This document provides guidance on creating the Management, Operational and Technical Policies and integrating them with an organizational security policy and program. There are two aspects to security policy development that ensure the policy will comply with IRS Safeguard and National Institute of Standards and Technology (NIST) 800-53 requirements: Create an issue-specific policy that provides directives, establishes goals and assigns responsibilities. The policy should address these key sections: Purpose of the policy: What is the goal or desired outcome? What are the drivers or triggers that make this policy a requirement? Scope of the policy: What will it cover, e.g., all agency IT systems that store, process, transmit or receive Federal Tax Information (FTI)? All agency IT systems regardless of function? Roles and Responsibilities of the policy to define the departments and people that are responsible for policy creation, policy implementation and monitoring policy compliance. Use titles instead of actual people’s names. Management Commitment of the policy to maximize organizational visibility and management support. Identify the management lead for the policy with a statement emphasizing their commitment to the policy. Coordination Among Organizational Entities among internal/external organizations to document relationships to carry out th)e policy here. Compliance metrics to measure and ensure how requirements are being met? Policy Statements to align with each of the control statements in NIST 800-53, the control family. Use each security control statement to craftkey sections: Below are two examples for the System Security Plan PL-2 and PL-3 security controls. System Security Plan PL-2 The agency shall develop, document, periodically update and implement system security plans for agency information systems that process, store, transmit or receive FTI. The security plan describes the security controls in place or planned for the information system. NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems, shall be used as the guide for developing security plans. System Security Plan Update PL-3 The agency shall review system security plans for agency information systems that process, store, transmit or receive FTI annually and update system security plans a minimum of every three years or whenever there is a significant change to the system. 2) Create documented procedures that support the policy and detail how the policy will be implemented. These procedures assist the people responsible for implementing the policy in complying with applicable policy requirements. There are detailed steps, i.e., standard operating procedures, to be followed by users, system operations personnel or others to accomplish a particular task (e.g., developing a system security plan). Apply this guidance to the full list of security control areas: Management Controls: Assessment, Authorization, and Monitoring (CA) Planning (PL) Risk Assessment (RA) System and Services Acquisition (SA) Operational Controls: Awareness and Training (AT) Configuration Management (CM) Contingency Planning (CP) Incident Response (IR) Maintenance (MA) Media Protection (MP) Physical and Environmental Protection (PE) Personnel Security (PS) System and Information Integrity (SI) Technical Controls Access Resources Additional information can be found in the following documents: IRS Publication 1075, Tax Information Security Guidelines for Federal, State and Local AgenciesPDF NIST SP 800-18, Revision 1, Guide for Developing Security Plans for Federal Information SystemsPDF NIST SP 800-53, Revision 5, Recommended Security Controls for Federal Information Systems and OrganizationsPDF
