Your Roadmap to Risk Reduction!
The Continuum GRC ITAM SaaS platform has hundreds of plugin modules available, such as:
Comprehensive IRS 1075 & 4812 Audit Services
Publication 1075, Tax Information Security Guidelines for Federal, State, and Local Agencies and Entities, provides very detailed audit requirements. Publication 1075 documents the managerial, operational, and technical security controls that must be implemented as a condition of receipt of Federal Tax Information (FTI). The IRS has mapped the IRS Publication 1075 control requirements to the National Institute of Standards and Technology (NIST) control requirements in NIST SP 800-53.
Modules include:
- Section 1.0, Introduction
- Section 2.0, Federal Tax Information and Reviews
- Section 3.0, Record Keeping Requirement
- Section 4.0, Secure Storage
- Section 5.0, Restricting Access
- Section 6.0, Other Safeguards
- Section 7.0, Reporting Requirements
- Section 8.0, Disposing of FTI
- Section 9.0, Computer System Security
IRS 4812
Publication 4812 is a new publication designed to identify security requirements for contractors and any subcontractors supporting the primary contract. It identifies security controls and requirements for contractors (and their subcontractors) who handle or manage Internal Revenue Service (IRS) Sensitive But Unclassified (SBU) information on or from their own information systems or resources. The level of required security controls may vary depending on the duration, size, and complexity of the contract.
Modules include:
- Access Control and Approving Authorization for IT Assets (AC)
- Awareness and Training (AT)
- Audit and Accountability (AU)
- Security Assessment and Authorization (CA)
- Configuration Management (CM)
- Contingency Planning (CP)
- Identification and Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Physical and Environmental Protection (PE)
- Planning (PL)
- Program Management (PM)
- Personnel Security (PS)
- Risk Assessment (RA)
- System and Services Acquisition (SA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
FAQ
Who needs to comply with IRS Publication 1075 and 4812 audits?
Any agencies, contractors/subcontractors, data centers, or anyone else that handles or engages with Federal Tax Information (FTI) or Sensitive But Unclassified (SBU) data must comply with the security and privacy controls outlined in IRS 1075 and IRS 4812. These Internal Revenue Service protocols are specifically designed to safeguard Federal Tax Information.
What is Federal Tax Information (FTI)?
Federal Tax Information (FTI) includes tax returns and any information derived from them. This highly sensitive data from the Internal Revenue Service requires extreme confidentiality, with high levels of security controls, including encryption. Access to Federal Tax Information should be limited to authorized personnel only. Strict systems and practices must be part of any organization that manages Internal Revenue Service assets.
What does a 4812 audit involve?
An audit identifies security controls and assesses their effectiveness. The review and risk assessment process looks at elements including access controls, incident response protocols, and accountability, and confirms that all appropriate protocols dictated by the Internal Revenue Service are in place. Some audits can be done internally; others may require a third party.
What services are included in IRS 1075 and 4812 audit support?
Services include risk assessment and threat modeling around FTI, evaluation of internal systems and processes, alignment with the security practices required for this sensitive information (including strict access controls), review of record-keeping and documentation, and help with awareness training and incident response planning. Continuum GRC can assist in these and other audit needs.
What is the Safeguard Security Report (SSR)?
The SSR is used by agencies that work with sensitive information, especially Federal Tax Information. It documents the controls, procedures, and processes that are in place to protect it. The SSR documents compliance with the guidelines outlined in Publications 1075 and 4812. It requires regular updates based on internal inspections.
What are common areas of non-compliance found in 4812 audits?
Typical areas involve inadequate or outdated documentation, failure to comply with existing regulations, or failure to follow well-defined security procedures. Audits frequently turn up improper staff training and supervision, poor data management, a lack of disaster recovery planning and, of course, security controls that are too lax.
What are you waiting for?
You are just a conversation away from putting the power of Continuum GRC to work for you.
Contact us using the form below or by calling us at 1-888-896-6207 for immediate assistance.