Safeguards Technical Assistance Memorandum
Protecting Federal Tax Information (FTI) By Proactive Auditing

Introduction

The traditional way to audit a system involves identifying issues that have already occurred, then reviewing audit logs to determine which relevant events are of a serious nature. While this "after the fact" or passive auditing is an important tool in data security, an auditing program requires significant resources in people, process and technology to effectively identify potential incidents in a timely manner. Auditing management should be taken to the next level by adopting a proactive approach. By directly identifying relevant security events prior to, during, or after FTI exposure, the agency can progressively manage risk and identify potential security incidents involving FTI in a timely and near-real-time manner.

Typically, auditing entails capturing relevant auditable security events from end to end, that is, from receipt of FTI to its destruction or its return to the original source. The events captured in audit log files contain details of the action performed, the result of the action, and the date and time of the action. Audit logs are a primary tool used by administrators to detect and investigate attempted and successful unauthorized activity. However, policies and procedures often do not specify the regular review of audit logs, reviews are too infrequent or not conducted on a routine basis, and/or the audit review is conducted only after a security incident has occurred. Passive log analysis, while important, fails to realize the proactive benefit of knowing when a security violation is occurring in real time.
Proactive security measures would capture unauthorized activity as it occurs or immediately following the violation and provide the proper personnel with the information they need to react to a violation effectively, which can reduce the impact of the attempt or incident. Currently, IRS Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, requires agencies to perform reactive auditing. However, over the course of the next several years, requirements may be added to Publication 1075 to cover proactive auditing. At this time proactive auditing is strongly recommended, but not required, by the IRS. Given the sheer volume of items in system audit logs, an automated, proactive process will be needed in the future to help identify issues proactively. Additionally, applying proactive audit capabilities across the agency's data as a whole will assist in identifying irregularities that may have been overlooked, while strengthening the agency's entire security posture.

The purpose of this memo is to introduce agencies to some of the concepts for proactive auditing, and to start the dialog between the IRS Office of Safeguards and agencies for discussing proactive auditing techniques and methods.

Techniques for Proactive Auditing

Every agency environment is different, and auditing requirements differ depending on the application being used, the volume of logs generated, and the organizational structure. Proactive auditing should begin with flagging, logging, analyzing, and clearing the incident before moving forward. Logging plays a large role in this process. In order for proactive auditing to be successful, an agency needs to be able to move its logs to a standalone environment, restricted to personnel responsible for security log review. The agency needs to build logical algorithms to conduct analytics of the data in those logs, so that flags are raised proactively when a problem is identified.
Whenever an event is triggered, an alert should be automatically forwarded to management for clearance and thorough investigation to determine whether the access was appropriate (e.g. supported by a business need). If the access is determined to be inappropriate, the agency should report it through its incident response process, in accordance with IRS Publication 1075 requirements, to the appropriate officials within the agency, the IRS Office of Safeguards and the Treasury Inspector General for Tax Administration (TIGTA). While this memo focuses on the protection of FTI, the same techniques can be applied to the protection of state data, addressing risks to both types of data.

The IRS Office of Safeguards recommends exploring the following techniques to proactively alert agency personnel of potential unauthorized access or browsing of FTI:

- Do Not Access List: Create a Do Not Access list to identify high-profile individuals or companies whose records have a high probability of being accessed without proper authorization.
- Time of Day Access: Identify suspicious behavior by tracking FTI accesses outside normal business hours.
- Name Searches: Detect potential unauthorized access by monitoring name searches (especially searches on the same last name as the employee).
- Previous Accesses: Identify employee accesses to TINs which the employee has accessed in the past but for which the employee currently has no case assignment or need to access.
- Volume: Monitor the volume of accesses a person performs and compare it to past case assignment levels.
- Zip Code: Determine if an employee is accessing taxpayers whose address of record is geographically close to the employee's home or work location (e.g. same building, zip code, or block).
- Restricted TINs: Monitor all TINs associated with the employee's past tax returns (spouse, children, businesses, etc.).

These techniques are explained in detail in the sections below.
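The seven techniques listed above, expressed as rules that a standalone log-review environment could run over an application's FTI access log. This is an added example and is not code from the memo or from any agency application: the log record layout, the employee profile fields (case inventory, home and work zip codes, restricted TINs, an expected daily volume derived from case load), the 07:00-19:00 business-hours window, the surname-from-last-word heuristic, and every TIN and name are constructed assumptions.

```python
"""Rule-based review of FTI access-log records (illustrative, constructed data)."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AccessEvent:
    """One line of the application's FTI access log (assumed layout)."""
    employee: str
    tin: str             # taxpayer identification number (constructed values only)
    taxpayer_name: str
    taxpayer_zip: str    # zip code of the taxpayer's address of record
    action: str          # "view" or "name_search"
    timestamp: datetime


@dataclass
class EmployeeProfile:
    """Context each access is compared against (assumed to come from case management)."""
    surname: str
    home_zip: str
    work_zip: str
    active_cases: set          # TINs currently assigned to the employee
    past_cases: set            # TINs assigned in earlier periods, no current need
    restricted_tins: set       # TINs drawn from the employee's own past returns
    expected_daily_volume: int # baseline number of accesses justified by case load


BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 treated as normal operation (assumption)


def review(events, profiles, do_not_access):
    """Apply techniques #1-#7; return a list of (technique, employee, detail) flags."""
    flags = []
    per_day = Counter()
    for e in events:
        p = profiles[e.employee]
        if e.tin in do_not_access:                                  # #1 Do Not Access list
            flags.append(("do_not_access", e.employee, e.tin))
        if e.timestamp.hour not in BUSINESS_HOURS:                  # #2 Time of day
            flags.append(("time_of_day", e.employee, e.timestamp.isoformat()))
        if e.action == "name_search":                               # #3 Name searches
            if e.taxpayer_name.split()[-1].lower() == p.surname.lower():
                flags.append(("name_search_same_surname", e.employee, e.taxpayer_name))
            if e.tin not in p.active_cases:
                flags.append(("name_search_outside_inventory", e.employee, e.tin))
        if e.tin in p.past_cases and e.tin not in p.active_cases:   # #4 Previous accesses
            flags.append(("previous_access", e.employee, e.tin))
        if e.taxpayer_zip in (p.home_zip, p.work_zip):              # #6 Zip code
            flags.append(("zip_code", e.employee, e.taxpayer_zip))
        if e.tin in p.restricted_tins:                              # #7 Restricted TINs
            flags.append(("restricted_tin", e.employee, e.tin))
        per_day[(e.employee, e.timestamp.date())] += 1
    for (emp, day), n in sorted(per_day.items()):                   # #5 Volume
        if n > profiles[emp].expected_daily_volume:
            flags.append(("volume", emp, f"{n} accesses on {day}"))
    return flags


def sample_flags():
    """Run the rules over one constructed day of log lines for one employee."""
    profiles = {
        "jdoe": EmployeeProfile(
            surname="Doe", home_zip="30301", work_zip="30303",
            active_cases={"222-22-2222", "333-33-3333"},
            past_cases={"444-44-4444"},
            restricted_tins={"555-55-5555"},
            expected_daily_volume=3,
        )
    }
    do_not_access = {"111-11-1111"}  # constructed high-profile TIN

    def at(hour, minute):
        return datetime(2011, 3, 14, hour, minute)

    events = [  # constructed log records
        AccessEvent("jdoe", "222-22-2222", "Pat Smith", "90210", "view", at(10, 0)),   # assigned case
        AccessEvent("jdoe", "111-11-1111", "Famous Person", "90210", "view", at(10, 5)),
        AccessEvent("jdoe", "666-66-6666", "Ann Doe", "90210", "name_search", at(11, 0)),
        AccessEvent("jdoe", "444-44-4444", "Old Case", "90210", "view", at(22, 30)),
        AccessEvent("jdoe", "555-55-5555", "Sam Doe", "30301", "view", at(12, 0)),
    ]
    return review(events, profiles, do_not_access)


def techniques_triggered(flags):
    """Distinct technique names that fired, for a summary to management."""
    return sorted({technique for technique, _, _ in flags})


if __name__ == "__main__":
    for flag in sample_flags():
        print(flag)
```

Only the first record passes every rule; the remaining four raise the other flags, and the day's total of five accesses against an expected three raises the volume flag. Each flag is a review item for management, not a finding in itself: the memo's process still requires investigation to establish whether a business need existed before anything is reported. A real deployment would replace the single business-hours window with per-user baselines (the memo's "users who normally operate at these times") and take the surname from the employee record rather than from the last word of the name.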
#1 Do Not Access List

Create a state-wide Do Not Access list containing high-profile individuals as well as other restricted Taxpayer Identification Numbers (TINs). The list will be custom to the state and contain the names of high-profile individuals that live or file tax returns in the state, where those individuals' tax records are more likely to be accessed in an unauthorized manner. The list will ensure that their data is monitored and tracked on a proactive basis, so that any unauthorized access, modification, deletion, or movement of their FTI is flagged immediately. A state-wide Do Not Access list can include, but is not limited to: celebrities, artists, entertainers, athletes, high-ranking government or military officials, CEOs, and religious leaders. The list should be updated and revalidated at least annually to maintain effectiveness and accuracy.

#2 Time of Day Access

If FTI is accessed outside of normal hours of operation, it may alert management to suspicious behavior. By analyzing atypical activity and filtering out specific users who normally operate at these times, the agency has a better chance of detecting unauthorized access. The accesses performed by the individual should be flagged for review.

#3 Name Searches

Generally case workers are assigned a defined number of cases, and the TINs associated with these cases are also predefined. Therefore, if an individual is performing name searches for TINs that are outside of their case inventory, or on people with the same surname, a flag should be raised for potential unauthorized access. If an individual is performing searches on cases they were assigned in the past, without a current need, those searches should be flagged for review to determine their validity.

#4 Previous Accesses

Monitor employee accesses to TINs which the employee has accessed in the past but for which the employee currently has no case assignment or need to access.
This scenario generally indicates an unauthorized access to a tax record where the employee has a personal relationship.

#5 Volume

If the volume of FTI accesses (i.e., relative to case assignments) exceeds the expected amount of access for an employee's case load, these accesses should be flagged for review. The personnel accessing those files must have a justifiable need for their actions. An example of this is an employee who has performed searches on thousands of taxpayers when their case assignment indicates that a significantly smaller number of searches is appropriate. This may provide a very clear indication that the employee is accessing FTI which they do not need to know in order to complete their job.

#6 Zip Code

Determine if an employee is accessing taxpayer records within the same small geography as the employee (i.e. same zip code). This type of access may indicate that an employee is accessing information about people they know.

#7 Restricted TINs

A list of restricted TINs should be created for each employee that includes anyone who has ever been identified on the employee's personal tax return. This list could contain information about the employee's spouse, ex-spouse, children, family, business partners, etc. If the employee attempts to access FTI for any individual on the list, the access should be flagged for review.

Implementing Proactive Auditing

Proactive auditing is a new and challenging technique for identifying and managing the risk of unauthorized disclosure of FTI. It will take auditing to the next level and help agencies identify and respond to unauthorized FTI access in a more efficient and timely manner. The IRS would like to partner with agencies and application software vendors to develop proactive auditing requirements and data mining techniques.
If any agency is in the process of implementing or has implemented proactive auditing, or has feedback regarding the techniques, please contact the IRS Office of Safeguards at SafeguardReports@IRS.gov to schedule a conference call to discuss the details of the implementation.

References:

IRS Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies (http://www.irs.gov/pub/irs-pdf/p1075.pdf)

NIST Special Publication (SP) 800-53 Revision 3, Recommended Security Controls for Federal Information Systems and Organizations (http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf)

NIST SP 800-92, Guide to Computer Security Log Management (http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf)

NIST SP 800-123, Guide to General Server Security, which will serve as the basis for these requirements (http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf)