The purpose of this message is to introduce agencies to the concepts of proactive auditing and to open a dialog between the IRS Office of Safeguards and agencies on proactive auditing techniques and methods.
Proactive auditing is a technique for identifying and managing the risk of unauthorized disclosure of FTI. It challenges current processes to take auditing to the next level so that agencies can identify and respond to unauthorized FTI access more efficiently, more effectively and in a more timely manner.
The traditional way to audit a system is to wait for an issue to surface, then review the audit logs to determine which relevant events were of a serious nature.
While this "after the fact" or passive auditing is an important tool in data security, it is only half of the picture. Audit management should be taken to the next level through the adoption of a proactive approach. By identifying relevant security events before, during or immediately after FTI exposure, the agency can manage risk continuously and detect potential security incidents involving FTI in near real time. This effort requires additional resources in the form of people, processes and technology; however, the benefits are significant.
Typically, auditing entails capturing relevant auditable security events end-to-end, from receipt of FTI to its destruction or its return to the original source. Each event captured in the audit log records the action performed, the user who performed it, the result of the action and the date and time of the action.
Audit logs are the primary tool administrators use to detect and investigate attempted and successful unauthorized activity. Because timely detection of incidents is critical, Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies (Pub. 1075), mandates that these logs be reviewed weekly.
Unfortunately, reviewing this information is rarely near the top of the list of operational priorities, so it is not conducted at the frequency or with the focus required. Fortunately, tools exist that can assist with these efforts and also provide the additional benefits of proactive monitoring.
Passive log analysis, while important, does not deliver the proactive benefit of knowing that a security violation is occurring in real time. Proactive security measures capture unauthorized activity as it occurs or immediately after the violation and give the proper personnel the information they need to react to it effectively, which can reduce the impact of the attempt or incident.
Pub. 1075 requires agencies to perform reactive auditing. Over the next several years, requirements covering proactive auditing may be added to Pub. 1075. Currently, proactive auditing is strongly recommended by the IRS, but not required; Pub. 1075 provides this guidance.
Given the sheer volume of data associated with system audit logs, an automated, proactive process will be needed to help identify issues. Applying proactive audit capabilities across the agency’s data will assist in identifying irregularities that may have been overlooked while strengthening the entire organization’s security posture. An additional benefit of this type of solution is that it can also assist with production operations, problem identification and remediation, such as the identification of performance issues.
Techniques for Proactive Auditing
Every agency environment is different, and auditing requirements differ depending on the application being used, the volume of logs generated and the organizational structure. Proactive auditing should begin with the creation of the infrastructure (hardware and software) necessary to conduct this activity.
The next steps include flagging the known event types for each type of system in the environment, capturing all logging information, consolidating and reducing that information, analyzing it for suspicious activity, reacting properly to each identified event, cleaning up all aspects of the incident and, lastly, identifying lessons learned and using them to improve the organization's security posture.
Of primary importance in this effort is the need to employ a Security Information and Event Management (SIEM) solution. These systems are purpose-built to accept log files, analyze them and notify the appropriate personnel for manual remediation. Automated remediation is possible; however, it must be approached with care so that legitimate operations are not negatively affected.
Logging plays a vital role in this process. For proactive auditing to succeed, an agency must ensure that all security-relevant logs are actually capturing information and that copies of that data are moved to a standalone environment, separate from the systems that generated them, so that an intruder or a privileged user on the source system cannot alter the record. There the SIEM conducts the brunt of the log analysis, while personnel responsible for security log review conduct incident investigation and response as appropriate.
Whenever an event is triggered, an alert must be automatically forwarded to incident response and security management, who investigate to determine whether the access was appropriate (e.g., supported by a business need).
If the access was determined to be inappropriate, the agency must report, through their incident response process and in accordance with Pub. 1075 requirements, to appropriate officials within the agency and the IRS Office of Safeguards and the Treasury Inspector General for Tax Administration (TIGTA).
While this message focuses on the protection of FTI, the same techniques can be applied for the protection of state data addressing risks to both types of data.
The IRS Office of Safeguards recommends exploration of the following techniques to proactively alert agency personnel of potential unauthorized access or browsing of FTI:
1) Do Not Access List — Create a state-wide “Do Not Access” list containing high profile individuals as well as other restricted Taxpayer Identification Numbers (TINs). The list is custom to the state and contains the names of high profile individuals who live or file tax returns in the state, since their tax records are more likely to be accessed in an unauthorized manner. The list ensures that their data is monitored and tracked proactively so that any unauthorized access, modification, deletion or movement of their FTI is flagged immediately.
Suggestions for inclusion in this state-wide “Do Not Access” list are celebrities, artists, entertainers, athletes, high ranking government or military officials, CEOs and religious leaders. The list must be updated and revalidated at least annually to maintain its effectiveness and accuracy. The list itself is a sensitive record of TINs and must be protected accordingly, with access limited to the personnel who maintain and review it.
2) Time of Day Access — FTI accessed outside normal hours of operation may alert management to suspicious behavior. By identifying such atypical activity and filtering out users whose normal schedule includes those hours, the agency improves its chance of detecting unauthorized access. Accesses performed by the remaining individuals should be flagged for review.
3) Name Searches — Generally, case workers are assigned a defined number of cases, and the TINs associated with those cases are predefined. Therefore, if an individual performs name searches that return TINs outside their case inventory, or searches on people who share the employee's surname, a flag must be raised for potential unauthorized access. Searches on cases the individual was assigned in the past, without a current need, must also be flagged for review to determine their validity.
4) Previous Accesses — Monitor employee access to TINs which the employee has accessed in the past but currently does not have a case assignment or need to access. This scenario generally indicates unauthorized access to a tax record where the employee has a personal relationship.
5) Volume — If the volume of FTI accessed (i.e., case assignments or accesses) exceeds the amount expected for an employee's case load, these activities must be flagged for review; the personnel accessing those files must have a justifiable need for their actions. For example, an employee who performs searches on thousands of taxpayers when their case assignments justify a significantly smaller number may be accessing FTI for which they have no “need to know” in order to complete their job.
6) Zip Code — Determine if an employee is accessing taxpayer records within the same small geography as the employee (i.e. same zip code). This type of access may indicate that an employee is accessing information about people they know.
7) Restricted TINs — A list of restricted TINs must be created for each employee that includes anyone who has ever been identified on the employee's personal tax return. This list could contain the employee's spouse, ex-spouse, children, family members, business partners, etc. If the employee attempts to access FTI for any individual on this list, the access must be flagged for review.
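The seven techniques above are rules a SIEM or a nightly batch job would evaluate against the access log joined with case-assignment data. The following is an added example written for this page, not IRS or agency code, showing all seven rules in one pass over constructed records. It assumes each log record carries a timestamp, employee ID, TIN, the taxpayer's zip code and surname, and an action of "view" or "search", and that the agency can supply each employee's current and past case inventory, home zip, surname and the TINs from their own return; the business-hours window and the volume multiplier are illustrative thresholds, not values from Pub. 1075.

```python
"""Proactive auditing rules for FTI access records (added example, not IRS code).

Each Access is one audit-log record; each Employee row is the context the
rules need (case inventory, past assignments, TINs from the employee's own
return, home zip, surname).  All sample data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class Employee:
    emp_id: str
    surname: str
    home_zip: str
    current_cases: FrozenSet[str]    # TINs in the active case inventory
    past_cases: FrozenSet[str]       # TINs assigned in the past, now closed
    restricted_tins: FrozenSet[str]  # anyone ever listed on the employee's own return


@dataclass(frozen=True)
class Access:
    ts: datetime
    emp_id: str
    tin: str
    taxpayer_zip: str
    taxpayer_surname: str
    action: str                      # "view" or "search" (assumed log field)


@dataclass(frozen=True)
class Flag:
    rule: str
    emp_id: str
    tin: str
    detail: str


BUSINESS_HOURS = (7, 19)   # assumption: 07:00-18:59 local is normal operation
VOLUME_MULTIPLIER = 3      # assumption: distinct TINs > 3x case load is abnormal


def evaluate(accesses: List[Access], employees: Dict[str, Employee],
             do_not_access: Set[str]) -> List[Flag]:
    """Apply the seven techniques to a batch of records; return every hit."""
    flags: List[Flag] = []
    seen: Dict[str, Set[str]] = defaultdict(set)   # emp_id -> distinct TINs touched
    for a in accesses:
        emp = employees.get(a.emp_id)
        if emp is None:                              # no context on file: always review
            flags.append(Flag("unknown_employee", a.emp_id, a.tin, "no inventory on file"))
            continue
        seen[a.emp_id].add(a.tin)
        if a.tin in do_not_access:                                          # 1) Do Not Access list
            flags.append(Flag("do_not_access", a.emp_id, a.tin, "high-profile TIN"))
        if not BUSINESS_HOURS[0] <= a.ts.hour < BUSINESS_HOURS[1]:          # 2) Time of day
            flags.append(Flag("time_of_day", a.emp_id, a.tin, a.ts.isoformat()))
        if a.action == "search" and (a.tin not in emp.current_cases
                                     or a.taxpayer_surname == emp.surname):  # 3) Name searches
            flags.append(Flag("name_search", a.emp_id, a.tin, "outside inventory or own surname"))
        if a.tin in emp.past_cases and a.tin not in emp.current_cases:      # 4) Previous accesses
            flags.append(Flag("previous_access", a.emp_id, a.tin, "closed case, no current need"))
        if a.taxpayer_zip == emp.home_zip:                                  # 6) Zip code
            flags.append(Flag("zip_code", a.emp_id, a.tin, f"same zip {a.taxpayer_zip}"))
        if a.tin in emp.restricted_tins:                                    # 7) Restricted TINs
            flags.append(Flag("restricted_tin", a.emp_id, a.tin, "listed on employee's own return"))
    for emp_id, tins in seen.items():                                       # 5) Volume
        expected = max(1, len(employees[emp_id].current_cases))
        if len(tins) > VOLUME_MULTIPLIER * expected:
            flags.append(Flag("volume", emp_id, "*", f"{len(tins)} taxpayers vs {expected} cases"))
    return flags


# --- constructed sample data (not real TINs, employees or log records) -------
EMPLOYEES = {
    "E1": Employee("E1", "Smith", "20001", frozenset({"T100", "T101"}),
                   frozenset({"T200"}), frozenset({"T300"})),
    "E2": Employee("E2", "Jones", "30301", frozenset({"T400"}), frozenset(), frozenset()),
}
DO_NOT_ACCESS = {"T900"}


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


ACCESSES = [
    Access(parse_ts("2024-03-04 10:15"), "E1", "T100", "22030", "Brown", "view"),   # normal work
    Access(parse_ts("2024-03-04 22:40"), "E1", "T900", "90210", "Star", "view"),    # DNA list, after hours
    Access(parse_ts("2024-03-04 11:00"), "E1", "T300", "20001", "Smith", "view"),   # own return, same zip
    Access(parse_ts("2024-03-04 14:05"), "E1", "T200", "22101", "Lee", "search"),   # closed case, outside inventory
] + [Access(parse_ts("2024-03-04 09:00"), "E2", f"T40{i}", "30302", "Doe", "view")
     for i in range(4)]                                                              # E2: 4 taxpayers, 1 case


def run_demo() -> Dict[str, int]:
    """Count hits per rule on the constructed batch."""
    counts: Dict[str, int] = defaultdict(int)
    for f in evaluate(ACCESSES, EMPLOYEES, DO_NOT_ACCESS):
        counts[f.rule] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in evaluate(ACCESSES, EMPLOYEES, DO_NOT_ACCESS):
        print(f"{f.rule:16} {f.emp_id} {f.tin:5} {f.detail}")
```

Each Flag is the alert that would be forwarded to incident response; the normal access to T100 produces none, while the remaining records trigger one or two rules apiece and E2's spread across four taxpayers against a one-case inventory trips the volume rule. Running the rules in one pass over a batch keeps the per-employee volume count consistent with the per-record checks, which matters when the same employee appears in several SIEM events.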
Implementing Proactive Auditing
The IRS would like to partner with agencies and application software vendors to develop proactive auditing requirements and data mining techniques. If any agency is in the process of or has implemented proactive auditing, or has feedback regarding the techniques provided, please contact the IRS Office of Safeguards at SafeguardReports@IRS.gov to schedule a conference call to discuss the details of the implementation.
Additional information can be found in the following documents:
- Publication 1075, Tax Information Security Guidelines for Federal, State, and Local Agencies
- NIST SP 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations
- NIST SP 800-123, Guide to General Server Security
- NIST SP 800-92, Guide to Computer Security Log Management