Solutions for Enabling IRS 1075 Compliance - Chris Boswell North American Security

 
WHITE PAPER | SEPTEMBER 2013

Solutions for Enabling
IRS 1075 Compliance

Chris Boswell
North American Security
2 | WHITE PAPER: IRS 1075 COMPLIANCE                                        ca.com

Table of Contents                      Executive Summary                              3

                                       Section 1:                                     4
                                       Overview IRS Pub 1075

                                       Section 2:                                     9
                                       Additional Safeguard Requirements

                                       Section 3:                                    11
                                       System Audit Management Guidelines

                                       Section 4:                                    12
                                       Conclusions

                                       Section 5:                                    12
                                       References

                                       Section 6:                                    26
                                       About the Author
3 | WHITE PAPER: IRS 1075 COMPLIANCE                                                                       ca.com

                        Executive Summary

                        Challenge
                        State and local governments manage and process large volumes of sensitive data on behalf of their
                        constituents every day. As a result, these organizations are subject to a wide variety of both industry
                        and federal information protection and compliance requirements.

                        Opportunity
                        CA Technologies offers a suite of security solutions that can help government agencies better protect
                        this sensitive data. By mapping solutions to specific requirements of IRS Pub 1075, you can easily see
                        how to address these security needs.

                        Benefits
                        There are multiple ways to address any situation. This paper will describe the various solution
                        offerings from CA Technologies provides to protect Federal Tax Information (FTI) and help satisfy
                        requirements outlined in the Internal Revenue Service Tax Information Security Guidelines for
                        Federal, State and local Agencies (IRS Pub 1075).
4 | WHITE PAPER: IRS 1075 COMPLIANCE                                                                        ca.com

Section 1:

Overview IRS Pub 1075
Internal Revenue Service Publication 1075 defines a broad set of managerial, operational and technical security controls that
must be in place to protect Federal Tax Information. The general areas of security addressed in this document are listed in the
figure below:

                                      Audit and                      Awareness and                       Security
   Access Control                   Accountability                     Training                      Assessment and
                                                                                                      Authorization

                                                                      Identification                      Incident
    Configuration                     Contingency                         and                          Response and
    Management                         Planning                       Authorization                      Reporting

                                     Media Access                                                         Personnel
    Maintenance                       Protection                          Planning
                                                                                                           Security

                                       System and                    System and                         System and
 Risk Assessment                         Services                  Communications                       Information
                                       Acquisition                    Protection                          Integrity
5 | WHITE PAPER: IRS 1075 COMPLIANCE                                                                                                                      ca.com

While many of the controls are described in detail within the document itself, the standard also requires implementation and
assessment of certain federally mandated controls outlined in NIST Special Publication 800-53. Below is a listing of those
control areas and the CA Technologies security solutions that can be used to help achieve each high-level compliance objective:

CA Technologies Security Products Mapped to NIST SP 800-53 Controls

                                                                                                                                                                           CA GovernanceMinder™

                                                                                                                                                                                                  CA AuthMinder™ and
                                                                                                CA IdentityMinder™
                                                                            CA ControlMinder™

                                                                                                                                       Reporting Module

                                                                                                                                                          CA DataMinder™
                                                                                                                                       CA User Activity

                                                                                                                                                                                                  CA RiskMinder™
                                                                                                                     CA SiteMinder ®
 Control    Name

 AC-1       Access Control Policies and Procedures                         Primarily Procedural Control: No CA Technologies
                                                                           Security Solutions map to this objective

 AC-2       Account Management                                             4                    4

 AC-3       Access Enforcement                                             4                    4

 AC-4       Information Flow Enforcement                                   4                                                                              4

 AC-5       Separation of Duties                                           4                                         4

 AC-6       Least Privilege                                                4                                         4

 AC-7       Unsuccessful Login Attempts                                    4                                                             4

 AC-8       System Use Notification                                                                                  4

 AC-11      Session Lock                                                   4                                         4

 AC-14      Permitted Actions w/o Identification or Authentication         4                                         4                                    4                                         4

 AC-17      Remote Access                                                  4                                         4                                                                              4

 AC-18      Wireless Access                                                No CA Security Solutions map to this objective

 AC-19      Access Control for Mobile and Portable Devices                                                           4                                                                              4

 AC-20      Use of External Systems                                        4                                                                              4

 AC-22      Publicly Accessible Content                                                                                                                   4

 AT-1-4     Awareness and Training                                         Primarily Procedural Control: No CA Technologies
                                                                           Security Solutions map to this objective

 AU-1,2,4   Audit and Accountability                                       Primarily Procedural Control: No CA Technologies
                                                                           Security Solutions map to this objective

 AU-3       Content of Audit Records                                       4                    4                    4                   4                4                4                        4

 AU-5       Response to Audit Processing Failures                                                                                        4
6 | WHITE PAPER: IRS 1075 COMPLIANCE                                                                                                                    ca.com

                                                                                                                                                                         CA GovernanceMinder™

                                                                                                                                                                                                CA AuthMinder™ and
                                                                                              CA IdentityMinder™
                                                                          CA ControlMinder™

                                                                                                                                     Reporting Module

                                                                                                                                                        CA DataMinder™
                                                                                                                                     CA User Activity

                                                                                                                                                                                                CA RiskMinder™
                                                                                                                   CA SiteMinder ®
 Control    Name

 AU-6       Audit Review, Analysis and Reporting                          4                   4                    4                   4                4                4                        4

 AC-7       Audit Reduction and Report Generation                                                                                      4

 AC-8       Time Stamps                                                   4                   4                    4                   4

 AC-9       Protection of Audit Information                               4                                                            4

 AC-11      Audit Record Retention                                                                                                     4

 CA-1-7     Security Assessment and Authorization                         Primarily Procedural Control: No CA Technologies
                                                                          Security Solutions map to this objective

 CM-1-      Configuration Management                                      Primarily Procedural Control: No CA Technologies
 4,8,9                                                                    Security Solutions map to this objective

 CM-2       Baseline Configuration                                        4

 CM-5       Access Restrictions for Change                                4                   4

 CM-6       Configuration Settings                                        4

 CM-7       Least Functionality                                           4

 CP-1-10    Contingency Planning                                          Primarily Procedural Control: No CA Technologies
                                                                          Security Solutions map to this objective

 IA-1       Identification and Authentication Policy and Procedures       Primarily Procedural Control: No CA Technologies
                                                                          Security Solutions map to this objective

 IA-2       User Identification and Authentication                        4                                        4                                                                              4

 IA-4       Identifier Management                                                                                                                                                                 4

 IA-5       Authenticator Management                                      4                   4                                                                                                   4

 IA-6       Authenticator Feedback                                                            4                    4

 IA-7       Cryptographic Module Authentication                                                                    4                                                                              4

 IA-8       Identification and Authentication (non-organizational users                       4                    4

 IR-1-4,8   Incident Response                                             Primarily Procedural Control: No CA Technologies
                                                                          Security Solutions map to this objective

 IR-5       Incident Monitoring                                                                                                        4

 IR-6       Incident Reporting                                                                                                         4
7 | WHITE PAPER: IRS 1075 COMPLIANCE                                                                                               ca.com

                                                                                                                                                    CA GovernanceMinder™

                                                                                                                                                                           CA AuthMinder™ and
                                                                         CA IdentityMinder™
                                                     CA ControlMinder™

                                                                                                                Reporting Module

                                                                                                                                   CA DataMinder™
                                                                                                                CA User Activity

                                                                                                                                                                           CA RiskMinder™
                                                                                              CA SiteMinder ®
 Control     Name

 IR-7        Incident Response Assistance                                                                         4

 MA-1-       System Maintenance                      Primarily Procedural Control: No CA Technologies
 3, 6                                                Security Solutions map to this objective

 MA-4        Non-local Maintenance                                                                                4

 MA-5        Maintenance Personnel                   4

 MP-1,       Media Protection                        Primarily Procedural Control: No CA Technologies
 3-6                                                 Security Solutions map to this objective

 MA-5        Media Access                            4

 PE-1-18     Physical and Environmental Protection   Primarily Procedural Control: No CA Technologies
                                                     Security Solutions map to this objective

 PL-1-6      Security Planning                       Primarily Procedural Control: No CA Technologies
                                                     Security Solutions map to this objective

 PS-1-3,     Personnel Security                      Primarily Procedural Control: No CA Technologies
 6, 8                                                Security Solutions map to this objective

 PS -4       Personnel Termination                   4                   4                                                                          4                        4

 PS -5       Personnel Transfer                                          4                                                                          4

 PS -7       Third Party Personnel Security                              4                                                                          4

 RA - 1-5    Risk Assessment                         Primarily Procedural Control: No CA Technologies
                                                     Security Solutions map to this objective

 SA1-11      System and Services Acquisition         Primarily Procedural Control: No CA Technologies
                                                     Security Solutions map to this objective

 SC-1, 8,    System and Communications Protection    No CA Technologies Security Solutions map
 9, 17-22,                                           to this objective
 32

 SC-2        Application Partitioning                4

 SC-4        Information Remnance                    4                                                                             4

 SC-5        Denial Of Service Protection                                                     4

 SC-7        Boundary Protection                     4                                                                             4

 SC-10       Network Disconnect                                                               4
8 | WHITE PAPER: IRS 1075 COMPLIANCE                                                                                                            ca.com

                                                                                                                                                                 CA GovernanceMinder™

                                                                                                                                                                                        CA AuthMinder™ and
                                                                                      CA IdentityMinder™
                                                                  CA ControlMinder™

                                                                                                                             Reporting Module

                                                                                                                                                CA DataMinder™
                                                                                                                             CA User Activity

                                                                                                                                                                                        CA RiskMinder™
                                                                                                           CA SiteMinder ®
 Control     Name

 SC-12       Cryptographic Key Establishment and Management                                                4                                                                              4

 SC-13       Use of Cryptography                                                                           4

 SC-14       Public Access Protections                            4                                        4

 SC-15       Collaborative Computing Devices

 SC-23       Session Authenticity                                                                          4

 SC-28       Protection of Information at Rest                                                                                                  4

 SI-1-3,5,   System and Information Integrity                     No CA Technologies Security Solutions map
 8, 10,                                                           to this objective
 11

 SI-4        Information System Monitoring Tools and Techniques   4                                                            4                4

 SI-7        Software and Information Integrity                   4

 SI-9        Information Input Restrictions                       4

 PM-1-11     Program Management                                   Primarily Procedural Control: No CA Technologies
                                                                  Security Solutions map to this objective
9 | WHITE PAPER: IRS 1075 COMPLIANCE                                                                                    ca.com

Section 2:

Additional Safeguard Requirements
Additional safeguard requirements for Federal Tax Information may be supplemented by the Office of Safeguards between
editions of IRS publication 1075. Some of these additional safeguards are referenced in the current edition of Pub 1075,
but there are also more safeguards communicated directly on the IRS website. Below is a table listing relevant additional
safeguards that may be satisfied by one or more CA solution to help achieve compliance:

 Authoritative
                      Description                                                   CA Technologies Capabilities
 Guidance
 Section 9.18.3       Two-factor authentication is required whenever FTI is         CA AuthMinder and CA RiskMinder work together to
 Remote access        being accessed from an alternate work location or if          provide two-factor step-up authentication services based
                      accessing FTI via the agency’s web portal.                    on risk factors such as the device being used to access
                                                                                    information or location where users are initiating
                                                                                    their sessions.

 Section 9.18.5       • Generally, FTI should not be transmitted or used on         CA Email Control provides robust data loss protection
 Electronic email       the agency’s internal e-mail systems.                       capabilities to prevent your organization’s FTI from
                      • FTI must not be transmitted outside of the agency,          seeping into email. With out of the box policies to detect
                        either in the body of an email or as an attachment.         and control tax information, CA DataMinder can be
                                                                                    rapidly deployed to help ensure that such information
                      • Do not send FTI unencrypted in any email messages.          is not transmitted via email and, when necessary,
                      • The file containing FTI must be attached and encrypted.     appropriately encrypt messages before submission.

 Section 9.18.8       The use of live FTI in test environments should generally     ITKO’s CA LISA platform optimizes the development and
 Use of FTI in live   be avoided and is not approved unless specifically            testing of composite applications and can be leveraged
 data testing         authorized by the IRS Office of Safeguards. Dummy data        to create obfuscated dummy data in compliance with
                      should be used in place of live FTI wherever possible.        IRS live data requirements. In addition, CA LISA can
                                                                                    reduce software delivery timelines by 30% or more by
                                                                                    leveraging a proprietary service virtualization technology

 Section 9.18.9       Access to FTI via the web portal requires a strong identity   CA AuthMinder + CA SiteMinder work together to provide
 Safeguards           verification process. The authentication must use a           a common security infrastructure for all web portals,
 technical            minimum of two pieces of information although more            providing strong authentication to sites where sensitive
 assistance for       than two are recommended to verify the identity.              information such as FTI may be accessed.

 Protecting           One of the authentication elements must be a shared
 Federal Tax          secret only known to the parties involved and issued
 Information          by the agency directly to the customer.
 (FTI) in web
 portals
10 | WHITE PAPER: IRS 1075 COMPLIANCE                                                                                  ca.com

 Authoritative
                   Description                                                     CA Technologies Capabilities
 Guidance
 Section 9.18.12   • When FTI is stored in a shared location, the agency           CA ControlMinder™ for Virtual Environments can be
 Protecting          must have policies in place to restrict access to FTI         deployed to satisfy a majority of the virtual security
 FTI in virtual      to authorized users.                                          requirements outlined by the IRS. The solution not only
 environments      • Programs that control the hypervisor should be                provides capabilities to lock down and the harden host
                     secured and restricted to authorized administrators only.     and hypervisor, but also provides a powerful policy
                                                                                   enforcement engine to prevent FTI from being accessed
                   • Separation between virtual machines (VMs) must                by unauthorized users and administrators. The enhanced
                     be enforced, and functions which allow one VM to              auditing capabilities provided by Access Control will also
                     share data with the hypervisor or another VM, such as         allow monitoring of virtual environments for insider and
                     clipboard sharing or shared disks, must be disabled.          other threats that could result in unauthorized disclosure
                   • Virtualization providers must be able to monitor for          or modification of FTI.
                     threats and other activity that is occurring within
                     the virtual environment. This includes being able to
                     monitor the movement of FTI into and out of the
                     virtual environment.
                   • The VMs and hypervisor/ host OS software for each
                     system within the virtual environment that receives,
                     processes, stores or transmits FTI must be hardened in
                     accordance with the requirements of Publication 1075
                     and be subject to frequent vulnerability testing.
                   • Special VM functions available to system
                     administrators in a virtualized environment that
                     can leverage the shared memory space in a virtual
                     environment between the hypervisor and VM should
                     be disabled.
                   • Backups (virtual machine snapshot) must be properly
                     secured and must be stored in a logical location where
                     the backup is only accessible to those with a need to know.

 Section 9.8.14    Software, data, and services that receive, transmit,            CA ControlMinder for Virtual Environments can be
 Protecting        process, or store FTI must be isolated within the cloud         deployed in your cloud infrastructure to promote secure
 FTI in a cloud    environment so that tenants sharing physical space              multi-tenancy. Through tight integration with VMware,
 computing         cannot access their neighbors’ physically co-located data       CA ControlMinder streamlines and automates the isolation
 environment       and applications.                                               of various operating environments based on a unique
                                                                                   guest and host automated tagging capability. As a result,
                                                                                   tenants can share physical space without being able to
                                                                                   access physically co-located data and applications.
11 | WHITE PAPER: IRS 1075 COMPLIANCE                                                                                         ca.com

Section 3:

System Audit Management Guidelines
Below is a listing of the system auditing guidance outlined in IRS Pub 1075. CA User Activity Reporting Module (UARM) can
ingest logs from various operating system and application sources and provide reports to help satisfy the auditing requirements
listed below.

 Event No.     System Auditing Guidance
 01            The audit trail shall capture all successful login and logoff attempts.

 02            The audit trail shall capture all unsuccessful login and authorization attempts.

 03            The audit trail shall capture all identification and authentication attempts.

 04            The audit trail shall capture all actions, connections and requests performed by privileged users (a user who, by virtue
               of function, and/or seniority, has been allocated powers within the computer system, which are significantly greater than
               those available to the majority of users. Such persons will include, for example, the system administrator(s) and network
               administrator(s) who are responsible for keeping the system available and may need powers to create new user profiles
               as well as add to or amend the powers and access rights of existing users).

 05            The audit trail shall capture all actions, connections and requests performed by privileged functions.

 06            The audit trail shall capture all changes to logical access control authorities (e.g., rights, permissions).

 07            The audit trail shall capture all system changes with the potential to compromise the integrity of audit policy
               configurations, security policy configurations and audit record generation services.

 08            The audit trail shall capture the creation, modification and deletion of objects including files, directories and user accounts.

 09            The audit trail shall capture the creation, modification and deletion of user accounts and group accounts.

 10            The audit trail shall capture the creation, modification and deletion of user account and group account privileges.

 11            The audit trail shall capture: i) the date of the system event; ii) the time of the system event; iii) the type of system event
               initiated; and iv) the user account, system account, service or process responsible for initiating the system event.

 12            The audit trail shall capture system startup and shutdown functions.

 13            The audit trail shall capture modifications to administrator account(s) and administrator group account(s) including:
               i) escalation of user account privileges commensurate with administrator-equivalent account(s); and ii) adding or deleting
               users from the administrator group account(s).

 14            The audit trail shall capture the enabling or disabling of audit report generation services.

 15            The audit trail shall capture command line changes, batch file changes and queries made to the system (e.g., operating
               system, application, database). Page 107

 16            The audit trail shall be protected from unauthorized access, use, deletion or modification.

 17            The audit trail shall be restricted to personnel routinely responsible for performing security audit functions.
12 | WHITE PAPER: IRS 1075 COMPLIANCE                                                                                                                                                         ca.com

Section 4:

Conclusions
IRS Publication 1075 outlines a wide variety of technical, operational and managerial controls that must be implemented to
protect sensitive Federal Tax Information. While the analysis provided in this document provides a clear outline of the types of
technologies that can be deployed to help satisfy those compliance requirements, each organization’s priorities and needs will
be different. CA welcomes the opportunity to discuss how our technology can help accelerate and streamline your current
initiatives and build a sustainable compliance infrastructure going forward.

Section 5:

References
Appendix A: Unified Compliance Framework For Common State Regulatory Requirements
All states are subject to a number of both Federal and industry-related information processing requirements. While the focus
of this paper is on IRS Pub 1075, the following table is designed to help your organization frame and prioritize its security
initiatives against a more holistic view of broader common requirements, including HIPAA and PCI.                                    HIPAA Security Rule

                                                                                                                                                           HIPAA Privacy Rule
                                                                                                              Requirements CSR
                                                                                                              CMS Core Security

                                                                                                                                                                                HIPAA Electronic

                                                                                                                                                                                                         CA Technologies
                                                                                            PCI PA DSS 1.1
                                                                          NIST 800-53A

                                                                                                                                                                                Health Record
                                       IRS Pub 1075
       Requirement

                                                         NIST 800-53

                                                                                                                                                                                Technology
                       Control ID

                                                                                                                                                                                                         Solutions
 Establish and        00637         § 5.6.2,          § 3.4, App       AU-2,             § 4.2               CSR                  § 164.312                                                        CA UARM
 maintain logging                   Exhibit 4         F § AU-2         AU-2.2,                               1.4.1(2),            (b)
 and monitoring                     AU-1                               CM-5(1),                              CSR 2.1,
 operations.                                                           CM-5.8                                CSR 3.1.4

 Operationalize       00638         § 5.6.2,          App F §          AU-3, AU-                             CSR 2.1.1,                                                                            CA ControlMinder,
 key logging                        Exhibit           AU-3             3.2                                   CSR 2.1.3,                                                                            CA UARM
 and monitoring                     4 AU-2,                                                                  CSR 3.2.3,
 concepts and                       Exhibit 6                                                                CSR 3.4.1,
 events to ensure                                                                                            CSR 4.2.2
 the audit trails
 capture sufficient
 information.
13 | WHITE PAPER: IRS 1075 COMPLIANCE                                                                                                                                                               ca.com

                                                                                                                                   HIPAA Security Rule

                                                                                                                                                           HIPAA Privacy Rule
                                                                                                            Requirements CSR
                                                                                                            CMS Core Security

                                                                                                                                                                                HIPAA Electronic

                                                                                                                                                                                                             CA Technologies
                                                                                          PCI PA DSS 1.1
                                                                          NIST 800-53A

                                                                                                                                                                                Health Record
                                       IRS Pub 1075
        Requirement

                                                         NIST 800-53

                                                                                                                                                                                Technology
                       Control ID

                                                                                                                                                                                                             Solutions
 Enable logging       00640         § 5.6.2,                                             § 4.1             CSR 2.1.2,                                                           § 170.302          CA UARM
 for all systems                    Exhibit 4                                                              CSR 2.1.7                                                            (r)(2)
 that meet                          AU-3
 traceability
 criteria.

 Review audit         00596         § 5.6.2,          App F §          AU-6, AU-                           CSR                  §                                                                  CA UARM
 logs, Intrusion                    Exhibit           AU-6, App        6.2, SI-4                           1.6.1(4),            164.408(a)
 Detection System                   4 AU-6,           F § AU-6(4)                                          CSR 2.1.12,          (1)(ii)(D)
 reports, security                  Exhibit 4                                                              CSR 3.1.3,
 incident tracking                  AU-7                                                                   CSR 3.4.1,
 reports, and
                                                                                                           CSR 4.2.2,
 other security
                                                                                                           CSR 7.3.6,
 logs regularly.
                                                                                                           CSR 10.2.3,
                                                                                                           CSR
                                                                                                           10.10.5
                                                                                                           (10)

 Log and report to    00653         § 7.2, §          App F §                                              CSR 3.1.3                                     § 160.                                    CA UARM
 management the                     7.4, § 8.1,       AU-6                                                                                               310(a)
 periodic reviews                   Exhibit
 of compliance                      3(E)
 checklists, and
 audit reports.

 Limit logs and       01342         Exhibit 9                                                              CSR 2.1.4,
 audit trails to                    Event 17                                                               CSR 2.1.6
 a need to
 know basis.

 Use file integrity   01345         § 5.6.2,          App F §          AU-9, AU-                                                                                                § 170.302          CA ControlMinder,
 and change                         Exhibit           AU-9(1),         9.2                                                                                                      (s)(3)             CA UARM
 modification                       4 AU-9,           App F §
 tools to protect                   Exhibit 9         AU-9(3)
 audit logs or log                  Event 16
 management
 infrastructure
 from alteration.

 Archive the          00674         § 5.6.2,                           AU-9(1),                            CSR 2.1.11                                                                              CA UARM
 audit trail and                    Exhibit 4                          AU-9.7
 log history in                     AU-11
 accordance with
 regulations or
 organizational
 standards.
14 | WHITE PAPER: IRS 1075 COMPLIANCE                                                                                                                                                              ca.com

                                                                                                                                   HIPAA Security Rule

                                                                                                                                                           HIPAA Privacy Rule
                                                                                                            Requirements CSR
                                                                                                            CMS Core Security

                                                                                                                                                                                HIPAA Electronic

                                                                                                                                                                                                            CA Technologies
                                                                                          PCI PA DSS 1.1
                                                                        NIST 800-53A

                                                                                                                                                                                Health Record
                                     IRS Pub 1075
      Requirement

                                                       NIST 800-53

                                                                                                                                                                                Technology
                     Control ID

                                                                                                                                                                                                            Solutions
 Protect against    04547         § 5.6.2,          App F §          AU-9, AU-                             CSR 2.1.4,                                                                              CA ControlMinder
 misusing                         Exhibit 4         AU-9             9.2                                   CSR 2.1.6
 automated                        AU-9
 audit tools.

 Technical          00508         § 5.6.15,         App F §          SC-1, SI-1
 security.                        Exhibit           SC-1, App F
                                  4 SC-1,           § SI-1
                                  Exhibit 4
                                  SI-1

 Establish          00512         § 5.6.1,                           AC-3.2,                               CSR 2.2.1,           § 164.3                                                            CA ControlMinder
 and maintain                     Exhibit                            AC-13.4,                              CSR 2.2.22,          08(a)(4)(i),
 access policies                  4 AC-1,                            AC-13.5,                              CSR 2.9.1,           § 164.312
 and access                       Exhibit 6                          AC-13.6                               CSR 2.11.1,          (a)(1)
 procedures.                                                                                               CSR 2.11.2,
                                                                                                           CSR
                                                                                                           10.10.1
 Establish and      00513         § 5.6.7,          App F §          IA-1              § 3.1, §            CSR 2.8.1,           § 164.                   § 164.                                    CA IdentityMinder,
 maintain an                      Exhibit           AC-2(7),                           3.2                 CSR 2.9.4,           308(a)                   504(f)                                    CA GovernanceMinder™,
 identification,                  4 IA-1,           App F §                                                CSR 2.9.5,           (3)(i), §                (2)(iii)                                  CA ControlMinder
 authentication,                  Exhibit 6         AC-14(a),                                              CSR                  164.308(                 (A)
 and access                                         App F §                                                2.13.2,              a)(3)(ii)(A)
 rights                                             AC-14(b),                                              CSR 10.3.6
 management                                         App F §
 plan.                                              AC-14(1),
                                                    App F § IA-
                                                    1, App F §
                                                    IA-4, App
                                                    F § IA-5
 Maintain           00004         § 5.6.1,          App F §          AC-3.1,                               CSR                  § 164.308                § 164.                                    CA ControlMinder,
 control over                     Exhibit 4         AC-2(6),         AC-3.3                                1.4.1(3),            (a)(3)                   514                                       CA SiteMinder,
 access rights                    AC-13             App F §                                                CSR 2.8.2,           (ii)(B), §               (d)(2)                                    CA IdentityMinder
 and user                                           AC-2(7),                                               CSR                  164.308(                 (ii)
 privileges.                                        App F §                                                2.10.2,              a)(4)(ii)(B),
                                                    AU-9(4)                                                CSR                  § 164.308(
                                                                                                           2.10.3,              a)(4)(ii)(C)
                                                                                                           CSR 3.3.2,
                                                                                                           CSR 10.7.8
 Verify all         01273         § 5.6.1,          App F §          IA-2,             § 3.1.a, §          CSR 2.9.8,           § 164.312                                       §                  CA IdentityMinder,
 user IDs are                     § 5.6.7,          IA-2, App        IA-2.3, IA-       3.2                 CSR                  (a)(2)(i)                                       170.302(o)         CA GovernanceMinder
 unique and                       Exhibit           F § IA-4         2.6, IA-4                             2.9.15,
 require proper                   4 AC-5,                                                                  CSR 7.3.3
 authentication.                  Exhibit 4
                                  IA-2
15 | WHITE PAPER: IRS 1075 COMPLIANCE                                                                                                                                                           ca.com

                                                                                                                                HIPAA Security Rule

                                                                                                                                                        HIPAA Privacy Rule
                                                                                                            Requirements CSR
                                                                                                            CMS Core Security

                                                                                                                                                                             HIPAA Electronic

                                                                                                                                                                                                         CA Technologies
                                                                                          PCI PA DSS 1.1
                                                                         NIST 800-53A

                                                                                                                                                                             Health Record
                                      IRS Pub 1075
       Requirement

                                                        NIST 800-53

                                                                                                                                                                             Technology
                      Control ID

                                                                                                                                                                                                         Solutions
 Establish           01411         § 5.6.1,          App F § AC-      AC-6,                                CSR                                                                                  CA ControlMinder,
 access rights                     Exhibit           6, App F         AC-14,                               1.4.1(7),                                                                            CA IdentityMinder
 based on least                    4 AC-6,           § AC-6(1),       AC-14.5,                             CSR 2.5.4,
 privilege.                        Exhibit 4         App F § AC-      AC-14(1),                            CSR 2.7.2,
                                   CM-7              6(2), App F      AC-14.10                             CSR 3.2.3
                                                     § AC-6(3),
                                                     App F § AC-
                                                     6(4), App F
                                                     § AC-6(5),
                                                     App F § AC-
                                                     6(6), App
                                                     F § AC-14,
                                                     App F § AC-
                                                     14(1), App
                                                     F § SC-15,
                                                     App F §
                                                     SC-15(1)

 Assign              00538         § 5.1, §                                                                CSR                                        § 164.                 § 170.302(p)       CA IdentityMinder,
 privileges based                  5.2, Exhibit                                                            2.9.16,                                    504                                       CA GoveranceMinder
 on job function                   3(C)                                                                    CSR                                        (f )(2)
 responsibilities.                                                                                         2.12.1,                                    (iii)(B)
                                                                                                           CSR 3.3.1,
                                                                                                           CSR 3.6.4,
                                                                                                           CSR 4.5.1,
                                                                                                           CSR 4.6.3,
                                                                                                           CSR 7.4.1
 Establish           01412         § 5.6.1,          App F §          App F             AC-7,              CSR 2.9.10                                                                           CA ControlMinder,
 lockout                           Exhibit           AC-2(6),         § AC-7,           AC-7.5                                                                                                  CA IdentityMinder,
 procedures or                     4 AC-7,           App F §          App F §                                                                                                                   CA SiteMinder
 mechanisms                        Exhibit 8         AC-2(7),         AC-7(1),
 to be triggered                   Control 10        App F §          App F §
 after a                                             AU-9(4)          AC-7(2)
 predetermined
 number of
 consecutive
 logon
 attempts.

 Establish           01417         § 5.6.1,          App F §          AC-11,                               CSR 2.9.8                                                                            CA ControlMinder,
 session lock                      Exhibit 4         AC-11,           AC-11.3                                                                                                                   CA SiteMinder
 capabilities.                     AC-11             App F §
                                                     AC-11(1)
16 | WHITE PAPER: IRS 1075 COMPLIANCE                                                                                                                                                            ca.com

                                                                                                                                   HIPAA Security Rule

                                                                                                                                                         HIPAA Privacy Rule
                                                                                                            Requirements CSR
                                                                                                            CMS Core Security

                                                                                                                                                                              HIPAA Electronic

                                                                                                                                                                                                          CA Technologies
                                                                                          PCI PA DSS 1.1
                                                                         NIST 800-53A

                                                                                                                                                                              Health Record
                                      IRS Pub 1075
       Requirement

                                                        NIST 800-53

                                                                                                                                                                              Technology
                      Control ID

                                                                                                                                                                                                          Solutions
 Establish           01418         § 5.6.1,          App F §          AC-12,                               CSR 2.9.12           § 164.312                                     § 170.302(q)       CA ControlMinder,
 idle session                      § 5.6.15,         SC-10, App       AC-12.3,                                                  (a)(2)(iii)                                                      CA SiteMinder
 termination                       Exhibit           F § IA-4         SC-10,
 capabilities.                     4 AC-11,                           SC-10.2
                                   Exhibit
                                   4 AC-12,
                                   Exhibit 4
                                   SC-10
 Enable access       04553         § 5.6.1,          App F §                                               CSR                                                                                   CA ControlMinder,
 control for                       Exhibit           AC-3, App                                             2.10.1,                                                                               CA SiteMinder
 objects and                       4 AC-3,           F § AC-                                               CSR
 users on each                     Exhibit 4         3(2), App F                                           2.10.3,
 system and                        AC-14             § AC-3(3),                                            CSR
 ensure the                                          App F §                                               10.10.1(1)
 system’s policy                                     AC-3(4)
 states the
 objects and
 users subject to
 access control.

 Enforce access      01428         § 5.6.5           App F §          CM-5,                                                                                                                      CA ControlMinder
 restrictions for                                    AU-1             CM-5(1),
 change control.                                                      CM-5.8

 Enforce access      01921         § 6.3.3           App F §          AC-3(1),                                                                                                                   CA ControlMinder
 restrictions for                                    AC-3(5)          AC-3.9
 restricted data.
 Activate            04262         Exhibit 4                                            § 10.1             CSR 5.9.13                                                                            CA IdentityMinder
 third party                       MA-4
 maintenance
 accounts and
 user IDs as
 necessary.
 Review or           00788         § 5.6.11,         App F §          PS-4, PS-                            CSR                  § 164.308                                                        CA IdentityMinder,
 terminate                         Exhibit           PS-4, App        5, PS-5.2                            1.10.4,              (a)(3)(ii)                                                       CA ControlMinder
 accounts and                      4 PS-4,           F § PS-5                                              CSR 2.9.17           (C)
 access rights                     Exhibit 4
 if notified of                    PS-5
 personnel
 status changes
 or termination.

 Revoke asset        00516         § 5.6.7,          App F §          AC-2.1,                              CSR                  § 164.308                                                        CA IdentityMinder,
 access for                        Exhibit 4         AC-2             AC-2.5,                              1.10.3(3),           (a)(3)(ii)                                                       CA ControlMinder
 personnel                         IA-4                               PS-4.1                               CSR 2.9.17           (C)
 immediately
 upon
 termination.
17 | WHITE PAPER: IRS 1075 COMPLIANCE                                                                                                                                                         ca.com

                                                                                                                                HIPAA Security Rule

                                                                                                                                                      HIPAA Privacy Rule
                                                                                                         Requirements CSR
                                                                                                         CMS Core Security

                                                                                                                                                                           HIPAA Electronic

                                                                                                                                                                                                       CA Technologies
                                                                                       PCI PA DSS 1.1
                                                                        NIST 800-53A

                                                                                                                                                                           Health Record
                                      IRS Pub 1075
       Requirement

                                                        NIST 800-53

                                                                                                                                                                           Technology
                      Control ID

                                                                                                                                                                                                       Solutions
 Assign and          00514         § 5.6.1,          App F §                                            CSR                  § 164.308                                                        CA IdentityMinder
 maintain user                     § 5.6.7,          AC-2, App                                          1.4.1(8),            (a)(5)(ii)
 accounts and                      Exhibit           F § AC-                                            CSR 2.8.3,           (D)
 user access                       4 AC-2,           2(1), App F                                        CSR 2.9.3
 management                        Exhibit           § AC-2(4),
 for all systems.                  4 AC-13,          App F §
                                   Exhibit           AC-2(5)
                                   4 IA-4,
                                   Exhibit 8
                                   Control
                                   17, Exhibit
                                   8 Control
                                   18

 Control the         00515         § 5.6.7,          App F §          AC-2.1,                           CSR 2.9.20                                                         § 170.302(t)       CA IdentityMinder,
 addition and                      Exhibit 4         AC-2(c),         AC-2.3,                                                                                                                 CA ControlMinder
 modification                      IA-4              App F §          AC-2(1),
 of user IDs,                                        AC-2(d)          IA-4.1
 credentials, or
 other object
 identifiers.

 Verify user         04567         Exhibit 4                                                                                 § 164.312                                                        CA IdentityMinder
 identities                        IA-5                                                                                      (d)
 before
 manually
 resetting a
 password.
 Remove              00517         Exhibit 8         App F §          AC-2.4,                           CSR 2.9.18                                                                            CA IdentityMinder,
 inactive user                     Control 05        AC-2, App        AC-2(3),                                                                                                                CA CA
 accounts and                                        F § AC-          AC-2.18,                                                                                                                GoveranceMinder
 temporary user                                      2(2), App F      IA-4.1
 accounts at                                         § AC-2(3)
 least every
 90 days.

 Enforce             00558         § 5.6.15,         App F §          AC-3, SC-                         CSR 2.5.9,                                                                            CA ControlMinder
 assigned                          Exhibit 4         AC-3, App        2, SC-3,                          CSR 4.1.2,
 authorizations                    SC-2              F § SC-2,        SC-3(1),                          CSR 4.7.1,
 for system                                          App F §          SC-3(2),                          CSR 4.7.2,
 access and                                          SC-3, App        SC-3(3),                          CSR 4.7.5
 separate user                                       F § SC-4         SC-3(4),
 functionality                                                        SC-3(5),
 from system                                                          SC-4
 management
 functionality.
18 | WHITE PAPER: IRS 1075 COMPLIANCE                                                                                                                                                       ca.com

                                                                                                                              HIPAA Security Rule

                                                                                                                                                    HIPAA Privacy Rule
                                                                                                          Requirements CSR
                                                                                                          CMS Core Security

                                                                                                                                                                         HIPAA Electronic

                                                                                                                                                                                                     CA Technologies
                                                                                        PCI PA DSS 1.1
                                                                         NIST 800-53A

                                                                                                                                                                         Health Record
                                      IRS Pub 1075
       Requirement

                                                        NIST 800-53

                                                                                                                                                                         Technology
                      Control ID

                                                                                                                                                                                                     Solutions
 Ensure the          01429         § 5.6.15,         App F § IA-      IA-3, IA-                          CSR                                                                                CA AuthMinder,
 system                            Exhibit           3, App F §       3.4                                10.8.4,                                                                            CA SiteMinder
 identifies and                    4 IA-3,           SC-16                                               CSR
 authenticates                     Exhibit 4                                                             10.8.9,
 approved                          SC-23                                                                 CSR
 devices before                                                                                          10.10.1(1)
 establishing a
 connection to
 restricted data.

 Ensure              01750         § 5.6.15,         App F §          IA-3, IA-                          CSR 2.3.3,                                                                         CA SiteMinder,
 electronic                        Exhibit 4         AC-18            3.4                                CSR 10.8.9                                                                         CA ARCOT
 authentication                    SC-23
 is established
 before
 transmitting
 restricted data
 or restricted
 information
 between
 devices.

 Control remote      01421         § 5.6.1, §        App F §          AC-17(3),                          CSR                                                                                CA ControlMinder
 access through                    5.6.17.3          AC-17(3)         AC-17.16                           2.9.11,
 a network                                                                                               CSR
 access and                                                                                              2.9.20,
 control point.                                                                                          CSR
                                                                                                         10.10.4

 Monitor             00585         Exhibit 4         App F §          IR-5,                                                                                                                 CA ControlMinder,
 systems for                       IR-5              AC-19,           IR-5(1),                                                                                                              CA UARM
 inappropriate                                       App F § IR-      IR-5.8
 usage.                                              5, App F §
                                                     IR-5(1)

 Monitor             01222         Exhibit 4         App F §          SC-5,                              CSR 10.2.5                                                                         CA ControlMinder,
 systems for                       SC-5              SC-5, App        SC-5(1),                                                                                                              CA UARM
 denial of                                           F § SC-          SC-5(2),
 service attacks.                                    5(1), App F      SC-5.4,
                                                     § SC-5(2)        SC-5.8,
                                                                      SC-5.10

 Configure the       00555         § 5.6.1,                           AC-7, AC-                          CSR 2.9.10                                                                         CA ControlMinder,
 system to                         Exhibit                            7.3                                                                                                                   CA SiteMinder
 lock out user                     4 AC-7,
 IDs after not                     Exhibit 8
 more than a                       Control 10
 predefined
 number
 of access
 attempts.
19 | WHITE PAPER: IRS 1075 COMPLIANCE                                                                                                                                                   ca.com

                                                                                                                          HIPAA Security Rule

                                                                                                                                                HIPAA Privacy Rule
                                                                                                      Requirements CSR
                                                                                                      CMS Core Security

                                                                                                                                                                     HIPAA Electronic

                                                                                                                                                                                                 CA Technologies
                                                                                    PCI PA DSS 1.1
                                                                     NIST 800-53A

                                                                                                                                                                     Health Record
                                     IRS Pub 1075
      Requirement

                                                    NIST 800-53

                                                                                                                                                                     Technology
                     Control ID

                                                                                                                                                                                                 Solutions
 Configure          00556         Exhibit 8                       AC-7.1,                            CSR 2.9.10                                                                         CA ControlMinder,
 the Lockout                      Control 11                      AC-7.5                                                                                                                CA SiteMinder
 duration to
 a predefined
 time period.

 Configure          00520         Exhibit                                                            CSR                                                                                CA ControlMinder,
 passwords so                     4 IA-5,                                                            2.9.9(4)                                                                           CA SiteMinder,
 that users will                  Exhibit 8                                                                                                                                             CA IdentityMinder
 change their                     Control
 passwords on                     02 thru
 a regular basis.                 Exhibit 8
                                  Control 04
 Configure the      01703         Exhibit 8                       IA-5.1,                                                                                                               CA IdentityMinder,
 minimum                          Control 07                      IA-5.7                                                                                                                CA ControlMinder
 password age.

 Configure the      01704         Exhibit 8                       IA-5.1,                                                                                                               CA IdentityMinder,
 maximum                          Control                         IA-5.7                                                                                                                CA ControlMinder
 password age.                    02, Exhibit
                                  8 Control
                                  03

 Configure          01705         Exhibit 8                                                          CSR                                                                                CA IdentityMinder,
 the password                     Control 01                                                         2.9.9(6)                                                                           CA ControlMinder
 length to
 the least
 allowable.

 Configure          01706         Exhibit 8                                                          CSR                                                                                CA IdentityMinder,
 the password                     Control 01                                                         2.9.9(7)                                                                           CA ControlMinder
 complexity
 setting.

 Configure          01707         Exhibit 8                       IA-5.1,                            CSR                                                                                CA IdentityMinder,
 the password                     Control 06                      IA-5.7                             2.9.9(8)                                                                           CA ControlMinder
 history setting
 so that
 users cannot
 submit a new
 password that
 is the same as
 the previous
 few used.

 Configure the      02037         § 5.6.7,                        IA-5.1,                            CSR                                                                                CA ControlMinder
 system to                        Exhibit                         IA-5.7                             2.9.9(3),
 use asterisks                    4 IA-6,                                                            CSR
 to mask                          Exhibit 8                                                          2.9.9(5)
 passwords.                       Control 14
20 | WHITE PAPER: IRS 1075 COMPLIANCE                                                                                                                                                         ca.com

                                                                                                                                HIPAA Security Rule

                                                                                                                                                      HIPAA Privacy Rule
                                                                                                            Requirements CSR
                                                                                                            CMS Core Security

                                                                                                                                                                           HIPAA Electronic

                                                                                                                                                                                                       CA Technologies
                                                                                          PCI PA DSS 1.1
                                                                          NIST 800-53A

                                                                                                                                                                           Health Record
                                       IRS Pub 1075
        Requirement

                                                         NIST 800-53

                                                                                                                                                                           Technology
                       Control ID

                                                                                                                                                                                                       Solutions
 Configure the        00881         Exhibit 8         App F §                                                                                                                                  CA ControlMinder
 system security                    Control 13        AC-18(4)
 parameters
 to prevent
 system misuse
 or information
 misappropriation.

 Digitally sign       04493         § 5.6.17.5                                                             CSR 10.3.5                                                                          CA DataMinder
 and encrypt
 all email.

 Verify that there    01579         Exhibit 8                                                                                                                                                  CA ControlMinder
 are no accounts                    Control 16
 with empty
 password fields.

 Configure the        01710         Exhibit 8                          AC-11,                              CSR 2.9.10                                                                          CA IdentityMinder,
 account lockout                    Control 11                         AC-11.3                                                                                                                 CA ControlMinder
 duration.
 Configure the        01574         § 5.6.1,                                                               CSR 2.9.10                                                                          CA ControlMinder
 retry limit for                    Exhibit
 account lockouts                   4 AC-7,
 according to                       Exhibit 8
 applicable                         Control 10
 standards.

 Protect the          00565         § 5.6.10,         App F §          SC-9,             § 12.2                                                                                                CA ControlMinder,
 confidentiality                    § 5.6.15,         SC-9             SC-9(1),                                                                                                                CA DataMinder
 of restricted                      Exhibit                            SC-9.7
 data, restricted                   4 MP-5,
 information,                       Exhibit 4
 or restricted                      SC-9
 messages by
 prohibiting
 them from
 being sent via
 email or instant
 messaging.
21 | WHITE PAPER: IRS 1075 COMPLIANCE                                                                              ca.com

Appendix B: CA Technologies Security Solution Description
CA Technologies has reviewed both NIST SP 800-53 and IRS Publication 1075 to determine which CA Technologies security
solutions would aid in meeting their requirements. Based on the various security controls outlined in those documents there are
several CA Technologies security solutions that are appropriate and are highlighted in the CA Technologies Security Products
Mapped to NIST SP 800-53 Controls table. A description of those solutions can be found below.

 CA Technologies
                            Capabilities                                            Why Does it Matter?
 Product

 CA IdentityMinder™         • User provisioning: The solution provides              The benefits of identity management are:
                              automated creation and management of user             • Reduced costs: Automation, delegation, and self-
                              accounts and their access to enterprise resources.      service can reduce the total number of IT trained
                            • Delegated administration: The solution allows           administrators relative to the number of user
                              organizations to selectively distribute user          • Improved security: Who can access user data
                              administration tasks to those best equipped             and change that data, who can create and who
                              to provide services.                                    can delete user accounts is tightly controlled and
                            • Integrated compliance: The solution supports an         auditable.
                              organization’s regulatory compliance by enforcing     • Increased productivity: Users are provisioned
                              identity policies and providing centralized             new accounts and access rights quickly and
                              auditing.                                               transparently as they enter the organization,
                            • Self-service: The solution provides easy-to-use         change roles, or get promoted.
                              web interfaces that allow end users to reset a
                              forgotten password, retrieve a forgotten ID, update   For more information, please read our solution brief:
                              their profile, or request additional access.          ca.com/us/~/media/Files/ProductBriefs/
                                                                                    CA-IdentityMinder-product-sheet.pdf

 CA GovernanceMinder™       • Access privilege cleanup: The solution provides a     The benefits of identity access governance are:
                              patent-pending analytics engine that can quickly      • Improved return on investment: Cleaning up
                              identify user access anomalies.                         user entitlements and establishing a role model
                            • Entitlement certification: The solution can             will decrease the time to deploy an identity
                              automate and streamline user, role, or resource         management system.
                              certifications required to meet security or           • Mitigated risk: Actively monitoring for access
                              regulatory compliance audits.                           violations and/or anomalies will allow IT Security
                            • Identity compliance: The solution allows                to address potential risks more quickly.
                              organizations to establish and enforce cross-         • Improved compliance: Reports and dashboards
                              system identity policies.                               will increase visibility into security and
                            • Role lifecycle management: The solution can             compliance status.
                              discover, analyze, consolidate, and manage roles
                              and the users/resources assigned to those roles.      For more information, please read our solution brief:
                                                                                    ca.com/us/~/media/Files/SolutionBriefs/identity-
                                                                                    and-access-goverance-SB.pdf
22 | WHITE PAPER: IRS 1075 COMPLIANCE                                                                                 ca.com

 CA Technologies
                             Capabilities                                            Why Does it Matter?
 Product

 CA SiteMinder®              CA SiteMinder provides a centralized security           The web SSO solution can help:
                             management foundation that enables secure use           • Provide shared access management services
                             of the web to deliver applications and cloud services     across all internal web applications
                             to customers, partners, and employees.
                                                                                     • Provide unparalleled scalability and performance
                             CA SiteMinder enables web single sign-on (SSO),           to meet business needs
                             centralized authentication, session management,         • Integrate with on-premise infrastructure with
                             and auditing, policy-based authorization, and             minimal customization
                             enterprise-level manageability. It also supports        • Improve regulatory compliance via centralized
                             multiple types of authentication credentials,             auditing and reporting
                             including basic, forms, and two-factor.
                                                                                     For more information, please read our solution brief:
                                                                                     ca.com/us/~/media/Files/DataSheets/
                                                                                     ca-siteminder-datasheet.pdf

 CA SiteMinder® Federation   CA SiteMinder Federation provides standards-based       The identity federation solution can help:
                             federation capabilities that enable users of one        • Provide shared access management services
                             organization to easily and securely access the data       to externally-hosted web applications
                             and applications of other organizations and cloud
                             services without an additional login.                   • Integrate with external identity and/or service
                                                                                       providers via standard protocols
                             CA SiteMinder Federation is tightly integrated with     • Improve user experience through SSO
                             CA SiteMinder to expand the web SSO environment         • Reduce service desk burden by eliminating
                             to include external business partner sites and cloud-     additional login credentials for external
                             based applications.                                       applications

                                                                                     For more information, please read our solution brief:
                                                                                     ca.com/us/~/media/Files/DataSheets/cs2047-
                                                                                     ca-siteminder-federation-ds-0212.pdf

 CA AuthMinder™              CA AuthMinder provides additional identity              The strong authentication solution can help:
                             protection for your web applications and portals        • Deploy multi-factor authentication invisibly
                             by allowing organizations to deploy a wide range
                             of strong authentication mechanisms in a cost-          • Provide lower cost of ownership
                             effective and centralized manner.                       • Reduce security risk
                                                                                     • Mitigate against Man-in-the-Middle attacks
                             CA AuthMinder supports a wide range of
                             authentication methods, including user ID/              • Address regulatory compliance requirements
                             password, security question/answer, One-Time-
                                                                                     For more information, please read our solution brief:
                             Password (OTP) via SMS, email, or IVR, OATH
                                                                                     ca.com/us/~/media/Files/DataSheets/
                             tokens, and the unique CA ArcotID®.
                                                                                     ca-authminder-ds-CS3759.pdf
23 | WHITE PAPER: IRS 1075 COMPLIANCE                                                                              ca.com

 CA Technologies
                          Capabilities                                              Why Does it Matter?
 Product

 CA RiskMinder™           CA RiskMinder provides real-time protection against       The adaptive authentication solution can help:
                          identity theft and online fraud via risk-based,           • Reduce losses due to identity fraud
                          adaptive authentication. CA RiskMinder evaluates
                          the fraud potential of online transactions and            • Align risk rules to your business needs
                          calculates a risk score based on User, Device, and        • Address regulatory compliance requirements
                          IP Geo-location data. CA RiskMinder can block,            • Deploy multi-factor authentication invisibly
                          quarantine, or prompt for additional authentication
                          credentials for any transaction whose risk score          For more information, please read our solution brief:
                          exceeds a defined threshold. All of this is done          ca.com/us/~/media/Files/ProductBriefs/
                          transparently without inconveniencing legitimate,         CA-RiskMinder-product-brief-key-features.pdf
                          low-risk users.

 CA ControlMinder™        CA ControlMinder provides comprehensive access            The host access control solution can help:
                          controls on all common operating systems. It is           • Mitigate risk
                          designed to control access to system resources,
                          programs, files and processes through security            • Regulate and audit privileged user access
                          policies, which can be created, managed and               • Enforce server-based compliance and reporting
                          distributed on an enterprise-wide basis. These            • Reduce administration cost and complexity
                          policies are required in order to enforce separation
                          of administrative duties on the servers, consistent       For more information, please read our solution brief:
                          with industry best practices. Finally, CA ControlMinder   ca.com/us/~/media/Files/ProductBriefs/
                          also provides auditing tools that let you trace           ca-access-control-product-brief-vF.pdf
                          users’ activities to track attempted misuse of the
                          computer system.

 CA ControlMinder™        CA ControlMinder-SAM implements the concept of            The shared account management solution can help:
                          a “password vault”, and provides secure access to         • Mitigate risk
 Shared Account Manager   privileged accounts and accountability of privileged
 (SAM)                    access through the issuance of passwords on a             • Enable accountability
                          temporary, one-time use basis, or as necessary while      • Eliminate hard-coded passwords
                          providing user accountability of their actions through    • Facilitate regulatory compliance
                          secure auditing. CA ControlMinder-SAM is also
                                                                                    • Reduce costs
                          designed to allow applications to programmatically
                          access system passwords and, in so doing, remove          • Improve efficiency
                          hard-coded passwords from scripts, batch files,
                          ODBC and JDBC wrappers. This support is available         For more information, please read our solution brief:
                          for a multitude of servers, applications (including       ca.com/us/~/media/files/datasheets/
                          databases) and network devices in a physical or           ca-controlminder-shared-account-management-
                          virtual environment.                                      ds.aspx
24 | WHITE PAPER: IRS 1075 COMPLIANCE                                                                                 ca.com

 CA Technologies
                           Capabilities                                               Why Does it Matter?
 Product

 CA Session Recording      CA Session Recording provides a deep understanding         The session recording solution can help:
                           of what truly is taking place on corporate servers and     • Audit and record all user activities
                           desktops. Video replay provides clear-cut evidence
                           of precise user actions. CA Session Recording is           • Provide VCR playback of user activities
                           protocol agnostic, capturing user activity in RDP,         • Reduce cost to investigate a security violation,
                           SSH, Telnet, Citrix published apps, VMware sessions,         unscheduled outage, or data breach
                           screen-sharing apps, or direct console login. And
                           unlike system logs, CA Session Recording shows             For more information, please read our solution brief:
                           exactly which applications were run and what files         ca.com/~/media/Files/DataSheets/CA-Session-
                           were accessed. This can eliminate blind spots that         Recording-Data-Sheet.pdf
                           currently exist for applications that do not product
                           their own logs and/or provide insufficient log data.

 CA ControlMinder™ for     CA ControlMinder for Virtual Environments provides         The shared account management solution can help:
 Virtual Environments      secure privileged user access to virtual machines,         • Mitigate risk
                           hypervisor service consoles, and virtual appliances—
                           helping organizations control privileged user              • Regulate and audit privileged user access
                           actions, secure access to the virtual environment,         • Improve compliance and reporting
                           and comply with industry mandates. It delivers key         • Reduce administration cost and complexity
                           capabilities to manage privileged user passwords,
                           harden the hypervisor service console, and monitor         For more information, please read our solution brief:
                           privileged user activity. It also provides a centralized   ca.com/~/media/Files/SolutionBriefs/ca_access_
                           foundation for privileged user management that             control_for_virtual_environments_solution_brief.pdf
                           serves as a single portal for securing privileged user
                           access across virtual and physical environments.

 CA ControlMinder™         CA User Activity Reporting provides user activity          CA ControlMinder UARM provides:
 User Activity Reporting   and compliance reporting for identity, access and          • Simplified user activity reporting. Automated
 Module (UARM)             information usage across physical, virtual and cloud         reporting of user activity enables organizations
                           environments. It is designed to effectively verify           to assess “what happened” more quickly.
                           security controls and to streamline reporting and
                           investigation of user and resource access activities,      • Automatic compliance updates. Enable continuous
                           in order to improve efficiencies and accelerate and          compliance and analysis of trends in user activity.
                           simplify compliance.                                       • Rapid time to value. Easy-to-use report
                           • User activity and compliance reporting. Provides           customization wizard to accelerate
                             predefined and customizable reports mapped                 deployment time.
                             to common security auditing guidelines and
                                                                                      For more information, please read our solution brief:
                             compliance regulations.
                                                                                      ca.com/us/~/media/Files/DataSheets/ca-user-
                           • User activity investigation. Delivers visual log         activity-reporting-module-ps-us-en.pdf
                             analysis tools with drill-down capabilities that can
                             expedite the investigation of user and resource
                             activities and identify policy violations.
                           • User activity log correlation. Provides predefined
                             and customizable log-correlation capability,
                             focusing on connecting user activity with the
                             individual who performed it.
25 | WHITE PAPER: IRS 1075 COMPLIANCE                                                                             ca.com

 CA Technologies
                          Capabilities                                           Why Does it Matter?
 Product

 CA DataMinder™           CA DataMinder is an information protection and         CA DataMinder helps you to:
                          control solution that helps minimize the accidental,   • Discover where your sensitive information resides,
                          negligent and malicious misuse of data while             classify it according to its level of sensitivity, and
                          helping comply with various data protection              enforce data handling policies.
                          standards and regulations. Through the delivery of
                          broad information and communication coverage,          • Tailor your information protection policy
                          precise policy enforcement and Identity and Access       enforcement to the specific attributes of each user
                          Management, organizations are able to take a             and their role.
                          comprehensive approach to reducing risk to             • Protect your company against the reputational
                          their most critical assets while enabling critical       damage from information breach or theft.
                          business processes.                                    • Achieve rapid time-to-value; the modular
                                                                                   components help simplify the deployment process.

                                                                                 For more information, please read our solution brief:
                                                                                 ca.com/us/~/media/Files/ProductBriefs/
                                                                                 ca-dataminder-ps.pdf
26 | WHITE PAPER: IRS 1075 COMPLIANCE

                        Section 6:

                        About the Author
                        Chris Boswell has over 13 years of experience developing and implementing security, risk and
                        compliance solutions. During his tenure at CA Technologies, Chris has held a variety of technical
                        and management positions across our security services, product management and sales organizations.
                        His work in the governance, risk and compliance domain has led to several patent filings for
                        CA Technologies. Chris currently coordinates sales activities for our information protection and control
                        solutions, CA DataMinder™ and CA ControlMinder™, and works closely with product and development
                        teams on behalf of customers to address emerging security, risk and compliance challenges.

                                                              Connect with CA Technologies at ca.com

                        Agility Made Possible: The CA Technologies Advantage
                        CA Technologies (NASDAQ: CA) provides IT management solutions that help customers manage
                        and secure complex IT environments to support agile business services. Organizations leverage
                        CA Technologies software and SaaS solutions to accelerate innovation, transform infrastructure
                        and secure data and identities, from the data center to the cloud. CA Technologies is committed
                        to ensuring our customers achieve their desired outcomes and expected business value through
                        the use of our technology. To learn more about our customer success programs, visit ca.com/
                        customer-success. For more information about CA Technologies go to ca.com.

                        Copyright © 2013 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document
                        is for your informational purposes only. CA assumes no responsibility for the accuracy or completeness of the information. To the extent permitted by applicable law,
                        CA provides this document “as is” without warranty of any kind, including, without limitation, any implied warranties of merchantability, fitness for a particular purpose,
                        or non-infringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits,
                        business interruption, goodwill or lost data, even if CA is expressly advised in advance of the possibility of such damages. CA does not provide legal advice. Neither this
                        document nor any software product referenced herein serves as a substitute for your compliance with any laws (including but not limited to any act, statute, regulation,
                        rule, directive, standard, policy, administrative order, executive order, and so on (collectively, “Laws”), referenced herein or any contract obligations with any third parties.
                        You should consult with competent legal counsel regarding any such Laws or contract obligations..                                                          CS200-26950_0913
You can also read
Next slide ... Cancel