ACG 6415 Access Control Simulation AICPA 2012 Top 10 Technology Initiatives I.R.S.

Dec 27, 2015


Dorcas Phelps
Transcript
Page 1: ACG 6415 Access Control Simulation AICPA 2012 Top 10 Technology Initiatives I.R.S.

ACG 6415 Access Control Simulation

AICPA 2012 Top 10 Technology Initiatives

I.R.S.

Page 2

Access Control Simulations: Getting Started

Page 3

Tutorial

• Enter here to:

• Watch Slideshow of “what to do”

• Get Key card for Access

• Play around with office and other objects

Page 4

Inside

• Wall has slides that automatically advance

• Receptionist can provide you with objects needed for simulation

Page 5

Touch/Click Receptionist

• To acquire key-card

• Red or Blue

• Equipment Form

Page 6

Get Key Card

• Click Keep

Page 7

Wear Key Card step 1

• Open Inventory

• Briefcase icon

• Open Objects folder

• Find Security_CardBlue

• Find Security_CardRed

Page 8

Wear Key Card Step 2

• Click Wear button

• Note the Inventory object description changes to show it is now (worn on Chest)

• You can now access the blue or red building

• Make sure this control is working; try accessing the wrong building

Page 9

Click around and play

Page 10

Choose Your Starting Point

Page 11

You’ve Got This Far; What Should I Do?

• Walk around Building and Grounds

• Enter Offices, Computer Rooms, Network Rooms, etc.

• Click things (computer screens, cabinets, “people”, etc.).

• Use the camera (Option on Mac, Ctrl on PC) to zoom in on desktops and other objects

• Keep Notes

• Controls in Place

• Weaknesses (how can they be fixed)

• Usability Issues (this is beta after all)

• What’s easy / hard

• How long did it take you

• Overall Comments

Page 12

AICPA 2012 Top 10 Technology Initiatives

Page 13

Bonus Question: What’s #1?

1 Securing the IT environment

2 Managing and retaining data

3 Managing risk and compliance

4 Ensuring privacy

5 Leveraging emerging technologies

6 Managing system implementation

7 Enabling decision support and managing performance

8 Governing and managing IT investment/spending

9 Preventing and responding to fraud

10 Managing vendors and service providers

Page 14

New This Year

• Respondents rated their confidence that their organization or client is taking the necessary actions related to each initiative

• What were respondents least confident in?

• Protecting all mobile devices (laptops, tablets, mobile phone, etc.) to prevent a data breach

• Ensuring that data will be safe in event of a cyber-attack or mobile device loss.

Page 15

Biggest Impact

1 IT security

2 Remote access

3 Control and use of mobile devices

4 Business process improvement with technology

5 Data retention policies and structure

6 Privacy policies and compliance

7 Staff and management training

8 Spreadsheet management

9 Overall data proliferation and control

10 Portals (vendor and client/customer)

Page 16

IRS Needs to Further Enhance Internal Control over Financial Reporting and Taxpayer Data

GAO-12-393, Mar 16, 2012

Page 17

What GAO Found

• Control weaknesses jeopardize the confidentiality, integrity and availability of financial and sensitive taxpayer information

Page 18

Weaknesses

• Did not implement controls for identifying and authenticating users

• Did not require users to set new passwords after a prescribed period of time

• Did not appropriately restrict access to certain servers

• Did not ensure that sensitive data were encrypted when transmitted

• Did not audit and monitor systems to ensure that unauthorized activities would be detected

• Did not ensure management validation of access to restricted areas.

• Left software unpatched and outdated, exposing IRS to known vulnerabilities

• Did not enforce backup procedures for a key system.

Page 19

Not a Good Opinion

• “Considered collectively, these deficiencies, both new and unresolved from previous GAO audits, along with a lack of fully effective compensating and mitigating controls, impair IRS's ability to ensure that its financial and taxpayer information is secure from internal threats. This reduces IRS's assurance that its financial statements and other financial information are fairly presented or reliable and that sensitive IRS and taxpayer information is being sufficiently safeguarded from unauthorized disclosure or modification. These deficiencies are the basis of GAO’s determination that IRS had a material weakness in internal control over financial reporting related to information security in fiscal year 2011.”

Page 20

Access Controls

• User Identification

• Authorization

• Cryptography

• Audit and Monitoring

• Physical Security

Page 21

Identification and Authorization

• Authentication

• IRS requires a “strong” password: 8 characters minimum

• At least one special character; at least one uppercase and one lowercase letter

• Can’t reuse a password within 10 password changes

• IRS did not set an appropriate password reuse maximum time or ensure complex password verification checking for its procurement system.

• Systems used to process tax and financial information did not fully prevent access by unauthorized users or excessive levels of access for authorized users.

• IRS has implemented an access authorization control for a system used to process electronic tax payment information; however, users had the capability to circumvent this control and gain access to this system’s server.

• During its monthly compliance check in August 2011, the agency identified 16 users who had been granted access to the procurement system without receiving approval from the agency’s authorization system.

• Data in a shared work area used to support accounting operations were fully accessible by network administration staff although they did not need such access.

• IRS has not taken actions to appropriately restrict services and user access, and to remove active application accounts in a timely manner for employees who had separated or no longer needed access.
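The password rules on this slide (8-character minimum, one special character, upper- and lowercase letters, no reuse within 10 changes) together with the earlier finding that IRS did not require new passwords after a prescribed period are enough to write the check an application should run on a password change. The following Python is an added example for this course page, not IRS or GAO code; the 90-day maximum age is an assumed placeholder because the slides never state the prescribed period, and the salted PBKDF2 history is one reasonable way to store the last 10 passwords without keeping them recoverable.

```python
import hashlib
import os
import string
from datetime import date, timedelta

# Policy values taken from the slide: 8-character minimum, at least one
# special character, at least one upper- and one lowercase letter, and no
# reuse within the last 10 password changes.
MIN_LENGTH = 8
HISTORY_DEPTH = 10
SPECIALS = set(string.punctuation)
# The slides do not state the maximum password age (only that IRS failed to
# enforce one on some systems); 90 days is an assumed placeholder.
MAX_AGE_DAYS = 90


def _digest(password, salt):
    """Salted PBKDF2 so the reuse history never stores a recoverable password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 20_000)


class PasswordHistory:
    """Keeps salted digests of the last HISTORY_DEPTH passwords for one user."""

    def __init__(self):
        self._entries = []  # (salt, digest) pairs, oldest first

    def remember(self, password):
        salt = os.urandom(16)
        self._entries.append((salt, _digest(password, salt)))
        del self._entries[:-HISTORY_DEPTH]  # keep only the newest HISTORY_DEPTH

    def contains(self, password):
        return any(_digest(password, salt) == digest for salt, digest in self._entries)


def complexity_violations(password):
    """Return the list of policy rules the password breaks (empty if compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    return problems


def check_new_password(candidate, history):
    """Complexity rules plus the 10-change reuse rule; an empty list means accepted."""
    problems = complexity_violations(candidate)
    if history.contains(candidate):
        problems.append("reused within the last %d changes" % HISTORY_DEPTH)
    return problems


def password_expired(last_changed_iso, today_iso):
    """True when the prescribed change period (assumed MAX_AGE_DAYS) has elapsed."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    history = PasswordHistory()
    for i in range(11):
        history.remember("Rotate%02d!x" % i)  # eleven prior passwords, constructed
    print(check_new_password("Rotate00!x", history))  # rolled out of the 10-deep history
    print(check_new_password("Rotate10!x", history))  # still in history, rejected
    print(complexity_violations("short"))
```

The reuse check has to hash the candidate once per stored entry because each entry carries its own salt; that cost is deliberate, since a single unsalted digest would let anyone with the history table test guesses offline against every user at once.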

Page 22

Cryptography

• The agency configured a server that transfers tax and financial data between internal systems to use protocols that allowed unencrypted transmission of sensitive data.

• IRS also had not rectified its use of unencrypted protocols for a sensitive tax-processing application, potentially exposing user ID and password combinations.

Page 23

Audit and Monitoring

• The agency had not delivered system audit reports covering a 4-month period for one financial application

• The agency had enabled and configured audit logging for UNIX operating systems on the 31 servers reviewed. However, it had not enabled and configured monitoring activity for its authorization system

• IRS did not properly enable auditing features on its Oracle databases supporting three systems we reviewed

• IRS’s ability to establish individual accountability, monitor compliance with security policies, and investigate security violations was limited.
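Three of the access findings above are the kind a monthly compliance check can catch mechanically: accounts granted on the procurement system without an approval in the authorization system (the 16 users found in August 2011), application accounts still active for separated employees, and a shared accounting work area reachable by a group with no business need. The Python below is an added example for this page, not the agency's own tooling; the account, approval, separation and ACL records are constructed sample data, and the set of groups with a need to know is an assumption for the example.

```python
from datetime import date, timedelta

# --- constructed sample data (illustrative, not drawn from the GAO report) ---
# Active application accounts as exported from the procurement system.
ACCOUNTS = [
    {"user": "asmith", "system": "procurement", "granted": "2011-07-05"},
    {"user": "bjones", "system": "procurement", "granted": "2011-07-18"},
    {"user": "cwang",  "system": "procurement", "granted": "2011-08-02"},
    {"user": "dlee",   "system": "procurement", "granted": "2010-11-15"},
]
# Approvals recorded in the agency's authorization system.
APPROVALS = [
    {"user": "asmith", "system": "procurement"},
    {"user": "dlee",   "system": "procurement"},
]
# Separation dates from HR: user -> last working day.
SEPARATIONS = {"dlee": "2011-06-30"}
# ACL on the shared accounting work area: group -> permission level.
SHARE_ACL = {"accounting-staff": "modify", "net-admins": "full", "helpdesk": "read"}
# Groups with a business need for that share (assumption for the example).
NEED_TO_KNOW = {"accounting-staff"}


def unapproved_grants(accounts, approvals):
    """Accounts active on a system with no matching approval record."""
    approved = {(a["user"], a["system"]) for a in approvals}
    return sorted(acc["user"] for acc in accounts
                  if (acc["user"], acc["system"]) not in approved)


def separated_still_active(accounts, separations, as_of, grace_days=0):
    """Accounts whose owner separated more than grace_days before as_of."""
    cutoff = date.fromisoformat(as_of) - timedelta(days=grace_days)
    stale = []
    for acc in accounts:
        last_day = separations.get(acc["user"])
        if last_day and date.fromisoformat(last_day) <= cutoff:
            stale.append(acc["user"])
    return sorted(stale)


def excessive_share_access(acl, need_to_know):
    """ACL entries that grant access to groups with no business need for the data."""
    return sorted(group for group in acl if group not in need_to_know)


def monthly_compliance_report(as_of):
    """The three checks together, keyed the way a reviewer would read them."""
    return {
        "unapproved": unapproved_grants(ACCOUNTS, APPROVALS),
        "separated_active": separated_still_active(ACCOUNTS, SEPARATIONS, as_of),
        "excessive_share": excessive_share_access(SHARE_ACL, NEED_TO_KNOW),
    }


if __name__ == "__main__":
    for check, hits in monthly_compliance_report("2011-08-31").items():
        print(check, hits)
```

Running the same three joins every month, against exports rather than screenshots, is what turns "monitor compliance with security policies" from an audit finding into a repeatable control; the interesting cases are the exceptions the report prints, and each of them maps to one of the GAO bullets above.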

Page 24: ACG 6415 Access Control Simulation AICPA 2012 Top 10 Technology Initiatives I.R.S.

Physical Security• Physical security controls are important for protecting computer facilities and resources from espionage, sabotage,

damage, and theft.

• IRS did not always consistently authorize employees’ access to restricted areas or inventory physical access cards.

• the guard forces at two of the three computing centers we visited did not always sign, thus providing accountability for, the inventory of physical access cards.

• one of three guard shifts did not detect an anomaly in the inventory for 4 of the 5 days we reviewed at one computing center.

• physical security weaknesses identified during previous audits remain unresolved.

• management validation of access to restricted areas

• proximity cards allowing inappropriate access

• unlocked cabinets containing network devices.
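The two card-inventory findings above (guards not signing the inventory, and one shift failing to notice a discrepancy on 4 of 5 days) are both chain-of-custody failures that a review of the shift log can surface. This Python is an added example written for this page, not a GAO or IRS procedure; the shift log is constructed sample data with the column layout assumed for the example.

```python
from collections import namedtuple

# One record per guard shift in the card-inventory log (constructed sample).
# opening/closing: cards on hand at shift start and end;
# issued/returned: card movements during the shift;
# signed: whether the guard signed the inventory sheet;
# anomaly_reported: whether the shift flagged a discrepancy.
ShiftLog = namedtuple(
    "ShiftLog", "day shift opening issued returned closing signed anomaly_reported")

LOG = [
    ShiftLog("2011-09-12", "day",   40, 2, 0, 38, True,  False),
    ShiftLog("2011-09-12", "swing", 38, 0, 1, 39, True,  False),
    ShiftLog("2011-09-12", "night", 39, 0, 0, 38, True,  False),  # one card short, not reported
    ShiftLog("2011-09-13", "day",   38, 1, 0, 37, False, False),  # sheet not signed
    ShiftLog("2011-09-13", "swing", 37, 0, 1, 38, True,  False),
    ShiftLog("2011-09-13", "night", 38, 0, 0, 38, True,  False),
    ShiftLog("2011-09-14", "day",   39, 0, 0, 39, True,  False),  # opened at 39, prior shift closed at 38
]


def review_card_inventory(log):
    """Return (day, shift, finding) tuples for every accountability failure in the log."""
    findings = []
    previous_closing = None
    for entry in log:
        expected_closing = entry.opening - entry.issued + entry.returned
        if not entry.signed:
            findings.append((entry.day, entry.shift, "inventory sheet not signed"))
        # Handover check: a shift must start with what the previous shift ended with.
        if previous_closing is not None and entry.opening != previous_closing:
            findings.append((entry.day, entry.shift,
                             "opening count %d does not match prior closing %d"
                             % (entry.opening, previous_closing)))
        # Detection check: a count that disagrees with the movements must be reported.
        if entry.closing != expected_closing and not entry.anomaly_reported:
            findings.append((entry.day, entry.shift,
                             "undetected anomaly: closing %d, expected %d"
                             % (entry.closing, expected_closing)))
        previous_closing = entry.closing
    return findings


def shifts_that_missed_anomalies(log):
    """Names of shifts with at least one discrepancy they failed to report."""
    return sorted({shift for _, shift, finding in review_card_inventory(log)
                   if finding.startswith("undetected")})


if __name__ == "__main__":
    for finding in review_card_inventory(LOG):
        print(*finding)
```

The handover check is the one people forget: a shift that inherits a wrong count and signs for it has laundered the discrepancy, which is exactly why an unsigned sheet and an unreported mismatch are reported as separate findings rather than folded into one.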

Page 25

Configuration Management

• Verify the correctness of the security settings in the operating systems, applications, or computing and network devices

• Obtain reasonable assurance that systems are configured and operating securely and as intended

• IRS had never installed numerous patch releases for the UNIX operating system supporting another system we reviewed, although this operating system has existed since March 2009.

• 10 uninstalled security-related patch releases were considered “critical” by the vendor.

• The agency also used outdated software on all three reviewed servers used for remote access.

• IRS was using unsupported versions of software on most network devices reviewed.
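The patch findings above reduce to two comparisons: installed version against each vendor release newer than it (and how long each has been outstanding), and installed version against the vendor's end-of-support date. The Python below is an added example for this page, not an IRS or GAO tool; the product names, release data, end-of-support table and host inventory are all constructed placeholders, and the version parser assumes plain dotted numeric versions.

```python
from collections import namedtuple
from datetime import date

Patch = namedtuple("Patch", "product version released severity")
Host = namedtuple("Host", "name product version")

# Constructed vendor release data; product names are placeholders.
VENDOR_PATCHES = [
    Patch("unix-os",   "5.3.1", "2009-05-10", "critical"),
    Patch("unix-os",   "5.3.2", "2009-11-02", "important"),
    Patch("unix-os",   "5.3.3", "2010-06-21", "critical"),
    Patch("remote-gw", "2.1.0", "2010-01-15", "moderate"),
    Patch("remote-gw", "2.2.0", "2011-03-01", "critical"),
    Patch("netdev-os", "12.4",  "2010-09-01", "critical"),
]
# (product, version) -> last day the vendor supports it (constructed).
END_OF_SUPPORT = {
    ("netdev-os", "12.2"): "2010-12-31",
    ("remote-gw", "2.0.0"): "2011-01-31",
}
# Constructed inventory: one never-patched server, one remote-access gateway,
# one network device.
HOSTS = [
    Host("tax-app-01", "unix-os",   "5.3.0"),
    Host("vpn-01",     "remote-gw", "2.0.0"),
    Host("core-sw-01", "netdev-os", "12.2"),
]


def parse_version(v):
    """Dotted numeric versions only (assumption); compare as integer tuples."""
    return tuple(int(part) for part in v.split("."))


def missing_patches(host, patches, as_of):
    """(version, severity, days outstanding) for every release newer than what is installed."""
    today = date.fromisoformat(as_of)
    installed = parse_version(host.version)
    out = []
    for p in patches:
        if p.product == host.product and parse_version(p.version) > installed:
            age = (today - date.fromisoformat(p.released)).days
            out.append((p.version, p.severity, age))
    return sorted(out, key=lambda t: parse_version(t[0]))


def critical_backlog(hosts, patches, as_of):
    """host name -> number of uninstalled releases the vendor rates critical."""
    return {h.name: sum(1 for _, sev, _ in missing_patches(h, patches, as_of)
                        if sev == "critical")
            for h in hosts}


def unsupported_hosts(hosts, eos, as_of):
    """Hosts running a version whose vendor support ended before as_of."""
    today = date.fromisoformat(as_of)
    return sorted(h.name for h in hosts
                  if (h.product, h.version) in eos
                  and date.fromisoformat(eos[(h.product, h.version)]) < today)


if __name__ == "__main__":
    for h in HOSTS:
        print(h.name, missing_patches(h, VENDOR_PATCHES, "2011-08-31"))
    print(critical_backlog(HOSTS, VENDOR_PATCHES, "2011-08-31"))
    print(unsupported_hosts(HOSTS, END_OF_SUPPORT, "2011-08-31"))
```

The age column is what makes the report useful to an auditor: a count of missing patches says how far behind a host is, but the days outstanding on the oldest critical release is what shows whether the patch process is running at all.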