IRS Office of Safeguards out-of-cycle reviews.
This presentation gives an overview of out-of-cycle reviews conducted by the Office of Safeguards.
In 2016, Safeguards developed a risk score management framework to identify agencies with the highest risk to federal tax information.
Each quarter the framework produces a risk score for every agency reviewed by Safeguards and creates a prioritized list
of agencies for review based on data we collected. We use the quarterly results,
along with other data, to develop upcoming risk-review schedules.
As we identify high-risk agencies through the framework, we add one
data-exchange partner agency every quarter to the future review schedule.
After fiscal year 2016, we began including out-of-cycle reviews in our review schedules.
As new technology and information becomes available, we’ll revise and expand the out-of-cycle review process.
We’re developing new treatment streams for all agencies - those with the highest risk level as well as those with the lowest.
Out-of-cycle reviews are here to stay. They’re a permanent work stream within Safeguards.
We developed the risk management framework layer by layer with the help
of our internal and external partners shown in the light blue circle near the center.
Our internal partners include the Treasury Inspector General, IT Cybersecurity,
Government Liaison and Disclosure. Our external stakeholders include state, local and federal agencies,
as well as the Federal Tax Administration and the Safeguards Advisory Council.
We continue to communicate with our internal partners and external stakeholders as we perfect the framework, consider improvements,
develop new work streams and enhance the out-of-cycle process.
When developing the framework, we first looked at known factors.
We considered the needs of our partners and determined how the risk model affected each of them.
This brought us to our current risk management framework with five actions for us to take.
These actions are: identifying agencies with the highest risk; assessing risks through on-site reviews;
reporting risks through the updated corrective action plan, which shows findings closed
and new findings opened; helping the agency mitigate the risks;
and monitoring findings through the corrective action plan, phone calls, discussions and recommendations.
Phase I of the out-of-cycle review process starts before each quarter.
It begins with the risk analysis team querying our inventory management system for data to rank active agencies by risk.
This initial step identifies high-risk agencies and helps us prioritize the out-of-cycle review schedule.
The inventory management system pulls risk elements and assigns a weighted score.
The risk elements are: open physical security findings, discussed in Sections A through G of Publication 1075;
open computer security findings, discussed in Section H of Publication 1075;
report completion, showing the timeliness of the Safeguards Security Report; report completion, showing the timeliness of the corrective action plan;
remediation of open findings, measured against the IRS targeted implementation date;
review age, the amount of time since the agency's last on-site Safeguards review; and end of support,
when the vendor no longer supports a piece of equipment. A deduction is made for each piece of equipment identified as out of support.
The risk matrix output shown here identifies the 15 agencies ranked highest in risk.
We then conduct a manual review of those 15 agencies and their risks and make a selection.
We take other factors into consideration during the manual
assessment. After we complete the manual assessment, we decide which agency will have an out-of-cycle review.
We consider two questions in our review. One: Is the agency scheduled for an upcoming on-site review?
If so, there is no need to schedule an out-of-cycle review, and we remove the agency from the list. We also remove the agency from the list if it hasn't had
an opportunity to submit a corrective action plan and close open findings.
Two: Has the agency recently submitted a corrective action plan? If analysis of the corrective action plan is pending,
we can expedite the analysis and recalculate the agency's risk score.
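To make the Phase I ranking and the two manual-assessment questions concrete, the following is an added example in Python; it is not code from the Safeguards inventory management system. The weights, the 100-point baseline with per-element deductions, the top-15 cutoff as a parameter, and the sample agencies are all assumptions, since the presentation names the risk elements but not their values.

```python
from dataclasses import dataclass

# Assumed weights (points deducted per unit of each risk element). The
# presentation lists the elements but does not publish weights or scale.
WEIGHTS = {
    "open_physical_findings": 2.0,     # Publication 1075 Sections A-G
    "open_computer_findings": 3.0,     # Publication 1075 Section H
    "ssr_days_late": 0.1,              # Safeguards Security Report timeliness
    "cap_days_late": 0.1,              # corrective action plan timeliness
    "findings_past_target_date": 4.0,  # remediation vs. IRS targeted implementation date
    "months_since_review": 0.5,        # review age since last on-site review
    "eos_equipment": 5.0,              # one deduction per out-of-support device
}
BASELINE = 100.0  # assumed starting score; a lower remaining score means higher risk


@dataclass
class Agency:
    name: str
    elements: dict                      # risk element name -> observed count
    onsite_review_scheduled: bool = False
    cap_opportunity_given: bool = True
    cap_analysis_pending: bool = False


def risk_score(agency):
    """Weighted score: the baseline minus a deduction for every risk element."""
    deductions = sum(WEIGHTS[k] * agency.elements.get(k, 0) for k in WEIGHTS)
    return max(0.0, BASELINE - deductions)


def phase_one_ranking(agencies, top_n=15):
    """Phase I: rank active agencies by risk and keep the highest-risk top_n."""
    return sorted(agencies, key=risk_score)[:top_n]  # lowest score = highest risk


def manual_assessment(candidates):
    """Apply the two manual-assessment questions to the Phase I candidates."""
    selected, removed, recalc = [], [], []
    for a in candidates:
        if a.onsite_review_scheduled or not a.cap_opportunity_given:
            removed.append(a.name)          # question one: drop from the list
        elif a.cap_analysis_pending:
            recalc.append(a.name)           # question two: expedite CAP analysis, rescore
        else:
            selected.append(a.name)
    return selected, removed, recalc


# Constructed sample agencies for illustration only; not real data.
SAMPLE = [
    Agency("Agency A", {"open_computer_findings": 6, "eos_equipment": 3, "months_since_review": 30}),
    Agency("Agency B", {"open_physical_findings": 2, "ssr_days_late": 20}),
    Agency("Agency C", {"open_computer_findings": 4, "findings_past_target_date": 3}, onsite_review_scheduled=True),
    Agency("Agency D", {"open_computer_findings": 2, "cap_days_late": 45}, cap_analysis_pending=True),
]
```

With `top_n=3`, Agency A is selected, Agency C is removed because an on-site review is already scheduled, and Agency D is sent back for expedited corrective action plan analysis and a recalculated score.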
Once we select the agency, we assign a disclosure enforcement specialist, or DES.
The DES tells the agency about the upcoming out-of-cycle review in a phone call to their designated point of contact.
The DES then issues the out-of-cycle review notification letter to the head of the agency
and sends a copy to the point of contact.
The DES sends notifications as soon as possible to give the agency and Safeguards time to prepare for the review.
Safeguards doesn’t decide the final review scope until after the preliminary security evaluation call with the agency.
We may hold a conference call with the head of the agency to discuss the out-of-cycle review,
describe why this agency reached the top of the risk matrix
and emphasize the importance of the review in helping the agency eliminate risks to the data.
Safeguards’ participants include the associate director, senior technical advisor, policy analyst,
review team chief and the assigned disclosure enforcement specialist.
An out-of-cycle review follows the same path as a traditional Safeguards on-site review, which occurs every three years.
The DES and computer security reviewers focus on the findings from the most recent review that show the highest risk to federal tax information
and look for new high-risk vulnerabilities. They give the agency alternatives for eliminating the risks.
Although policies and procedures are still important, our computer security reviewers
emphasize system configurations to find high-risk issues.
At the end of an out-of-cycle review, we hold a meeting with the head of the agency to discuss
risks found and stress the importance of mitigating them.
Once again, participants from Safeguards may include the associate director,
policy analyst, senior technical advisor, the review team chief and the assigned disclosure enforcement specialist.
The computer security reviewer may attend the close-out meeting with the head of the agency.
After the close-out meeting, an out-of-cycle review diverges from a traditional Safeguards on-site review.
It’s time to help the agency mitigate the high-risk vulnerabilities that we found to move them off the high-risk matrix.
Our associate director issues a letter to the head of the agency with expectations for remediation and timeframes for completion.
We issue a new corrective action plan with the new findings from the just completed out-of-cycle review
and open findings from the most recent on-site review.
We include remediation expectations and timeframes for completion in the corrective action plan.
We’re actively involved in the remediation process by working with the agency as often as needed.
We schedule conference calls to track progress and give support when possible.
This support continues until the closing of the high-risk findings.
The agency remains on the same review schedule as it was before the out-of-cycle review.
In some cases, we may review the agency twice within the same year.
We calculate the overall risk to federal tax information quarterly, using information from all agencies.
We analyze it within the risk matrix to produce the overall score.
We’ve seen an improvement in the risk score since out-of-cycle reviews began
and we’re continuing to explore new work streams to lower the overall risk to IRS data.
Thank you for viewing our presentation on out-of-cycle reviews.