-01, DCSS will be conducting CONSISTENT on-site evaluation in order to Prepare LCSAs for the IRS….

16. Safeguard Evaluation Authorities & Objectives
Ensure compliance with:
DCSS Information Security Manual (ISM)
IRS Publication 1075
IRS Safeguard Computer Evaluation Matrixes (SCESMs)
National Institute Standards and Technology (NIST)
CSS Letters regarding safeguarding child support information and IT assets.
Note: recent changes effective 2014 to Publication 1075 and issuance of CSS letter related to those changes.
SCRIPT
Let’s discuss Authorities and Objectives of an Onsite Safeguard Evaluation
Ensure compliance with:
DCSS Information Security Manual (ISM)
DCSS Policies
IRS Publication 1075
specific requirement to safeguard FTI
IRS Safeguard Computer Evaluation Matrixes (SCSEMs)
various IRS document of security controls in place to protect FTI from unauthorized access and disclosure
National Institute Standards and Technology (NIST)
listing of recommended security controls for Information Systems and Organizations
CSS Letters regarding safeguarding child support information and IT assets.
Note: recent changes effective 2014 to Publication 1075 and issuance of CSS letter related to those changes.
(next slide)

17. When are Evaluations Conducted?
Internal Revenue Service (IRS) Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies states:
“Agencies should establish a review cycle so that all local offices receiving FTI are reviewed within a three year cycle.”
“Headquarters, other facilities housing FTI, and the agency data center should be reviewed within a 18 month cycle.”
“IRS visit California every three years.”
SCRIPT
Internal Revenue Service (IRS) Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies states:
“Agencies should establish a review cycle so that all local offices receiving FTI are reviewed within a three year cycle.” The ISO plans to visit each LCSA every three years
“Headquarters, other facilities housing FTI, and the agency data center should be reviewed within a 18 month cycle.”
“IRS visit California every three years.”
(next slide)
As you know, CSS letter provided a tentative schedule for LCSA reviews and I will visit that towards the end of the presentation- let’s go over the scope..

18. Safeguard Evaluation Scope
Consists of questions pertaining to the agency physical and technical security safeguards in place in the seven subject requirement areas:
Record Keeping………….log to track receipt and handling of FTI
Restricting Access…….....measures taken to restrict/limit access
Secure Storage…..………... building security, storage containers
Incident Reporting ………....….…. procedures to report incidents
Employee Awareness ……...….…… annual awareness training
IT Security….………………. computer security policy/procedures
Disposal……….……….… procedures for confidential destruction
SCRIPT
Here we will see the scope. The IRS Publication has seven specific requirement areas. These include:
Record Keeping………….log to track receipt and handling of FTI
Restricting Access…….....measures taken to restrict/limit access
Secure Storage…..………... building security, storage containers
Incident Reporting ………....….…. procedures to report incidents to the ISO mailbox
Employee Awareness ……...….…… annual awareness training. ISAT on CSU and ISAT for Vendor/Contractors
IT Security….………………. computer security policy/procedures
Disposal……….……….… procedures for confidential destruction. Disposal must be witnessed
See the Publication 1075 for more information.
(next slide)

19. Evaluation Activities
Exit Conference
Discuss Finding(s)
Preliminary Report
Approx. 30 days
Corrective Action Plan
Submit until all closed
Final Report
Notification letter
(30-45 days prior)
Entrance Meeting
Agenda/Events
On-site Evaluation
Walkthrough
Interviews
SCRIPT
Lets now review some the activities of a On Site Evaluation
Notification letter
30-45 days prior
In notification we send:
Internal Inspection Report – covering the Pub 1075 Requirements areas
Documents requested for review prior to arrival
An application located on the DCSS LCSA Secure Website. The purpose of this application is to provide an easy and secure means of file/document exchange between DCSS Information Security Office (ISO) and the LCSAs.
Entrance Conference
Agenda
Days(s) Events
On-site Evaluation
Walkthrough
Interviews
Exit Conference
Discuss Finding(s) and observation
Preliminary Report
Issue Approx. 30 days
Corrective Action Plan (CAP)
CAP submitted every 6 months until all findings have been closed
Final Report
(next slide)

20. 2015 Proposed LCSA Evaluation Schedule
Glenn
Yolo
Colusa
Sierra/Nevada
Plumas
Butte
Tehama
Lake
San Francisco
San Mateo
Monterey
Mariposa
Sutter
Marin
Riverside
Fresno
Santa Cruz/
San Benito
Sonoma
Central Sierra
Here is a proposed list of schedule for NOTE: IRS is scheduled to arrive in California When they visit they request to visit a S, M, L county. Again, ISO will work closely with selected LCSAs prior to arrival
(next slide)
Next IRS Visit

21. Future DCSS ISO Questions:
Contact Information
DCSS – ISO
(916) or
Any specific LCSA questions on the onsite review not answered today, please contact us…
Now I will turn it over Janet Nottley with Napa County…

22. Janet Nottley Janet.Nottley@countyofnapa.org Napa County CSS
LCSA perspective…

23. “I like to audit the small counties because we always find a lot”
Napa Perspective
“I like to audit the small counties because we always find a lot”
-IRS Auditor

24. Napa Evaluation Result
Napa County had no findings at their LCSA office and limited findings at their Information Technology Department

25. National Institute Standards and Technology (NIST) 800-53 Publication 800-53 Revision 4
“Organizations have the responsibility to select the appropriate security controls, to implement the controls correctly, and to demonstrate the effectiveness of the controls in satisfying established security requirements.”
Having stated our final result in last year’s audit, I will reiterate that:
And in order to demonstrate that appropriate controls are in place…
There are specific steps to take to ensure….
Categorize: Visitors, Electronic date, Paper trails,
Select: how to address each one of those parts.
Implement methods for security & ASSESS the effectiveness
Authorize on a NEED to Know… continually monitor…
So let’s talk about some basics we all have to address, Large, medium or small county…

26. From NIST Publication 800-53
Step 1: Categorize the information system based on a FIPS Publication 199 impact assessment;28
SELECTING SECURITY CONTROL BASELINES
In preparation for selecting and specifying the appropriate security controls for organizational information systems and their respective environments of operation, organizations first determine the criticality and sensitivity of the information to be processed, stored, or transmitted by those systems. This process, known as security categorization, is described in FIPS Publication
Step 2: Select the applicable security control baseline based on the results of the security categorization and apply tailoring guidance (including the potential use of overlays);
Note NIST direct and provides Supplemental Guidance: Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes, for example: (i) dividing mission functions and information system support functions among different individuals and/or roles; (ii) conducting information system support functions with different individuals (e.g., system management, programming, configuration management, quality assurance and testing, and network security); and (iii) ensuring security personnel administering access control functions do not also administer audit functions.
Step 3: Implement the security controls and document the design, development, and implementation details for the controls;
IN Napa, Management developed a matarix for access depending on duties and roles. Those are implement by staff that does not report to the LCSA ISO.
Step 4: Assess the security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system;29
Step 5: Authorize information system operation based on a determination of risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation and use of the information system and the decision that this risk is acceptable; and
Step 6: Monitor the security controls in the information system and environment of operation on an ongoing basis to determine control effectiveness, changes to the system/environment.
We learned a lot about environment during our recent earthquake. Please we error on the side of caution, we had no security risks at our temp. sites.

27. Basic Requirements
The MPS or “two barrier” rule applies to FTI, beginning at the FTI itself and extending
outward to individuals without a need-to-know. The MPS provides the capability to
deter, delay, or detect surreptitious entry. Protected information must be containerized
in areas where other than authorized employees may have access after-hours.
Using a common situation as an example, often an agency desires or requires that
security personnel or custodial service workers or landlords for non-governmentowned
facilities have access to locked buildings and rooms. This may be permitted as
long as there is a second barrier to prevent access to FTI. A security guard, custodial
services worker, or landlord may have access to a locked building or a locked room if
FTI is in a locked security container. If FTI is in a locked room but not in a locked
security container, the guard, janitor, or landlord may have a key to the building but
not the room.

28. Napa LCSA Physical Environment
The LCSA is located on the 2nd floor as are other departments: DA, Public Defender , etc. There is a shared conference room.
We have one main entrance and all LCSA doors have alarms; FOBs are required for employee entrance to CSS Department.
We are File-Less.
LCSA: No other separate rooms exist for mail processing, etc.
We have 32 FTEs and all staff has locking cabinets.
Clean Desk policy at Close of Business (COB) actively enforced.
Here is what it means to Napa:
We are File-less but not paperless, the benefits is : amongst other things is Disclosure of FTI to state auditors by child support enforcement and human services agencies is not authorized by statute. FTI in case files must be removed prior to access by the auditors.
We simply do not have document in files to remove, because we are fileless. Necessary documentation is shred after processing, or scanned if necessary (scanners on each desk). Reduces your vulnerablity greatly because it limits the paper trail. No one has to file it, then later remove it/then shred it. Access to information is very limited in our Department--

29. ACCESS to Information
Employees are required to wear County ID badge at all times and have their FOB in order to enter office. (Enables ISO tracking and report logs.)
FAX and copy machines have FTI warning labels
Correspondence not processed by COB is locked
Confidential/FTI transported from one location to another must be double sealed when transported.
FTI can not be shared with other entities. This means audits do not label IRS intercepts. Addresses, and other information obtain via CSE locate are then filtered and verified by an external source as FTI is not able to be shared.
Pub Fax Equipment
If FTI is prohibited from inclusion within fax communications, a policy must be written and distributed.
If FTI is allowed to be included within fax communications, the agency must only transmit FTI to an authorized recipient and must adhere to the following requirements:
a. Have a trusted staff member at both the sending and receiving fax machines;
b. Accurately maintain broadcast lists and other preset numbers of frequent
recipients of FTI;
c. Place fax machines in a secured area; and
d. Include a cover sheet on fax transmissions that explicitly provides guidance to
the recipient,

30. Tracking Access to Restricted Area
Visitors (non-certified staff) are screened, recorded, and escorted at all times when in restricted areas.
A restricted area is an area where entry is restricted to authorized personnel (individuals
assigned to the area). All restricted areas either must meet secured area criteria or
provisions must be made to store FTI in appropriate containers during non-duty hours.
Using restricted areas is an effective method for eliminating unnecessary traffic through
critical areas, thereby reducing the opportunity for unauthorized access or disclosure or
theft of FTI. All of the following procedures must be implemented to qualify as a
restricted area. Restricted areas will be prominently posted and separated from non-restricted areas by
physical barriers that control access. The number of entrances must be kept to a
minimum and must have controlled access (e.g., electronic access control, key access,
door monitor) to prevent unauthorized entry. The main entrance must be controlled by
locating the desk of a responsible employee at the entrance to ensure that only
authorized personnel with an official need may enter.
The visitor must sign, either electronically or physically, into the visitor access log.
The security personnel must validate the person’s identify by examining governmentissued
identification (e.g., state driver’s license or passport) and recording in the access log the type of identification validated. The security personnel must compare the name
and signature entered in the access log with the name and signature of the governmentissued identification. When leaving the area, the security personnel or escort must enter the visitor’s time of departure.Each restricted area access log must be closed out at the end of each month and reviewed by management.
Whenever cleaning and maintenance personnel are working in restricted areas
containing FTI, the cleaning and maintenance activities must be performed in the
presence of an authorized employee.
Allowing an individual to “piggyback” or “tailgate” into a restricted locations should be
prohibited and documented in agency policy. The agency must ensure that all
individuals entering an area containing FTI do not bypass access controls or allow
unauthorized entry of other individuals. Unauthorized access should be challenged by
authorized individuals (e.g., those with access to FTI). Security personnel must be
notified of unauthorized piggyback/tailgate attempts.

31. Implementation and Monitoring
Data Access and training is determined at: New hire, reclassification, and during case management changes.
Mandatory Annual Staff Training & Signing
On-line training
Personal Security & Confidentiality by ISO that include P&P.
Annual recertification and signing for all staff.
In person training for other required staff, (i.e., ITS, Custodian, any necessary staff).
UIFSA is a good example of case management changes – Auditors specifically question UIFSA worker as to transmittals with FTI.

32. Policies & Procedures Highlights…
ONLY Program Supervisors are allowed to order tax returns.
Any FTI documentation is routed to Supervisory staff after being recorded by ISO and is then stored in FTI cabinet.
All workers must lock up case documents in their cabinets at night and ensure a clean desk.
No correspondence may be left on chairs when an employee is out of the office.
Shredding carts are emptied nightly by staff. Any I&Es and related tax returns are recorded and go to a specific shredder bin. Only ISO & Director has key to open that particular bin.
Court prep/Legal files locked in attorney’s cabinet
CMT data that may contain FTI is not allowed to be downloaded and stored on county drives.
IRS cabinet kept in ISO/Manager’s office to allow for 2 locked, secure doors as required by MPS. Manager records and destroys FTI.
We take extra precaution in Napa to ensure: Minimum Protection Standards (MPS)
*We ensure paper must be shredded to effect 5/16-inch-wide or smaller strips. Consideration
should be given to the purchase of cross-cut shredders when replacing or
purchasing new equipment.
If shredding deviates from the 5/16-inch specification, FTI must be safeguarded until it
reaches the stage where it is rendered unreadable through additional means, such as
burning or pulping. As part of our verification of compliance, we literally have staff with an umbrella observing outside (Shred it and walk around with Shred it)--- we finally let them take a chair)

33. Annual Verification and Documentation
Automated system access level audited
Annual ISO training and staff signatures obtained
Training attendance records maintained
Assets & key certification (wet signatures)
Automated (FOB) reports to building access records reviewed semi-annually
Visitor Log secured and stored monthly
Written policies revisited, updated, and are redistributed to staff as appropriate.
As required by NIST , ISO monitors and thus completes verification the every year.

34. On-Site Preparation and Process
Received notice of audit
Complete Matrix
Advise others (ITS) of date and need for accessibility
Review/Update procedures related to Matrix.
Prepare all staff for DCSS/IRS walk through with daily/random checks
On-Site Review Completed
Preliminary Report and/or Findings
CAP if necessary

35. Napa County IRS Audit Two Audit Teams:
LCSA Management-Director and LCSA ISO
Program Supervisory staff
UIFSA case manager
Information Technology
Napa’s IT Security Manager
IT staff

36. Safeguard Review Report
Napa Experience
Safeguard Review Report
(FINDINGS)

37. Napa Findings
FINDING: The child support agency is making unauthorized disclosures of FTI to County of Napa Information Technology Services for the purpose of software maintenance, operation support, system maintenance and off-site storage. (Significant) (Held in Abeyance)…County of Napa Information Technology Services have access to more than the three FTI data elements specifically authorized for disclosure to contractors by IRC 6103(l)(6)(B)(ii) and Publication 1075 section 5.5 for the purposes of establishing and collecting child support obligations:
The address;
Social Security Number of an individual with respect to whom child support obligations are sought to be established or enforced; and
The amount of any reduction under IRC 6402(c) in any overpayment otherwise payable to such individual.
RECOMMENDATION: Agency corrective actions to remove unauthorized contractor access to FTI is held in abeyance pending resolution by OCSE and IRS of conflicting interpretations of federal statutes.
CMT, Iron Mountain finding- what is your IT doing with your data?
Ensure that the alternate storage site provides information security safeguards equivalent to that of the primary site.
Supplemental Guidance from NIST states that: Alternate storage sites are sites that are geographically distinct from primary storage sites. An alternate storage site maintains duplicate copies of information and data in the event that the primary storage site is not available. Items covered by alternate storage site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination of delivery/retrieval of backup media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems.

38. Napa Findings
FINDING: The agency must enhance their SLA with Napa County DCSS and County of Napa Information Technology Services by providing the safeguarding requirements for the protection of FTI. (Moderate)
The agency must enhance their SLA to include Exhibit 7 language. A SLA is required when an agency utilizes services of another state agency requiring the access of FTI. In accordance with Publication 1075 section 5.4.2, to ensure safeguarding requirements follow the data the agency must implement a written agreement documenting the following:
Shared responsibility for the protection of FTI
Required compliance with the Publication 1075
Support to the recipient agency during an on-site Safeguard review
Conducting internal inspections every 18 months
Restrict access to employees on a need-to-know basis
Ensure employees with access are trained and sign confidentiality statements
Restrict disclosures to contractors as authorized by the internal revenue code
Identify responsibility for 45-day Notification
Identify responsibility and primary contacts for incident and response specific to FTI backup
Include appropriate Publication 1075 Exhibit 7 language
RECOMMENDATION: The agency must enhance the current SLA with Napa County DCSS and County of Napa Information Technology Services to include the required safeguard language.

39. Napa Findings
FINDING: The agency does not provide annual disclosure awareness training for the safeguarding of FTI at the County of Napa Information Technology Department and SRC. (Moderate) Granting agency employees and contractors access to FTI must be preceded by each employee and contractor certifying his/her understanding of the agency's security policy and procedures for safeguarding IRS information. In accordance with Publication 1075 section 6.3, the disclosure awareness training must stipulates that:
- Employees and contractors should be advised of the penalty provisions of IRC
§§ 7213, 7213A, and 7431
- The training must cover the incident response policy and procedures for
reporting unauthorized disclosures and data breaches
- Employees must be made aware that disclosure restrictions and the penalties
apply even after employment with the agency ends
- For both the initial certification and the annual certification, the employee or
contractor must sign, either with ink or electronic signature, a confidentiality statement certifying his or her understanding of the security requirements. The initial certification and recertification must be documented and placed in the agency's files for review and retained for at least 5 years
RECOMMENDATION: The agency must provide annual disclosure awareness training to all employees and contractors with access to FTI.

40. Napa Findings
FINDING: The agency does not conduct internal inspections every 18 months covering the safeguarding of FTI County of Napa Information Technology Department for the case files and disaster recovery tapes. (Moderate) Internal inspections are not conducted at 18 month intervals at County of Napa Information Technology Department. To ensure the continuous safeguarding of FTI, the agency must conduct internal inspections of all offices where FTI is resident. Agencies must establish a review cycle as follows:
- Local offices receiving FTI: at least every 3 years
- Headquarters office facilities housing FTI and the agency computer facility: at
least every 18 months
- All contractors with access to FTI, including a consolidated data center or off-
site storage facility: for at least every 18 months
The completed plan must be included as part of the annual SSR in accordance with Publication 1075 section 6.4. Templates for the plan and internal inspections are available at or may be requested by at
D.4 RECOMMENDATION: The agency must conduct internal inspections for the safeguarding of FTI at County of Napa Information Technology Department every 18 months.

41. Craig Neiman Neimanc@saccounty.net
Sacramento County LCSA

42. Early Preparation Identify primary contacts and coordinator
Reference most up-to-date IRS and State DCSS security materials available
Reach out to other counties for lessons learned
As Janet mentioned, counties options 1,2,3… Separate IT departments…

43. Tangible Tasks (Before Audit)
Gather and review your county’s MOU (Memorandums of Understanding) and other Contracts (get them up-to-date)
Have someone ensure security documentation has been done annually by staff (new hire training as well as annuals done by existing staff, also tech support staff who can access FTI)
Complete the IRS Safeguards Disclosure Security Evaluation Matrix and obtain consensus on responses
Dig to discover discrepancies between office policy and what is done in practice

44. Mock Audit Run Through
Walk around the perimeter of the office and test entry points and locked doors.
When visitors come to the office, are the procedures being followed regarding escorts and badges? Does everybody agree as to the definition of visitor?
Walk around the office after normal work hours to look at things like employee work spaces, fax machines, printers.
Review the various logs (temporary badge log, master key log, FTI material logs) with management.

45. Day of Audit
Staff should be prepared in case the auditors request to shadow certain practices (i.e.: trainers who conduct security training, staff who handle FTI logging or materials, destruction of materials, tour of office).
For the shadowing, it was nice to have a designated room with computer and overhead projector in which selected line staff could come in and provide demonstrations for the auditors.
For staff that may respond to the questions, awareness of need to provide succinct accurate responses.
Access to servers and data is needed for their automated system tests.

46. Findings in Sacramento: Non-technical
Non-technical related findings in Sacramento:
Documents received from CA Central Registry containing FTI were being logged correctly but were found stored in a cabinet with wheels.
Sacramento IT Back Up Data Center did not have visitor log in place or adequate safeguards re double barrier requirements for FTI
Labelling and double sealing envelope when sending hardcopy outbound Transmittal 2 documents (CSENet helps)
Logging, scanning and destruction of inbound hardcopy Transmittal 2 documents possessing FTI

47. Findings in Sacramento: Technical (Part 1)
Technical related findings in Sacramento:
Controls required for remote access: county equipment (laptops) with two factor authentication required.
Security patches and latest virus protection
Multi Functional Devices (MFDs) set-up and not using for PDF delivery…needs to be scanned directly into a restricted access folder)
Direct access to Texas Child Support System is prohibited since there are no audit controls

48. Findings in Sacramento: Technical (Part 2)
More technical related findings in Sacramento:
Segregate data bases holding FTI from databases that do not.
Audit controls (logging) needed when FTI info is accessed via our Local Area Data Repository (LADR)
Reports with FTI produced from LADR needed to be labelled, secured, and procedures put in place for their distribution to line staff)

49. Findings in Sacramento: Technical (Part 3)
Technical related findings in Sacramento needing Statewide response:
The CSE, SAT, IDB, CMT, State Repository applications does not allow for auditing to capture access and movement of FTI by each user within the application. The agency does not monitor or review access logs for inappropriate or unusual activity.
Screens that contain FTI in CSE, SAT, LADR, and IDB are not labeled. When FTI is displayed electronically, data elements or screen must be labeled to clearly identify the Federal tax information.
The warning banner that appears prior to accessing FTI does not contain the required language with respect to the CMT and IDB applications on the Secured Website.

50. Corrective Actions
Responses have been provided for the Sacramento County specific findings.
The two factor authentication is still an outstanding item. We are waiting for a County-wide implementation due to a requirement from the California Department of Justice regarding an unrelated audit and finding for our Sacramento Sheriff’s Department.
Transition over to Jesse

51. Access Safeguard Resources Online
The Office of Safeguards maintains Publication 1075, templates, guidance, and
frequently asked questions online at:
Agencies are highly encouraged to periodically visit the website for new updates. The website is maintained with many resources to assist agencies with meeting Publication 1075 requirements. Examples of the website’s features include:
Safeguard alerts and technical assistance memorandums
Recommendations on how to comply with Publication 1075 requirements
Reporting requirement templates (e.g., Safeguard Security Report [SSR]) and
guidance
Instructions for reporting unauthorized accesses, disclosures, or data breaches
Internal inspections report templates and instructions
IRS disclosure awareness videos and resources
All references mentioned in this presentation and additional information can be accessed by DCSS Secure Website at:

52. Questions?
Please complete your evaluations and drop off at back table.
Thank you!