Although the frequency of vulnerability scans and the particular scanning tool used are determined by agency policy, the IRS requires that scanning be conducted at least quarterly, or whenever significant new vulnerabilities affecting the system are identified and reported.
The computer security controls outlined in the current version of the IRS Publication 1075 direct agencies to several key areas which focus on operational security.
These areas include risk assessment, vulnerability scanning/host configuration compliance, patch management, and incident response reporting.
Additionally, implementing operational security procedures will help agencies with the effort needed to meet IRS reporting requirements which include completing the Safeguard Activity Report (SAR) and Safeguard Procedures Report (SPR).
Current operational security procedures related to safeguarding FTI consist of the SAR process, in which agencies provide updates to their safeguarding procedures on an annual basis.
The agency should submit copies of these inspections to the IRS with the annual Safeguard Activity Report (see Section 7.4 – Annual Safeguard Activity Report).
To provide an objective assessment, the inspection should be conducted by a function other than the using function.
NIST also provides an example risk assessment template on its website.
Vulnerability Scanning/Host Configuration Compliance

Periodic vulnerability scanning is vital to maintaining the security posture and confidentiality of FTI, given how frequently new exploits are released.
Headquarters office facilities housing FTI and the agency computer facility should be reviewed within an 18-month cycle, as should off-site storage facilities and the contractors permitted under federal statute.
Risk Assessments

Performing a periodic risk assessment of the system(s) that receive, process, store or transmit FTI will improve the agency's ability to understand and manage the risks to the confidentiality, integrity and availability of these IT assets and of the FTI they hold that requires protection.
It is important to perform risk assessments periodically due to changes in computer equipment and software, organizational policies, and updated security requirements in IRS Publication 1075.