Simplifying Agency ComplianceOregon Initiative to Comply with IRS Rules Gains Attention
Spearing heading the movement, a more cost effective and efficient way to have agencies comply with IRS Publication 1075: Tax Information Security Guidelines for Federal, State and Local Agencies, is state chief information security office Theresa Masse.
"Rather than each one of them developing a particular solution, they felt it would be more efficient and productive ... to work together," Masse says in an interview (transcript below).
Government agencies - whether federal, state or local, or any other organization, for that matter - receiving tax information from the IRS must document how they protect taxpayer information they receive.
Oregon has a consolidated data center that multiple agencies receiving IRS data use. Each agency previously would perform individually a risk assessment. Now, they're coming together and doing one assessment following requirements laid out by the IRS then modifying them to fit each agency's specific needs.
Masse's efforts are catching the attention of other states suit with centralizing compliance in a de-centralized environment.
In the interview, with GovInfoSecurity.com's Eric Chabrow, Masse discusses:
- How the committee functions.
- The CISO's role in coordinating committee activities.
- Interest expressed by other states in replicating the Oregon process.
Masse, Oregon's state chief information security officer since 2004, has been active in getting non-IT security personnel involved in information security (see Giving Non-IT Execs Onus for IT Risk).
Before becoming state CISO, Masse established the information security office at Oregon's Department of Human Services, the state's largest agency. Earlier in her career, she served as director of corporate and information security at engine maker Cummins Inc. Masse holds a master's degree in management from Webster University.
Common Solutions to IRS RequirementsERIC CHABROW: Oregon has established a multi-agency federal tax information committee focused on discussing and identifying Internal Revenue Service requirements that can be addressed through common solutions. What is the IRS requiring the state to do? What are the IT security challenges to meet those IRS requirements?
THERESA MASSE: The IRS has a publication called 1075 and it outlines numerous information security requirements that any agency receiving federal tax information directly from the IRS has to be compliant with. In the past, the agencies that received that data from the IRS have been operating in silos. They all had to be compliant with publication 1075 but they were addressing all those security issues in isolation. So they decided it would be much more cost effective and efficient if they got together. There are a number of requirements that are common and that they can share. Rather than each one of them developing a particular solution, they felt it would be more efficient and productive for them to work together.
This is kind of revolutionary in this area for the agencies. They're very protective of IRS and TI (tax information) data but they did see the benefit in working together. We have a committee comprised of those agencies that receive that data. The Department of Human Services, the Oregon Health Authority, Employment, Revenue Department and Department of Justice all receive that type of data and they got together. There are some other folks that have joined the committee from our state data center where the servers and the data is actually housed.
We established a committee late last year, and one of the first things they did was they developed a spreadsheet that outlined the requirements of Publication 1075. It's a fairly detailed spreadsheet listing each of the requirements. It talks about the status, the type of control and what the actual safeguard action item is. Then there's a list of subcommittees and which subcommittee is directing each of the issues. So they've really taken a very project management approach to this and they seem to be extremely pleased. We've done a lot of work. Some of the things that they've accomplished is they've developed a training package. Any agency that's handling IRS FTI (Federal Tax Information) data has to provide specific training to anyone who comes in contact, whether it's an employee or a contractor. Each of them have their own little training programs, none of them they felt were very good. So they got together, joined forces and developed a training package that we now have in front of the IRS. We're asking them to review and approve it, or give us some recommendations on any revisions that we need to make. Apparently this is an original step forward because we have inquiries from other states who have said, "Wow, are you doing this? When you're finished would you please share it with us?" I think that's really great. There seems to be a lot of interest from other states in our approach to this of working together, formulating responses to requirements that each of them have in front of them and that they have to meet. There are a lot of policies that they have to develop again. Rather than each of them developing their own policies they're going to develop a common policy. And if they need to make some modification to it they can but it will save each of them going through that effort individually.
Centralized InitiativesCHABROW: You're talking about some common issues. Can you give us some examples of the kinds of issues that you're dealing with and how they're being resolved?
MASSE: One of the things that the agencies need to do is, starting in the summer of this year, they have to conduct an internal inspection of our consolidated data center every 18 months. Multiple agencies that receive IRS data are using the same data center and so what they're going to do is come together and do a single assessment rather than each of the agencies going to our data center needing to do an assessment. They're going to come together and they're going to do one assessment following the requirements that the IRS has laid out. It's both a physical and an IT assessment. We'll only have to do one and we'll be able to give that information back to the IRS. That's much more efficient than each of them doing this on their own.
CHABROW: You also spoke about training. What does the training involve?
MASSE: We have an online training package that we've developed. It's about 30 minutes. There are really very few penalties if you don't provide training. We've piloted this online training program and we're going to be sharing it with the agencies who receive IRS FTI data. Once we hear back from the IRS, if they have any recommendations on changes they want to see to it, we're going to start to roll it out to our contractors also. It really involves anybody who comes in contact with IRS FTI data, whoever that might be. Whether it's cleaning staff or any other type of staff, they have to have some training. Having it online means that we can track it better. We'll know who has taken the training. They have to take it on an annual basis. We'll be able to audit. We're going to be much more confident at being able to respond to the IRS when they've asked have you trained everybody. How can you validate that you've done it?
CHABROW: What are they being trained in?
MASSE: They're being educated on how IRS FTI data has to be appropriately secured. You're not supposed to leave it out on your desk, it has to be locked up in file cabinets and it has to be encrypted when it's in transmission; all these types of things that anyone handling or coming in contact with IRS FTI data has to be aware of and has to demonstrate that they have received training annually on.
CHABROW: And this includes a wide variety of employees and contractors?
MASSE: Correct, and their definition is anyone who comes in contact with that data has to have training.
CHABROW: What is your role in this?
MASSE: My role is in facilitating the committee and ensuring that we are covering all the assets of the requirements of the IRS and that we are finding all of the areas where there is commonality where we can work together and share a final work product, rather than an agency having to go it alone. They just needed somebody to bring them together, give them a central focus point, make sure it's being handled as a project and a program and giving it some structure. Much of the work product that we've developed we will be able to make some modifications so that it can be used for other federal requirements. What we've tended to find is there is kind of an 80/20 rule. Most of the security requirements you find for HIPAA, for PCI or for IRS are very, very common. So rather than having other agencies have to reinvent the wheel we may be able to make some modifications to the work products and be able to share that with other agencies. These have been created by agencies and sanctioned by agencies and folks in the federal government. I think it's a pretty efficient and effective approach to doing this.
CHABROW: Was there much of an investment going to start this process?
MASSE: No, it was really just the agencies getting together. As I said each of them needed to ensure that they were compliant. Rather than each of them developing a training package it's actually been more cost effective because we've been able to get together and do it. Each of them has money within their organizations to do this. It's just that we have better standardization and consistency in the type of training that we're providing or policies. They find it to be extremely beneficial and productive to approaches in this manner. They're pretty excited about it and the IRS thinks it's a great idea. They've been very responsive and have said they want to share our work product with other states. That's great.
Moving ForwardCHABROW: Will this be something that will be continuing or will you get to a point where it will just stop? And if that's the case, when will it stop?
MASSE: That would be great if we could see the end game, but one of the challenges is that the IRS continues, and rightfully so, to update their requirements. When they make updates to it that means there is additional workload. We need to make some changes or we need to add something new. We will continue this committee. We're meeting on a monthly basis. Once we have some of the fundamental things in place we may not need to meet as frequently. We'll certainly be keeping in touch with the agencies. They really like getting together, so that's a good thing. As new requirements come out, we'll work together on what those common things are. Working together would be more productive than going it alone.
They're also sharing the results that they get when the IRS comes in to do an audit. Where they can, they will share some of the results, like you need to do this better or you need to do this different, whatever that happens to be. They'll share that; and they never used to in the past. They'll share that with the others so that they can make adjustments. For example, "I didn't realize they were expecting that." They can start to make adjustments to their program. Again, it might spawn another subcommittee where folks can work together. They're pretty excited about it and have done a lot of really good work.