Hello and welcome!
Today I will be talking to you about the use of automated scans during an on-site Safeguard Review for the Internal Revenue Service (IRS) Office of Safeguards.
The release of federal tax information (FTI) to a federal, state or local agency requires compliance with the Internal Revenue Code section 6103 and a coordinated effort within the Office of Safeguards to protect the data.
The IRS Safeguards Computer Security Review Team evaluates the protection of FTI through agency compliance with IRS Publication 1075 and NIST Publication 800-53.
We review agency computer systems for Federal Information Security Management Act compliance during an on-site review.
The majority of this inspection is a paper and a data collection exchange, followed by a report to the agency to correct deficiencies.
We determine the scope of an on-site review in advance to better understand the flow of FTI and which systems are best for automated review scans.
To enhance our ability to identify, monitor and mitigate risk to FTI, the Office of Safeguards uses an automated tool.
Our computer security reviewers have performed hundreds of credentialed compliance scans with zero agency network interruptions.
This scanning tool complements compliance checking, discovers missing security patches and identifies known weaknesses with specific software installed on the host computer.
During an on-site review, our computer security reviewer uses IRS government laptops with the updated automated tool installed.
Keep in mind that these laptops are used only for scanning with the automated tool.
Safeguards developed a compiler called the Finding Generator, which compares the Center for Internet Security (CIS) benchmark test IDs to the automated scan file of each system scanned.
We then use an algorithm developed by the Safeguards team to compare the converted CIS benchmarks to the test controls in the Safeguards Computer Security Evaluation Matrices (or SCSEMs).
The automated tool only looks at the security of the systems being scanned.
We use customized audit files and templates that are essentially .xml files tailored to IRS Publication 1075 requirements.
With the automated tool, we test systems such as Windows, Red Hat Linux, IBM AIX, Oracle Solaris, Cisco ASA firewalls and VMware ESXi, to name a few.
When configuring information systems, we look for a balance of confidentiality, integrity and availability.
This is known as the CIA Triad.
Although the CIA Triad is a framework used across the information security industry, we will focus on the CIA Triad as it pertains to FTI.
The CIA Triad ensures that FTI is only provided to personnel and systems that are authorized to access the information (confidentiality), that the data has not been tampered with and can be validated (integrity), and that the information systems and FTI are accessible when needed (availability).
At the time of purchase, most information systems are partially configured.
The scans of partially configured systems usually score between 35 and 45 percent.
By utilizing the automated scans and the Safeguards Computer Security Evaluation Matrices as a guide to configure their information systems, agencies have greatly improved their compliance.
The scores typically improve in the range of 65 to 85 percent.
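The following is an added illustration of the kind of processing the Finding Generator and the scoring described above perform: it takes one host's scan results keyed by CIS benchmark test ID, maps those test IDs onto SCSEM test controls, produces a finding for each control that has failing evidence, and computes a compliance percentage. This is not the Office of Safeguards' own code, and its internals are not public; the XML shape of the scan file, the CIS test IDs, the control IDs and the test-to-control mapping are all constructed placeholders for the example. One design choice worth noting: a control that has no scan evidence at all is reported as "not tested" and excluded from the percentage, rather than being silently counted as a pass.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed scan output for one host. Real audit-file and scan-result formats
# are tool-specific; this shape is an assumption made for the example only.
SAMPLE_SCAN_XML = """<scan host="db-server-01">
  <check id="1.1.1" result="PASSED"/>
  <check id="1.1.2" result="FAILED"/>
  <check id="2.3.1" result="PASSED"/>
  <check id="5.1.1" result="PASSED"/>
</scan>"""

# Constructed mapping from CIS benchmark test IDs to SCSEM control IDs.
# The control IDs are placeholders, not real SCSEM identifiers.
CIS_TO_SCSEM = {
    "1.1.1": ["CTRL-IA-1"],  # password length   -> one control, first piece of evidence
    "1.1.2": ["CTRL-IA-1"],  # password history  -> same control, second piece of evidence
    "2.3.1": ["CTRL-AU-1"],  # audit log retention
    "5.1.1": ["CTRL-AC-1"],  # account lockout
    "9.9.9": ["CTRL-SC-1"],  # mapped, but the sample scan produced no result for it
}
# Controls in scope for the review; CTRL-CM-1 has no CIS test mapped to it at all.
SCSEM_CONTROLS = ["CTRL-IA-1", "CTRL-AU-1", "CTRL-AC-1", "CTRL-SC-1", "CTRL-CM-1"]


@dataclass
class ControlResult:
    control_id: str
    status: str                               # "pass", "fail" or "not_tested"
    failed_tests: list = field(default_factory=list)


def parse_scan(xml_text):
    """Reduce the scan file to {cis_test_id: "pass" | "fail"}."""
    root = ET.fromstring(xml_text)
    return {c.get("id"): ("pass" if c.get("result") == "PASSED" else "fail")
            for c in root.iter("check")}


def evaluate_host(scan_results, cis_to_scsem, scsem_controls):
    """Roll CIS test results up to SCSEM controls for one scanned host."""
    # Invert the mapping: control -> CIS tests that supply evidence for it.
    evidence = {control: [] for control in scsem_controls}
    for test_id, controls in cis_to_scsem.items():
        for control_id in controls:
            if control_id in evidence:
                evidence[control_id].append(test_id)

    results = {}
    for control_id, tests in evidence.items():
        observed = [t for t in tests if t in scan_results]
        if not observed:
            # No evidence in this scan: do not count it as a pass.
            results[control_id] = ControlResult(control_id, "not_tested")
            continue
        failed = [t for t in observed if scan_results[t] != "pass"]
        results[control_id] = ControlResult(control_id, "fail" if failed else "pass", failed)
    return results


def findings(results):
    """Controls that need a corrective-action entry in the report."""
    return [r for r in results.values() if r.status == "fail"]


def compliance_score(results):
    """Percentage of tested controls that passed, rounded to one decimal."""
    tested = [r for r in results.values() if r.status != "not_tested"]
    if not tested:
        return 0.0
    passed = sum(1 for r in tested if r.status == "pass")
    return round(100.0 * passed / len(tested), 1)


if __name__ == "__main__":
    scan = parse_scan(SAMPLE_SCAN_XML)
    results = evaluate_host(scan, CIS_TO_SCSEM, SCSEM_CONTROLS)
    for f in findings(results):
        print(f"FINDING {f.control_id}: failing CIS tests {f.failed_tests}")
    not_tested = [r.control_id for r in results.values() if r.status == "not_tested"]
    print(f"Not tested: {not_tested}")
    print(f"Compliance score: {compliance_score(results)}%")
```

Running the block prints one finding (CTRL-IA-1, because one of its two evidence tests failed), lists CTRL-SC-1 and CTRL-CM-1 as not tested, and reports a score of 66.7 percent over the three controls that had evidence.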
We hope you’ve found this podcast useful.
If your agency has questions about our use of automated tools, submit your questions to the Safeguards mailbox at SafeguardReports@irs.gov and/or visit the IRS Safeguards website at www.irs.gov, keyword Safeguards.