Protecting Federal Tax Information (FTI) in Integrated Voice Response (IVR) Systems


Whether an Integrated Voice Response (IVR) system is currently in use or planned for future deployment, the FTI safeguarding measures required by Publication 1075, Tax Information Security Guidelines for Federal, State, and Local Agencies (Pub. 1075), must be in place, given the security vulnerabilities associated with providing data via an IVR. This document provides the policy requirements for ensuring that agencies that provide access to customers through an IVR system maintain the confidentiality of FTI.

IVRs present opportunities for agencies to provide a convenient method for customers to access account information, which may include FTI, through a public facing telephone interface. This method of providing FTI to customers opens a new avenue for accessing FTI, and potentially exposes the FTI to compromise of confidentiality. For this reason, measures need to be taken to protect the FTI provided to customers through an IVR system.

IVR technology allows a computer to detect voice and dual-tone multi-frequency signaling keypad inputs to allow customers to access a database via a telephone keypad or by speech recognition, after which they can service their own inquiries by following the instructions. IVR systems can respond with pre-recorded or dynamically generated audio to further direct users on how to proceed. IVR technology does not require human interaction over the telephone as the user's interaction with the database is limited by rules within the IVR system based upon the user’s responses.

The primary vulnerability of IVR systems is the man-in-the-middle attack, in which the attacker places themselves in the middle of the transaction between the customer and the IVR system and captures the traffic. This is possible due to the inability to encrypt communications between the application server and the customer’s telephone. Additionally, taxpayers who use the telephone lines are at risk of having their Personally Identifiable Information (PII) inadvertently overheard.

Requirements for FTI used in an IVR System

To utilize an IVR system that provides FTI over the telephone to a customer, the agency must ensure that the underlying information systems (e.g., servers, databases) that support the IVR meet Pub. 1075 requirements that are delineated below and are configured in compliance with the appropriate Safeguards Computer Security Evaluation Matrices (SCSEM).

These requirements are summarized below.

IVR System Architecture

The IVR system must be placed on a Local Area Network (LAN) segment that is firewalled to prevent direct access from the Internet. Since the LAN segment has no direct connection to the Internet, the risk of unauthorized access to the IVR system from external sources is minimized to an acceptable level.

The IVR application and related software must be hosted on a separate system from the database where FTI resides. The separation of systems into a two-tiered architecture can increase security of the environment because additional restrictions to the sensitive data can be employed by the firewall and intrusion prevention system (IPS).

The first tier (Application Tier) is the application server, where the IVR system software runs and where data and customer requests are processed. This tier provides a layer of protection between the customers on the telephone and the FTI stored in the agency’s database.

The second tier (Database Tier) contains the database server that stores the FTI. The IVR application and related software must be hosted on a separate system from the database where FTI resides.

A firewall and IPS must be deployed between these layers. The firewall must restrict traffic flow to only authorized transactions (IP addresses and ports), while an IPS reviews network traffic for anomalous activity.
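One way to check a rule set against this requirement, as an added example that is not part of Pub. 1075: the sketch below audits the rules between the two tiers and reports any allow rule wider than the single authorized flow. The addresses, the database port and the rule names are constructed assumptions.

```python
import ipaddress

# Constructed addressing for illustration; not taken from Pub. 1075.
APP_SERVER = ipaddress.ip_network("10.10.1.20/32")   # IVR application tier
DB_SERVER = ipaddress.ip_network("10.10.2.30/32")    # FTI database tier
DB_PORT = 5432  # assumed database listener port

# Constructed rule set: (name, source CIDR, destination CIDR, port range, action)
RULES = [
    ("ivr-to-db", "10.10.1.20/32", "10.10.2.30/32", (5432, 5432), "allow"),
    ("legacy-subnet", "10.10.1.0/24", "10.10.2.30/32", (5432, 5432), "allow"),
    ("db-admin-any-port", "10.10.1.20/32", "10.10.2.30/32", (1, 65535), "allow"),
    ("default-deny", "0.0.0.0/0", "0.0.0.0/0", (1, 65535), "deny"),
]


def audit_rules(rules):
    """Return (rule name, reason) for each allow rule wider than the authorized flow."""
    findings = []
    for name, src, dst, (lo, hi), action in rules:
        if action != "allow":
            continue
        src_net = ipaddress.ip_network(src)
        dst_net = ipaddress.ip_network(dst)
        if not src_net.subnet_of(APP_SERVER):
            findings.append((name, "source wider than IVR application server"))
        if not dst_net.subnet_of(DB_SERVER):
            findings.append((name, "destination wider than database server"))
        if (lo, hi) != (DB_PORT, DB_PORT):
            findings.append((name, "port range wider than database port"))
    return findings


def has_default_deny(rules):
    """The final rule must deny everything that was not explicitly allowed."""
    _name, src, dst, ports, action = rules[-1]
    return (action == "deny" and src == "0.0.0.0/0"
            and dst == "0.0.0.0/0" and ports == (1, 65535))


if __name__ == "__main__":
    for rule, reason in audit_rules(RULES):
        print(f"{rule}: {reason}")
    print("default deny present:", has_default_deny(RULES))
```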

All elements of this architecture must log activity to a central log server that is used to analyze the data for unauthorized activity. Activity which must be logged includes, at a minimum, all the event types listed in Pub. 1075 Section Additional log information provided by the firewall, IPS, and database must also be forwarded and analyzed.

FTI must not remain resident on the IVR application server after the data is passed through the system to the customer. The application must immediately delete any FTI that is stored on the server as part of a transaction.

The connection from the backend database to the IVR system must be encrypted as the FTI is transmitted between the two systems.

Access to the database from the application must be restricted to specific database tables, rows and columns that contain FTI and that access must be read only. There should be no ability to overwrite data in the database from the application.

System Hardening

Each system within the architecture that processes, stores or transmits FTI to an external customer through the IVR system must be hardened in accordance with Pub. 1075 policy. The Pub. 1075 policy can be met by utilizing the Safeguards Computer Security Evaluation Matrix (SCSEM) to configure the security settings for the applicable operating system and software that runs the IVR system. These SCSEMs are available for download from the IRS Safeguards web site.

The IVR system must also provide role-based authorization capabilities for controlling access to its menu-driven administration utilities to authorized agency system administrators only.

Risk Assessment and Vulnerability Scanning

Agencies are required to conduct a risk assessment (or update an existing risk assessment, if one exists) to assess the external and internal risk to FTI present in the system. Subsequently, the risk assessment must be reviewed annually to account for changes to the environment. The IVR implementation and an evaluation of its associated risks should be part of the risk assessment.

As with all other systems that process FTI, agencies must conduct monthly vulnerability scanning of the IVR system architecture.

Customer Authentication

Callers who use the agency’s IVR telephone lines to access FTI must pass a strong authentication mechanism. The authentication must use at least two pieces of information to verify the caller's identity, one of which must be a shared secret known only to the parties involved and issued by the agency directly to the customer.

Examples of shared secrets include a unique username, Personal Identification Number (PIN), password or passphrase issued by the agency to the customer through a secure mechanism. A case number does not meet the standard for a shared secret because it is likely on all case documents the customer receives and so provides no assurance that it is known only to the parties involved in the communication.

For example, taxpayers who call the IRS toll-free telephone lines are required to answer at least five, but as many as seven questions before the assistor can discuss account information.
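The two-piece rule above can be enforced in the IVR application itself. The following is an added example, not code from Pub. 1075 or any agency system; the factor names, the lockout threshold and the sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Factor names are hypothetical labels; the set mirrors the shared-secret
# examples in the text. A case number is deliberately absent from it.
AGENCY_ISSUED_SECRETS = {"username", "pin", "password", "passphrase"}
MAX_FAILURES = 3  # assumed lockout threshold, not a Pub. 1075 value


def policy_ok(factors):
    """At least two pieces of information, one an agency-issued shared secret."""
    factors = set(factors)
    return len(factors) >= 2 and bool(factors & AGENCY_ISSUED_SECRETS)


def _digest(value, salt):
    # Store only a salted, slow hash of each factor, never the value itself.
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 100_000)


def enroll(factors):
    """factors: dict of factor name -> value recorded when the secret is issued."""
    if not policy_ok(factors):
        raise ValueError("factor set does not meet the two-piece rule")
    salt = os.urandom(16)
    hashes = {name: _digest(value, salt) for name, value in factors.items()}
    return {"salt": salt, "hashes": hashes, "failures": 0}


def verify_caller(record, supplied):
    """Check every enrolled factor in constant time; lock after repeated failures."""
    if record["failures"] >= MAX_FAILURES:
        return False  # locked: the caller must be re-verified out of band
    ok = set(supplied) == set(record["hashes"])
    for name, expected in record["hashes"].items():
        candidate = _digest(supplied.get(name, ""), record["salt"])
        ok &= hmac.compare_digest(candidate, expected)
    record["failures"] = 0 if ok else record["failures"] + 1
    return ok


if __name__ == "__main__":
    # Constructed sample values.
    rec = enroll({"case_number": "C-1001", "pin": "493817"})
    print(verify_caller(rec, {"case_number": "C-1001", "pin": "493817"}))
```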

Lastly, all communications between the IVR and external customers must be preceded by a warning message indicating that the agency is protecting all FTI and PII within the organization; however, there is a risk associated with the transmission of FTI and PII across the unencrypted public telephone network. Callers who are willing to accept the risk associated with this transmission should acknowledge their acceptance; otherwise, they should terminate the call and conduct their business at a secure agency location.