Solutions for Enabling IRS 1075 Compliance - Chris Boswell North American Security
Page content transcription
If your browser does not render page correctly, please read the page content below
WHITE PAPER | SEPTEMBER 2013 Solutions for Enabling IRS 1075 Compliance Chris Boswell North American Security
2 | WHITE PAPER: IRS 1075 COMPLIANCE ca.com Table of Contents Executive Summary 3 Section 1: 4 Overview IRS Pub 1075 Section 2: 9 Additional Safeguard Requirements Section 3: 11 System Audit Management Guidelines Section 4: 12 Conclusions Section 5: 12 References Section 6: 26 About the Author
3 | WHITE PAPER: IRS 1075 COMPLIANCE ca.com Executive Summary Challenge State and local governments manage and process large volumes of sensitive data on behalf of their constituents every day. As a result, these organizations are subject to a wide variety of both industry and federal information protection and compliance requirements. Opportunity CA Technologies offers a suite of security solutions that can help government agencies better protect this sensitive data. By mapping solutions to specific requirements of IRS Pub 1075, you can easily see how to address these security needs. Benefits There are multiple ways to address any situation. This paper will describe the various solution offerings from CA Technologies provides to protect Federal Tax Information (FTI) and help satisfy requirements outlined in the Internal Revenue Service Tax Information Security Guidelines for Federal, State and local Agencies (IRS Pub 1075).
4 | WHITE PAPER: IRS 1075 COMPLIANCE ca.com Section 1: Overview IRS Pub 1075 Internal Revenue Service Publication 1075 defines a broad set of managerial, operational and technical security controls that must be in place to protect Federal Tax Information. The general areas of security addressed in this document are listed in the figure below: Audit and Awareness and Security Access Control Accountability Training Assessment and Authorization Identification Incident Configuration Contingency and Response and Management Planning Authorization Reporting Media Access Personnel Maintenance Protection Planning Security System and System and System and Risk Assessment Services Communications Information Acquisition Protection Integrity
5 | WHITE PAPER: IRS 1075 COMPLIANCE ca.com While many of the controls are described in detail within the document itself, the standard also requires implementation and assessment of certain federally mandated controls outlined in NIST Special Publication 800-53. Below is a listing of those control areas and the CA Technologies security solutions that can be used to help achieve each high-level compliance objective: CA Technologies Security Products Mapped to NIST SP 800-53 Controls CA GovernanceMinder™ CA AuthMinder™ and CA IdentityMinder™ CA ControlMinder™ Reporting Module CA DataMinder™ CA User Activity CA RiskMinder™ CA SiteMinder ® Control Name AC-1 Access Control Policies and Procedures Primarily Procedural Control: No CA Technologies Security Solutions map to this objective AC-2 Account Management 4 4 AC-3 Access Enforcement 4 4 AC-4 Information Flow Enforcement 4 4 AC-5 Separation of Duties 4 4 AC-6 Least Privilege 4 4 AC-7 Unsuccessful Login Attempts 4 4 AC-8 System Use Notification 4 AC-11 Session Lock 4 4 AC-14 Permitted Actions w/o Identification or Authentication 4 4 4 4 AC-17 Remote Access 4 4 4 AC-18 Wireless Access No CA Security Solutions map to this objective AC-19 Access Control for Mobile and Portable Devices 4 4 AC-20 Use of External Systems 4 4 AC-22 Publicly Accessible Content 4 AT-1-4 Awareness and Training Primarily Procedural Control: No CA Technologies Security Solutions map to this objective AU-1,2,4 Audit and Accountability Primarily Procedural Control: No CA Technologies Security Solutions map to this objective AU-3 Content of Audit Records 4 4 4 4 4 4 4 AU-5 Response to Audit Processing Failures 4
6 | WHITE PAPER: IRS 1075 COMPLIANCE ca.com CA GovernanceMinder™ CA AuthMinder™ and CA IdentityMinder™ CA ControlMinder™ Reporting Module CA DataMinder™ CA User Activity CA RiskMinder™ CA SiteMinder ® Control Name AU-6 Audit Review, Analysis and Reporting 4 4 4 4 4 4 4 AC-7 Audit Reduction and Report Generation 4 AC-8 Time Stamps 4 4 4 4 AC-9 Protection of Audit Information 4 4 AC-11 Audit Record Retention 4 CA-1-7 Security Assessment and Authorization Primarily Procedural Control: No CA Technologies Security Solutions map to this objective CM-1- Configuration Management Primarily Procedural Control: No CA Technologies 4,8,9 Security Solutions map to this objective CM-2 Baseline Configuration 4 CM-5 Access Restrictions for Change 4 4 CM-6 Configuration Settings 4 CM-7 Least Functionality 4 CP-1-10 Contingency Planning Primarily Procedural Control: No CA Technologies Security Solutions map to this objective IA-1 Identification and Authentication Policy and Procedures Primarily Procedural Control: No CA Technologies Security Solutions map to this objective IA-2 User Identification and Authentication 4 4 4 IA-4 Identifier Management 4 IA-5 Authenticator Management 4 4 4 IA-6 Authenticator Feedback 4 4 IA-7 Cryptographic Module Authentication 4 4 IA-8 Identification and Authentication (non-organizational users 4 4 IR-1-4,8 Incident Response Primarily Procedural Control: No CA Technologies Security Solutions map to this objective IR-5 Incident Monitoring 4 IR-6 Incident Reporting 4
7 | WHITE PAPER: IRS 1075 COMPLIANCE ca.com CA GovernanceMinder™ CA AuthMinder™ and CA IdentityMinder™ CA ControlMinder™ Reporting Module CA DataMinder™ CA User Activity CA RiskMinder™ CA SiteMinder ® Control Name IR-7 Incident Response Assistance 4 MA-1- System Maintenance Primarily Procedural Control: No CA Technologies 3, 6 Security Solutions map to this objective MA-4 Non-local Maintenance 4 MA-5 Maintenance Personnel 4 MP-1, Media Protection Primarily Procedural Control: No CA Technologies 3-6 Security Solutions map to this objective MA-5 Media Access 4 PE-1-18 Physical and Environmental Protection Primarily Procedural Control: No CA Technologies Security Solutions map to this objective PL-1-6 Security Planning Primarily Procedural Control: No CA Technologies Security Solutions map to this objective PS-1-3, Personnel Security Primarily Procedural Control: No CA Technologies 6, 8 Security Solutions map to this objective PS -4 Personnel Termination 4 4 4 4 PS -5 Personnel Transfer 4 4 PS -7 Third Party Personnel Security 4 4 RA - 1-5 Risk Assessment Primarily Procedural Control: No CA Technologies Security Solutions map to this objective SA1-11 System and Services Acquisition Primarily Procedural Control: No CA Technologies Security Solutions map to this objective SC-1, 8, System and Communications Protection No CA Technologies Security Solutions map 9, 17-22, to this objective 32 SC-2 Application Partitioning 4 SC-4 Information Remnance 4 4 SC-5 Denial Of Service Protection 4 SC-7 Boundary Protection 4 4 SC-10 Network Disconnect 4
8 | WHITE PAPER: IRS 1075 COMPLIANCE ca.com CA GovernanceMinder™ CA AuthMinder™ and CA IdentityMinder™ CA ControlMinder™ Reporting Module CA DataMinder™ CA User Activity CA RiskMinder™ CA SiteMinder ® Control Name SC-12 Cryptographic Key Establishment and Management 4 4 SC-13 Use of Cryptography 4 SC-14 Public Access Protections 4 4 SC-15 Collaborative Computing Devices SC-23 Session Authenticity 4 SC-28 Protection of Information at Rest 4 SI-1-3,5, System and Information Integrity No CA Technologies Security Solutions map 8, 10, to this objective 11 SI-4 Information System Monitoring Tools and Techniques 4 4 4 SI-7 Software and Information Integrity 4 SI-9 Information Input Restrictions 4 PM-1-11 Program Management Primarily Procedural Control: No CA Technologies Security Solutions map to this objective
9 | WHITE PAPER: IRS 1075 COMPLIANCE ca.com Section 2: Additional Safeguard Requirements Additional safeguard requirements for Federal Tax Information may be supplemented by the Office of Safeguards between editions of IRS publication 1075. Some of these additional safeguards are referenced in the current edition of Pub 1075, but there are also more safeguards communicated directly on the IRS website. Below is a table listing relevant additional safeguards that may be satisfied by one or more CA solution to help achieve compliance: Authoritative Description CA Technologies Capabilities Guidance Section 9.18.3 Two-factor authentication is required whenever FTI is CA AuthMinder and CA RiskMinder work together to Remote access being accessed from an alternate work location or if provide two-factor step-up authentication services based accessing FTI via the agency’s web portal. on risk factors such as the device being used to access information or location where users are initiating their sessions. Section 9.18.5 • Generally, FTI should not be transmitted or used on CA Email Control provides robust data loss protection Electronic email the agency’s internal e-mail systems. capabilities to prevent your organization’s FTI from • FTI must not be transmitted outside of the agency, seeping into email. With out of the box policies to detect either in the body of an email or as an attachment. and control tax information, CA DataMinder can be rapidly deployed to help ensure that such information • Do not send FTI unencrypted in any email messages. is not transmitted via email and, when necessary, • The file containing FTI must be attached and encrypted. appropriately encrypt messages before submission. Section 9.18.8 The use of live FTI in test environments should generally ITKO’s CA LISA platform optimizes the development and Use of FTI in live be avoided and is not approved unless specifically testing of composite applications and can be leveraged data testing authorized by the IRS Office of Safeguards. Dummy data to create obfuscated dummy data in compliance with should be used in place of live FTI wherever possible. IRS live data requirements. In addition, CA LISA can reduce software delivery timelines by 30% or more by leveraging a proprietary service virtualization technology Section 9.18.9 Access to FTI via the web portal requires a strong identity CA AuthMinder + CA SiteMinder work together to provide Safeguards verification process. The authentication must use a a common security infrastructure for all web portals, technical minimum of two pieces of information although more providing strong authentication to sites where sensitive assistance for than two are recommended to verify the identity. information such as FTI may be accessed. Protecting One of the authentication elements must be a shared Federal Tax secret only known to the parties involved and issued Information by the agency directly to the customer. (FTI) in web portals
10 | WHITE PAPER: IRS 1075 COMPLIANCE ca.com Authoritative Description CA Technologies Capabilities Guidance Section 9.18.12 • When FTI is stored in a shared location, the agency CA ControlMinder™ for Virtual Environments can be Protecting must have policies in place to restrict access to FTI deployed to satisfy a majority of the virtual security FTI in virtual to authorized users. requirements outlined by the IRS. The solution not only environments • Programs that control the hypervisor should be provides capabilities to lock down and the harden host secured and restricted to authorized administrators only. and hypervisor, but also provides a powerful policy enforcement engine to prevent FTI from being accessed • Separation between virtual machines (VMs) must by unauthorized users and administrators. The enhanced be enforced, and functions which allow one VM to auditing capabilities provided by Access Control will also share data with the hypervisor or another VM, such as allow monitoring of virtual environments for insider and clipboard sharing or shared disks, must be disabled. other threats that could result in unauthorized disclosure • Virtualization providers must be able to monitor for or modification of FTI. threats and other activity that is occurring within the virtual environment. This includes being able to monitor the movement of FTI into and out of the virtual environment. • The VMs and hypervisor/ host OS software for each system within the virtual environment that receives, processes, stores or transmits FTI must be hardened in accordance with the requirements of Publication 1075 and be subject to frequent vulnerability testing. • Special VM functions available to system administrators in a virtualized environment that can leverage the shared memory space in a virtual environment between the hypervisor and VM should be disabled. • Backups (virtual machine snapshot) must be properly secured and must be stored in a logical location where the backup is only accessible to those with a need to know. Section 9.8.14 Software, data, and services that receive, transmit, CA ControlMinder for Virtual Environments can be Protecting process, or store FTI must be isolated within the cloud deployed in your cloud infrastructure to promote secure FTI in a cloud environment so that tenants sharing physical space multi-tenancy. Through tight integration with VMware, computing cannot access their neighbors’ physically co-located data CA ControlMinder streamlines and automates the isolation environment and applications. of various operating environments based on a unique guest and host automated tagging capability. As a result, tenants can share physical space without being able to access physically co-located data and applications.
11 | WHITE PAPER: IRS 1075 COMPLIANCE ca.com Section 3: System Audit Management Guidelines Below is a listing of the system auditing guidance outlined in IRS Pub 1075. CA User Activity Reporting Module (UARM) can ingest logs from various operating system and application sources and provide reports to help satisfy the auditing requirements listed below. Event No. System Auditing Guidance 01 The audit trail shall capture all successful login and logoff attempts. 02 The audit trail shall capture all unsuccessful login and authorization attempts. 03 The audit trail shall capture all identification and authentication attempts. 04 The audit trail shall capture all actions, connections and requests performed by privileged users (a user who, by virtue of function, and/or seniority, has been allocated powers within the computer system, which are significantly greater than those available to the majority of users. Such persons will include, for example, the system administrator(s) and network administrator(s) who are responsible for keeping the system available and may need powers to create new user profiles as well as add to or amend the powers and access rights of existing users). 05 The audit trail shall capture all actions, connections and requests performed by privileged functions. 06 The audit trail shall capture all changes to logical access control authorities (e.g., rights, permissions). 07 The audit trail shall capture all system changes with the potential to compromise the integrity of audit policy configurations, security policy configurations and audit record generation services. 08 The audit trail shall capture the creation, modification and deletion of objects including files, directories and user accounts. 09 The audit trail shall capture the creation, modification and deletion of user accounts and group accounts. 10 The audit trail shall capture the creation, modification and deletion of user account and group account privileges. 11 The audit trail shall capture: i) the date of the system event; ii) the time of the system event; iii) the type of system event initiated; and iv) the user account, system account, service or process responsible for initiating the system event. 12 The audit trail shall capture system startup and shutdown functions. 13 The audit trail shall capture modifications to administrator account(s) and administrator group account(s) including: i) escalation of user account privileges commensurate with administrator-equivalent account(s); and ii) adding or deleting users from the administrator group account(s). 14 The audit trail shall capture the enabling or disabling of audit report generation services. 15 The audit trail shall capture command line changes, batch file changes and queries made to the system (e.g., operating system, application, database). Page 107 16 The audit trail shall be protected from unauthorized access, use, deletion or modification. 17 The audit trail shall be restricted to personnel routinely responsible for performing security audit functions.
12 | WHITE PAPER: IRS 1075 COMPLIANCE ca.com Section 4: Conclusions IRS Publication 1075 outlines a wide variety of technical, operational and managerial controls that must be implemented to protect sensitive Federal Tax Information. While the analysis provided in this document provides a clear outline of the types of technologies that can be deployed to help satisfy those compliance requirements, each organization’s priorities and needs will be different. CA welcomes the opportunity to discuss how our technology can help accelerate and streamline your current initiatives and build a sustainable compliance infrastructure going forward. Section 5: References Appendix A: Unified Compliance Framework For Common State Regulatory Requirements All states are subject to a number of both Federal and industry-related information processing requirements. While the focus of this paper is on IRS Pub 1075, the following table is designed to help your organization frame and prioritize its security initiatives against a more holistic view of broader common requirements, including HIPAA and PCI. HIPAA Security Rule HIPAA Privacy Rule Requirements CSR CMS Core Security HIPAA Electronic CA Technologies PCI PA DSS 1.1 NIST 800-53A Health Record IRS Pub 1075 Requirement NIST 800-53 Technology Control ID Solutions Establish and 00637 § 5.6.2, § 3.4, App AU-2, § 4.2 CSR § 164.312 CA UARM maintain logging Exhibit 4 F § AU-2 AU-2.2, 1.4.1(2), (b) and monitoring AU-1 CM-5(1), CSR 2.1, operations. CM-5.8 CSR 3.1.4 Operationalize 00638 § 5.6.2, App F § AU-3, AU- CSR 2.1.1, CA ControlMinder, key logging Exhibit AU-3 3.2 CSR 2.1.3, CA UARM and monitoring 4 AU-2, CSR 3.2.3, concepts and Exhibit 6 CSR 3.4.1, events to ensure CSR 4.2.2 the audit trails capture sufficient information.
13 | WHITE PAPER: IRS 1075 COMPLIANCE ca.com HIPAA Security Rule HIPAA Privacy Rule Requirements CSR CMS Core Security HIPAA Electronic CA Technologies PCI PA DSS 1.1 NIST 800-53A Health Record IRS Pub 1075 Requirement NIST 800-53 Technology Control ID Solutions Enable logging 00640 § 5.6.2, § 4.1 CSR 2.1.2, § 170.302 CA UARM for all systems Exhibit 4 CSR 2.1.7 (r)(2) that meet AU-3 traceability criteria. Review audit 00596 § 5.6.2, App F § AU-6, AU- CSR § CA UARM logs, Intrusion Exhibit AU-6, App 6.2, SI-4 1.6.1(4), 164.408(a) Detection System 4 AU-6, F § AU-6(4) CSR 2.1.12, (1)(ii)(D) reports, security Exhibit 4 CSR 3.1.3, incident tracking AU-7 CSR 3.4.1, reports, and CSR 4.2.2, other security CSR 7.3.6, logs regularly. CSR 10.2.3, CSR 10.10.5 (10) Log and report to 00653 § 7.2, § App F § CSR 3.1.3 § 160. CA UARM management the 7.4, § 8.1, AU-6 310(a) periodic reviews Exhibit of compliance 3(E) checklists, and audit reports. Limit logs and 01342 Exhibit 9 CSR 2.1.4, audit trails to Event 17 CSR 2.1.6 a need to know basis. Use file integrity 01345 § 5.6.2, App F § AU-9, AU- § 170.302 CA ControlMinder, and change Exhibit AU-9(1), 9.2 (s)(3) CA UARM modification 4 AU-9, App F § tools to protect Exhibit 9 AU-9(3) audit logs or log Event 16 management infrastructure from alteration. Archive the 00674 § 5.6.2, AU-9(1), CSR 2.1.11 CA UARM audit trail and Exhibit 4 AU-9.7 log history in AU-11 accordance with regulations or organizational standards.
14 | WHITE PAPER: IRS 1075 COMPLIANCE ca.com HIPAA Security Rule HIPAA Privacy Rule Requirements CSR CMS Core Security HIPAA Electronic CA Technologies PCI PA DSS 1.1 NIST 800-53A Health Record IRS Pub 1075 Requirement NIST 800-53 Technology Control ID Solutions Protect against 04547 § 5.6.2, App F § AU-9, AU- CSR 2.1.4, CA ControlMinder misusing Exhibit 4 AU-9 9.2 CSR 2.1.6 automated AU-9 audit tools. Technical 00508 § 5.6.15, App F § SC-1, SI-1 security. Exhibit SC-1, App F 4 SC-1, § SI-1 Exhibit 4 SI-1 Establish 00512 § 5.6.1, AC-3.2, CSR 2.2.1, § 164.3 CA ControlMinder and maintain Exhibit AC-13.4, CSR 2.2.22, 08(a)(4)(i), access policies 4 AC-1, AC-13.5, CSR 2.9.1, § 164.312 and access Exhibit 6 AC-13.6 CSR 2.11.1, (a)(1) procedures. CSR 2.11.2, CSR 10.10.1 Establish and 00513 § 5.6.7, App F § IA-1 § 3.1, § CSR 2.8.1, § 164. § 164. CA IdentityMinder, maintain an Exhibit AC-2(7), 3.2 CSR 2.9.4, 308(a) 504(f) CA GovernanceMinder™, identification, 4 IA-1, App F § CSR 2.9.5, (3)(i), § (2)(iii) CA ControlMinder authentication, Exhibit 6 AC-14(a), CSR 164.308( (A) and access App F § 2.13.2, a)(3)(ii)(A) rights AC-14(b), CSR 10.3.6 management App F § plan. AC-14(1), App F § IA- 1, App F § IA-4, App F § IA-5 Maintain 00004 § 5.6.1, App F § AC-3.1, CSR § 164.308 § 164. CA ControlMinder, control over Exhibit 4 AC-2(6), AC-3.3 1.4.1(3), (a)(3) 514 CA SiteMinder, access rights AC-13 App F § CSR 2.8.2, (ii)(B), § (d)(2) CA IdentityMinder and user AC-2(7), CSR 164.308( (ii) privileges. App F § 2.10.2, a)(4)(ii)(B), AU-9(4) CSR § 164.308( 2.10.3, a)(4)(ii)(C) CSR 3.3.2, CSR 10.7.8 Verify all 01273 § 5.6.1, App F § IA-2, § 3.1.a, § CSR 2.9.8, § 164.312 § CA IdentityMinder, user IDs are § 5.6.7, IA-2, App IA-2.3, IA- 3.2 CSR (a)(2)(i) 170.302(o) CA GovernanceMinder unique and Exhibit F § IA-4 2.6, IA-4 2.9.15, require proper 4 AC-5, CSR 7.3.3 authentication. Exhibit 4 IA-2
15 | WHITE PAPER: IRS 1075 COMPLIANCE ca.com HIPAA Security Rule HIPAA Privacy Rule Requirements CSR CMS Core Security HIPAA Electronic CA Technologies PCI PA DSS 1.1 NIST 800-53A Health Record IRS Pub 1075 Requirement NIST 800-53 Technology Control ID Solutions Establish 01411 § 5.6.1, App F § AC- AC-6, CSR CA ControlMinder, access rights Exhibit 6, App F AC-14, 1.4.1(7), CA IdentityMinder based on least 4 AC-6, § AC-6(1), AC-14.5, CSR 2.5.4, privilege. Exhibit 4 App F § AC- AC-14(1), CSR 2.7.2, CM-7 6(2), App F AC-14.10 CSR 3.2.3 § AC-6(3), App F § AC- 6(4), App F § AC-6(5), App F § AC- 6(6), App F § AC-14, App F § AC- 14(1), App F § SC-15, App F § SC-15(1) Assign 00538 § 5.1, § CSR § 164. § 170.302(p) CA IdentityMinder, privileges based 5.2, Exhibit 2.9.16, 504 CA GoveranceMinder on job function 3(C) CSR (f )(2) responsibilities. 2.12.1, (iii)(B) CSR 3.3.1, CSR 3.6.4, CSR 4.5.1, CSR 4.6.3, CSR 7.4.1 Establish 01412 § 5.6.1, App F § App F AC-7, CSR 2.9.10 CA ControlMinder, lockout Exhibit AC-2(6), § AC-7, AC-7.5 CA IdentityMinder, procedures or 4 AC-7, App F § App F § CA SiteMinder mechanisms Exhibit 8 AC-2(7), AC-7(1), to be triggered Control 10 App F § App F § after a AU-9(4) AC-7(2) predetermined number of consecutive logon attempts. Establish 01417 § 5.6.1, App F § AC-11, CSR 2.9.8 CA ControlMinder, session lock Exhibit 4 AC-11, AC-11.3 CA SiteMinder capabilities. AC-11 App F § AC-11(1)
16 | WHITE PAPER: IRS 1075 COMPLIANCE ca.com HIPAA Security Rule HIPAA Privacy Rule Requirements CSR CMS Core Security HIPAA Electronic CA Technologies PCI PA DSS 1.1 NIST 800-53A Health Record IRS Pub 1075 Requirement NIST 800-53 Technology Control ID Solutions Establish 01418 § 5.6.1, App F § AC-12, CSR 2.9.12 § 164.312 § 170.302(q) CA ControlMinder, idle session § 5.6.15, SC-10, App AC-12.3, (a)(2)(iii) CA SiteMinder termination Exhibit F § IA-4 SC-10, capabilities. 4 AC-11, SC-10.2 Exhibit 4 AC-12, Exhibit 4 SC-10 Enable access 04553 § 5.6.1, App F § CSR CA ControlMinder, control for Exhibit AC-3, App 2.10.1, CA SiteMinder objects and 4 AC-3, F § AC- CSR users on each Exhibit 4 3(2), App F 2.10.3, system and AC-14 § AC-3(3), CSR ensure the App F § 10.10.1(1) system’s policy AC-3(4) states the objects and users subject to access control. Enforce access 01428 § 5.6.5 App F § CM-5, CA ControlMinder restrictions for AU-1 CM-5(1), change control. CM-5.8 Enforce access 01921 § 6.3.3 App F § AC-3(1), CA ControlMinder restrictions for AC-3(5) AC-3.9 restricted data. Activate 04262 Exhibit 4 § 10.1 CSR 5.9.13 CA IdentityMinder third party MA-4 maintenance accounts and user IDs as necessary. Review or 00788 § 5.6.11, App F § PS-4, PS- CSR § 164.308 CA IdentityMinder, terminate Exhibit PS-4, App 5, PS-5.2 1.10.4, (a)(3)(ii) CA ControlMinder accounts and 4 PS-4, F § PS-5 CSR 2.9.17 (C) access rights Exhibit 4 if notified of PS-5 personnel status changes or termination. Revoke asset 00516 § 5.6.7, App F § AC-2.1, CSR § 164.308 CA IdentityMinder, access for Exhibit 4 AC-2 AC-2.5, 1.10.3(3), (a)(3)(ii) CA ControlMinder personnel IA-4 PS-4.1 CSR 2.9.17 (C) immediately upon termination.
17 | WHITE PAPER: IRS 1075 COMPLIANCE ca.com HIPAA Security Rule HIPAA Privacy Rule Requirements CSR CMS Core Security HIPAA Electronic CA Technologies PCI PA DSS 1.1 NIST 800-53A Health Record IRS Pub 1075 Requirement NIST 800-53 Technology Control ID Solutions Assign and 00514 § 5.6.1, App F § CSR § 164.308 CA IdentityMinder maintain user § 5.6.7, AC-2, App 1.4.1(8), (a)(5)(ii) accounts and Exhibit F § AC- CSR 2.8.3, (D) user access 4 AC-2, 2(1), App F CSR 2.9.3 management Exhibit § AC-2(4), for all systems. 4 AC-13, App F § Exhibit AC-2(5) 4 IA-4, Exhibit 8 Control 17, Exhibit 8 Control 18 Control the 00515 § 5.6.7, App F § AC-2.1, CSR 2.9.20 § 170.302(t) CA IdentityMinder, addition and Exhibit 4 AC-2(c), AC-2.3, CA ControlMinder modification IA-4 App F § AC-2(1), of user IDs, AC-2(d) IA-4.1 credentials, or other object identifiers. Verify user 04567 Exhibit 4 § 164.312 CA IdentityMinder identities IA-5 (d) before manually resetting a password. Remove 00517 Exhibit 8 App F § AC-2.4, CSR 2.9.18 CA IdentityMinder, inactive user Control 05 AC-2, App AC-2(3), CA CA accounts and F § AC- AC-2.18, GoveranceMinder temporary user 2(2), App F IA-4.1 accounts at § AC-2(3) least every 90 days. Enforce 00558 § 5.6.15, App F § AC-3, SC- CSR 2.5.9, CA ControlMinder assigned Exhibit 4 AC-3, App 2, SC-3, CSR 4.1.2, authorizations SC-2 F § SC-2, SC-3(1), CSR 4.7.1, for system App F § SC-3(2), CSR 4.7.2, access and SC-3, App SC-3(3), CSR 4.7.5 separate user F § SC-4 SC-3(4), functionality SC-3(5), from system SC-4 management functionality.
18 | WHITE PAPER: IRS 1075 COMPLIANCE ca.com HIPAA Security Rule HIPAA Privacy Rule Requirements CSR CMS Core Security HIPAA Electronic CA Technologies PCI PA DSS 1.1 NIST 800-53A Health Record IRS Pub 1075 Requirement NIST 800-53 Technology Control ID Solutions Ensure the 01429 § 5.6.15, App F § IA- IA-3, IA- CSR CA AuthMinder, system Exhibit 3, App F § 3.4 10.8.4, CA SiteMinder identifies and 4 IA-3, SC-16 CSR authenticates Exhibit 4 10.8.9, approved SC-23 CSR devices before 10.10.1(1) establishing a connection to restricted data. Ensure 01750 § 5.6.15, App F § IA-3, IA- CSR 2.3.3, CA SiteMinder, electronic Exhibit 4 AC-18 3.4 CSR 10.8.9 CA ARCOT authentication SC-23 is established before transmitting restricted data or restricted information between devices. Control remote 01421 § 5.6.1, § App F § AC-17(3), CSR CA ControlMinder access through 220.127.116.11 AC-17(3) AC-17.16 2.9.11, a network CSR access and 2.9.20, control point. CSR 10.10.4 Monitor 00585 Exhibit 4 App F § IR-5, CA ControlMinder, systems for IR-5 AC-19, IR-5(1), CA UARM inappropriate App F § IR- IR-5.8 usage. 5, App F § IR-5(1) Monitor 01222 Exhibit 4 App F § SC-5, CSR 10.2.5 CA ControlMinder, systems for SC-5 SC-5, App SC-5(1), CA UARM denial of F § SC- SC-5(2), service attacks. 5(1), App F SC-5.4, § SC-5(2) SC-5.8, SC-5.10 Configure the 00555 § 5.6.1, AC-7, AC- CSR 2.9.10 CA ControlMinder, system to Exhibit 7.3 CA SiteMinder lock out user 4 AC-7, IDs after not Exhibit 8 more than a Control 10 predefined number of access attempts.
19 | WHITE PAPER: IRS 1075 COMPLIANCE ca.com HIPAA Security Rule HIPAA Privacy Rule Requirements CSR CMS Core Security HIPAA Electronic CA Technologies PCI PA DSS 1.1 NIST 800-53A Health Record IRS Pub 1075 Requirement NIST 800-53 Technology Control ID Solutions Configure 00556 Exhibit 8 AC-7.1, CSR 2.9.10 CA ControlMinder, the Lockout Control 11 AC-7.5 CA SiteMinder duration to a predefined time period. Configure 00520 Exhibit CSR CA ControlMinder, passwords so 4 IA-5, 2.9.9(4) CA SiteMinder, that users will Exhibit 8 CA IdentityMinder change their Control passwords on 02 thru a regular basis. Exhibit 8 Control 04 Configure the 01703 Exhibit 8 IA-5.1, CA IdentityMinder, minimum Control 07 IA-5.7 CA ControlMinder password age. Configure the 01704 Exhibit 8 IA-5.1, CA IdentityMinder, maximum Control IA-5.7 CA ControlMinder password age. 02, Exhibit 8 Control 03 Configure 01705 Exhibit 8 CSR CA IdentityMinder, the password Control 01 2.9.9(6) CA ControlMinder length to the least allowable. Configure 01706 Exhibit 8 CSR CA IdentityMinder, the password Control 01 2.9.9(7) CA ControlMinder complexity setting. Configure 01707 Exhibit 8 IA-5.1, CSR CA IdentityMinder, the password Control 06 IA-5.7 2.9.9(8) CA ControlMinder history setting so that users cannot submit a new password that is the same as the previous few used. Configure the 02037 § 5.6.7, IA-5.1, CSR CA ControlMinder system to Exhibit IA-5.7 2.9.9(3), use asterisks 4 IA-6, CSR to mask Exhibit 8 2.9.9(5) passwords. Control 14
20 | WHITE PAPER: IRS 1075 COMPLIANCE ca.com HIPAA Security Rule HIPAA Privacy Rule Requirements CSR CMS Core Security HIPAA Electronic CA Technologies PCI PA DSS 1.1 NIST 800-53A Health Record IRS Pub 1075 Requirement NIST 800-53 Technology Control ID Solutions Configure the 00881 Exhibit 8 App F § CA ControlMinder system security Control 13 AC-18(4) parameters to prevent system misuse or information misappropriation. Digitally sign 04493 § 18.104.22.168 CSR 10.3.5 CA DataMinder and encrypt all email. Verify that there 01579 Exhibit 8 CA ControlMinder are no accounts Control 16 with empty password fields. Configure the 01710 Exhibit 8 AC-11, CSR 2.9.10 CA IdentityMinder, account lockout Control 11 AC-11.3 CA ControlMinder duration. Configure the 01574 § 5.6.1, CSR 2.9.10 CA ControlMinder retry limit for Exhibit account lockouts 4 AC-7, according to Exhibit 8 applicable Control 10 standards. Protect the 00565 § 5.6.10, App F § SC-9, § 12.2 CA ControlMinder, confidentiality § 5.6.15, SC-9 SC-9(1), CA DataMinder of restricted Exhibit SC-9.7 data, restricted 4 MP-5, information, Exhibit 4 or restricted SC-9 messages by prohibiting them from being sent via email or instant messaging.
21 | WHITE PAPER: IRS 1075 COMPLIANCE ca.com Appendix B: CA Technologies Security Solution Description CA Technologies has reviewed both NIST SP 800-53 and IRS Publication 1075 to determine which CA Technologies security solutions would aid in meeting their requirements. Based on the various security controls outlined in those documents there are several CA Technologies security solutions that are appropriate and are highlighted in the CA Technologies Security Products Mapped to NIST SP 800-53 Controls table. A description of those solutions can be found below. CA Technologies Capabilities Why Does it Matter? Product CA IdentityMinder™ • User provisioning: The solution provides The benefits of identity management are: automated creation and management of user • Reduced costs: Automation, delegation, and self- accounts and their access to enterprise resources. service can reduce the total number of IT trained • Delegated administration: The solution allows administrators relative to the number of user organizations to selectively distribute user • Improved security: Who can access user data administration tasks to those best equipped and change that data, who can create and who to provide services. can delete user accounts is tightly controlled and • Integrated compliance: The solution supports an auditable. organization’s regulatory compliance by enforcing • Increased productivity: Users are provisioned identity policies and providing centralized new accounts and access rights quickly and auditing. transparently as they enter the organization, • Self-service: The solution provides easy-to-use change roles, or get promoted. web interfaces that allow end users to reset a forgotten password, retrieve a forgotten ID, update For more information, please read our solution brief: their profile, or request additional access. ca.com/us/~/media/Files/ProductBriefs/ CA-IdentityMinder-product-sheet.pdf CA GovernanceMinder™ • Access privilege cleanup: The solution provides a The benefits of identity access governance are: patent-pending analytics engine that can quickly • Improved return on investment: Cleaning up identify user access anomalies. user entitlements and establishing a role model • Entitlement certification: The solution can will decrease the time to deploy an identity automate and streamline user, role, or resource management system. certifications required to meet security or • Mitigated risk: Actively monitoring for access regulatory compliance audits. violations and/or anomalies will allow IT Security • Identity compliance: The solution allows to address potential risks more quickly. organizations to establish and enforce cross- • Improved compliance: Reports and dashboards system identity policies. will increase visibility into security and • Role lifecycle management: The solution can compliance status. discover, analyze, consolidate, and manage roles and the users/resources assigned to those roles. For more information, please read our solution brief: ca.com/us/~/media/Files/SolutionBriefs/identity- and-access-goverance-SB.pdf
22 | WHITE PAPER: IRS 1075 COMPLIANCE ca.com CA Technologies Capabilities Why Does it Matter? Product CA SiteMinder® CA SiteMinder provides a centralized security The web SSO solution can help: management foundation that enables secure use • Provide shared access management services of the web to deliver applications and cloud services across all internal web applications to customers, partners, and employees. • Provide unparalleled scalability and performance CA SiteMinder enables web single sign-on (SSO), to meet business needs centralized authentication, session management, • Integrate with on-premise infrastructure with and auditing, policy-based authorization, and minimal customization enterprise-level manageability. It also supports • Improve regulatory compliance via centralized multiple types of authentication credentials, auditing and reporting including basic, forms, and two-factor. For more information, please read our solution brief: ca.com/us/~/media/Files/DataSheets/ ca-siteminder-datasheet.pdf CA SiteMinder® Federation CA SiteMinder Federation provides standards-based The identity federation solution can help: federation capabilities that enable users of one • Provide shared access management services organization to easily and securely access the data to externally-hosted web applications and applications of other organizations and cloud services without an additional login. • Integrate with external identity and/or service providers via standard protocols CA SiteMinder Federation is tightly integrated with • Improve user experience through SSO CA SiteMinder to expand the web SSO environment • Reduce service desk burden by eliminating to include external business partner sites and cloud- additional login credentials for external based applications. applications For more information, please read our solution brief: ca.com/us/~/media/Files/DataSheets/cs2047- ca-siteminder-federation-ds-0212.pdf CA AuthMinder™ CA AuthMinder provides additional identity The strong authentication solution can help: protection for your web applications and portals • Deploy multi-factor authentication invisibly by allowing organizations to deploy a wide range of strong authentication mechanisms in a cost- • Provide lower cost of ownership effective and centralized manner. • Reduce security risk • Mitigate against Man-in-the-Middle attacks CA AuthMinder supports a wide range of authentication methods, including user ID/ • Address regulatory compliance requirements password, security question/answer, One-Time- For more information, please read our solution brief: Password (OTP) via SMS, email, or IVR, OATH ca.com/us/~/media/Files/DataSheets/ tokens, and the unique CA ArcotID®. ca-authminder-ds-CS3759.pdf
23 | WHITE PAPER: IRS 1075 COMPLIANCE ca.com CA Technologies Capabilities Why Does it Matter? Product CA RiskMinder™ CA RiskMinder provides real-time protection against The adaptive authentication solution can help: identity theft and online fraud via risk-based, • Reduce losses due to identity fraud adaptive authentication. CA RiskMinder evaluates the fraud potential of online transactions and • Align risk rules to your business needs calculates a risk score based on User, Device, and • Address regulatory compliance requirements IP Geo-location data. CA RiskMinder can block, • Deploy multi-factor authentication invisibly quarantine, or prompt for additional authentication credentials for any transaction whose risk score For more information, please read our solution brief: exceeds a defined threshold. All of this is done ca.com/us/~/media/Files/ProductBriefs/ transparently without inconveniencing legitimate, CA-RiskMinder-product-brief-key-features.pdf low-risk users. CA ControlMinder™ CA ControlMinder provides comprehensive access The host access control solution can help: controls on all common operating systems. It is • Mitigate risk designed to control access to system resources, programs, files and processes through security • Regulate and audit privileged user access policies, which can be created, managed and • Enforce server-based compliance and reporting distributed on an enterprise-wide basis. These • Reduce administration cost and complexity policies are required in order to enforce separation of administrative duties on the servers, consistent For more information, please read our solution brief: with industry best practices. Finally, CA ControlMinder ca.com/us/~/media/Files/ProductBriefs/ also provides auditing tools that let you trace ca-access-control-product-brief-vF.pdf users’ activities to track attempted misuse of the computer system. CA ControlMinder™ CA ControlMinder-SAM implements the concept of The shared account management solution can help: a “password vault”, and provides secure access to • Mitigate risk Shared Account Manager privileged accounts and accountability of privileged (SAM) access through the issuance of passwords on a • Enable accountability temporary, one-time use basis, or as necessary while • Eliminate hard-coded passwords providing user accountability of their actions through • Facilitate regulatory compliance secure auditing. CA ControlMinder-SAM is also • Reduce costs designed to allow applications to programmatically access system passwords and, in so doing, remove • Improve efficiency hard-coded passwords from scripts, batch files, ODBC and JDBC wrappers. This support is available For more information, please read our solution brief: for a multitude of servers, applications (including ca.com/us/~/media/files/datasheets/ databases) and network devices in a physical or ca-controlminder-shared-account-management- virtual environment. ds.aspx
24 | WHITE PAPER: IRS 1075 COMPLIANCE ca.com CA Technologies Capabilities Why Does it Matter? Product CA Session Recording CA Session Recording provides a deep understanding The session recording solution can help: of what truly is taking place on corporate servers and • Audit and record all user activities desktops. Video replay provides clear-cut evidence of precise user actions. CA Session Recording is • Provide VCR playback of user activities protocol agnostic, capturing user activity in RDP, • Reduce cost to investigate a security violation, SSH, Telnet, Citrix published apps, VMware sessions, unscheduled outage, or data breach screen-sharing apps, or direct console login. And unlike system logs, CA Session Recording shows For more information, please read our solution brief: exactly which applications were run and what files ca.com/~/media/Files/DataSheets/CA-Session- were accessed. This can eliminate blind spots that Recording-Data-Sheet.pdf currently exist for applications that do not product their own logs and/or provide insufficient log data. CA ControlMinder™ for CA ControlMinder for Virtual Environments provides The shared account management solution can help: Virtual Environments secure privileged user access to virtual machines, • Mitigate risk hypervisor service consoles, and virtual appliances— helping organizations control privileged user • Regulate and audit privileged user access actions, secure access to the virtual environment, • Improve compliance and reporting and comply with industry mandates. It delivers key • Reduce administration cost and complexity capabilities to manage privileged user passwords, harden the hypervisor service console, and monitor For more information, please read our solution brief: privileged user activity. It also provides a centralized ca.com/~/media/Files/SolutionBriefs/ca_access_ foundation for privileged user management that control_for_virtual_environments_solution_brief.pdf serves as a single portal for securing privileged user access across virtual and physical environments. CA ControlMinder™ CA User Activity Reporting provides user activity CA ControlMinder UARM provides: User Activity Reporting and compliance reporting for identity, access and • Simplified user activity reporting. Automated Module (UARM) information usage across physical, virtual and cloud reporting of user activity enables organizations environments. It is designed to effectively verify to assess “what happened” more quickly. security controls and to streamline reporting and investigation of user and resource access activities, • Automatic compliance updates. Enable continuous in order to improve efficiencies and accelerate and compliance and analysis of trends in user activity. simplify compliance. • Rapid time to value. Easy-to-use report • User activity and compliance reporting. Provides customization wizard to accelerate predefined and customizable reports mapped deployment time. to common security auditing guidelines and For more information, please read our solution brief: compliance regulations. ca.com/us/~/media/Files/DataSheets/ca-user- • User activity investigation. Delivers visual log activity-reporting-module-ps-us-en.pdf analysis tools with drill-down capabilities that can expedite the investigation of user and resource activities and identify policy violations. • User activity log correlation. Provides predefined and customizable log-correlation capability, focusing on connecting user activity with the individual who performed it.
25 | WHITE PAPER: IRS 1075 COMPLIANCE ca.com CA Technologies Capabilities Why Does it Matter? Product CA DataMinder™ CA DataMinder is an information protection and CA DataMinder helps you to: control solution that helps minimize the accidental, • Discover where your sensitive information resides, negligent and malicious misuse of data while classify it according to its level of sensitivity, and helping comply with various data protection enforce data handling policies. standards and regulations. Through the delivery of broad information and communication coverage, • Tailor your information protection policy precise policy enforcement and Identity and Access enforcement to the specific attributes of each user Management, organizations are able to take a and their role. comprehensive approach to reducing risk to • Protect your company against the reputational their most critical assets while enabling critical damage from information breach or theft. business processes. • Achieve rapid time-to-value; the modular components help simplify the deployment process. For more information, please read our solution brief: ca.com/us/~/media/Files/ProductBriefs/ ca-dataminder-ps.pdf
26 | WHITE PAPER: IRS 1075 COMPLIANCE Section 6: About the Author Chris Boswell has over 13 years of experience developing and implementing security, risk and compliance solutions. During his tenure at CA Technologies, Chris has held a variety of technical and management positions across our security services, product management and sales organizations. His work in the governance, risk and compliance domain has led to several patent filings for CA Technologies. Chris currently coordinates sales activities for our information protection and control solutions, CA DataMinder™ and CA ControlMinder™, and works closely with product and development teams on behalf of customers to address emerging security, risk and compliance challenges. Connect with CA Technologies at ca.com Agility Made Possible: The CA Technologies Advantage CA Technologies (NASDAQ: CA) provides IT management solutions that help customers manage and secure complex IT environments to support agile business services. Organizations leverage CA Technologies software and SaaS solutions to accelerate innovation, transform infrastructure and secure data and identities, from the data center to the cloud. CA Technologies is committed to ensuring our customers achieve their desired outcomes and expected business value through the use of our technology. To learn more about our customer success programs, visit ca.com/ customer-success. For more information about CA Technologies go to ca.com. Copyright © 2013 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. CA assumes no responsibility for the accuracy or completeness of the information. To the extent permitted by applicable law, CA provides this document “as is” without warranty of any kind, including, without limitation, any implied warranties of merchantability, fitness for a particular purpose, or non-infringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits, business interruption, goodwill or lost data, even if CA is expressly advised in advance of the possibility of such damages. CA does not provide legal advice. Neither this document nor any software product referenced herein serves as a substitute for your compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, standard, policy, administrative order, executive order, and so on (collectively, “Laws”), referenced herein or any contract obligations with any third parties. You should consult with competent legal counsel regarding any such Laws or contract obligations.. CS200-26950_0913
You can also read
Next slide ... Cancel