With lean budgets, fewer [employees] and ever more burdensome security standards, the state realized it can no longer afford to have its agencies tackling security issues in silos.
John Stehno, business analyst for solutions architecture, state of Oregon
Security specialists for the state of Oregon’s information systems have created a silo-busting IT security model for standardizing state agency compliance with Internal Revenue Service (IRS) requirements on managing federal tax data. The initiative could provide models — for example, a computer-based module for security training and certification -- for the way other governments, including the federal government, standardize compliance with regulations governing the use of sensitive data across large, complex enterprises, state officials said.
The IRS reports federal tax information (FTI) to a handful of Oregon state agencies, including the departments of Revenue, Employment, Justice and Human Services. Those agencies must comply with IRS’s daunting information security requirements, which are promulgated in the IRS’s 128-page Publication 1075, “Tax Information Security Guidelines for Federal, State and Local Agencies” (.pdf)
The document requires, for instance, that all FTI data in transit be encrypted when moving across an agency’s wide area network and within its local area network. That data must be protected by using National Institute of Standards and Technology Federal Information Processing Standard (FIPS) 140-2 validated cryptographic modules (.pdf), according to Publication 1075.
Until recently, Oregon’s state agencies struggled individually to comply and keep up with the IRS’s FTI security requirements. “With lean budgets, fewer [employees] and ever more burdensome security standards, the state realized it can no longer afford to have its agencies tackling security issues in silos,” said John Stehno, a business analyst for solutions architecture in Oregon’s state data center.
About a year ago, officials from the data center, the Enterprise Security Office, the FTI-affected agencies, and other agencies formed an FTI Joint-Agency Security Committee to standardize IRS compliance across the state government. Among other efforts, the committee is generating statewide policies for compliance with Publication 1075 to “ensure the entire state is on the same security page, shooting at the same security target” and to minimize “reinventing the wheel” for each agency, Stehno said.
A key product of the state’s cross-government collaboration is a technical training and certification module for FTI compliance. Every state employee or contractor who is exposed to federal tax information, no matter which agency he or she works for, will be required to use the module and achieve certification, Stehno said.
The module, which contains about a half hour of intensive training on IRS requirements relating to FTI, concludes with a certification test. “Because it will be in a computer-based module, we’ll be able to track who’s taken it and whether they passed or not,” said Theresa Masse, the state’s chief information security officer, manager of the Enterprise Security Office and chairwoman of the FTI joint-agency committee. “So it will be auditable and we can show the results to the IRS. I think the IRS will appreciate that because they’re all about auditing and records.”
The module will be released once it has undergone pilot testing and gets the stamp of approval from the IRS, which is currently reviewing it. “The IRS is pretty clear about the need for training [on handling FTI], who needs to have it and the training it needs to cover,” Masse said. “We’re waiting for the IRS to [complete the review] and see whether they have any recommendations that we need to incorporate.”