The IRS Office of Safeguards can provide guidance and clarification on how Agency Internal Audits can be helpful in meeting some of the Safeguarding requirements and also provide coverage for security evaluations on a continuous basis.
Performing an internal audit results in the agency coming to an understanding about the current security posture of the system. In addition to understanding the risks associated with the system, the agency will not be surprised by the results of a safeguards review. There are a number of advantages when the agency performs an internal security audit. First, the agency controls the pace and schedule. The agency can determine the best time and resources and can schedule it around the operating time period with the least impact. Remediation can take place as part of the process, hopefully well in advance of a Safeguard review and minimize the number of IRS findings. Additionally, a well defined internal audit process means that the process should be repeatable and, therefore, more likely to be successful.
There are a number of tools at the agency’s disposal to aid in performing efficient internal audits.
Risk management methodology
Risk assessments take into account vulnerabilities, threat sources, and security controls planned or in place to determine the resulting level of residual risk posed to organizational operations, organizational assets, or individuals based on the operation of the information system. NIST Special Publication 800-30 provides guidance on conducting risk assessments including threat, vulnerability, and impact assessments.
The Safeguards Computer Security Evaluation Matrices (SCSEMs) provide a detailed step-by-step set of test procedures designed to test a system’s compliance with security controls required by IRS Publication 1075 and NIST Special Publication 800-53. The SCSEMs are used by the IRS Safeguard review team to assess the agency’s security compliance during the on-site Safeguard Review. The SCSEMs are readily available on the IRS Web site, and provide the agency with the exact information that will be used during the on-site Safeguard review. The SCESMs are an excellent tool for an agency to incorporate into their internal audit program to aid in preparation for upcoming Safeguard reviews, but more importantly to ensure continual compliance with security requirements and provide a secure computing environment for the processing of FTI.
Automated Compliance Tools
Automated compliance tools are a compilation of non-intrusive scripts or software designed to quickly probe an IT environment for evidence of security configuration compliance against a developed security checklist for specific technology, e.g. Windows 2003. The use of automated security compliance tools enables the agency to perform comprehensive and consistent analyses of secure system configurations. The tools are designed to automate many of the manual configuration checks required by Publication 1075 and executed in the SCSEMs. NIST has also partnered with multiple government entities such as DISA and NSA to develop the Security Content Automation Protocol (SCAP) standard for developing industry wide consolidated secure configuration checklists for various technologies (e.g. Windows XP and VISTA). SCAP capable automated compliance tools not only check secure configuration and map them back to the appropriate NIST 800-53 control but also validates the existence of latest patches and vulnerabilities for the system under review. These tools can be used throughout the year for continuous monitoring or as part of other internal audit reviews and reporting requirements. The use of automated compliance tools will bring consistency, efficiency, and repeatability to the agency’s internal audit program, as well as ensure that agencies are well prepared for the on-site Safeguard review.
Automated Network Scanning
Network scanning involves using a port scanner to identify all hosts potentially connected to an organization's network, the network services operating on those hosts, such as the file transfer protocol (FTP), the hypertext transfer protocol (HTTP) and the specific application running the identified service. The result of the scan is a comprehensive list of all active hosts and services, printers, switches, and routers operating in the address space scanned by the port-scanning tool, i.e., any device that has a network address or is accessible to any other device. Network scanning should be included as part of the agency’s internal audit strategy to check for unauthorized hosts connected to the organization’s network, identify vulnerable services, and identify deviations from the allowed services defined in the organization’s security policy.
Automated Vulnerability Scanning
A vulnerability scanner identifies hosts and open ports, but it also provides information on the associated vulnerabilities. Most vulnerability scanners also attempt to provide information on mitigating discovered vulnerabilities. Vulnerability scanners provide system and network administrators with proactive tools that can be used to identify vulnerabilities before an adversary can find them. A vulnerability scanner is a relatively fast and easy way to quantify an organization's exposure to surface vulnerabilities. Agencies should use vulnerability scanners to add capabilities to their internal audit program to identify active hosts on the network, identify active and vulnerable services (ports) on hosts, identify applications and banner grabbing, identify operating systems, identify vulnerabilities associated with discovered operating systems and applications, identify misconfigured settings and validate that operating systems and major applications are up to date on security patches and software version.
There are many benefits in performing internal audits. For instance, a more comprehensive scope is possible for an internal audit as more time can be devoted to its execution whereas a Safeguard review is generally limited to a week. A more in-depth review of some components (especially operating systems) can take place depending on selected tools. The protection of all agency data, including FTI, can be improved. Internal audits therefore become an iterative ongoing process where management can understand the agency’s security posture and manage risks to acceptable levels. The results of an internal audit can also become input into the Certification and Accreditation of the system (where applicable) where the process of understanding and officially accepting the known risks goes into management’s approval for the system to operate.
NIST Special Publication 800-30 offers an excellent methodology for performing risk assessments. However here is a suggested process for internal audits that the agency can build upon:
Define the scope of the review
Perform review of scoped components
- Safeguards SCSEMs
- Other tools as selected
- Collect and document evidence as to the implementation status of each security control
- Assess security posture
- Document and track findings through a Plan of Action and Milestones (POA&M)
- Close findings as appropriate
- Identify residual risk for remaining open findings
- Implement and document mitigations
- Map security posture to IRS requirements
- Document and cross-reference to SCSEMs
- Establish a central electronic repository of evidence which demonstrates each security control has been satisfied
- Provide evidence for IRS Safeguard reviewers when on site
- Periodically repeat
- Repeat this process to continually monitor agency’s security posture and make necessary updates as needed.