CY 2020 PERSONAL INCOME AND PERSONAL SCHOOL DISTRICT TAX COLLECTIONS APPLICATION

I. Instructions

The Internal Revenue Service ("IRS") has agreed to allow the Attorney General's Office to continue to forward federal tax information ("FTI") to collection vendors so long as the number of vendors used for this purpose is minimal. Further, the IRS has stated that the Attorney General can use only vendors that can demonstrate the highest level of compliance with IRS Publication 1075 ("Pub 1075"). The IRS has cautioned that vendors who do not maintain a sophisticated computer system and operation will not be able to meet this standard.

The Attorney General will select the CY 2020 personal income tax ("PIT") and personal school district tax ("PSD") collection vendors on the basis of business need, the sophistication of the applicant's computer system and operation, and the applicant's understanding of and compliance with the provisions of Pub 1075. In order to demonstrate sufficient sophistication, understanding, and compliance, the Attorney General is asking all applicants to submit an application to collect these portfolios along with an Ohio Safeguard Security Report ("OSSR").

Applicants will be selected on the basis of all information in the possession of the Attorney General. This includes, but is not limited to, the application, the OSSR, and previous audits by the Internal Audit Section of the Attorney General's Office or by the IRS, where applicable. Applicants, particularly those who did not serve as Special Counsel or Third Party Vendor in past years, may be subject to telephone interviews or IRS-style audits of their operations.

Applicants must answer questions clearly and completely. Applicants are warned that blank answers are not acceptable. To the extent a question appears both on the application and in the OSSR or any other RFQ-related document, applicants are to answer it in both places. Do not cite to a prior response on another document.

Applicants are encouraged to cite to and attach additional documentation, and certain questions require specific supporting documentation. Submissions must be clear and well organized, and supporting documentation must be clearly labeled to show which response it relates to.

Consistent with Section 3, paragraph D of the RFQ, the Attorney General will not reimburse any expenses incurred by applicants seeking to collect PIT or PSD accounts for CY 2020.

II. Sophistication

1. Please describe how the applicant receives information technology services. Include a breakdown and explanation if multiple resources are used for this purpose.

2. Does the applicant use in-house or contracted professional information technology services? Please attach curricula vitae for key internal staff members and any contracts for external IT services. Please also describe any previous experience these individuals have had complying with Pub 1075, National Institute of Standards and Technology Special Publication 800-53 (NIST SP 800-53), or any similar standards.

3. Please completely describe the information technology security utilized by the applicant.

4. Please detail the applicant's complete computer network/system. Provide a complete network diagram with all systems in the network (not just the ones that process, store, and/or transmit FTI), including:
   - Firewalls (hardware/software)
   - VLANs, if applicable
   - Routers and switches
   - LAN/WAN connectivity
   - Telecom (including copper)
   - Servers; depict the server environment: domain controller, file, web, Exchange
   - Databases
   - Collections system
   - Storage, including offsite
   - All printers in the agency
   - Virtualization
   - Cloud (including Microsoft 365)

5. Describe how the system is maintained and monitored. Include how frequently systems are updated and machines are replaced. Please also discuss the budgetary allotment for systems security and the budgetary allotment for the remediation of any findings by outside auditors or clients.

III. Compliance

1. Explain how the applicant engages in formal account management in compliance with the requirements of Pub 1075.

2. Describe the physical and logical controls that the applicant has in place to provide end-to-end protection of FTI from receipt to destruction in accordance with the minimum protection standards defined in Pub 1075. Please show how FTI would flow through the network and how the applicant has implemented two logical barriers to FTI.

3. Please describe the applicant's process for audit logging to determine who accesses information held on the applicant's system(s). Include how logs are stored, what information the logs contain, how often they are reviewed, and how long they are kept.

4. If the agency utilizes remote access (including for maintenance activity), describe how it meets the necessary security requirements. (Indicate "not applicable" if appropriate.)
   a. Does the agency have a policy and procedure for managing remote access to its systems?
   b. What does the agency use for remote access?
   c. How is multi-factor authentication implemented? Who has accounts with remote access (include all vendors and service providers as well as agency employees)?
   d. If applicable, describe VPN connectivity and how it is managed in compliance with the requirements of Pub 1075.
   e. List all other types of remote access your agency and/or its contractor(s) have utilized at any point within the last 18 months, including, but not limited to, all types of remote support software such as LogMeIn, GoToMeeting, SecureLink, WebEx, TeamViewer, etc.
   f. List the associated encryption method(s) for all remote support solution(s) listed above.
   g. Describe how multi-factor authentication is implemented for use with remote access. If a remote support solution does not use multi-factor authentication, please explain any mitigating controls in place.
   h. Describe how your agency monitors and audits all remote support solution access.
   i. Describe how non-agency user access is approved and monitored.
   j. List all admin and standard users (both agency and/or contractors) and the duties they perform that require this remote support solution. Do they access and/or view the agency's collection application or AGO FTI files using this remote support solution? If so, list the types of tasks performed.

5. Describe how the duties of the system administrator(s) and of those responsible for auditing the logs are appropriately segregated.

6. Where does the agency store logs (include all FTI information systems such as database, application, printer, and VoIP, not just network devices like firewalls and routers), and how does the agency ensure that audit data is protected from unauthorized modification or deletion?

7. Does the agency send scheduled debtor letters that would include FTI? If yes, describe how the letters are logged from creation to mailing and also upon return. If no, describe in detail how the agency is able to avoid including FTI in scheduled debtor letters.

8. Describe how the agency meets minimum protection standards (two barriers) in the following circumstances:
   a. A restricted area that creates two barriers to FTI from both agency and non-agency personnel without authorized access.
   b. A separate restricted area for the IT system components that receive, process, store, or transmit FTI that creates two barriers from all agency employees without a need to access.

9. Has the applicant's system ever been assessed or accredited as compliant with the security requirements of Pub 1075 or any similar set of standards? If so, please discuss.

10. Please document all efforts that the applicant has taken in order to comply with Pub 1075. Please include the dates of any staff trainings on Pub 1075 compliance, as well as training certificates and training materials.

11. Please attach the applicant's policy and process for reporting any unauthorized disclosures of FTI or any other confidential information held by the applicant.

12. Please describe the applicant's policy and procedure regarding background checks for employees, staff members, or any individuals exposed to confidential information. Please include the types of checks performed and the frequency of checks.

13. Please list any and all of the applicant's contractors. Include names and contact information for each contractor. Describe the service that each contractor performs.

14. Provide any additional information not requested previously that would demonstrate the ability and commitment to safeguarding sensitive protected data provided by the AGO (e.g., compliance with ORC 1347, HIPAA, FERPA, O/FDCPA, etc.).