Does your company handle Sensitive But Unclassified (SBU) information in your role as a contractor of the IRS? If you do (and in some cases, even if you don’t), you’ve got IRS Cybersecurity Standards to keep an eye on. Evaluating your current approach to complying with IRS Cybersecurity Standards is a deeper topic than we can cover in a single article, but here we’ll focus on some initial steps you can take (if you haven’t already) to handle some of your most essential cybersecurity obligations.
Think about the Sensitive But Unclassified (SBU) tax information that you handle, store, or transmit. What information systems does it flow through? Some organizations with IRS contracts are quick to assume that the only system that needs scrutiny is professional-grade tax software that is often the central to the contracted project. However, a more realistic assessment will probably reveal that there are other ancillary file storage and reporting systems (amongst others) that are a part of the workflow. Making a list of these systems is a crucial first step towards determining the breadth of your compliance obligations.
As you work towards compliance, you’ll be better off if you have a clear understanding of which of the systems (you did Step #1, right?) touch which types of sensitive information. Here are some of the types of information that qualify as SBU:
The above classifications should help you think broadly about which systems your organization uses that access any information that the IRS defines as SBU
Much of the implementation burden for organizations pursuing compliance with IRS cybersecurity standards comes from a need to have thorough audit logs. The evaluation of audit logs should span all of the systems enumerated in Step #1. Some of the easy-to-identify characteristics you should be looking for are:
Systems built for tax-related workflows will likely have audit logs that sail through these requirements (if they’ve already been scrutinized for IRS cybersecurity standards in the past). However, the “gotcha” tends to be when an organization subject to IRS cybersecurity standards uses some additional software that comes from outside of the tax software industry.
Those types of systems – ones that were often built by providers that have no knowledge of IRS cybersecurity standards – are typically where inadequate audit logging becomes an issue. Sometimes it’s as simple as a system that the organization uses for internal filesharing or internal data analysis – especially if those systems involve any third party cloud-based solutions. If any such system has access to SBU, it needs to be compliant with IRS cybersecurity standards.
If you’ve read this far, you are in deep enough to realize that the typical new-hire at a company that handles SBU information for the IRS is unlikely to automatically know the depth of the company’s cybersecurity obligations. A great start would be to provide companywide cybersecurity training, to increase teamwide understanding of basic cybersecurity terminology that will come up frequently during the compliance effort. If you don’t take this step out the outset, you’ll wish that you did. The first time you need to involve someone without any cybersecurity background in an evaluation of the suitability of some system or software, basic cybersecurity knowledge will go a long way towards making sure that an IRS cybersecurity standards lens is used when choosing additional systems/software. Remember, IRS cybersecurity standards require you to maintain compliance even for systems that only touch tax data momentarily, like a file sharing system used to convey filings to clients.
We’re sorry to be the bearer of bad news: you should probably read some of the introductory parts of IRS Publication 4812, especially the Background and Purpose sections. One of the topics you’ll learn about is the rights that the IRS reserves to access your site on 48 hours of notice. You’ll also learn about your time-bound obligations for remediating any risks identified by the IRS during any such assessment.
A key to understanding how far along your organization is (in its journey towards compliance with IRS cybersecurity standards) is to ask about any unauthorized information disclosures that have happened in the past. Companies that handle SBU information for the IRS and have an unauthorized information disclosure face serious ramifications, and you’ll want a clear understanding of whether there have been any such incidents in the past.
We hesitate to recommend this, but it really is worth your time. You’ll want cybersecurity professionals involved in your effort to comply with IRS cybersecurity standards, and an ability to “speak the language” of those professionals will help you build a good working relationship as the effort progresses. NIST SP 800-53 is a taxonomy that describes the many “controls” that may be needed to mitigate the cybersecurity risk that an organization may face. A brief review of the control families is a good start towards understanding the breadth of security obligations that cybersecurity professionals will need to think about as they guide you to compliance with IRS cybersecurity standards.
Want to go deeper on IRS Cybersecurity Standards? We’d love to guide you through the process of implementing the necessary controls that go well beyond what we’ve covered here. Feel free to get in touch if we can be helpful in that regard.