1.1.25  Mission Assurance and Security Services

1.1.25.1  (01-01-2007)
Mission Assurance and Security Services

  1. MA&SS supports the vital mission of the IRS by assuring the security and resilience of critical Agency functions and business processes using risk-based decision-making practices. MA&SS is structured to enable an integrated approach to meeting security needs. There are six offices within MA&SS that shape the direction of services and initiatives. These offices are Information Technology Security; Physical Security and Emergency Preparedness; Personnel Security and Investigations; Office of Privacy and Information Protection; Strategic Planning and Resources; and Audit Activity Management. Within these offices, there are organizations that perform the day-to-day activities fulfilling the MA&SS mission.

  2. The MA&SS organization reports to the Deputy Commissioner Operations Support (DCOS) and is responsible for advising the DCOS and other IRS senior executives on issues related to mission assurance and security.

1.1.25.1.1  (01-01-2007)
Information Technology (IT) Security

  1. The Information Technology (IT) Security Program ensures the confidentiality, integrity, and availability of IRS electronic resources, services, and data. The IT Security Director is responsible for interpreting Office of Management and Budget (OMB), Federal Information Security Management Act (FISMA), Department of the Treasury, and National Institute of Standards and Technology (NIST) requirements, and incorporating them into IRS IT Security policy and programs. The IT Security Director is charged with establishing policy and standards, tracking compliance, identifying and mitigating threats, determining strategy and priorities, monitoring program implementation, and providing day-to-day security support to all IRS employees/contractors, applications, systems and data.

  2. IT Security applies to all information systems owned or operated by, or on behalf of, the IRS and any information stored or processed by IRS or on behalf of the IRS. Specific areas of responsibility include certification and accreditation of IRS systems and applications; implementation, oversight and reporting of IRS compliance with mandates and the legislative/regulatory requirements of FISMA; developing and publishing enterprise IT Security Policies based on the guidance of NIST; maintaining and operating the IRS’ Computer System Incident Response Center (CSIRC) to include the Internet Misuse Monitoring Program; managing the IRS’ IT Security Awareness Program; managing the IRS’ IT Security Training Program; managing the security program for the Integrated Data Retrieval System (IDRS); management of the System Audit Analysis System (SAAS); and Enterprise Disaster Recovery coordination. The IT Security Office is comprised of the following organizations: IT Security Policies and Programs; Certification Program Office; Computer Systems Incident Response Center and Information Systems Disaster Recovery; and a Field organization further subdivided into Computing Center IT Security Operations, and Campus IT Security Operations (Eastern and Western Regions).

1.1.25.1.1.1  (01-01-2007)
IT Security Policies and Programs

  1. Title III of the E-Government Act, entitled the Federal Information Security Management Act (FISMA), requires each Federal agency to develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency. The mission of the IT Security Policies and Programs Division includes establishing IT security policy and standards, and tracking compliance with FISMA requirements. The IT Security Policies and Programs Division is also charged with managing the IT Security Awareness Program, managing the IT Security Training Program, managing the security program for the Integrated Data Retrieval System (IDRS), and managing the System Audit Analysis System (SAAS).

1.1.25.1.1.2  (01-01-2007)
Certification Program Office

  1. The Certification Program Office (CPO) performs the certification and accreditation support for all IRS applications and systems being deployed, upgraded, and maintained in the production environment. CPO reviews, analyzes, and provides feedback concerning customer-submitted certification and accreditation documentation. For certification and accreditation support, CPO coordinates the security testing and evaluations (ST&Es). The ST&Es are conducted to provide an independent assessment of the security controls of an information system, for either a major application or general support system (GSS).

1.1.25.1.1.3  (01-01-2007)
Computer Systems Incident Response Center and Information Systems Disaster Recovery

  1. The IRS Computer Systems Incident Response Center (CSIRC) and Information Systems Disaster Recovery organization is responsible for preventing, detecting, and responding to cyber security threats targeting IRS enterprise systems and data. The CSIRC is equipped to identify, contain, and eradicate cyber threats targeting IRS computing assets. The four major CSIRC operational functions of prevention, detection, response, and reporting meet FISMA requirements for incident response and reporting. In addition, CSIRC and the Information Systems Disaster Recovery organization serve as the coordination point for information systems disaster recovery planning and management.

1.1.25.1.1.4  (01-01-2007)
IT Security Field Operations -- Computing Center and Campus Security Operations (Eastern and Western Regions)

  1. The Information Technology Security Field Operations Computing Center and Campus Security Operations (Eastern and Western Regions) integrates all the components of IT Security to provide localized service and support in all aspects of Information Technology Security and to ensure enterprise oversight and compliance with corporate directives, policies, and requirements.

1.1.25.1.2  (01-01-2007)
Physical Security and Emergency Preparedness

  1. The Physical Security and Emergency Preparedness Office provides program management and coordination to ensure that the disciplines of physical security and emergency preparedness are operating in an integrated manner to serve IRS facilities and critical business operations. The Physical Security and Emergency Preparedness Office is comprised of fifteen Area and Territory Offices, three Area Offices and the Physical Security and Emergency Preparedness Program Office.

1.1.25.1.2.1  (01-01-2007)
Physical Security and Emergency Preparedness Program Office

  1. The Physical Security and Emergency Preparedness Program Office supports the creation of an operational environment within the IRS that is able to withstand systemic discontinuities or catastrophic events. The Program Office develops physical security and emergency management policies and procedures. Specific areas of responsibility include physical security compliance reviews, risk assessments, ID media, Occupant Emergency Plans, security guard services, Incident Command Training, and support for Business Continuity Exercises. In addition, the Program Office serves as the coordination point for Continuity of Operations Planning (COOP) and management for IRS, and works with the Department of the Treasury to manage the Critical Infrastructure Protection (CIP) program for IRS.

1.1.25.1.2.2  (01-01-2007)
Area and Territory Offices

  1. The Area and Territory Offices ensure that the appropriate level of physical security is maintained for all IRS facilities, personnel, and assets. The Area and Territory Offices implement and execute agency-wide policy, procedures, and standards to ensure that safeguards are in place for the protection of IRS employees, tax returns, monies, property, facilities, and records. Specific areas of responsibility include physical security compliance reviews, risk assessments, ID media, and Occupant Emergency Plans. The Area and Territory Offices serve as the "driver" in emergency situations to ensure that the requisite IRS organizations take action to meet customer needs and minimize disruption to business.

1.1.25.1.3  (01-01-2007)
Personnel Security and Investigations

  1. The Personnel Security and Investigations Office ensures that the employment or retention of employees at the IRS is consistent with the interests of national security, the efficiency of the Federal service, and the integrity of the tax system. The office conducts high quality, fair, and impartial suitability and security investigations in a timely manner to mitigate risks of employing untrustworthy or unsuitable individuals. The results of investigations are then used to make determinations about allowing access to facilities, systems, and/or data, or to grant access to classified information through issuance of a National Security clearance. Within the Personnel Security and Investigations Office there are three subordinate organizations: Policy, Planning, and Adjudications; Field Operations; and National Background Investigations Center.

1.1.25.1.3.1  (01-01-2007)
Policy, Planning, and Adjudications

  1. The Policy, Planning, and Adjudications organization provides the overall administration for Personnel Security and Investigations Office by developing and implementing policy, procedure, and guidance. The Policy, Planning and Adjudications organization issues program guidance and direction in accordance with Treasury standards. In addition, this organization provides the resources support needed to carry out the investigative workload of Personnel Security and Investigations, including planning and budgeting, and the management of information systems.

1.1.25.1.3.2  (01-01-2007)
Field Operations

  1. The Field Operations organization performs investigative activities for personnel security investigations on applicants, IRS employees, contractor employees, and other Treasury Bureau employees to provide a basis for determining suitability for employment, or for access to IRS systems, data, facilities, or National Security classified information.

1.1.25.1.3.3  (01-01-2007)
National Background Investigations Center

  1. National Background Investigations Center (NBIC) performs personnel security/suitability investigations on applicants, IRS employees, contractor employees, and other Treasury Bureau employees to provide a basis for determining suitability for employment, or for access to IRS systems, data, facilities, or National Security classified information.

1.1.25.1.4  (01-01-2007)
Office of Privacy and Information Protection

  1. The Office of Privacy and Information Protection focuses on enabling high taxpayer and employee confidence by ensuring the right people see the right data in the right places and for the right reasons. The Office of Privacy and Information Protection is made up of three programs: Privacy; Safeguards; and Homeland Security Presidential Directive (HSPD) 12.

1.1.25.1.4.1  (01-01-2007)
Privacy

  1. The mission of the Office of Privacy is to ensure that IRS policies, procedures, and programs protect taxpayer and employee privacy. The Office of Privacy will achieve its mission by institutionalizing privacy as a core value across the IRS enterprise through its four program areas: Policies and Procedures, Communications, Operations, and Assurance. The basis of our strategy is the identification of IRS privacy vulnerabilities in collecting, sharing, storing, and disposing of personal information, then making risk-based decisions on privacy risk mitigation. The Office of Privacy has expanded its scope to include the Unauthorized Access (UNAX) Program, Identity Theft Management Program, and the Pseudonym Management Project.

1.1.25.1.4.2  (01-01-2007)
Safeguards

  1. The Office of Safeguards provides oversight to recipient external agencies in protecting Federal tax information (FTI) and to internal customers in protecting FTI, employee information and other official use only information for contracting purposes. Safeguards ensures that agencies authorized to receive FTI are protecting the data in accordance with policy and legal requirements. Safeguards conducts sensitive but unclassified (SBU) contract document reviews for all new contracts to ensure that disclosure language is appropriate to protect tax information. To perform safeguard reviews, Safeguards personnel visit the State child support and welfare agencies and State and Local taxing authorities, as well as Federal agencies authorized to receive FTI.

  2. The MA&SS portion of the Lockbox program has been realigned to the Office of Safeguards commencing FY 2007 to effect a consistent standard. On-site reviews of Lockbox Banks, which are authorized to process remittances as part of the IRS mission critical business function, are also conducted in accordance with the Lockbox Security Standards and in coordination with the Financial Management Service (FMS).

1.1.25.1.4.3  (01-01-2007)
HSPD-12 Program Office

  1. The Homeland Security Presidential Directive 12 (HSPD-12) Program Office is a centralized management organization with a charter to lead the implementation of a Treasury-wide enterprise solution to HSPD-12 compliance. This program encompasses the Treasury-wide plan for the definition and implementation of products and operational systems to issue smart-card credentials to all Treasury employees and contractors. These smart-card credentials will conform to the HSPD-12 policy and FIPS 201-1 and associated 800 series Special Publications. The Treasury HSPD-12 Program Management Office (PMO) will coordinate and direct the establishment of a PIV infrastructure that includes an Identity Management System (IDMS), a Card Management System (CMS), an Enrollment System, and a Card Production and Personalization System to issue electronically readable credentialing smart-cards to Treasury employees and contractors as a common platform for identity and authentication.

1.1.25.1.5  (01-01-2007)
Strategic Planning and Resources

  1. The Strategic Planning and Resources Office provides planning, program management, integration, and resource management support to all MA&SS organizations. This office spearheads the development of strategic and program plans which serve as the basis for budget submissions. By serving as an integration organization for issues that span multiple MA&SS organizations, the Strategic Planning and Resources Office ensures that customers receive the best possible service and complex issues are addressed timely and completely. In addition, the Strategic Planning and Resources Office serves as a central point for management of internal information management tools and communication both within IRS and externally on mission assurance-related topics.

1.1.25.1.6  (01-01-2007)
Audit Activity Management

  1. The Audit Activity Management (AAM) organization manages the ongoing Government Accountability Office (GAO) and Treasury Inspector General for Tax Administration (TIGTA) audit activities that are related to security. This involves coordinating entrance and exit conferences, providing information to GAO and TIGTA, coordinating review of all documents, and providing management responses to findings. AAM manages the inventory of GAO recommendations and TIGTA corrective actions, which includes monitoring due dates and status to achieve timely closure. When an audit in another business unit impacts MA&SS, AAM coordinates a unified MA&SS response and collaborates across organizational boundaries to resolve audit findings.

