Solutions for Enabling IRS 1075 Compliance - Chris Boswell North American Security
WHITE PAPER | SEPTEMBER 2013
Solutions for Enabling IRS 1075 Compliance
Chris Boswell, North American Security

WHITE PAPER: IRS 1075 COMPLIANCE | ca.com

Table of Contents
Executive Summary
Section 1: Overview of IRS Pub 1075
Section 2: Additional Safeguard Requirements
Section 3: System Audit Management Guidelines
Section 4: Conclusions
Section 5: References
Section 6: About the Author
Executive Summary

Challenge
State and local governments manage and process large volumes of sensitive data on behalf of their constituents every day. As a result, these organizations are subject to a wide variety of both industry and federal information protection and compliance requirements.

Opportunity
CA Technologies offers a suite of security solutions that can help government agencies better protect this sensitive data. By mapping solutions to specific requirements of IRS Pub 1075, you can easily see how to address these security needs.

Benefits
There are multiple ways to address any situation. This paper describes the solution offerings from CA Technologies that protect Federal Tax Information (FTI) and help satisfy the requirements outlined in the Internal Revenue Service Tax Information Security Guidelines for Federal, State and Local Agencies (IRS Pub 1075).
Section 1: Overview of IRS Pub 1075

Internal Revenue Service Publication 1075 defines a broad set of managerial, operational and technical security controls that must be in place to protect Federal Tax Information. The general areas of security addressed in the document are the following control families:

Access Control
Audit and Accountability
Awareness and Training
Security Assessment and Authorization
Identification and Authentication
Incident Response and Reporting
Configuration Management
Contingency Planning
Media Protection
Security Planning
Personnel Security
Maintenance
Risk Assessment
System and Services Acquisition
System and Communications Protection
System and Information Integrity
While many of the controls are described in detail within the document itself, the standard also requires implementation and assessment of certain federally mandated controls outlined in NIST Special Publication 800-53. Below is a listing of those control areas and the CA Technologies security solutions that can be used to help achieve each high-level compliance objective.

CA Technologies Security Products Mapped to NIST SP 800-53 Controls
Solutions considered: CA GovernanceMinder, CA AuthMinder and CA RiskMinder, CA IdentityMinder, CA ControlMinder, CA User Activity Reporting Module, CA DataMinder, CA SiteMinder. Each ✓ marks one solution that supports the control.

AC-1 Access Control Policies and Procedures: primarily procedural control; no CA Technologies security solutions map to this objective
AC-2 Account Management: ✓ ✓
AC-3 Access Enforcement: ✓ ✓
AC-4 Information Flow Enforcement: ✓ ✓
AC-5 Separation of Duties: ✓ ✓
AC-6 Least Privilege: ✓ ✓
AC-7 Unsuccessful Login Attempts: ✓ ✓
AC-8 System Use Notification: ✓
AC-11 Session Lock: ✓ ✓
AC-14 Permitted Actions without Identification or Authentication: ✓ ✓ ✓ ✓
AC-17 Remote Access: ✓ ✓ ✓
AC-18 Wireless Access: no CA security solutions map to this objective
AC-19 Access Control for Mobile and Portable Devices: ✓ ✓
AC-20 Use of External Systems: ✓ ✓
AC-22 Publicly Accessible Content: ✓
AT-1 to AT-4 Awareness and Training: primarily procedural control; no CA Technologies security solutions map to this objective
AU-1, AU-2, AU-4 Audit and Accountability: primarily procedural control; no CA Technologies security solutions map to this objective
AU-3 Content of Audit Records: ✓ ✓ ✓ ✓ ✓ ✓ ✓
AU-5 Response to Audit Processing Failures: ✓
AU-6 Audit Review, Analysis and Reporting: ✓ ✓ ✓ ✓ ✓ ✓ ✓
AU-7 Audit Reduction and Report Generation: ✓
AU-8 Time Stamps: ✓ ✓ ✓ ✓
AU-9 Protection of Audit Information: ✓ ✓
AU-11 Audit Record Retention: ✓
CA-1 to CA-7 Security Assessment and Authorization: primarily procedural control; no CA Technologies security solutions map to this objective
CM-1 to CM-4, CM-8, CM-9 Configuration Management: primarily procedural control; no CA Technologies security solutions map to this objective
CM-2 Baseline Configuration: ✓
CM-5 Access Restrictions for Change: ✓ ✓
CM-6 Configuration Settings: ✓
CM-7 Least Functionality: ✓
CP-1 to CP-10 Contingency Planning: primarily procedural control; no CA Technologies security solutions map to this objective
IA-1 Identification and Authentication Policy and Procedures: primarily procedural control; no CA Technologies security solutions map to this objective
IA-2 User Identification and Authentication: ✓ ✓ ✓
IA-4 Identifier Management: ✓
IA-5 Authenticator Management: ✓ ✓ ✓
IA-6 Authenticator Feedback: ✓ ✓
IA-7 Cryptographic Module Authentication: ✓ ✓
IA-8 Identification and Authentication (Non-Organizational Users): ✓ ✓
IR-1 to IR-4, IR-8 Incident Response: primarily procedural control; no CA Technologies security solutions map to this objective
IR-5 Incident Monitoring: ✓
IR-6 Incident Reporting: ✓
IR-7 Incident Response Assistance: ✓
MA-1 to MA-3, MA-6 System Maintenance: primarily procedural control; no CA Technologies security solutions map to this objective
MA-4 Non-local Maintenance: ✓
MA-5 Maintenance Personnel: ✓
MP-1, MP-3 to MP-6 Media Protection: primarily procedural control; no CA Technologies security solutions map to this objective
MP-2 Media Access: ✓
PE-1 to PE-18 Physical and Environmental Protection: primarily procedural control; no CA Technologies security solutions map to this objective
PL-1 to PL-6 Security Planning: primarily procedural control; no CA Technologies security solutions map to this objective
PS-1 to PS-3, PS-6, PS-8 Personnel Security: primarily procedural control; no CA Technologies security solutions map to this objective
PS-4 Personnel Termination: ✓ ✓ ✓ ✓
PS-5 Personnel Transfer: ✓ ✓
PS-7 Third Party Personnel Security: ✓ ✓
RA-1 to RA-5 Risk Assessment: primarily procedural control; no CA Technologies security solutions map to this objective
SA-1 to SA-11 System and Services Acquisition: primarily procedural control; no CA Technologies security solutions map to this objective
SC-1, SC-8, SC-9, SC-17 to SC-22, SC-32 System and Communications Protection: no CA Technologies security solutions map to this objective
SC-2 Application Partitioning: ✓
SC-4 Information Remnance: ✓ ✓
SC-5 Denial of Service Protection: ✓
SC-7 Boundary Protection: ✓ ✓
SC-10 Network Disconnect: ✓
SC-12 Cryptographic Key Establishment and Management: ✓ ✓
SC-13 Use of Cryptography: ✓
SC-14 Public Access Protections: ✓ ✓
SC-15 Collaborative Computing Devices: no solution marked
SC-23 Session Authenticity: ✓
SC-28 Protection of Information at Rest: ✓
SI-1 to SI-3, SI-5, SI-8, SI-10, SI-11 System and Information Integrity: no CA Technologies security solutions map to this objective
SI-4 Information System Monitoring Tools and Techniques: ✓ ✓ ✓
SI-7 Software and Information Integrity: ✓
SI-9 Information Input Restrictions: ✓
PM-1 to PM-11 Program Management: primarily procedural control; no CA Technologies security solutions map to this objective
Section 2: Additional Safeguard Requirements

The IRS Office of Safeguards may issue additional safeguard requirements for Federal Tax Information between editions of IRS Publication 1075. Some of these additional safeguards are referenced in the current edition of Pub 1075; others are communicated directly on the IRS website. The entries below list the relevant additional safeguards that one or more CA solutions may help satisfy.

Section 9.18.3: Remote access
Guidance: Two-factor authentication is required whenever FTI is being accessed from an alternate work location or when FTI is accessed via the agency's web portal.
CA Technologies capabilities: CA AuthMinder and CA RiskMinder work together to provide two-factor step-up authentication based on risk factors such as the device being used to access information or the location from which users initiate their sessions.

Section 9.18.5: Electronic email
Guidance:
• Generally, FTI should not be transmitted or used on the agency's internal e-mail systems.
• FTI must not be transmitted outside of the agency, either in the body of an email or as an attachment.
• Do not send FTI unencrypted in any email messages.
• The file containing FTI must be attached and encrypted.
CA Technologies capabilities: CA Email Control provides data loss protection capabilities to prevent your organization's FTI from seeping into email. With out-of-the-box policies to detect and control tax information, CA DataMinder can be rapidly deployed to help ensure that such information is not transmitted via email and, when necessary, to encrypt messages appropriately before submission.

Section 9.18.8: Use of FTI in live data testing
Guidance: The use of live FTI in test environments should generally be avoided and is not approved unless specifically authorized by the IRS Office of Safeguards. Dummy data should be used in place of live FTI wherever possible.
CA Technologies capabilities: ITKO's CA LISA platform optimizes the development and testing of composite applications and can be used to create obfuscated dummy data that complies with the IRS live-data requirements. CA also states that CA LISA can reduce software delivery timelines by 30% or more through its proprietary service virtualization technology.

Section 9.18.9: Safeguards technical assistance for protecting Federal Tax Information (FTI) in web portals
Guidance: Access to FTI via the web portal requires a strong identity verification process. The authentication must use a minimum of two pieces of information to verify the identity, although more than two are recommended. One of the authentication elements must be a shared secret known only to the parties involved and issued by the agency directly to the customer.
CA Technologies capabilities: CA AuthMinder and CA SiteMinder work together to provide a common security infrastructure for all web portals, providing strong authentication to sites where sensitive information such as FTI may be accessed.

Section 9.18.12: Protecting FTI in virtual environments
Guidance:
• When FTI is stored in a shared location, the agency must have policies in place to restrict access to FTI to authorized users.
• Programs that control the hypervisor should be secured and restricted to authorized administrators only.
• Separation between virtual machines (VMs) must be enforced, and functions which allow one VM to share data with the hypervisor or another VM, such as clipboard sharing or shared disks, must be disabled.
• Virtualization providers must be able to monitor for threats and other activity that is occurring within the virtual environment. This includes being able to monitor the movement of FTI into and out of the virtual environment.
• The VMs and hypervisor/host OS software for each system within the virtual environment that receives, processes, stores or transmits FTI must be hardened in accordance with the requirements of Publication 1075 and be subject to frequent vulnerability testing.
• Special VM functions available to system administrators in a virtualized environment that can leverage the shared memory space between the hypervisor and VM should be disabled.
• Backups (virtual machine snapshots) must be properly secured and must be stored in a logical location where the backup is accessible only to those with a need to know.
CA Technologies capabilities: CA ControlMinder for Virtual Environments can be deployed to satisfy a majority of the virtual security requirements outlined by the IRS. The solution not only provides capabilities to lock down and harden the host and hypervisor, but also provides a policy enforcement engine to prevent FTI from being accessed by unauthorized users and administrators. The enhanced auditing capabilities provided by Access Control also allow monitoring of virtual environments for insider and other threats that could result in unauthorized disclosure or modification of FTI.

Section 9.18.14: Protecting FTI in a cloud computing environment
Guidance: Software, data, and services that receive, transmit, process, or store FTI must be isolated within the cloud environment so that tenants sharing physical space cannot access their neighbors' physically co-located data and applications.
CA Technologies capabilities: CA ControlMinder for Virtual Environments can be deployed in your cloud infrastructure to promote secure multi-tenancy. Through tight integration with VMware, CA ControlMinder streamlines and automates the isolation of the various operating environments based on a guest and host automated tagging capability. As a result, tenants can share physical space without being able to access physically co-located data and applications.
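The e-mail rules in section 9.18.5 above are the kind of per-message policy a DLP gateway evaluates. The following is an added example written for this page, not CA DataMinder or CA Email Control code: it scans a constructed set of outbound messages for FTI indicators (structurally valid SSNs plus a few IRS-data keywords) and returns BLOCK, ENCRYPT_REQUIRED or ALLOW according to the four bullets. The agency domain, the keyword list, the treatment of encrypted attachments as uninspectable and the sample messages are assumptions made for the example.

```python
"""Outbound e-mail check for Federal Tax Information (FTI) indicators.

Added example for this page; it is not CA DataMinder or CA Email Control code.
It applies the Pub 1075 section 9.18.5 rules: FTI must not leave the agency by
e-mail, FTI must not travel in a message body, and an internal attachment that
carries FTI must be encrypted. The FTI indicator is a structurally valid SSN
(SSA issuance rules: area not 000, 666 or 900-999; group not 00; serial not
0000) or one of a few IRS-data keywords. Domain, keywords and messages are
assumptions constructed for the example.
"""
import re
from dataclasses import dataclass, field

AGENCY_DOMAIN = "revenue.example.gov"   # assumed agency mail domain

# 3-2-4 digits, dashes or spaces optional, not embedded in a longer number.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")
# Whole-word keywords that mark IRS-sourced data even without an SSN.
KEYWORD_RE = re.compile(r"\b(federal tax information|irs transcript|form 1040|fti)\b", re.I)


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject impossible SSNs so phone numbers and ticket IDs do not trigger."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def find_fti_indicators(text: str) -> list[str]:
    """Return the FTI indicators found in text: valid SSNs first, then keywords."""
    hits = [m.group(0) for m in SSN_RE.finditer(text) if is_valid_ssn(*m.groups())]
    hits += [m.group(0) for m in KEYWORD_RE.finditer(text)]
    return hits


@dataclass
class Attachment:
    name: str
    content: str
    encrypted: bool = False   # e.g. encrypted archive or S/MIME part; not inspected


@dataclass
class Message:
    sender: str
    recipients: list[str]
    body: str
    attachments: list[Attachment] = field(default_factory=list)


def evaluate(msg: Message) -> tuple[str, str]:
    """Return (verdict, reason); verdict is BLOCK, ENCRYPT_REQUIRED or ALLOW."""
    external = [r for r in msg.recipients
                if not r.lower().endswith("@" + AGENCY_DOMAIN)]
    body_hits = find_fti_indicators(msg.body)
    # Only cleartext attachments can be inspected for FTI.
    plain_hits = [a.name for a in msg.attachments
                  if not a.encrypted and find_fti_indicators(a.content)]
    if external and (body_hits or plain_hits):
        return "BLOCK", "FTI must not be transmitted outside the agency: " + ", ".join(external)
    if body_hits:
        return "BLOCK", "FTI in message body; send only as an encrypted attachment"
    if plain_hits:
        return "ENCRYPT_REQUIRED", "unencrypted attachment carries FTI: " + ", ".join(plain_hits)
    return "ALLOW", "no FTI indicators found"


# Constructed sample traffic for the example.
SAMPLE_MESSAGES = [
    Message("analyst@revenue.example.gov", ["peer@revenue.example.gov"],
            "Taxpayer 123-45-6789 disputes the assessment."),
    Message("analyst@revenue.example.gov", ["vendor@contractor.example.com"],
            "Case file attached.",
            [Attachment("case.csv", "ssn,name\n219-09-9999,Doe")]),
    Message("analyst@revenue.example.gov", ["peer@revenue.example.gov"],
            "Transcript for review.",
            [Attachment("transcript.txt", "IRS transcript for 219-09-9999")]),
    Message("analyst@revenue.example.gov", ["peer@revenue.example.gov"],
            "Encrypted case file attached; key sent separately.",
            [Attachment("case.zip.gpg", "<ciphertext>", encrypted=True)]),
    Message("analyst@revenue.example.gov", ["peer@revenue.example.gov"],
            "Call 900-55-1234 ext 000-12-3456; shifting the meeting to Friday."),
]


def run_samples() -> list[str]:
    """Verdicts for SAMPLE_MESSAGES, in order."""
    return [evaluate(m)[0] for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for m, verdict in zip(SAMPLE_MESSAGES, run_samples()):
        print(f"{verdict:17} to {', '.join(m.recipients)}: {evaluate(m)[1]}")
```

The SSN structure check matters in practice: without it, phone extensions and ticket numbers in the 3-2-4 shape produce a stream of false positives that leads operators to loosen the policy. Treating an encrypted attachment as uninspectable is the weak point of this design; a gateway that cannot open the attachment relies on the sender having encrypted the right file, which is why the body check and the external-recipient block run before it.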
Section 3: System Audit Management Guidelines

Below is a listing of the system auditing guidance outlined in IRS Pub 1075. CA User Activity Reporting Module (UARM) can ingest logs from various operating system and application sources and provide reports to help satisfy the auditing requirements listed below.

Event No. / System Auditing Guidance
01 The audit trail shall capture all successful login and logoff attempts.
02 The audit trail shall capture all unsuccessful login and authorization attempts.
03 The audit trail shall capture all identification and authentication attempts.
04 The audit trail shall capture all actions, connections and requests performed by privileged users (a user who, by virtue of function and/or seniority, has been allocated powers within the computer system which are significantly greater than those available to the majority of users. Such persons will include, for example, the system administrator(s) and network administrator(s) who are responsible for keeping the system available and may need powers to create new user profiles as well as add to or amend the powers and access rights of existing users).
05 The audit trail shall capture all actions, connections and requests performed by privileged functions.
06 The audit trail shall capture all changes to logical access control authorities (e.g., rights, permissions).
07 The audit trail shall capture all system changes with the potential to compromise the integrity of audit policy configurations, security policy configurations and audit record generation services.
08 The audit trail shall capture the creation, modification and deletion of objects including files, directories and user accounts.
09 The audit trail shall capture the creation, modification and deletion of user accounts and group accounts.
10 The audit trail shall capture the creation, modification and deletion of user account and group account privileges.
11 The audit trail shall capture: i) the date of the system event; ii) the time of the system event; iii) the type of system event initiated; and iv) the user account, system account, service or process responsible for initiating the system event.
12 The audit trail shall capture system startup and shutdown functions.
13 The audit trail shall capture modifications to administrator account(s) and administrator group account(s) including: i) escalation of user account privileges commensurate with administrator-equivalent account(s); and ii) adding or deleting users from the administrator group account(s).
14 The audit trail shall capture the enabling or disabling of audit report generation services.
15 The audit trail shall capture command line changes, batch file changes and queries made to the system (e.g., operating system, application, database).
16 The audit trail shall be protected from unauthorized access, use, deletion or modification.
17 The audit trail shall be restricted to personnel routinely responsible for performing security audit functions.
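Events 11 and 16 above are the two a log pipeline can check mechanically: every record must carry a date, time, event type and initiating account, and the trail must be tamper-evident. The following added example (not CA UARM code) parses constructed audit lines, rejects records that lack the Event 11 fields, reports which of the record-type events 01 to 15 the sample demonstrates, and chains the records with SHA-256 so that a later edit, deletion or reordering is detected. The pipe-separated key=value format, the event-type names and their EVENT_MAP to event numbers are assumptions made for the example; a real source's fields would be mapped onto the same keys first.

```python
"""Audit-record checks for the Pub 1075 system auditing events listed above.

Added example for this page; it is not CA User Activity Reporting Module code.
Each audit line is checked for the four fields Event 11 requires (date, time,
event type, initiating account), tagged with the event numbers it serves, and
chained with SHA-256 so that a later edit or deletion of a record (Event 16)
is detectable. The pipe-separated key=value format, the event-type names, the
EVENT_MAP and the sample lines are assumptions constructed for the example.
"""
import hashlib
from datetime import datetime

# Which Pub 1075 audit events each event type serves (assumed mapping).
EVENT_MAP = {
    "SYSTEM_START": ["12"], "SYSTEM_STOP": ["12"],
    "LOGIN_OK": ["01", "03"], "LOGOFF": ["01"],
    "LOGIN_FAIL": ["02", "03"], "AUTHZ_FAIL": ["02"],
    "PRIV_CMD": ["04", "05", "15"],
    "ACL_CHANGE": ["06"],
    "AUDIT_CFG": ["07", "14"],
    "OBJECT_CREATE": ["08"], "OBJECT_MODIFY": ["08"], "OBJECT_DELETE": ["08"],
    "ACCOUNT_CREATE": ["08", "09"], "ACCOUNT_DELETE": ["08", "09"],
    "PRIV_GRANT": ["10", "13"], "ADMIN_GROUP_ADD": ["13"],
}
REQUIRED = ("date", "time", "type", "actor")          # Event 11 items i to iv
# Events that are record types; 11 is a field rule and 16/17 are protection rules.
COVERABLE = {f"{i:02d}" for i in range(1, 16)} - {"11"}
GENESIS = "0" * 64


def parse_record(line: str) -> dict:
    """Parse 'k=v|k=v' into a dict; raise ValueError if it fails Event 11."""
    rec = dict(part.split("=", 1) for part in line.strip().split("|") if "=" in part)
    missing = [k for k in REQUIRED if not rec.get(k)]
    if missing:
        raise ValueError(f"missing Event 11 field(s) {missing}: {line!r}")
    datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    if rec["type"] not in EVENT_MAP:
        raise ValueError(f"unknown event type {rec['type']!r}")
    rec["events"] = EVENT_MAP[rec["type"]]
    return rec


def is_rejected(line: str) -> bool:
    """True if the line fails the Event 11 field or format check."""
    try:
        parse_record(line)
        return False
    except ValueError:
        return True


def coverage_report(lines) -> dict:
    """Which coverable events the lines demonstrate and which are still unseen."""
    seen = {e for line in lines for e in parse_record(line)["events"]}
    return {"covered": sorted(seen & COVERABLE), "missing": sorted(COVERABLE - seen)}


def chain_records(lines) -> list[tuple[dict, str]]:
    """Return (record, digest) pairs with digest = SHA-256(previous digest || line)."""
    out, prev = [], GENESIS
    for line in lines:
        rec = parse_record(line)
        prev = hashlib.sha256((prev + line.strip()).encode()).hexdigest()
        out.append((rec, prev))
    return out


def verify_chain(lines, digests) -> bool:
    """Recompute the chain; an edited, dropped or reordered record breaks it."""
    if len(lines) != len(digests):
        return False
    return [d for _, d in chain_records(lines)] == list(digests)


# Constructed sample audit lines for the example.
SAMPLE_LOG = [
    "date=2013-09-12|time=08:01:05|type=SYSTEM_START|actor=SYSTEM|host=fti-db01",
    "date=2013-09-12|time=08:02:11|type=LOGIN_OK|actor=jdoe|src=10.1.2.3",
    "date=2013-09-12|time=08:02:40|type=LOGIN_FAIL|actor=mallory|src=10.1.2.9|reason=bad_password",
    "date=2013-09-12|time=08:05:00|type=PRIV_CMD|actor=root|cmd=usermod -aG wheel jdoe",
    "date=2013-09-12|time=08:05:01|type=ADMIN_GROUP_ADD|actor=root|target=jdoe|group=wheel",
    "date=2013-09-12|time=08:10:30|type=ACL_CHANGE|actor=root|object=/srv/fti/returns.db|mode=0640",
    "date=2013-09-12|time=08:15:00|type=AUDIT_CFG|actor=root|change=auditd_disabled",
]

if __name__ == "__main__":
    print(coverage_report(SAMPLE_LOG))
    digests = [d for _, d in chain_records(SAMPLE_LOG)]
    tampered = SAMPLE_LOG[:-1] + [SAMPLE_LOG[-1].replace("auditd_disabled", "auditd_rotated")]
    print("intact:", verify_chain(SAMPLE_LOG, digests), "tampered:", verify_chain(tampered, digests))
```

The chain only proves integrity if the digests are stored somewhere the log writer cannot rewrite, for example forwarded to the central collector with each batch; an attacker with write access to both the log and its digests can recompute the chain from the point of tampering onward. The coverage report is the pre-deployment check that a source actually emits the record types an auditor will ask for, so that a gap such as the missing account-lifecycle events in the sample is found before the audit rather than during it.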
Section 4: Conclusions

IRS Publication 1075 outlines a wide variety of technical, operational and managerial controls that must be implemented to protect sensitive Federal Tax Information. While the analysis in this document outlines the types of technologies that can be deployed to help satisfy those compliance requirements, each organization's priorities and needs will differ. CA welcomes the opportunity to discuss how its technology can help accelerate and streamline your current initiatives and build a sustainable compliance infrastructure going forward.

Section 5: References

Appendix A: Unified Compliance Framework for Common State Regulatory Requirements

All states are subject to a number of both federal and industry-related information processing requirements. While the focus of this paper is IRS Pub 1075, the following mapping is designed to help your organization frame and prioritize its security initiatives against a more holistic view of broader common requirements, including HIPAA and PCI. Each entry gives the requirement, its control ID, the corresponding citations in IRS Pub 1075, PCI PA-DSS 1.1, NIST 800-53, NIST 800-53A, the CMS Core Security Requirements (CSR), the HIPAA Security Rule, the HIPAA Privacy Rule and the HIPAA Electronic Health Record Technology rule, and the CA Technologies solutions that apply.

00637 Establish and maintain logging and monitoring operations.
    IRS Pub 1075: § 5.6.2, Exhibit 4 AU-1 | PCI PA-DSS 1.1: § 3.4, § 4.2 | NIST 800-53: App F § AU-2 | NIST 800-53A: AU-2, AU-2.2, CM-5(1), CM-5.8 | CMS CSR: 1.4.1(2), 2.1, 3.1.4 | HIPAA Security Rule: § 164.312(b)
    CA Technologies solutions: CA UARM

00638 Operationalize key logging and monitoring concepts and events to ensure the audit trails capture sufficient information.
    IRS Pub 1075: § 5.6.2, Exhibit 4 AU-2, Exhibit 6 | NIST 800-53: App F § AU-3 | NIST 800-53A: AU-3, AU-3.2 | CMS CSR: 2.1.1, 2.1.3, 3.2.3, 3.4.1, 4.2.2
    CA Technologies solutions: CA ControlMinder, CA UARM

00640 Enable logging for all systems that meet traceability criteria.
    IRS Pub 1075: § 5.6.2, Exhibit 4 AU-3 | PCI PA-DSS 1.1: § 4.1 | CMS CSR: 2.1.2, 2.1.7 | HIPAA EHR Technology: § 170.302(r)(2)
    CA Technologies solutions: CA UARM

00596 Review audit logs, Intrusion Detection System reports, security incident tracking reports, and other security logs regularly.
    IRS Pub 1075: § 5.6.2, Exhibit 4 AU-6, Exhibit 4 AU-7 | NIST 800-53: App F § AU-6, App F § AU-6(4) | NIST 800-53A: AU-6, AU-6.2, SI-4 | CMS CSR: 1.6.1(4), 2.1.12, 3.1.3, 3.4.1, 4.2.2, 7.3.6, 10.2.3, 10.10.5(10) | HIPAA Security Rule: § 164.308(a)(1)(ii)(D)
    CA Technologies solutions: CA UARM

00653 Log and report to management the periodic reviews of compliance checklists and audit reports.
    IRS Pub 1075: § 7.2, § 7.4, § 8.1, Exhibit 3(E) | NIST 800-53: App F § AU-6 | CMS CSR: 3.1.3 | HIPAA: § 160.310(a)
    CA Technologies solutions: CA UARM

01342 Limit logs and audit trails to a need-to-know basis.
    IRS Pub 1075: Exhibit 9 Event 17 | CMS CSR: 2.1.4, 2.1.6
    CA Technologies solutions: none listed

01345 Use file integrity and change modification tools to protect audit logs or log management infrastructure from alteration.
    IRS Pub 1075: § 5.6.2, Exhibit 4 AU-9, Exhibit 9 Event 16 | NIST 800-53: App F § AU-9(1), App F § AU-9(3) | NIST 800-53A: AU-9, AU-9.2 | HIPAA EHR Technology: § 170.302(s)(3)
    CA Technologies solutions: CA ControlMinder, CA UARM

00674 Archive the audit trail and log history in accordance with regulations or organizational standards.
    IRS Pub 1075: § 5.6.2, Exhibit 4 AU-11 | NIST 800-53A: AU-9(1), AU-9.7 | CMS CSR: 2.1.11
    CA Technologies solutions: CA UARM

04547 Protect against misusing automated audit tools.
    IRS Pub 1075: § 5.6.2, Exhibit 4 AU-9 | NIST 800-53: App F § AU-9 | NIST 800-53A: AU-9, AU-9.2 | CMS CSR: 2.1.4, 2.1.6
    CA Technologies solutions: CA ControlMinder

00508 Technical security.
    IRS Pub 1075: § 5.6.15, Exhibit 4 SC-1, Exhibit 4 SI-1 | NIST 800-53: App F § SC-1, App F § SI-1 | NIST 800-53A: SC-1, SI-1
    CA Technologies solutions: none listed

00512 Establish and maintain access policies and access procedures.
    IRS Pub 1075: § 5.6.1, Exhibit 4 AC-1, Exhibit 6 | NIST 800-53A: AC-3.2, AC-13.4, AC-13.5, AC-13.6 | CMS CSR: 2.2.1, 2.2.22, 2.9.1, 2.11.1, 2.11.2, 10.10.1 | HIPAA Security Rule: § 164.308(a)(4)(i), § 164.312(a)(1)
    CA Technologies solutions: CA ControlMinder

00513 Establish and maintain an identification, authentication, and access rights management plan.
    IRS Pub 1075: § 5.6.7, Exhibit 4 IA-1, Exhibit 6 | PCI PA-DSS 1.1: § 3.1, § 3.2 | NIST 800-53: App F § AC-2(7), App F § AC-14(a), App F § AC-14(b), App F § AC-14(1), App F § IA-1, App F § IA-4, App F § IA-5 | NIST 800-53A: IA-1 | CMS CSR: 2.8.1, 2.9.4, 2.9.5, 2.13.2, 10.3.6 | HIPAA Security Rule: § 164.308(a)(3)(i), § 164.308(a)(3)(ii)(A) | HIPAA Privacy Rule: § 164.504(f)(2)(iii)(A)
    CA Technologies solutions: CA IdentityMinder, CA GovernanceMinder, CA ControlMinder

00004 Maintain control over access rights and user privileges.
    IRS Pub 1075: § 5.6.1, Exhibit 4 AC-13 | NIST 800-53: App F § AC-2(6), App F § AC-2(7), App F § AU-9(4) | NIST 800-53A: AC-3.1, AC-3.3 | CMS CSR: 1.4.1(3), 2.8.2, 2.10.2, 2.10.3, 3.3.2, 10.7.8 | HIPAA Security Rule: § 164.308(a)(3)(ii)(B), § 164.308(a)(4)(ii)(B), § 164.308(a)(4)(ii)(C) | HIPAA Privacy Rule: § 164.514(d)(2)(ii)
    CA Technologies solutions: CA ControlMinder, CA SiteMinder, CA IdentityMinder

01273 Verify all user IDs are unique and require proper authentication.
    IRS Pub 1075: § 5.6.1, § 5.6.7, Exhibit 4 AC-5, Exhibit 4 IA-2 | PCI PA-DSS 1.1: § 3.1.a, § 3.2 | NIST 800-53: App F § IA-2, App F § IA-4 | NIST 800-53A: IA-2, IA-2.3, IA-2.6, IA-4 | CMS CSR: 2.9.8, 2.9.15, 7.3.3 | HIPAA Security Rule: § 164.312(a)(2)(i) | HIPAA EHR Technology: § 170.302(o)
    CA Technologies solutions: CA IdentityMinder, CA GovernanceMinder

01411 Establish access rights based on least privilege.
    IRS Pub 1075: § 5.6.1, Exhibit 4 AC-6, Exhibit 4 CM-7 | NIST 800-53: App F § AC-6, App F § AC-6(1), App F § AC-6(2), App F § AC-6(3), App F § AC-6(4), App F § AC-6(5), App F § AC-6(6), App F § AC-14, App F § AC-14(1), App F § SC-15, App F § SC-15(1) | NIST 800-53A: AC-6, AC-14, AC-14.5, AC-14(1), AC-14.10 | CMS CSR: 1.4.1(7), 2.5.4, 2.7.2, 3.2.3
    CA Technologies solutions: CA ControlMinder, CA IdentityMinder

00538 Assign privileges based on job function responsibilities.
    IRS Pub 1075: § 5.1, § 5.2, Exhibit 3(C) | CMS CSR: 2.9.16, 2.12.1, 3.3.1, 3.6.4, 4.5.1, 4.6.3, 7.4.1 | HIPAA Privacy Rule: § 164.504(f)(2)(iii)(B) | HIPAA EHR Technology: § 170.302(p)
    CA Technologies solutions: CA IdentityMinder, CA GovernanceMinder

01412 Establish lockout procedures or mechanisms to be triggered after a predetermined number of consecutive logon attempts.
    IRS Pub 1075: § 5.6.1, Exhibit 4 AC-7, Exhibit 8 Control 10 | NIST 800-53: App F § AC-2(6), App F § AC-2(7), App F § AU-9(4), App F § AC-7, App F § AC-7(1), App F § AC-7(2) | NIST 800-53A: AC-7, AC-7.5 | CMS CSR: 2.9.10
    CA Technologies solutions: CA ControlMinder, CA IdentityMinder, CA SiteMinder

01417 Establish session lock capabilities.
    IRS Pub 1075: § 5.6.1, Exhibit 4 AC-11 | NIST 800-53: App F § AC-11, App F § AC-11(1) | NIST 800-53A: AC-11, AC-11.3 | CMS CSR: 2.9.8
    CA Technologies solutions: CA ControlMinder, CA SiteMinder

01418 Establish idle session termination capabilities.
    IRS Pub 1075: § 5.6.1, § 5.6.15, Exhibit 4 AC-11, Exhibit 4 AC-12, Exhibit 4 SC-10 | NIST 800-53: App F § SC-10, App F § IA-4 | NIST 800-53A: AC-12, AC-12.3, SC-10, SC-10.2 | CMS CSR: 2.9.12 | HIPAA Security Rule: § 164.312(a)(2)(iii) | HIPAA EHR Technology: § 170.302(q)
    CA Technologies solutions: CA ControlMinder, CA SiteMinder

04553 Enable access control for objects and users on each system and ensure the system's policy states the objects and users subject to access control.
    IRS Pub 1075: § 5.6.1, Exhibit 4 AC-3, Exhibit 4 AC-14 | NIST 800-53: App F § AC-3, App F § AC-3(2), App F § AC-3(3), App F § AC-3(4) | CMS CSR: 2.10.1, 2.10.3, 10.10.1(1)
    CA Technologies solutions: CA ControlMinder, CA SiteMinder

01428 Enforce access restrictions for change control.
    IRS Pub 1075: § 5.6.5 | NIST 800-53: App F § AU-1 | NIST 800-53A: CM-5, CM-5(1), CM-5.8
    CA Technologies solutions: CA ControlMinder

01921 Enforce access restrictions for restricted data.
    IRS Pub 1075: § 6.3.3 | NIST 800-53: App F § AC-3(5) | NIST 800-53A: AC-3(1), AC-3.9
    CA Technologies solutions: CA ControlMinder

04262 Activate third party maintenance accounts and user IDs as necessary.
    IRS Pub 1075: Exhibit 4 MA-4 | PCI PA-DSS 1.1: § 10.1 | CMS CSR: 5.9.13
    CA Technologies solutions: CA IdentityMinder

00788 Review or terminate accounts and access rights if notified of personnel status changes or termination.
    IRS Pub 1075: § 5.6.11, Exhibit 4 PS-4, Exhibit 4 PS-5 | NIST 800-53: App F § PS-4, App F § PS-5 | NIST 800-53A: PS-4, PS-5, PS-5.2 | CMS CSR: 1.10.4, 2.9.17 | HIPAA Security Rule: § 164.308(a)(3)(ii)(C)
    CA Technologies solutions: CA IdentityMinder, CA ControlMinder

00516 Revoke asset access for personnel immediately upon termination.
    IRS Pub 1075: § 5.6.7, Exhibit 4 IA-4 | NIST 800-53: App F § AC-2 | NIST 800-53A: AC-2.1, AC-2.5, PS-4.1 | CMS CSR: 1.10.3(3), 2.9.17 | HIPAA Security Rule: § 164.308(a)(3)(ii)(C)
    CA Technologies solutions: CA IdentityMinder, CA ControlMinder

00514 Assign and maintain user accounts and user access management for all systems.
    IRS Pub 1075: § 5.6.1, § 5.6.7, Exhibit 4 AC-2, Exhibit 4 AC-13, Exhibit 4 IA-4, Exhibit 8 Control 17, Exhibit 8 Control 18 | NIST 800-53: App F § AC-2, App F § AC-2(1), App F § AC-2(4), App F § AC-2(5) | CMS CSR: 1.4.1(8), 2.8.3, 2.9.3 | HIPAA Security Rule: § 164.308(a)(5)(ii)(D)
    CA Technologies solutions: CA IdentityMinder

00515 Control the addition and modification of user IDs, credentials, or other object identifiers.
    IRS Pub 1075: § 5.6.7, Exhibit 4 IA-4 | NIST 800-53: App F § AC-2(c), App F § AC-2(d) | NIST 800-53A: AC-2.1, AC-2.3, AC-2(1), IA-4.1 | CMS CSR: 2.9.20 | HIPAA EHR Technology: § 170.302(t)
    CA Technologies solutions: CA IdentityMinder, CA ControlMinder

04567 Verify user identities before manually resetting a password.
    IRS Pub 1075: Exhibit 4 IA-5 | HIPAA Security Rule: § 164.312(d)
    CA Technologies solutions: CA IdentityMinder

00517 Remove inactive user accounts and temporary user accounts at least every 90 days.
    IRS Pub 1075: Exhibit 8 Control 05 | NIST 800-53: App F § AC-2, App F § AC-2(2), App F § AC-2(3) | NIST 800-53A: AC-2.4, AC-2(3), AC-2.18, IA-4.1 | CMS CSR: 2.9.18
    CA Technologies solutions: CA IdentityMinder, CA GovernanceMinder

00558 Enforce assigned authorizations for system access and separate user functionality from system management functionality.
    IRS Pub 1075: § 5.6.15, Exhibit 4 SC-2 | NIST 800-53: App F § AC-3, App F § SC-2, App F § SC-3, App F § SC-4 | NIST 800-53A: AC-3, SC-2, SC-3, SC-3(1), SC-3(2), SC-3(3), SC-3(4), SC-3(5), SC-4 | CMS CSR: 2.5.9, 4.1.2, 4.7.1, 4.7.2, 4.7.5
    CA Technologies solutions: CA ControlMinder

01429 Ensure the system identifies and authenticates approved devices before establishing a connection to restricted data.
    IRS Pub 1075: § 5.6.15, Exhibit 4 IA-3, Exhibit 4 SC-23 | NIST 800-53: App F § IA-3, App F § SC-16 | NIST 800-53A: IA-3, IA-3.4 | CMS CSR: 10.8.4, 10.8.9, 10.10.1(1)
    CA Technologies solutions: CA AuthMinder, CA SiteMinder

01750 Ensure electronic authentication is established before transmitting restricted data or restricted information between devices.
    IRS Pub 1075: § 5.6.15, Exhibit 4 SC-23 | NIST 800-53: App F § AC-18 | NIST 800-53A: IA-3, IA-3.4 | CMS CSR: 2.3.3, 10.8.9
    CA Technologies solutions: CA SiteMinder, CA Arcot

01421 Control remote access through a network access and control point.
    IRS Pub 1075: § 5.6.1, § 5.6.17.3 | NIST 800-53: App F § AC-17(3) | NIST 800-53A: AC-17(3), AC-17.16 | CMS CSR: 2.9.11, 2.9.20, 10.10.4
    CA Technologies solutions: CA ControlMinder

00585 Monitor systems for inappropriate usage.
    IRS Pub 1075: Exhibit 4 IR-5 | NIST 800-53: App F § AC-19, App F § IR-5, App F § IR-5(1) | NIST 800-53A: IR-5, IR-5(1), IR-5.8
    CA Technologies solutions: CA ControlMinder, CA UARM

01222 Monitor systems for denial of service attacks.
    IRS Pub 1075: Exhibit 4 SC-5 | NIST 800-53: App F § SC-5, App F § SC-5(1), App F § SC-5(2) | NIST 800-53A: SC-5, SC-5(1), SC-5(2), SC-5.4, SC-5.8, SC-5.10 | CMS CSR: 10.2.5
    CA Technologies solutions: CA ControlMinder, CA UARM

00555 Configure the system to lock out user IDs after not more than a predefined number of access attempts.
    IRS Pub 1075: § 5.6.1, Exhibit 4 AC-7, Exhibit 8 Control 10 | NIST 800-53A: AC-7, AC-7.3 | CMS CSR: 2.9.10
    CA Technologies solutions: CA ControlMinder, CA SiteMinder

00556 Configure the lockout duration to a predefined time period.
    IRS Pub 1075: Exhibit 8 Control 11 | NIST 800-53A: AC-7.1, AC-7.5 | CMS CSR: 2.9.10
    CA Technologies solutions: CA ControlMinder, CA SiteMinder

00520 Configure passwords so that users will change their passwords on a regular basis.
    IRS Pub 1075: Exhibit 4 IA-5, Exhibit 8 Control 02 through Exhibit 8 Control 04 | CMS CSR: 2.9.9(4)
    CA Technologies solutions: CA ControlMinder, CA SiteMinder, CA IdentityMinder

01703 Configure the minimum password age.
    IRS Pub 1075: Exhibit 8 Control 07 | NIST 800-53A: IA-5.1, IA-5.7
    CA Technologies solutions: CA IdentityMinder, CA ControlMinder

01704 Configure the maximum password age.
    IRS Pub 1075: Exhibit 8 Control 02, Exhibit 8 Control 03 | NIST 800-53A: IA-5.1, IA-5.7
    CA Technologies solutions: CA IdentityMinder, CA ControlMinder

01705 Configure the password length to the least allowable.
    IRS Pub 1075: Exhibit 8 Control 01 | CMS CSR: 2.9.9(6)
    CA Technologies solutions: CA IdentityMinder, CA ControlMinder

01706 Configure the password complexity setting.
    IRS Pub 1075: Exhibit 8 Control 01 | CMS CSR: 2.9.9(7)
    CA Technologies solutions: CA IdentityMinder, CA ControlMinder

01707 Configure the password history setting so that users cannot submit a new password that is the same as the previous few used.
    IRS Pub 1075: Exhibit 8 Control 06 | NIST 800-53A: IA-5.1, IA-5.7 | CMS CSR: 2.9.9(8)
    CA Technologies solutions: CA IdentityMinder, CA ControlMinder

02037 Configure the system to use asterisks to mask passwords.
    IRS Pub 1075: § 5.6.7, Exhibit 4 IA-6, Exhibit 8 Control 14 | NIST 800-53A: IA-5.1, IA-5.7 | CMS CSR: 2.9.9(3), 2.9.9(5)
    CA Technologies solutions: CA ControlMinder

00881 Configure the system security parameters to prevent system misuse or information misappropriation.
    IRS Pub 1075: Exhibit 8 Control 13 | NIST 800-53: App F § AC-18(4)
    CA Technologies solutions: CA ControlMinder

04493 Digitally sign and encrypt all email.
    IRS Pub 1075: § 5.6.17.5 | CMS CSR: 10.3.5
    CA Technologies solutions: CA DataMinder

01579 Verify that there are no accounts with empty password fields.
    IRS Pub 1075: Exhibit 8 Control 16
    CA Technologies solutions: CA ControlMinder

01710 Configure the account lockout duration.
    IRS Pub 1075: Exhibit 8 Control 11 | NIST 800-53A: AC-11, AC-11.3 | CMS CSR: 2.9.10
    CA Technologies solutions: CA IdentityMinder, CA ControlMinder

01574 Configure the retry limit for account lockouts according to applicable standards.
    IRS Pub 1075: § 5.6.1, Exhibit 4 AC-7, Exhibit 8 Control 10 | CMS CSR: 2.9.10
    CA Technologies solutions: CA ControlMinder

00565 Protect the confidentiality of restricted data, restricted information, or restricted messages by prohibiting them from being sent via email or instant messaging.
    IRS Pub 1075: § 5.6.10, § 5.6.15, Exhibit 4 MP-5, Exhibit 4 SC-9 | PCI PA-DSS 1.1: § 12.2 | NIST 800-53: App F § SC-9 | NIST 800-53A: SC-9, SC-9(1), SC-9.7
    CA Technologies solutions: CA ControlMinder, CA DataMinder
Appendix B: CA Technologies Security Solution Description

CA Technologies has reviewed both NIST SP 800-53 and IRS Publication 1075 to determine which CA Technologies security solutions would aid in meeting their requirements. Based on the various security controls outlined in those documents, there are several CA Technologies security solutions that are appropriate; they are highlighted in the CA Technologies Security Products Mapped to NIST SP 800-53 Controls table. A description of those solutions can be found below.

CA IdentityMinder™

Capabilities:
• User provisioning: The solution provides automated creation and management of user accounts and their access to enterprise resources.
• Delegated administration: The solution allows organizations to selectively distribute user administration tasks to those best equipped to provide services.
• Integrated compliance: The solution supports an organization's regulatory compliance by enforcing identity policies and providing centralized auditing.
• Self-service: The solution provides easy-to-use web interfaces that allow end users to reset a forgotten password, retrieve a forgotten ID, update their profile, or request additional access.

Why does it matter? The benefits of identity management are:
• Reduced costs: Automation, delegation, and self-service can reduce the total number of IT-trained administrators relative to the number of users.
• Improved security: Who can access user data and change that data, and who can create and delete user accounts, is tightly controlled and auditable.
• Increased productivity: Users are provisioned new accounts and access rights quickly and transparently as they enter the organization, change roles, or get promoted.

For more information, please read our solution brief: ca.com/us/~/media/Files/ProductBriefs/CA-IdentityMinder-product-sheet.pdf

CA GovernanceMinder™

Capabilities:
• Access privilege cleanup: The solution provides a patent-pending analytics engine that can quickly identify user access anomalies.
• Entitlement certification: The solution can automate and streamline user, role, or resource certifications required to meet security or regulatory compliance audits.
• Identity compliance: The solution allows organizations to establish and enforce cross-system identity policies.
• Role lifecycle management: The solution can discover, analyze, consolidate, and manage roles and the users/resources assigned to those roles.

Why does it matter? The benefits of identity access governance are:
• Improved return on investment: Cleaning up user entitlements and establishing a role model will decrease the time to deploy an identity management system.
• Mitigated risk: Actively monitoring for access violations and/or anomalies will allow IT Security to address potential risks more quickly.
• Improved compliance: Reports and dashboards will increase visibility into security and compliance status.

For more information, please read our solution brief: ca.com/us/~/media/Files/SolutionBriefs/identity-and-access-goverance-SB.pdf
CA SiteMinder®

Capabilities: CA SiteMinder provides a centralized security management foundation that enables secure use of the web to deliver applications and cloud services to customers, partners, and employees. CA SiteMinder enables web single sign-on (SSO), centralized authentication, session management and auditing, policy-based authorization, and enterprise-level manageability. It also supports multiple types of authentication credentials, including basic, forms, and two-factor.

Why does it matter? The web SSO solution can help:
• Provide shared access management services across all internal web applications
• Provide unparalleled scalability and performance to meet business needs
• Integrate with on-premise infrastructure with minimal customization
• Improve regulatory compliance via centralized auditing and reporting

For more information, please read our solution brief: ca.com/us/~/media/Files/DataSheets/ca-siteminder-datasheet.pdf

CA SiteMinder® Federation

Capabilities: CA SiteMinder Federation provides standards-based federation capabilities that enable users of one organization to easily and securely access the data and applications of other organizations and cloud services without an additional login. CA SiteMinder Federation is tightly integrated with CA SiteMinder to expand the web SSO environment to include external business partner sites and cloud-based applications.

Why does it matter? The identity federation solution can help:
• Provide shared access management services to externally-hosted web applications
• Integrate with external identity and/or service providers via standard protocols
• Improve user experience through SSO
• Reduce service desk burden by eliminating additional login credentials for external applications

For more information, please read our solution brief: ca.com/us/~/media/Files/DataSheets/cs2047-ca-siteminder-federation-ds-0212.pdf

CA AuthMinder™

Capabilities: CA AuthMinder provides additional identity protection for your web applications and portals by allowing organizations to deploy a wide range of strong authentication mechanisms in a cost-effective and centralized manner. CA AuthMinder supports a wide range of authentication methods, including user ID/password, security question/answer, One-Time Password (OTP) via SMS, email, or IVR, OATH tokens, and the unique CA ArcotID®.

Why does it matter? The strong authentication solution can help:
• Deploy multi-factor authentication invisibly
• Provide lower cost of ownership
• Reduce security risk
• Mitigate against Man-in-the-Middle attacks
• Address regulatory compliance requirements

For more information, please read our solution brief: ca.com/us/~/media/Files/DataSheets/ca-authminder-ds-CS3759.pdf
CA RiskMinder™

Capabilities: CA RiskMinder provides real-time protection against identity theft and online fraud via risk-based, adaptive authentication. CA RiskMinder evaluates the fraud potential of online transactions and calculates a risk score based on User, Device, and IP Geo-location data. CA RiskMinder can block, quarantine, or prompt for additional authentication credentials for any transaction whose risk score exceeds a defined threshold. All of this is done transparently without inconveniencing legitimate, low-risk users.

Why does it matter? The adaptive authentication solution can help:
• Reduce losses due to identity fraud
• Align risk rules to your business needs
• Address regulatory compliance requirements
• Deploy multi-factor authentication invisibly

For more information, please read our solution brief: ca.com/us/~/media/Files/ProductBriefs/CA-RiskMinder-product-brief-key-features.pdf

CA ControlMinder™

Capabilities: CA ControlMinder provides comprehensive access controls on all common operating systems. It is designed to control access to system resources, programs, files and processes through security policies, which can be created, managed and distributed on an enterprise-wide basis. These policies are required in order to enforce separation of administrative duties on the servers, consistent with industry best practices. Finally, CA ControlMinder also provides auditing tools that let you trace users' activities to track attempted misuse of the computer system.

Why does it matter? The host access control solution can help:
• Mitigate risk
• Regulate and audit privileged user access
• Enforce server-based compliance and reporting
• Reduce administration cost and complexity

For more information, please read our solution brief: ca.com/us/~/media/Files/ProductBriefs/ca-access-control-product-brief-vF.pdf
CA ControlMinder™ Shared Account Manager (SAM)

Capabilities: CA ControlMinder-SAM implements the concept of a "password vault", and provides secure access to privileged accounts and accountability for privileged access through the issuance of passwords on a temporary, one-time-use basis, or as necessary, while providing user accountability for their actions through secure auditing. CA ControlMinder-SAM is also designed to allow applications to programmatically access system passwords and, in so doing, remove hard-coded passwords from scripts, batch files, and ODBC and JDBC wrappers. This support is available for a multitude of servers, applications (including databases) and network devices in a physical or virtual environment.

Why does it matter? The shared account management solution can help:
• Mitigate risk
• Enable accountability
• Eliminate hard-coded passwords
• Facilitate regulatory compliance
• Reduce costs
• Improve efficiency

For more information, please read our solution brief: ca.com/us/~/media/files/datasheets/ca-controlminder-shared-account-management-ds.aspx
CA Session Recording

Capabilities: CA Session Recording provides a deep understanding of what truly is taking place on corporate servers and desktops. Video replay provides clear-cut evidence of precise user actions. CA Session Recording is protocol agnostic, capturing user activity in RDP, SSH, Telnet, Citrix published apps, VMware sessions, screen-sharing apps, or direct console login. And unlike system logs, CA Session Recording shows exactly which applications were run and what files were accessed. This can eliminate blind spots that currently exist for applications that do not produce their own logs and/or provide insufficient log data.

Why does it matter? The session recording solution can help:
• Audit and record all user activities
• Provide VCR playback of user activities
• Reduce cost to investigate a security violation, unscheduled outage, or data breach

For more information, please read our solution brief: ca.com/~/media/Files/DataSheets/CA-Session-Recording-Data-Sheet.pdf

CA ControlMinder™ for Virtual Environments

Capabilities: CA ControlMinder for Virtual Environments provides secure privileged user access to virtual machines, hypervisor service consoles, and virtual appliances, helping organizations control privileged user actions, secure access to the virtual environment, and comply with industry mandates. It delivers key capabilities to manage privileged user passwords, harden the hypervisor service console, and monitor privileged user activity. It also provides a centralized foundation for privileged user management that serves as a single portal for securing privileged user access across virtual and physical environments.

Why does it matter? The shared account management solution can help:
• Mitigate risk
• Regulate and audit privileged user access
• Improve compliance and reporting
• Reduce administration cost and complexity

For more information, please read our solution brief: ca.com/~/media/Files/SolutionBriefs/ca_access_control_for_virtual_environments_solution_brief.pdf

CA ControlMinder™ User Activity Reporting Module (UARM)

Capabilities: CA User Activity Reporting provides user activity and compliance reporting for identity, access and information usage across physical, virtual and cloud environments. It is designed to effectively verify security controls and to streamline reporting and investigation of user and resource access activities, in order to improve efficiencies and accelerate and simplify compliance.
• User activity and compliance reporting. Provides predefined and customizable reports mapped to common security auditing guidelines and compliance regulations.
• User activity investigation. Delivers visual log analysis tools with drill-down capabilities that can expedite the investigation of user and resource activities and identify policy violations.
• User activity log correlation. Provides predefined and customizable log-correlation capability, focusing on connecting user activity with the individual who performed it.

Why does it matter? CA ControlMinder UARM provides:
• Simplified user activity reporting. Automated reporting of user activity enables organizations to assess "what happened" more quickly.
• Automatic compliance updates. Enable continuous compliance and analysis of trends in user activity.
• Rapid time to value. An easy-to-use report customization wizard accelerates deployment time.

For more information, please read our solution brief: ca.com/us/~/media/Files/DataSheets/ca-user-activity-reporting-module-ps-us-en.pdf
CA DataMinder™

Capabilities: CA DataMinder is an information protection and control solution that helps minimize the accidental, negligent and malicious misuse of data while helping comply with various data protection standards and regulations. Through the delivery of broad information and communication coverage, precise policy enforcement and Identity and Access Management, organizations are able to take a comprehensive approach to reducing risk to their most critical assets while enabling critical business processes.

Why does it matter? CA DataMinder helps you to:
• Discover where your sensitive information resides, classify it according to its level of sensitivity, and enforce data handling policies.
• Tailor your information protection policy enforcement to the specific attributes of each user and their role.
• Protect your company against the reputational damage from information breach or theft.
• Achieve rapid time-to-value; the modular components help simplify the deployment process.

For more information, please read our solution brief: ca.com/us/~/media/Files/ProductBriefs/ca-dataminder-ps.pdf
Section 6: About the Author

Chris Boswell has over 13 years of experience developing and implementing security, risk and compliance solutions. During his tenure at CA Technologies, Chris has held a variety of technical and management positions across our security services, product management and sales organizations. His work in the governance, risk and compliance domain has led to several patent filings for CA Technologies. Chris currently coordinates sales activities for our information protection and control solutions, CA DataMinder™ and CA ControlMinder™, and works closely with product and development teams on behalf of customers to address emerging security, risk and compliance challenges.

Connect with CA Technologies at ca.com

Agility Made Possible: The CA Technologies Advantage

CA Technologies (NASDAQ: CA) provides IT management solutions that help customers manage and secure complex IT environments to support agile business services. Organizations leverage CA Technologies software and SaaS solutions to accelerate innovation, transform infrastructure and secure data and identities, from the data center to the cloud. CA Technologies is committed to ensuring our customers achieve their desired outcomes and expected business value through the use of our technology. To learn more about our customer success programs, visit ca.com/customer-success. For more information about CA Technologies go to ca.com.

Copyright © 2013 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. CA assumes no responsibility for the accuracy or completeness of the information. To the extent permitted by applicable law, CA provides this document "as is" without warranty of any kind, including, without limitation, any implied warranties of merchantability, fitness for a particular purpose, or non-infringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits, business interruption, goodwill or lost data, even if CA is expressly advised in advance of the possibility of such damages. CA does not provide legal advice. Neither this document nor any software product referenced herein serves as a substitute for your compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, standard, policy, administrative order, executive order, and so on (collectively, "Laws")) referenced herein or any contract obligations with any third parties. You should consult with competent legal counsel regarding any such Laws or contract obligations.

CS200-26950_0913