IRS Security Recommendations Quiz

1. Facilities Security - You've assured that taxpayer information, including data on hardware and media, is not left un-secured on desks or photocopiers, in mailboxes, vehicles, trash cans or rooms in the office or at home where unauthorized access can occur.

Explanation

Locking the doors to your office may no longer be effective. With the decline in the cost of alarm systems, coupled with the various security sensors and cameras, which can integrate with your smartphone, it is now very cost effective to have additional physical security measures protecting your office. When planning for disaster, we factor in fires and server crashes. Why is a burglary less likely?

About This Quiz

IRS Publication 4557 – Safeguarding Taxpayer Data, A Guide for your Business

In 2015, the IRS called together major players in the tax industry—tax return preparers, software providers, state tax agencies, payroll providers and financial institutions—for a Security Summit to increase the cooperation, in place, to fight a common enemy—the identity thieves.

Tax preparers are critical players in this partnership, and, because of the taxpayer information they store, are increasingly being targeted for data theft. Safeguarding taxpayer data is a top priority for the IRS; it is the legal responsibility of government, businesses, organizations, and individuals that receive, maintain, share, transmit or store taxpayers’ personal information. Taxpayer data is defined as any information that is obtained or used in the preparation of a tax return (e.g., income statements, notes taken in a meeting, or recorded conversations). Putting safeguards in place to protect taxpayer information helps prevent fraud and identity theft and enhances customer confidence and trust.

This guide is broken into seven checklists, to help guide organizations in safeguarding their data. We’ve selected just ten items (from over 60), to build this short quiz, and have added details as to why these items are important in safeguarding data.

https://www.irs.gov/pub/irs-pdf/p4557.pdf

2. Information Systems Security - You've put in place a written contingency plan to perform critical processing, in the event that your business is disrupted. It should include a plan to protect both electronic and paper taxpayer information systems. You've identified individuals who will recover and restore the system after disruption or failure.

Explanation

It’s important to note that a contingency plan is not the same as a data backup plan, as a contingency plan addresses more than data. What if you use cloud-based tax preparation software, and you lose Internet? What occurs in the event of an extended power loss? On April 17th, 2016, an underground fire caused a power outage in downtown Altoona. On April 18th, the filing deadline, power was still not restored. What is your contingency plan for a power loss during the last two days of tax season?

3. Personnel Security - You terminate access to taxpayer information (e.g., login IDs and passwords) for those employees who are terminated or who no longer need access.

Explanation

A termination checklist is critical to ensure former employees no longer have access to the organization's IT systems. Simply disabling their user account may not suffice, due to the number of services which have separate logins, or worse, logins which are shared across the organization.

4. Computer Systems Security - You regularly update firewall, intrusion detection, anti-spyware, anti-adware, anti-virus software and security patches.

Explanation

Security is not like the Ronco Rotisserie oven. You can’t set it and forget it. If your security software is not being managed by a centralized server, or cloud service, how do you know it’s working effectively? How do you know it’s updating itself, as it should? How do you know the latest virus or malware didn’t disable it (as they’re known to do)? How do you know your systems are being patched for the latest security vulnerabilities? Without management and centralization, you don’t know. You’re hoping and assuming.

5. Computer Systems Security - You lock out computer system users after three consecutive invalid access attempts.

Explanation

A very common attack is a brute force attack against a computer system, often a remote desktop server (terminal server or Citrix server). In this attack, the attacker continually guesses passwords, until one is correct and grants them access. This can easily be prevented by implementing an account lockout policy, which temporarily disables an account after a predetermined number of invalid attempts. Additionally, being alerted to excessive invalid logins is also important, so you can take proactive measures to block the attacker. A major area of concern for organizations is the time it takes until they realize they’ve been compromised. A call from the FBI informing you that your information is for sale, on the Internet, is not welcoming.
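
An added example (not part of the quiz or of IRS Publication 4557) of the lockout and alerting logic described above, replayed over constructed login events. The 15-minute lockout duration, the per-source alert threshold of five, and all account names and addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MAX_FAILURES = 3                  # checklist item: three consecutive invalid attempts
LOCKOUT = timedelta(minutes=15)   # assumed lockout duration
ALERT_SOURCE_FAILURES = 5         # assumed alert threshold per source address

# Constructed sample events: (timestamp, account, source address, password_ok)
EVENTS = [
    ("2017-03-01T09:00:00", "alice", "198.51.100.20", False),
    ("2017-03-01T09:00:10", "alice", "198.51.100.20", True),
    ("2017-03-01T09:01:00", "bob",   "203.0.113.7",   False),
    ("2017-03-01T09:01:02", "bob",   "203.0.113.7",   False),
    ("2017-03-01T09:01:04", "bob",   "203.0.113.7",   False),
    ("2017-03-01T09:01:06", "bob",   "203.0.113.7",   True),
    ("2017-03-01T09:01:08", "carol", "203.0.113.7",   False),
    ("2017-03-01T09:01:10", "carol", "203.0.113.7",   False),
    ("2017-03-01T09:20:00", "bob",   "198.51.100.20", True),
]

def replay(events):
    """Apply the lockout policy to each event; return (outcomes, alerts)."""
    failures = defaultdict(int)        # consecutive failures per account
    locked_until = {}                  # account -> time the lockout ends
    bad_by_source = defaultdict(int)   # failed logins per source address
    outcomes, alerts = [], []
    for stamp, user, source, password_ok in events:
        now = datetime.fromisoformat(stamp)
        if user in locked_until:
            if now < locked_until[user]:
                outcomes.append("locked")   # refused even if the password is right
                continue
            del locked_until[user]          # lockout has expired
            failures[user] = 0
        if password_ok:
            failures[user] = 0              # a success resets the streak
            outcomes.append("granted")
            continue
        failures[user] += 1
        bad_by_source[source] += 1
        outcomes.append("denied")
        if failures[user] == MAX_FAILURES:
            locked_until[user] = now + LOCKOUT
            alerts.append(f"lockout: {user}")
        if bad_by_source[source] == ALERT_SOURCE_FAILURES:
            alerts.append(f"excessive failures from {source}")
    return outcomes, alerts

if __name__ == "__main__":
    for line in replay(EVENTS)[1]:
        print(line)
```

The per-source counter raises an alert even though the second account targeted from that address never reaches the lockout threshold, which is why alerting is tracked separately from lockout.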

6. Media Security - You securely remove all taxpayer information when disposing of computers, diskettes, magnetic tapes, hard drives, or any other electronic media that contain taxpayer information. The FTC Disposal Rule has information on how to dispose of sensitive data.

Explanation

Did you know that when you delete a file, it’s not really gone? And if you reformat a computer, that doesn’t erase all the sensitive data that was stored on it? When disposing of systems, especially those which have created, accessed, stored or edited sensitive information, you must ensure the system is properly sanitized. Various studies have been conducted where used systems were purchased from eBay and Craigslist, and using data recovery tools (not necessarily rocket science), personal and confidential information was recovered.

7. Personnel Security - You've performed a background and/or reference check on new employees who will have contact with taxpayer information, and have conducted background screenings that are appropriate to the sensitivity of an assigned position. This includes interns and part-time employees.

Explanation

A survey by CareerBuilder, in 2015, found that 56% of hiring managers have caught job candidates lying on their resumes. A quarter have seen people who claim to be employed by companies they never worked for. A background check, employment, and education verification should be included as part of the hiring process.

8. Information Systems Security - You periodically test your contingency plan.

Explanation

No plan, whether it is your data backup plan or a contingency plan for an extended power outage, is complete until it has been tested. At our office, we test our backup generator weekly, and the backup to our backup (a portable backup generator) every 60 days.

9. Computer Systems Security - You identify and authenticate computer system users who require access to electronic taxpayer information systems before granting them access.

Explanation

While authentication (user login) is part of major tax systems, not all sensitive taxpayer data is held within your tax software (e.g., Excel spreadsheets, PDFs, emails, etc.). It’s important that all systems are secured, with logins required.

10. Administrative Activities - Have you completed a risk assessment?

Explanation

A risk assessment identifies the risks and potential impacts of unauthorized access, use, disclosure, disruption, modification or destruction of information and information systems that can be used to access taxpayer data. How vulnerable is your clients’ data to theft, disclosure, unauthorized alterations or unrecoverable loss? What can you do to reduce the impact to your customers and your business in such an event? What can you do to reduce vulnerability? These are just a few of the questions a risk assessment looks to answer. It’s not if an incident will occur, it’s when (and more importantly, will you be prepared for it).


Quiz Review Timeline (Updated): +

  • Current Version
  • Mar 02, 2017
    Quiz Edited by
    ProProfs Editorial Team
  • Mar 01, 2017
    Quiz Created by