Cybersecurity is an increasingly critical concern for private-sector businesses eyeing Internal Revenue Service (IRS) contracts, especially as cyber attacks and threats grow in sophistication and frequency. Both the federal agency and its suppliers or vendors have to implement audit and accountability controls, which are important data security measures recommended by the National Institute of Standards and Technology (NIST). Compliance with these regulations is necessary if you’re eyeing a contract with the IRS or you’re already in business with the agency.

However, what specific NIST Special Publication 800-53 and IRS Publication 4812 audit and accountability requirements merit your attention? Also, why does the IRS impose its own cybersecurity standards, and how can a Security Information and Event Management (SIEM) solution help your company comply? Let’s find answers below:

Outsourcing Exposes the IRS to Additional Cybersecurity Challenges

The IRS has been outsourcing some of its functions to private-sector contractors for some time. In doing so, the agency sometimes shares Federal Tax Information (FTI) or Sensitive But Unclassified (SBU) information with these third parties, creating potential points of data exposure. As such, IRS Publication 4812 requires contractors to implement specific audit and accountability controls to safeguard any protected personal data or federal information they receive from the agency.

As a private contractor, you’re required to bring your Information Technology (IT) systems and devices up to IRS cybersecurity standards if you maintain, store, or handle IRS taxpayer data, Personally Identifiable Information (PII), or Protected Health Information on behalf of the IRS. The agency expects you to develop capabilities for a comprehensive audit of events within your IT systems, which helps to scrutinize and deter cyber threats.

What are NIST SP 800-53 Audit and Accountability Guidelines?

NIST SP 800-53 provides guidelines that federal agencies and contractors should follow when designing and developing cybersecurity measures in line with the Federal Information Security Management Act (FISMA). The IRS used the publication as the basis for developing its own standards to impose on vendor-operated IT systems that collect, maintain, process, or transmit SBU or FTI.

NIST SP 800-53 audit and control components require an organization to ascertain that its IT infrastructure supports several cybersecurity functions, including:

  • Event auditing: It should be possible to track all events that have taken place within a system. An organization should provide a comprehensive definition of auditable events, such as password changes and unsuccessful logins.
  • Information disclosure: There must be a way to automatically track any unauthorized disclosure of sensitive or protected organizational information via platforms such as social media and commercial websites.
  • Audit generation and reporting: The system should be capable of generating audit records for all monitored events.
  • Time stamps: The system must capture and reveal the day and time for audit records.
  • Session audits: Authorized users, such as administrators, should be able to inspect other users’ activities in a system, such as keystrokes and web portal visits.

IRS Publication 4812 Audit and Accountability Requirements

In Publication 4812, the IRS lists IT assets and system events that organizations doing business with the agency must be able to audit and monitor to restrict and detect access to IRS data. It should be possible for these contractors and subcontractors to track the usage of their computer servers, mobile devices, laptops, websites, software, databases, networks, and other digital resources that contain protected personal data or FTI.

If you’re in business with the IRS, a thorough audit of your IT assets as per Publication 4812 should address the following key cybersecurity concerns:

  1. Who has accessed your business website, on-premises system, or mobile app in the past, what was the time of access, and what actions did users perform while logged on? Logon/logoff event security logs can answer these questions.
  2. What changes in user rights or security credentials have taken place within the system? If a user has changed their login password, are they authorized to do that? A security audit requires full visibility into the assignment and modification of file or user permissions.
  3. Can you track system administrator (SA) activities, including commands invoked while logged on as SA? Typically, users with SA privileges may access privileged accounts, and they might have the authority to assign super-user permissions. It is essential to monitor these accounts and actions to determine that the wrong people are not gaining access to restricted system resources, such as components containing FTI. An audit of security administrator commands is also necessary.
  4. Is the audit log file intact? A successful intruder might attempt to cover their tracks by clearing the audit log, so it is essential to track such an event and identify the user behind it.
  5. How many times has the system been accessed remotely?
  6. Is the application of user identification and authentication protocols evident? Have there been attempts to access the system using the wrong ID and password?
  7. When are audit controls activated or deactivated?

Complying With IRS Cybersecurity Regulations: How a SIEM Solution Can Help

SIEM software can help auditors determine whether or not you’re meeting IRS Publication 4812 audit requirements. When you deploy the tool, it continually monitors your entire digital footprint, from on-premises computers, software, and cloud-based portals to network, antimalware, and firewall systems. It collects and aggregates log data from your company’s IT infrastructure.

SIEM software performs three critical audit and accountability functions:

  1. Reporting: The tool reports on all suspicious system activities, including flagged intrusion attempts and malware activity. It tracks system administrator activities as well as successful and failed logons.
  2. Analytics: It analyzes and categorizes events taking place within a system, singling out any incident that constitutes a potential cybersecurity breach.
  3. Notification: It notifies system administrators, IT managers, or cybersecurity providers whenever it detects potential threats or intrusions.
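
How the seven Publication 4812 audit questions and the three SIEM functions above fit together, as an added example that is not from the original article or from any SIEM product. It assumes Windows Security event IDs as the log source, a constructed comma-separated record format, and an alert threshold of three failed logons chosen for illustration.

```python
from collections import Counter, defaultdict

# Windows Security event IDs mapped to the audit question (1-7) they help answer.
QUESTION_BY_EVENT = {
    4624: 1, 4634: 1,           # successful logon, logoff
    4723: 2, 4724: 2, 4732: 2,  # password change, password reset, group member added
    4672: 3, 4688: 3,           # special privileges at logon, process creation
    1102: 4,                    # audit log cleared
    4625: 6,                    # failed logon
    4719: 7,                    # system audit policy changed
}
REMOTE_LOGON_TYPE = "10"        # RemoteInteractive logon; feeds question 5
FAILED_LOGON_THRESHOLD = 3      # assumed alert threshold, not an IRS-defined value

# Constructed sample records (timestamp,event_id,user,logon_type), not real logs.
SAMPLE = """\
2024-05-01T09:00:01Z,4625,svc_tax,10
2024-05-01T09:00:03Z,4625,svc_tax,10
2024-05-01T09:00:05Z,4625,svc_tax,10
2024-05-01T09:00:09Z,4624,svc_tax,10
2024-05-01T09:01:00Z,4672,svc_tax,-
2024-05-01T09:02:10Z,4732,svc_tax,-
2024-05-01T09:03:00Z,4719,svc_tax,-
2024-05-01T09:03:30Z,1102,svc_tax,-
2024-05-01T09:04:00Z,4634,svc_tax,10
"""

def audit(text):
    """Return (events grouped by audit question, alerts to send to administrators)."""
    report, failed, alerts = defaultdict(list), Counter(), []
    for line in text.strip().splitlines():
        parts = line.split(",")
        if len(parts) != 4 or not parts[1].isdigit():
            continue                              # skip malformed records
        ts, event_id, user, logon_type = parts[0], int(parts[1]), parts[2], parts[3]
        question = QUESTION_BY_EVENT.get(event_id)
        if question is None:
            continue                              # event not in the audit mapping
        report[question].append((ts, event_id, user))            # reporting
        if event_id == 4624 and logon_type == REMOTE_LOGON_TYPE:
            report[5].append((ts, event_id, user))                # remote access count
        if event_id == 4625:                                      # analytics
            failed[user] += 1
            if failed[user] == FAILED_LOGON_THRESHOLD:
                alerts.append(f"{ts} repeated failed logons for {user}")
        if event_id in (1102, 4719):                              # notification
            alerts.append(f"{ts} audit trail altered by {user} (event {event_id})")
    return dict(report), alerts
```

Calling `audit(SAMPLE)` returns the events grouped by question number and three alerts: one for the repeated failed logons and one each for the audit policy change and the cleared audit log.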

Five Benefits of Outsourcing Cybersecurity

One of the most critical services that companies benefit from is the protection and monitoring of networks and servers by cybersecurity companies. When a company opts to outsource any work, they have the opportunity to receive the best quality of work from other industry experts. When it comes to outsourcing cybersecurity, there should be no hesitation. Here are five reasons that explain why.

Cost Efficiency

You might think that outsourcing work will cost more than finding a way to do it in-house. However, when it comes to protecting important information within your network of devices, outsourcing to a cybersecurity company is the way to go. If you are considering building your own Security Operations Center (SOC) in-house, you should know that the cost can reach as high as three million a year. Instead of having to hire a team of security analysts, implement training, go through turnover, and install a variety of security solutions, you can turn to a reliable cybersecurity company for a couple thousand dollars each month.

The Work of Experts

Not only is relying on the service of a cybersecurity company cost efficient, it is also more effective when it comes to reading and creating security solutions. Some companies rely only on software to protect their information, but that is not enough; you need a team of human analysts working alongside the software. Cyber threats are constantly evolving, and security analysts have the deep knowledge needed to combat attacks. They are constantly reading complicated reports, searching for problems, and finding solutions. If that doesn’t sound all that hard, just think about the fact that individuals can now earn college degrees in cybersecurity.

Real-Time Monitoring and Instant Analysis

With the quality software and work of real security analysts that you get from cybersecurity companies, you will be able to detect potential breaches in your network as soon as they happen instead of days, weeks, or months later.

Advanced Monitoring

Diving further into what outsourced services can do for your company, you need to know what different software can do for you when managed correctly. With SIEM-as-a-service solutions that rely on the FortiSIEM platform, you are able to customize your security defense to watch out for specific threats that are common in your line of work. With constant updates in servers, computers and other electronics, you can have a team of experts managing your SOC and preparing your network for new threats; they will be able to pinpoint potential problems and threats as soon as they become dangerous.

Time Efficiency

As with just about any service that you outsource, when you eliminate one line of work or task, you simply free up time for you to be able to focus on more important matters. The company you work with is most likely not a cybersecurity company and therefore has other things to worry about. Outsourcing your cybersecurity needs will give your company one less thing to worry about.

Outsourcing your cybersecurity will ensure that you follow the compliance guidelines and get the protection you need. These five benefits will truly make a difference for your company.

Summing it Up

Organizations eyeing IRS contracts must comply with the federal agency’s Publication 4812 cybersecurity rules, or they may miss out on any business that involves handling, storing, or transmitting SBU data or FTI. At KTG, we can set up and manage FortiSIEM to help your company meet IRS Publication 4812 system audit requirements. Get in touch with our cybersecurity experts to learn more!