Safeguard Computer Security Evaluation Matrix (SCSEM)

Management, Operational, and Technical Controls
Data Warehouse Appendix
Release IV
July 30, 2010
Version 0.6

The IRS strongly recommends agencies test all SCSEM settings in a development/test
environment prior to deploying them in operational environments, because in some cases a
security setting may impact a system’s functionality and usability. Consequently, it is important
to perform testing to determine the impact on system security, functionality, and usability.
Ideally, the test system configuration should match the operational system configuration. Prior
to making changes to the production system, agencies should back up all critical data files on
the system and, if possible, make a full backup of the system to ensure it can be restored to its
pre-SCSEM state if necessary. The IRS welcomes feedback and suggestions from agencies
regarding individual SCSEMs.




Tester:            First M. Last
Date:              month d, yyyy - month d, yyyy
Location:          City, ST
Agency POC(s):     Name:           Telephone #           Email Address
                   First M. Last   (###) ###-#### x##### First.M.Last@xx.xxx
                   First M. Last   (###) ###-#### x##### First.M.Last@xx.xxx

System Hostname:

DIRECTIONS FOR SCSEM USE


This SCSEM is used by the IRS Office of Safeguards to evaluate compliance with IRS Publication 1075 for agencies that have implemented a data
warehouse for storing or processing Federal Tax Information (FTI). This SCSEM is meant to be a vendor-neutral compliance check of data
warehouse controls.

Agencies should use this SCSEM to prepare for an upcoming Safeguard review, but it is also an effective tool for agencies to use as part of internal
periodic security assessments or internal inspections to ensure continued compliance in the years when a Safeguard review is not scheduled. The
agency can also use the SCSEM to identify the types of policies to have in place to ensure continued compliance with IRS Publication 1075.

SCSEM Results Dashboard

Status                                   # of Tests    Percent (%)
Pass                                     0             0.0%
Fail                                     0             0.0%
Additional Information Needed (Info)     0             0.0%
Not Applicable (N/A)                     0             0.0%
Blank (Not Reviewed)                     30            100.0%
Total # of Tests Performed               0             -
Total # of Tests Available               30            -

The dashboard is provided to automatically calculate test results from the Test
Case tab.

The 'Info' status is provided for use by the reviewer during test execution to
indicate more information is needed to complete the test. It is not an acceptable
final test status; all test cases should be Pass, Fail or N/A at the conclusion of
the review.
                                                                                                                                IRS Safeguards
                                                                                                          Management, Operational, and Technical (MOT) Controls SCSEM
                                                                                                                          Data Warehouse Appendix



        Control                                                                                                                                                                                                      Pass / Fail / Info
 ID               NIST Control      NIST ID   Test Objective   Test Method                         Procedures                                               Expected Result                         Actual Results                                 Comments / Supporting Evidence
         Class                                                                                                                                                                                                            / N/A
 MOT-      T    Transmission         SC-9     Data Warehouse     Interview   1. Determine the mechanism(s) used to input data into       1. All Internet transmissions are encrypted utilizing at
DW-01           Confidentiality                    Load             Test     the data warehouse environment (e.g., A Data                least a 128 bit length key. All sessions for extract,
                                                                             Warehouse is a structure that is designed to distribute     transform and load stages of data entering a
                                                                             data from multiple arenas to the primary enterprise         warehouse are protected with end-to-end encryption,
                                                                             system. A DW collects, extracts, transforms,                i.e., from workstation to point of data.
                                                                             transports, and loads data for a distribution. In the
                                                                             context of FTI within agencies, the DW stores sets of
                                                                             historical data, which contains specific taxpayer
                                                                             information, as well as summary information and
                                                                             historical data.)

                                                                             2. Examine the controls in place to protect
                                                                             transmission of data into the data warehouse
                                                                             environment.

 MOT-     T     Flaw                 SI-2     Data Warehouse     Interview   1. Determine if the platform the data warehouse is          1. The Platform is running a supported operating
DW-02           Remediation                     Supporting          Test     hosted on is running a supported release of that            system release. (Please note the OS and release in
                                                  Platform                   particular operating system.                                Actual Results)
 MOT-     T     External             SA-9     Data Warehouse     Interview   1. Determine if all connections to the Data                 1. The Data Warehouse has no connections to
DW-03           Information                        Load             Test     Warehouse are controlled and monitored.                     systems external to the Agency network.
                System Services
                                                                                                                                         2. If there are connections to Web Portals and/or
                                                                                                                                         IVR feeds, they must meet the requirements outlined
                                                                                                                                         in the Web Portal and IVR technical requirements.


 MOT-     O     Information Flow     IA-4     Data Warehouse     Interview   1. Determine what sources the data warehouse                Listing of Applications/Systems (to include Agency
DW-04           Enforcement                        Data             Test     receives FTI from and what specific extracts are            ownership) providing data.
                                                                             included.                                                                                                                                                    Note: Test Case should not necessarily fail, unless
                                                                                                                                         Listing of extracts received.                                                                    the applications/systems listed are external to the
                                                                                                                                                                                                                                          agency.



 MOT-     O     Information Flow     IA-4     Data Warehouse     Interview   1. Determine what data is extracted from the data           Listing of Applications/Systems (to include Agency
DW-05           Enforcement                        Data             Test     warehouse. (This could be other applications pulling        ownership) receiving data.
                                                                             data or the data warehouse pushing to another                                                                                                                Note: Test Case should not necessarily fail, unless
                                                                             application.)                                               Listing of extracts sent.                                                                        the data warehouse is sending FTI outside the agency.




 MOT-     O     Information Flow     IA-4     Data Warehouse     Interview   1. Determine what products (electronic or paper) are        List all products created by the data warehouse and
DW-06           Enforcement                        Data             Test     created from the data warehouse.                            what particular FTI extracts are included.
                                                                                                                                                                                                                                          Note: Test Case should not necessarily fail, unless
                                                                                                                                                                                                                                          the products created do not meet Publication 1075
                                                                                                                                                                                                                                          requirements. Consult with the DES on this.

                                                                                                                                                                                                                                          Note: Ensure the DES is made aware of paper and
                                                                                                                                                                                                                                          electronic products created from the data warehouse.



 MOT-     O     Information Input    SI-10    Data Warehouse     Interview   1. Determine the mechanism(s) used to check data            1. Rules for checking the valid syntax of information
DW-07           Accuracy,                          Load             Test     input to the data warehouse environment for                 system inputs (e.g., character set, length, numerical
                Completeness,                                                completeness, accuracy and validity.                        range, acceptable values) are in place to verify that
                Validity, and                                                                                                            inputs match specified definitions for format and
                Authenticity                                                                                                             content.

                                                                                                                                         2. Data that does not match the required format and
                                                                                                                                         content are rejected.

 MOT-     T     Information Input    SI-9     Data Warehouse     Interview   1. Examine the list of personnel authorized to input        1. Only personnel with a job function that requires
DW-08           Restrictions                       Load             Test     data to the data warehouse environment.                     them to input data to the data warehouse
                                                                             2. Verify the list of authorized personnel contains only    environment have this level of access.
                                                                             current personnel with a job function that requires this    2. Personnel who no longer require this level of
                                                                             level of access.                                            access are promptly removed from the access list.




 MOT-     T     Information in       SC-4     Data Warehouse   Interview     Interview the administrator and/or network personnel      The agency has documented procedures in place for
DW-09           Shared                          FTI Extract                  and determine what happens to the original FTI extract    the removal or backing up of the original FTI extract,
                Resources                        Removal                     after it has been loaded into the Data Warehouse.         after it has been loaded into the Data Warehouse.

 MOT-     T     Session             SC-23     Data Warehouse     Interview   1. Determine controls in place to protect FTI data while     1. Access to database tables containing FTI is
DW-10           Authenticity                   Data Storage         Test     at rest in the data warehouse environment.                   restricted to authorized personnel only.
                                                                                                                                          2. FTI data is isolated from other state
                                                                                                                                          agency data within database tables. If FTI and other
                                                                                                                                          state agency data are commingled (as defined in
                                                                                                                                          IRS Publication 1075) in database tables, proper
                                                                                                                                          controls are in place to identify the FTI data.




 MOT-      T    User                   IA-2     Data Warehouse        Interview    1. Determine if access attempts to the data               1. Identification and authentication is required at the
DW-11           Identification and               Identification &        Test      warehouse environment require the user to be              operating system, database and application level
                Authentication                    Authentication                   identified and authenticated prior to access being        within the data warehouse environment.
                                                                                   granted.                                                  2. Automated processes that access the data
                                                                                                                                             warehouse are identified and authenticated using
                                                                                   Note: There are various ways to access the data           process account credentials.
                                                                                   warehouse environment. Ensure identification and          3. Passwords are not displayed in clear text.
                                                                                   authentication controls are implemented for the
                                                                                   following access mechanisms:
                                                                                   a) Direct access to the backend database
                                                                                   management system and data dictionary;
                                                                                   b) Operating system access to the platform where the
                                                                                   database resides;
                                                                                   c) Access to the application used to query the data
                                                                                   warehouse environment and produce reports.

                                                                                   2. Determine if there are any automated processes
                                                                                   that access the data warehouse for data retrieval and
                                                                                   verify the identification and authentication mechanism
                                                                                   in place for these processes.


 MOT-      T     User                  IA-4     Data Warehouse        Interview    1. Work with the administrator to view a list of all users     1. All usernames are unique.
DW-12            Identification and              Identification &        Test      of the system.                                                 2. All administrative accounts are valid and all users
                 Authentication                   Authentication                                                                                  have a need for access.

 MOT-      T     Account               AC-2     Data Warehouse        Interview    1. Determine if account configurations meet IRS           1. All privileged accounts are disabled after 60 days
DW-13            Management                      Identification &        Test      requirements.                                             of inactivity and all normal user accounts are
                                                  Authentication                                                                             disabled after 90 days of inactivity.

 MOT-      T     Authenticator         IA-5     Data Warehouse        Interview    1. Determine if password configurations meet IRS          1. Passwords are required to be a minimum of 8
DW-14            Management                      Identification &        Test      requirements for minimum length.                          characters in length.
                                                  Authentication
 MOT-      T     Authenticator         IA-5     Data Warehouse        Interview    1. Determine if password configurations meet IRS          1. Password complexity is enforced.
DW-15            Management                      Identification &        Test      requirements for password complexity.
                                                  Authentication
 MOT-      T     Authenticator         IA-5     Data Warehouse        Interview    1. Determine if password configurations meet IRS          1. Passwords are required to be changed every 60
DW-16            Management                      Identification &        Test      requirements for password expiration.                     days for privileged users and every 90 days for
                                                  Authentication                                                                             normal users.
 MOT-      T     Access                AC-3     Data Warehouse        Interview    1. Determine who has access to the data warehouse         1. Access is restricted to authorized application end
DW-17            Enforcement                     Access Control          Test      environment from all possible connection points           users, operating system administrators and
                                                                                   including:                                                database administrators.
                                                                                   a) Direct access to the backend database                  2. Personnel who no longer require access to the
                                                                                   management system and data dictionary;                    data warehouse environment are promptly removed
                                                                                   b) Operating system access to the platform where the      from the access list.
                                                                                   database resides;
                                                                                   c) Access to the application used to query the data
                                                                                   warehouse environment and produce reports.

 MOT-      T     Access                AC-3     Data Warehouse        Interview    1. Review account approval procedures to determine        1. All account access has a documented approval.
DW-18            Enforcement                     Access Control          Test      who approves access to the Data Warehouse.                2. Agency personnel approve all access to the Data
                                                                                   2. Determine who has access to the Data                   Warehouse.
                                                                                   Warehouse.                                                3. All personnel who have access are approved and
                                                                                                                                             have a need for access.

 MOT-      T     Access                AC-3     Data Warehouse        Interview    1. Determine if appropriate roles have been assigned.     1. Varying levels of roles have been established for
DW-19            Enforcement                     Access Control          Test                                                                access, with no user having higher privileges
                                                                                                                                             than necessary.




 MOT-      T     Session Lock         AC-11     Data Warehouse        Interview    1. Determine if the data warehouse is configured to       1. The data warehouse is configured to lock out a
DW-20                                            Access Control          Test      lock a session after 15 minutes of inactivity.            session after 15 minutes of inactivity.


 MOT-      T     Configuration         CM-6      Data Warehouse       Interview    1. Determine if the data warehouse application            1. FTI is clearly identified to the user (on screen)
DW-21            Settings                       Application Screen       Test      screens clearly identify FTI to the user.                 from the data warehouse application.




 MOT-      T     Information Flow      AC-4     Data Warehouse        Interview    1. Determine which data tables within the data            1. All data tables containing FTI are clearly labeled
DW-22            Enforcement                       Data Flow             Test      warehouse contain FTI.                                    as having FTI within their records.
                                                                                   2. Determine the naming convention of the data            2. If data tables are commingled with FTI and state
                                                                                   tables.                                                   data, the labeling needs to be done at the data
                                                                                                                                             element level.




 MOT-      T    Information Flow     AC-4     Data Warehouse       Interview    1. Determine if FTI data is commingled with non-FTI          1. FTI data is not commingled with non-FTI data.
DW-23           Enforcement                      Data Flow            Test      data.                                                        FTI data remains in a separate data table.

                                                                                                                                             2. If FTI data is commingled with non-FTI data, ensure
                                                                                                                                             the FTI data meets IRS requirements on commingling
                                                                                                                                             data. (All FTI is clearly identified and auditing must
                                                                                                                                             be turned on.)

 MOT-     T      Information Flow    AC-4     Data Warehouse       Interview    1. Determine if FTI within the data tables is clearly        1. FTI data within the data tables is clearly
DW-24            Enforcement                     Data Flow            Test      identified.                                                  identified as being Federal Taxpayer Information. It
                                                                                                                                             must meet the following requirements:

                                                                                                                                             a. FTI needs to be tagged at the application,
                                                                                                                                             database, data profile, data table, data column and
                                                                                                                                             row, or even data element level.

                                                                                                                                             b. If an agency has a database that is composed
                                                                                                                                             entirely of FTI, labeling at the database level would
                                                                                                                                             be sufficient. However, if an agency has FTI
                                                                                                                                             commingled with other information in a database,
                                                                                                                                             FTI has to be labeled at the level that separates it
                                                                                                                                             from non-FTI data (i.e., data table, data element).




 MOT-     T      Audit Generation   AU-12     Data Warehouse       Interview    1. Determine if auditing is activated within the data        1. Auditing is activated within the data warehouse
DW-25                                            Data Flow            Test      warehouse and on all data tables containing FTI.             and all data tables containing FTI.
 MOT-     T      Auditable Events    AU-2     Data Warehouse       Interview    1. Determine the security relevant events that are           1. The data warehouse captures all changes made
DW-26                                         Security Auditing       Test      captured in the audit logs within the data warehouse         to data, including: additions, modifications, or
                                                                                environment.                                                 deletions. If a query is submitted, the audit log must
                                                                                2. Verify that security events are captured in logs at       identify the actual query being performed, the
                                                                                the operating system, database and application level.        originator of the query, and relevant time stamp
                                                                                                                                             information.
                                                                                                                                             2. Security events are captured in logs at the
                                                                                                                                             operating system, database and application level.
                                                                                                                                             3. All users, including administrators, are subject to
                                                                                                                                             auditing.


 MOT-     T      Audit Review,       AU-6     Data Warehouse       Interview    1. Determine if audit logs are reviewed on a regular         1. Audit logs are reviewed on a regular basis.
DW-27            Analysis, and                Security Auditing       Test      basis.
                 Reporting                                                                                                                   (Note how often and who is responsible for
                                                                                                                                             reviewing audit logs)
 MOT-     O      Information         CP-9     Data Warehouse       Interview    1. Determine if data is backed up from the data              1. Data is backed up from the data warehouse to
DW-28            System Backup                 Data Backup            Test      warehouse.                                                   either electronic media or electronic storage.

                                                                                                                                             Record the following data:
                                                                                                                                             --What type of backup
                                                                                                                                             --Where does the backup reside
                                                                                                                                             --How often backups occur
                                                                                                                                             --Who has access to the backups

 MOT-     O      Information         SC-4     Data Warehouse       Interview    1. Procedures for removing data from the data                1. Record data removal procedures.
DW-29            Remnants                      Data Removal           Test      warehouse.                                                   2. Destruction log is created and meets Publication
                                                                                2. Determine if there is a destruction log.                  1075 requirements. (Check with DES if necessary)




 MOT-     T      Transmission        SC-9     Data Warehouse       Interview    1. Examine the controls in place to protect the retrieval    1. During the Extract, Transform and Load stages of
DW-30            Confidentiality                Processing            Test      of data from the data warehouse to be used for               data entering a warehouse, data is at its highest risk.
                                                                                analysis and reporting and controls surrounding data         Encryption shall occur as soon as possible. All
                                                                                extraction and transformation.                               sessions shall be encrypted and provide end-to-end
                                                                                                                                             encryption, i.e., from workstation to point of data.




                                                        IRS Safeguards
                                       Management, Operational, and Technical Controls (MOT)
                                                            SCSEM
Control ID   Out-of-Scope Reason
 AC-1     Control covered in the MOT SCSEM
 AC-2     Covered in operating system and network SCSEMs
 AC-5     Control covered in operating system and network device SCSEMs
 AC-6     Control covered in operating system and network device SCSEMs
 AC-7     Control covered in operating system and network device SCSEMs
 AC-8     Control covered in operating system and network device SCSEMs
 AC-11    Control covered in operating system and network device SCSEMs
 AC-14    Control covered in the MOT SCSEM
 AC-17    Control covered in the MOT SCSEM
 AC-18    Control covered in the MOT SCSEM
 AC-19    Control covered in the MOT SCSEM
 AC-20    Control covered in the MOT SCSEM
 AT-1     Control covered in the SDSEM
 AT-2     Control covered in the SDSEM
 AT-3     Control covered in the MOT SCSEM
 AT-4     Control covered in the MOT SCSEM
 AU-1     Control covered in the MOT SCSEM
 AU-3     Control covered in operating system and network device SCSEMs
 AU-4     Control covered in operating system and network device SCSEMs
 AU-5     Control covered in operating system and network device SCSEMs
 AU-7     Control covered in the MOT SCSEM
 AU-9     Control covered in operating system and network device SCSEMs
 AU-11    Control covered in the MOT SCSEM
 CA-1     Control covered in the MOT SCSEM
 CA-2     Control covered in the MOT SCSEM
 CA-3     Control covered in the MOT SCSEM
 CA-5     Control covered in the MOT SCSEM
 CA-6     Control covered in the MOT SCSEM
 CA-7     Control covered in the MOT SCSEM
 CM-1     Control covered in the MOT SCSEM
 CM-2     Control covered in the MOT SCSEM
 CM-3     Control covered in the MOT SCSEM
 CM-4     Control covered in the MOT SCSEM
 CM-5     Control covered in the MOT SCSEM
 CM-6     Control covered in the MOT SCSEM
 CM-7     Control covered in the MOT SCSEM
 CM-8     Control covered in the MOT SCSEM
 CP-1     Control covered in the MOT SCSEM
CP-2    Control covered in the MOT SCSEM
CP-3    Control not selected in IRS Publication 1075
CP-4    Control covered in the MOT SCSEM
CP-5    Control covered in the MOT SCSEM
CP-6    Control covered in the MOT SCSEM
CP-7    Control covered in the SDSEM
CP-8    Control not selected in IRS Publication 1075
CP-9    Control not selected in IRS Publication 1075
CP-10   Control not selected in IRS Publication 1075
 IA-1   Control covered in the MOT SCSEM
 IA-3   Control covered in operating system and network device SCSEMs
 IA-4   Control covered in the MOT SCSEM
 IA-5   Control covered in operating system and network device SCSEMs
 IA-6   Control covered in operating system SCSEMs
 IA-7   Control covered in operating system and network device SCSEMs
 IA-8   Control not selected in IRS Publication 1075
 IR-1   Control covered in the SDSEM
 IR-2   Control covered in the SDSEM
 IR-3   Control covered in the MOT SCSEM
 IR-4   Control covered in the SDSEM
 IR-5   Control covered in the SDSEM
 IR-6   Control covered in the SDSEM
 IR-7   Control covered in the MOT SCSEM
 IR-8   Control covered in the MOT SCSEM
MA-1    Control covered in the MOT SCSEM
MA-2    Control covered in the MOT SCSEM
MA-3    Control covered in the MOT SCSEM
MA-4    Control covered in the MOT SCSEM
MA-5    Control covered in the MOT SCSEM
MP-1    Control covered in the SDSEM
MP-2    Control covered in the SDSEM
MP-3    Control covered in the SDSEM
MP-4    Control covered in the SDSEM
MP-5    Control covered in the SDSEM
MP-6    Control covered in the SDSEM
MP-7    Control covered in the SDSEM
 PL-1   Control covered in the MOT SCSEM
 PL-2   Control covered in the MOT SCSEM
 PL-3   Control covered in the MOT SCSEM
 PL-4   Control covered in the MOT SCSEM
 PL-5   Control covered in the MOT SCSEM
 PL-6   Control covered in the MOT SCSEM
PE-1    Control covered in the SDSEM
PE-2    Control covered in the SDSEM
PE-3    Control covered in the SDSEM
PE-4    Control covered in the SDSEM
PE-5    Control covered in the SDSEM
PE-6    Control covered in the SDSEM
PE-7    Control covered in the SDSEM
PE-8    Control covered in the SDSEM
PE-9    Control not selected in IRS Publication 1075
PE-10   Control not selected in IRS Publication 1075
PE-11   Control not selected in IRS Publication 1075
PE-12   Control not selected in IRS Publication 1075
PE-13   Control not selected in IRS Publication 1075
PE-14   Control not selected in IRS Publication 1075
PE-15   Control not selected in IRS Publication 1075
PE-16   Control covered in the SDSEM
PE-17   Control covered in the SDSEM
PE-18   Control covered in the SDSEM
PS-1    Control covered in the SDSEM
PS-2    Control covered in the SDSEM
PS-3    Control covered in the SDSEM
PS-4    Control covered in the SDSEM
PS-5    Control covered in the SDSEM
PS-6    Control covered in the SDSEM
PS-7    Control covered in the SDSEM
PS-8    Control covered in the SDSEM
RA-1    Control covered in the MOT SCSEM
RA-2    Control covered in the MOT SCSEM
RA-3    Control covered in the MOT SCSEM
RA-5    Control covered in the MOT SCSEM
SA-1    Control covered in the MOT SCSEM
SA-2    Control covered in the MOT SCSEM
SA-3    Control covered in the MOT SCSEM
SA-4    Control covered in the MOT SCSEM
SA-5    Control covered in the MOT SCSEM
SA-6    Control covered in the MOT SCSEM
SA-7    Control covered in the MOT SCSEM
SA-8    Control covered in the MOT SCSEM
SA-9    Control covered in the SDSEM
SA-10   Control covered in the MOT SCSEM
SA-11   Control covered in the MOT SCSEM
SC-1    Control covered in the MOT SCSEM
SC-2    Control covered in operating system and network device SCSEMs
SC-4    Control covered in operating system and network device SCSEMs
SC-5    Control covered in the MOT SCSEM
SC-7    Control covered in the MOT SCSEM
SC-8    Control covered in operating system and network device SCSEMs
SC-10   Control covered in operating system and network device SCSEMs
SC-12   Control covered in the MOT SCSEM
SC-13   Control covered in operating system and network device SCSEMs
SC-15   Control covered in the MOT SCSEM
SC-17   Control covered in the MOT SCSEM
SC-18   Control covered in the MOT SCSEM
SC-19   Control covered in the MOT SCSEM
SC-20   Control not selected in IRS Publication 1075
SC-22   Control not selected in IRS Publication 1075
 SI-1   Control covered in the MOT SCSEM
 SI-2   Control covered in operating system and network device SCSEMs
 SI-3   Control covered in the MOT SCSEM
 SI-4   Control covered in the MOT SCSEM
 SI-5   Control covered in the MOT SCSEM
 SI-8   Control not selected in IRS Publication 1075
SI-11   Control covered in the MOT SCSEM
SI-12   Control covered in the SDSEM
                                                      References

NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems, Revision 3

IRS Publication 1075, October 2007 Revision
                                                                                              IRS Safeguards
                                                                         Management, Operational and Technical (MOT) Controls SCSEM
                                                                                         Data Warehouse Appendix


                                                                                        IRS Safeguard SCSEM Legend

Test Case Tab: Execute the test cases and document the results to complete the IRS Safeguard Computer Security review. Reviewer is required to complete the following columns: Actual Results,
Comments/Supporting Evidence. Please find more details of each column below.


ID                                  Identification number of SCSEM test case
Control Class                       NIST 800-53/PUB 1075 Control Class (Management, Operational, Technical)
Control Family                      NIST 800-53/PUB 1075 Control Family (Risk Assessment, Security Planning, System and Services Acquisition, Security Assessment, Personnel Security,
                                    Contingency Planning, Configuration Management, System Maintenance, System and Information Integrity, Incident Response, Security Awareness and
                                    Training, Identification and Authentication, Access Control, Audit and Accountability, System and Communications Protection)
REF. ID                             NIST 800-53/PUB 1075 Reference Identification (1, 2, etc.)
Control Objective                   Objective of test procedure.
Test Procedure & Expected Results   Detailed test procedures to follow for test execution, and the expected outcome of the test step execution that would result in a Pass.
Actual Results                      The actual outcome of the test step execution, i.e., the actual configuration setting observed.
Pass / Fail / Info / N/A            Reviewer to indicate if the test case passed, failed, is not applicable, or if more information is needed.
Comments / Supporting Evidence      Reviewer to include any supporting evidence to confirm if the test case passed, failed, or is not applicable. As evidence, provide the following
                                    information for the following assessment methods:
                                    1. Interview - Name and title of the person providing information. Also provide the date when the information is provided.
                                    2. Examination - Provide the name, title, and date of the document referenced as the evidence. Also provide the section number where the pertinent
                                    information is resident within the document (if possible).

                                    Include all supporting evidence needed to verify that the test case passed or failed. If the control is marked as NA, then provide appropriate
                                    justification as to why the control is considered NA.

Data Warehouse Testing Scope:       The test cases contained in this SCSEM are meant to be an objective-based test of the Data Warehouse implementation. Detailed database-specific
                                    controls and secure-configuration-related controls are not in scope. This appendix is only executed for data warehouse implementations.
Version   Release Date  Summary of Changes                                                                                                 Changed By            Comments
     0.1      9/18/2008 First Release                                                                                                      Booz Allen Hamilton
     0.2      12/1/2008 Revised some of the test case language.                                                                            Booz Allen Hamilton
     0.3      1/27/2009 Updates:                                                                                                           Booz Allen Hamilton
                        -Cover:
                        Reorganized the Tester and Agency POC information cells, to better reflect possible multiple POCs.
                        -Test Cases:
                        a. Changed Column G header to "Pass / Fail / N/A", to more accurately reflect the four possible status
                        indicators.
                        b. Added conditional formatting to the status cells, and included summary cells at the bottom of the checks.
                        c. Added control names to the NIST ID cells. Primary control is listed in black; any secondary controls are listed
                        in GRAY.
                        -Legend: Updated the Pass/Fail row to reflect the three possible status indicators (above).
                        -Test IDs:
                        None.
     0.4     11/11/2009 Cover:                                                                                                             Booz Allen Hamilton
                        1) Added disclaimer language.
                        Dashboard:
                        2) Added this tab to reflect summary numbers for the test cases and each of their possible result statuses (i.e.
                        pass, fail, N/A, Info).
                        Test Cases:
                        3) Changed Column Heading D from Ref. ID to Control ID
                        4) Changed Column H Heading to include Pass / Fail / Info / N/A to more accurately reflect the four possible
                        status indicators.
                        5) Added "Test Method" column
                        Sources:
                        7) Tab added
                        Legend:
                        8) Updated the Pass/Fail row to reflect the four possible status indicators (including N/A & Info - more
                        information needed).
     0.5       4/9/2010 Updates based on NIST 800-53 rev 3 release                                                                           Booz Allen Hamilton
                        Added several test cases
                        Removed Control ID Column, since an ID column was already established.
     0.6      7/30/2010 Updated for new version of Publication 1075                                                                          Booz Allen Hamilton

								