- 10.8.1.4 Operational Controls
- 10.8.1.5 Technical Controls
-
The IRS shall develop, test, and maintain contingency plans for all systems.
-
Contingency development, testing, and maintenance shall be coordinated with other related plans including the Business Continuity Plan, Disaster Recovery Plan, Continuity of Operations Plan, Business Recovery Plan, and Incident Response Plan.
-
The IRS shall develop and maintain detailed business, communications, and IT recovery plans with associated recovery capabilities in the event that normal operations are disrupted.
-
The IRS shall review/update contingency plans and perform tests of the recovery capability at least annually. Testing of contingency plans shall occur through a variety of mechanisms including classroom and functional exercises.
-
Classroom exercises shall be used to walk through contingency plan procedures to ensure the documentation reflects the ability to adequately perform the tasks outlined without any actual recovery operations occurring.
-
Functional exercises (e.g., simulations, war gaming) shall be incorporated to test more extensive capabilities of the contingency plan to ensure that each item can be met as planned.
-
Testing results shall be reviewed and documented.
-
-
All personnel involved with planning efforts shall be identified and trained, at least annually, in executing the contingency plan and recovery capability.
-
Training shall incorporate realistic, simulated events in order to ensure personnel are adequately prepared for times of crisis.
-
An automated capability shall be used to support contingency plan testing and to provide realistic training scenarios.
-
-
The IRS shall identify alternate processing and storage sites and ensure necessary agreements are in place to permit the resumption of information system operations and telecommunications capabilities for critical mission/business functions within a specified time period (documented in a Service Level Agreement) when the primary processing capabilities are unavailable.
-
To ensure site and plan effectiveness in addition to personnel readiness, the contingency plan shall be fully executed at the alternate processing and storage sites.
-
The alternate processing and storage site locations shall be far enough away from the main IRS facility, so as to not be affected by the same threat and be configured to be fully operational.
-
Telecommunication service agreements shall contain priority-of-service provisions for primary and secondary services. Agreements shall be made with service providers that have sufficient contingency planning of their own and whose facilities are far enough from the main IRS facility that they would not be affected by the same threat or share a single point of failure with the primary telecommunication service.
-
-
The IRS shall review and update contingency plans at least annually and perform tests of the recovery capability annually.
-
An emergency response capability shall be composed of the following components:
-
An emergency staff with primary and alternate representatives designated for each key position;
-
A viable plan with recovery procedures that can be successfully executed by the emergency staff;
-
One or more alternate operating facilities for recovery of business operations and services (e.g., manufacturing or site-unique operations; information resources);
-
Saved, retrieved, and usable vital records; and
-
A dynamic crisis management structure.
-
-
The emergency response capability shall encompass methods and techniques that guarantee a high level of readiness and enable implementation in response to any threat with and without warning. The threat spectrum includes localized acts of nature, accidental incidents, technological emergencies, criminal acts, and terrorist attacks using weapons of mass destruction.
-
Continuity planning shall encompass the following:
-
Essential IRS business processes shall be identified.
-
A recovery time objective shall be established for each process. During an emergency, essential IRS processes shall be recovered and reconstituted no later than the recovery time objective. Recovery of other processes deemed non-critical shall be deferred until resources are available to permit restoration.
-
A recovery strategy shall be developed for the resumption of each essential IRS business process, including the associated IT system, application, and telecommunications.
-
Standards to meet recovery strategies shall include instructions for backing up and restoring systems/applications, a methodology for reconstructing lost data, steps for implementing alternative work methods or emergency operations, steps required for managing and processing work backlog, and synchronizing of files and data.
-
The recovery strategy shall be assessed for sufficiency in meeting the recovery time objective for the essential IRS Business processes.
-
The IRS shall document and formally acknowledge the residual risk, including any data loss, that the recovery strategy accepts.
-
Recovery strategies shall make use of internal recovery, commercial recovery centers, or cooperative agreements, or shall be a combination of the aforementioned. Implementation of the strategy shall be achieved via hot sites, cold sites, mutual internal support, or reciprocal agreements.
-
An Incident Action Plan shall be developed for managing an orderly response and recovery of business processes.
-
A vital records program shall be established and maintained. Vital records shall be identified, duplicated, and stored off-premises in a suitable environment located at a safe distance from the IRS facility. The IRS shall be responsible for sending vital records to, and retrieving them from, the off-premises storage facility, using reliable packing methods and transport mechanisms that guarantee delivery and safe storage of vital records. Frequency of shipping shall correlate directly to the recovery objectives of the IRS. The location of the off-premises storage facility shall be far enough away from the main IRS facility so as to not be affected by the same threat. Analysis shall occur to determine ease of access to the alternate storage and processing sites in the event of a widespread disaster, and alternative plans shall be outlined.
-
Designation of the emergency staff (teams), duties/responsibilities and procedures for notification, and recall of the emergency staff (teams) during duty and non-duty hours shall be identified.
-
Succession and emergency delegations shall be identified, clearly stating those individuals authorized to act on behalf of senior Treasury officials during an emergency.
-
A strategy for communicating with non-emergency staff and rendering assistance to them as required/needed shall be documented.
-
Guidance for continued and uninterrupted command, control, and leadership of the IRS shall be documented.
-
A strategy shall be developed for communicating with employees, visitors, and others (including the media) during an emergency.
-
Procedures shall be developed for restoring or replacing damaged or destroyed facilities while maintaining operations at the alternate operating facility or facilities.
-
Continuity plans and procedures shall be reviewed at least annually and updated whenever there is a significant change to the system or when problems are encountered during plan implementation, execution, or testing.
-
-
All aspects of computer support and operations shall be documented to ensure continuity and consistency.
-
The IRS shall develop, test, and maintain a disaster recovery plan for mission or business critical systems for use in the event normal operations cease.
-
The IRS shall implement and enforce backup procedures for all IT systems and information.
-
Backup procedures shall include off-premises storage and both user and system-level information backup frequencies in accordance with the contingency plan for the system, site, or application.
-
Backup media transmitted or stored outside of IRS facilities shall be encrypted and protected at the highest level of sensitivity of the data included on the media and shall be marked with the highest level of sensitivity.
-
Media containing master copies for systems, including vendor media, shall be protected at the same level as the sensitivity of the system and marked accordingly.
-
Backups shall be restricted to authorized personnel only.
-
The IRS shall periodically (at least quarterly) verify backup copies by restoring a statistical sampling of file(s) to ensure the integrity of the backups.
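-
The quarterly sample-restore check above can be automated. The following is an added example (not IRS code) that builds a constructed backup set in a temporary directory, records a SHA-256 manifest when the backup is taken, restores a random sample of files from the archive, and compares digests against the manifest. The archive format (gzip-compressed tar) and the manifest layout are assumptions for illustration.

```python
"""Sample-restore verification of a backup archive against its manifest.

Added example (not IRS code). Assumes the backup is a gzip'd tar archive and
that a manifest of SHA-256 digests was recorded when the backup was taken.
All data here is constructed in a temporary directory.
"""
from __future__ import annotations

import hashlib
import os
import random
import tarfile
import tempfile
from pathlib import Path


def sha256_stream(fobj) -> str:
    """Hash a readable binary stream in chunks."""
    h = hashlib.sha256()
    for chunk in iter(lambda: fobj.read(65536), b""):
        h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, archive: Path) -> dict[str, str]:
    """Archive every file under src; return a {relative_path: sha256} manifest."""
    manifest: dict[str, str] = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                with p.open("rb") as f:
                    manifest[rel] = sha256_stream(f)
                tar.add(p, arcname=rel)
    return manifest


def verify_sample(archive: Path, manifest: dict[str, str],
                  sample_size: int, seed: int | None = None) -> dict:
    """Restore a random sample of files from the archive and compare digests.

    The sample is drawn without replacement; a fixed seed makes a run
    reproducible for the test record.
    """
    rng = random.Random(seed)
    sample = rng.sample(sorted(manifest), min(sample_size, len(manifest)))
    result: dict = {"checked": 0, "mismatched": [], "missing": []}
    with tarfile.open(archive, "r:gz") as tar:
        members = {m.name: m for m in tar.getmembers() if m.isfile()}
        for name in sample:
            member = members.get(name)
            if member is None:
                result["missing"].append(name)
                continue
            with tar.extractfile(member) as f:  # restore into memory, not onto disk
                digest = sha256_stream(f)
            result["checked"] += 1
            if digest != manifest[name]:
                result["mismatched"].append(name)
    result["ok"] = not result["mismatched"] and not result["missing"]
    return result


def demo() -> tuple[dict, dict]:
    """Constructed scenario: a clean verification, then one after silent corruption."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "data"
        src.mkdir()
        for i in range(20):  # constructed records
            (src / f"record_{i:02d}.dat").write_bytes(os.urandom(256))
        archive = Path(work) / "backup.tar.gz"
        manifest = make_backup(src, archive)
        clean = verify_sample(archive, manifest, sample_size=5, seed=1)

        # Simulate one record altered after the manifest was recorded, then the
        # archive rewritten from the damaged copy (e.g., a bad media duplication).
        (src / "record_07.dat").write_bytes(b"corrupted")
        make_backup(src, archive)
        corrupted = verify_sample(archive, manifest, sample_size=len(manifest), seed=1)
        return clean, corrupted


if __name__ == "__main__":
    clean, corrupted = demo()
    print("clean:", clean)
    print("corrupted:", corrupted)
```

Hashing the restored stream proves the media and archive are readable and that content is intact; a full restore rehearsal onto a scratch system, as the contingency plan testing requirements above call for, additionally exercises the procedures, permissions and time needed to actually recover.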
-
The IRS shall establish backup procedures for each information system, including the following:
-
Frequency,
-
Retention,
-
Offsite schedule, including personnel who are authorized to send and receive backup media,
-
Logs of backups, including recording errors that might occur,
-
Backup schedule,
-
Restore software from the original medium, not from backups, and
-
Reconfiguration of the media in accordance with IRS policy.
-
-
Backup information shall be selectively utilized to restore system functioning in contingency plan testing.
-
Recovery agents shall be established and managed so that data is not lost when an employee leaves or a system fails. Where the system does not support recovery agents, procedures shall be provided to users to ensure data recovery.
-
The IRS shall establish and maintain baseline configurations and inventories of organizational information systems, establish and enforce security configuration settings for IT products employed in organizational information systems, and monitor and control changes to the baseline configurations of organizational information systems throughout the respective SDLCs.
-
A capability for automated central management, application, and verification of configuration settings shall be established in accordance with the checklists of NIST SP 800-70, Security Configuration Checklists Program for IT Products: Guidance for Checklists Users and Developers.
-
The IT system shall be configured to provide only necessary capabilities, and to prohibit and/or restrict the use of unsecure services to ensure least functionality (see IRM 10.8.1.5.4.3, the Network Protection and Design section of this IRM, for a list of prohibited services).
-
The IT system(s) shall be reviewed at least annually to identify and eliminate unnecessary functions, ports, protocols, and/or services.
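-
One way to carry out the annual review of unnecessary ports, protocols and services (and the requirement further below that services not required for normal business operations be disabled or removed) is to compare what is actually listening against an approved baseline. The following is an added example (not IRS code): the `ss -H -tulnp` output and the approved (protocol, port) baseline are constructed for illustration, and in practice the command's real output would be fed in.

```python
"""Least-functionality check: compare listening sockets against an approved baseline.

Added example (not IRS code). The socket list below is constructed to look like
`ss -H -tulnp` output on Linux; the approved baseline is an assumption.
"""
from __future__ import annotations

import re

# Constructed sample of `ss -H -tulnp` output
# (Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port Process).
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128          0.0.0.0:22          0.0.0.0:*    users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128             [::]:22             [::]:*    users:(("sshd",pid=812,fd=4))
tcp   LISTEN 0      100                *:21                *:*    users:(("vsftpd",pid=1201,fd=3))
tcp   LISTEN 0      128        127.0.0.1:631         0.0.0.0:*    users:(("cupsd",pid=700,fd=7))
udp   UNCONN 0      0            0.0.0.0:68          0.0.0.0:*    users:(("dhclient",pid=640,fd=6))
udp   UNCONN 0      0            0.0.0.0:161         0.0.0.0:*    users:(("snmpd",pid=933,fd=8))
"""

# Assumed approved baseline: (protocol, port) pairs with a documented business need.
APPROVED = {("tcp", 22), ("udp", 68)}

LOOPBACK = {"127.0.0.1", "[::1]", "localhost"}
PROC_RE = re.compile(r'\(\("([^"]+)"')


def parse_ss(output: str) -> list[dict]:
    """Turn each `ss` line into {proto, addr, port, process}."""
    sockets = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")  # handles "[::]:22" and "*:21"
        m = PROC_RE.search(line)
        sockets.append({
            "proto": proto,
            "addr": addr,
            "port": int(port),
            "process": m.group(1) if m else "?",
        })
    return sockets


def audit_listeners(output: str, approved: set[tuple[str, int]]) -> list[dict]:
    """Return one finding per socket that is not in the baseline.

    Severity is 'exposed' when the socket is bound to a non-loopback address
    (reachable from the network) and 'loopback' when only local processes can
    reach it; both still need a justification or the service disabled.
    """
    findings = []
    for s in parse_ss(output):
        if (s["proto"], s["port"]) in approved:
            continue
        local_only = s["addr"] in LOOPBACK or s["addr"].startswith("127.")
        findings.append({**s, "severity": "loopback" if local_only else "exposed"})
    return findings


if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_SS_OUTPUT, APPROVED):
        print(f"{f['severity']:8} {f['proto']}/{f['port']:<5} {f['addr']:>12}  {f['process']}")
```

The finding list is what gets reconciled against the configuration management plan: each entry is either added to the baseline with a documented business need or the service is removed, and the baseline file itself is kept under change control.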
-
The BIOS configurations for IT systems shall be configured in accordance with manufacturer operating system and/or platform specifications.
-
In order to meet standards mandated by OMB and Treasury, the IRS shall ensure that changes/upgrades to systems, applications, and programs are compatible with the Security Content Automation Protocol (SCAP) and FDCC.
-
The standard installation, operation, maintenance, update, and/or patching of software shall not alter the configuration settings from the approved FDCC configuration.
-
-
Only legal and licensed (including open source, shareware, and freeware licenses, etc.) software (including operating system, databases, applications, etc.) approved by Modernization and IT Services (MITS) shall be used or installed on the IRS systems and networks.
-
MITS shall establish policy and procedures to approve, manage, and monitor software on the IRS systems and networks.
-
The IRS shall implement and maintain an inventory management system that includes tracking of IT systems and components.
-
The IRS shall maintain a current inventory of the components of the information system and relevant ownership information.
-
The inventory management system shall contain, at a minimum, Manufacturer, Model Number, Serial Number, IP Address, IRS Barcode, Host Name, Function, Software License Information, Interconnections and System/Component Owner.
-
The IRS shall communicate inventory changes to the Treasury CIO Office.
-
The IRS shall prepare configuration management plans for all IT systems and networks.
-
The IRS shall establish, implement, and enforce change management and configuration management controls on all IT systems and networks.
-
The IRS shall evaluate the impact on the security posture, functionality and infrastructure for all proposed changes to an IT system, including security patches.
-
A formal written change request shall be submitted to the appropriate Change Control Board(s) for all changes, scheduled and unscheduled. The change request shall be assigned to the appropriate personnel, including the ISSO, to determine the impact of the change on the IT system and its interconnections, including the security posture of the IT system (or its supporting GSS). If the change request creates a significant change in the security posture of the system, the C&A of the IT system shall be updated.
-
All changes shall be tested and evaluated before implementation.
-
Procedures for evaluating, approving, and installing patches and hot fixes shall be in place to ensure that these patches are installed in a timely manner and in conformance with the configuration management plan.
-
The IRS shall install security-related patches and hot fixes in accordance with Cybersecurity's Service-wide Patch Management policy.
-
The IRS shall manage systems to reduce vulnerabilities by promptly installing patches.
-
The IRS shall limit access to system software and hardware to authorized personnel.
-
The IRS shall inspect, test, authorize, approve, and monitor the use of all new and revised software and hardware before implementation in accordance with their configuration management plan and on an ongoing basis.
-
The IRS shall manage systems to reduce vulnerabilities through vulnerability testing, promptly installing patches and eliminating or disabling unnecessary services.
-
Maintenance ports shall be disabled and shall be enabled only during maintenance.
-
System services, protocols, and utilities not specifically required for normal business operations shall be disabled or removed.
-
Maintenance shall be approved by the appropriate IT system manager(s). Affected systems shall be backed up before maintenance begins. Maintenance equipment with storage capabilities shall be properly sanitized prior to release.
-
Changes made to hardware or software during maintenance shall be recorded per configuration management processes for the hardware or software.
-
A list of authorized IT practitioners (e.g., system administrators (SAs), vendor technicians) shall be maintained and be the only personnel authorized to perform maintenance activities on IRS hardware or software. Visiting IRS practitioners shall adhere to the IRS' sensitive facility policy.
-
Following IT system upgrades or consolidations, surplus equipment shall be secured until it has been properly prepared for surplus.
-
Contracts with maintenance vendors shall identify the security requirements.
-
All IRS system physical inventories shall be reconciled, at least annually, to ensure that all IT equipment (e.g., CPUs, printers, etc.) is accurately inventoried. These inventories shall be reconciled with any property passes to ensure that all notebook/laptop computers are also accounted for.
-
A log of maintenance activities shall be maintained and periodically reviewed in addition to an automated capability to ensure maintenance scheduling, completion, and logging occurs.
-
Any connection from outside the protected IRS network used to access an IRS system for maintenance shall be protected by physical and procedural controls, including training of authorized users, restricting use to authorized users, and maintenance of a usage access log.
-
Remote maintenance (e.g., dial-in) ports shall be disabled when not required for authorized maintenance or repair.
-
Access to remote maintenance ports shall only be available to explicitly identified personnel with required clearances.
-
When a vendor requires remote maintenance access for system maintenance, means shall be provided to properly identify, authenticate, and audit such access.
-
The IRS shall audit all remote maintenance sessions.
-
Remote maintenance logs shall be reviewed by appropriate personnel. Such personnel shall be specifically identified in the SSP.
-
The IRS shall document procedures for installation and use of remote diagnostic links in the SSP.
-
Any service or organization performing remote diagnostics or maintenance shall be accessed by a system at the same level of security, or higher, as the system being serviced.
-
-
The IRS shall identify, report, and correct information and information system flaws in a timely manner, provide protection from malicious code at appropriate locations within organizational information systems, and monitor information system security alerts and advisories and take appropriate actions in response.
-
Typical required actions for alert response shall be developed and available to appropriate personnel.
-
-
IRS information systems shall check information for accuracy, completeness, validity and authenticity.
-
A centralized capability for flaw remediation management and malicious code protection shall be utilized. Additionally, an automated method for determining remediation status with updates shall be employed.
-
The correct operation of information system security functions shall be validated at least quarterly. SAs shall be notified when any anomalies are discovered.
-
In addition, for systems categorized as high-impact in accordance with FIPS 199, the correct operation of security functions shall also be verified upon system startup and restart. SAs shall be notified when any anomalies are discovered.
-
-
Automated IT system monitoring shall be incorporated to detect unauthorized changes.
-
IRS information systems shall generate error messages that provide timely and useful information to authorized users without revealing information that could be exploited by adversaries.
-
The IRS shall establish procedures to ensure sensitive information cannot be accessed by unauthorized individuals. These procedures shall address paper and electronic outputs from systems, as well as the preparation, transportation, storage or mailing of sensitive media.
-
The IRS shall establish procedures to ensure that media, including tapes, disks and paper, are not accessed by unauthorized individuals.
-
The ACIO Cybersecurity shall be the final arbiter for questions related to need-to-know.
-
A clean desk policy shall be in place to ensure destruction of discarded computer media (e.g., paper output, diskettes, etc.) to preclude unauthorized disclosures.
-
Proper protection of the IT system from information leakage due to electromagnetic signals shall be employed.
-
IT system input shall be completed by authorized personnel only.
-
Anti-virus software shall be used to detect malicious code on all IRS systems.
-
The solution used shall be in accordance with the MITS-approved technology for virus protection and based on the capabilities of the platform.
-
-
Anti-virus software shall be configured to check all files, Internet downloads, and e-mail for viruses/malicious code.
-
The IRS shall install updates to anti-virus software and signature files at the desktop timely and expeditiously, without requiring the end user to specifically request the update.
-
Anti-virus software shall not be disabled.
-
The IRS shall configure their e-mail systems to provide appropriate security to the network where the systems reside and to the data stored and transmitted by the e-mail systems in accordance with NIST SP 800-45, Guidelines on Electronic Mail Security.
-
At a minimum, e-mail systems shall:
-
Use dedicated hosts;
-
Disable all unnecessary services and protocols (i.e., without a business need) such as, but not limited to: ftp, wireless, directory services, web-based mail, etc.;
-
Disable and remove all unnecessary operating system user and service accounts; and
-
Disable dangerous or unnecessary mail commands (e.g., VRFY and EXPN, which let an attacker enumerate valid accounts and expand aliases). Likewise, a mail server shall not relay mail for domains it is not responsible for unless relaying is a function that particular server is required to provide.
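-
The following added example (not IRS code) audits a Postfix main.cf against the minimums listed above: VRFY disabled and no relaying of mail for domains the server is not responsible for. Postfix is assumed as the MTA and both configuration fragments are constructed; Postfix does not implement EXPN at all, so only VRFY needs to be switched off there.

```python
"""Audit a Postfix main.cf for the mail-server minimums: VRFY off, no open relay.

Added example (not IRS code). Postfix is assumed as the MTA; the two main.cf
fragments below are constructed (a weak one and its hardened counterpart).
"""
from __future__ import annotations

WEAK_MAIN_CF = """\
# constructed: permissive settings on a freshly installed relay
myhostname = mail.example.test
inet_interfaces = all
mynetworks = 0.0.0.0/0
disable_vrfy_command = no
smtpd_relay_restrictions = permit
"""

HARDENED_MAIN_CF = """\
# constructed: hardened counterpart
myhostname = mail.example.test
inet_interfaces = all
mynetworks = 127.0.0.0/8, [::1]/128
disable_vrfy_command = yes
smtpd_relay_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
"""


def parse_main_cf(text: str) -> dict[str, str]:
    """Parse `key = value` lines; an indented line continues the previous value."""
    cfg: dict[str, str] = {}
    key = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and key is not None:
            cfg[key] += " " + raw.strip()
        elif "=" in raw:
            k, _, value = raw.partition("=")
            key = k.strip()
            cfg[key] = value.strip()
    return cfg


def audit_main_cf(cfg: dict[str, str]) -> list[str]:
    """Return a finding per requirement the configuration fails to meet."""
    findings = []

    # VRFY lets an attacker confirm which mailboxes exist; Postfix has no EXPN.
    if cfg.get("disable_vrfy_command", "no").lower() != "yes":
        findings.append("VRFY enabled: set disable_vrfy_command = yes")

    # Relay policy. Postfix 2.10+ enforces it in smtpd_relay_restrictions; older
    # releases only in smtpd_recipient_restrictions. An unset parameter falls back
    # to the Postfix default, so only an explicit setting is judged here.
    relay = cfg.get("smtpd_relay_restrictions", cfg.get("smtpd_recipient_restrictions"))
    if relay is not None:
        tokens = set(relay.replace(",", " ").split())
        if not tokens & {"reject_unauth_destination", "defer_unauth_destination"}:
            findings.append("open relay risk: relay restrictions lack reject_unauth_destination")

    # permit_mynetworks is only safe if mynetworks is actually local.
    nets = cfg.get("mynetworks", "")
    if "0.0.0.0/0" in nets or "::/0" in nets:
        findings.append("mynetworks trusts the whole Internet; restrict to local hosts/subnets")

    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_MAIN_CF), ("hardened", HARDENED_MAIN_CF)):
        print(label, audit_main_cf(parse_main_cf(text)) or ["no findings"])
```

On a sendmail host the equivalent of the VRFY/EXPN check is the `novrfy` and `noexpn` privacy flags (for example `define(`confPRIVACY_FLAGS', `novrfy,noexpn')` in sendmail.mc, or `goaway`, which includes both); the audit above would parse that file instead.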
-
-
All e-mail services (for example, UNIX sendmail) shall be configured as securely as an e-mail server.
-
The IRS shall implement measures to detect and block unauthorized code (e.g., viruses, worms, spyware, etc.) and objectionable content (e.g., pornography, hate mail/videos, etc.).
-
E-mail messages, appointments, and other collaboration mechanisms shall not be used to transmit SBU data unless encrypted when transmitted and stored.
-
Access to privately-owned e-mail accounts regardless of method or protocol shall be prohibited.
-
By using IRS e-mail, personnel shall consent to have their e-mail monitored.
-
Any use of IRS IT resources, including e-mail, shall be made with the understanding that such use may not be secure, is not private, is not anonymous and may be subject to disclosure under FOIA.
-
E-mail spamming, sending or forwarding chain letters, other junk e-mail, or inappropriate messages shall be prohibited.
-
Spam protection capability and updates shall be automated and centrally managed.
-
IRS shall ensure that e-mail communications are free of viruses through regular screening of incoming e-mail traffic and virus detection updates.
-
E-mail shall be retained as an official record. See IRM 1.15, Records Management, for additional instruction.
-
See IRM 1.10.3, for additional e-mail guidelines.
-
Non-IRS/Treasury accounts shall not be used for any government or official purposes.
-
Automatic forwarding shall not be used to send messages to non-IRS/Treasury accounts.
-
IRS employees or contractors transmitting Federal Tax Information (FTI) to conduct IRS business shall do so in accordance with IRM 1.10.3, Standards for Using E-mail.
-
The IRS shall implement appropriate media protection controls.
-
The IRS shall ensure backup media are stored in accordance with their contingency plans.
-
The IRS shall ensure all media (e.g., diskettes, external drives and master copies of software) containing sensitive information, including backup media and removable media, are stored in a secure location when not in use.
-
All media shall be marked with the appropriate sensitivity level and any applicable special handling or distribution instructions, and kept in a limited-access location on-site. Backup and archive media shall be sent to an off-site location having appropriate security controls, as identified through contingency plans.
-
Records shall be established to track all deposits and withdrawals from media storage facilities and libraries.
-
The IRS shall maintain an accurate record of the media's chain of custody and hold users accountable for the media removed from storage.
-
Records shall be secured to prevent unauthorized access and manipulation of log information.
-
The IRS shall maintain records of receipt of disks or other storage media that are transferred to another location by courier or mail.
-
The download and remote storage of SBU information outside of IRS facilities shall be approved by the system DAA.
-
SBU information shall not be downloaded or remotely stored prior to receiving documented approval from the system DAA.
-
The IRS shall mark media indicating the sensitivity of the information stored on the media.
-
If the IRS requires markings other than LOU, the IRS shall establish sensitivity levels and the associated labels, in accordance with TD P 71-10.
-
LOU media shall be stored and marked in accordance with TD P 71-10.
-
The IRS shall establish storage, mailing and marking procedures for each level of sensitivity they define. See IRM 3.10, Campus Mail and Work Control, for details.
-
The IRS shall exempt specific types of media or hardware components from labeling if they remain within a secure environment in accordance with IRM 2.7, Modernization and IT Services (MITS) Operations, and IRM 1.16, Physical Security Program.
-
The IRS shall establish procedures to ensure sensitive information stored on any media is transferred to an authorized individual upon the termination or reassignment of an employee or contractor or prior to disposal of the IT resource.
-
The IRS shall ensure that any sensitive information stored on media to be surplused or returned to the manufacturer shall be purged from the media before disposal.
-
Sanitization methods shall be commensurate with the sensitivity of the data residing on storage devices or equipment.
-
All magnetic media, diskettes, hard disks, or other storage devices containing sensitive data or software shall be sanitized before the transfer, reuse, surplus, or donation of any equipment or media.
-
Removable or portable media that are to be reused within the same organization shall be reformatted.
-
Contracts with external companies for repair or recovery of data from systems, hard drives, or media shall require a nondisclosure statement, in accordance with TDs.
-
Before being disposed of, any device containing a hard drive or memory that has processed sensitive information shall be cleaned by commercial disk-wiping software or by degaussing the hard drive and all chips containing memory. A letter/form stipulating that this procedure has been complied with shall be signed by the responsible person who has performed this procedure and shall accompany the device when it is turned into property management for disposal.
-
Sanitization procedures shall be periodically tested to ensure proper function.
-
The following are approved methods for sanitization. Other comparable or better methods shall be documented in policy and approved by MITS.
-
Magnetic Tapes - A Type I or Type II degausser is acceptable for clearing Type I, II and III tapes.
-
Magnetic Hard Disks and Magnetic Drums - Both overwriting and degaussing are approved methods to clear or purge this media.
-
Magnetic Floppy Disks and Cards - Overwriting is an approved method for clearing cards. Degaussing with a Type I degausser or an approved hand-held magnet is the preferred method for purging floppy disks and cards.
-
Magnetic Core Memory, Magnetic Bubble Memory, and Thin Film Memory - Overwriting and degaussing, using Type I degaussers and hand-held magnets, are approved methods to clear and purge these media.
-
Random Access Memory (RAM) - Both overwriting and removal of power for at least one minute are approved methods for clearing and purging.
-
Read Only Memory (ROM) - Data is permanently stored in ROM; therefore, clearing and purging this media has no relevance so the media may need to be destroyed.
-
Ultraviolet-Erasable Programmable Read Only Memory (UVPROM) - Exposure to ultraviolet light is approved as a method to clear and purge.
-
Electrically Erasable Programmable Read Only Memory (EEPROM) - Different forms of overwriting (e.g., single-step chip erase, individual overwriting, etc.) are approved methods to clear and purge.
-
Magneto-optical Disks - Magneto-optical disks can be cleared by a single overwrite.
-
CD-ROM (Compact Disk Read-Only Memory) and WORM (Write-Once-Read-Many) require destruction.
-
Ferromagnetic RAM - Consistent with the other overwritable storage media above, a single overwrite is sufficient for clearing.
-
Disk Exercisers - Many drawbacks exist to using overwrite software for purging disks. Some of these drawbacks are not applicable to disk exercisers, which use a dedicated operating system. Exercisers have the capability of writing at different frequencies. This makes them a more effective alternative to overwrite software; however, the exerciser is not approved to purge disks.
-
-
The IRS shall implement an appropriate disposal method to ensure that organizational information is not disclosed to unauthorized individuals.
-
Disposal shall be performed using approved sanitization methods.
-
The IRS shall ensure that prior to disposal, all media (e.g., paper, diskettes, and removable disk drives) are purged or sanitized in such a manner that sensitive information on that media cannot be recovered by ordinary means.
-
MITS shall define the approved sanitization methods with concurrence from ACIO Cybersecurity.
-
Portable electronic devices (PED) shall be destroyed when no longer needed.
-
Sensitive media shall be sanitized or destroyed.
-
The IRS shall verify and maintain records certifying that purging or sanitization was performed when no longer needed.
-
The IRS shall establish and maintain an IT incident response capability and shall report incidents to the Treasury Computer Security Incident Response Capability (TCSIRC) in accordance with TCSIRC procedures.
-
The IRS shall:
-
establish and maintain an IRS incident response capability;
-
incorporate an automated capability to periodically test incident response capabilities no less than annually;
-
routinely train both new users and responders in addition to providing incident response refresher training at least annually;
-
provide training in various forms, including an automated capability for event simulation to aid personnel decision making in times of crisis;
-
ensure all employees and contractors report significant computer security incidents to the IRS Computer Security Incident Response Center (CSIRC), within one hour after detection;
-
ensure the IRS CSIRC reports minor incidents in a monthly incident report;
-
report all planned penetration testing and vulnerability assessments to the Treasury CSIRC; and
-
incorporate an automated capability to assist in reporting of security incidents.
-
-
The IRS CSIRC shall immediately report any incident occurring on a sensitive or classified system to the Treasury (reporting timeframe shall not exceed one hour). At a minimum, the following events are defined as computer security incidents that shall be reported to the Treasury CSIRC (Refer to the IRS CSIRC organization’s Computer Security Incident Reporting Procedures, http://www.csirc.web.irs.gov/reporting/Incident_Reporting_Procedures.pdf, for comprehensive information regarding incident types):
-
Malicious Logic Attacks - These attacks are performed by crackers and hackers in an attempt to gain privileges and/or information, capture passwords and modify audit logs to hide unauthorized activity. The attempts include the use of active code such as viruses, Trojan horses, worms, and scripts.
-
Probes and Reconnaissance Scans - These scans include probing or scanning networks for critical services or security weaknesses. They also include nuisance scans.
-
Unauthorized Access and Unsuccessful Attempts - These attempts include all successful unauthorized accesses and suspicious unsuccessful attempts.
-
Denial of Service (DoS) Attacks - These attacks affect the availability of critical resources, such as e-mail servers, Web servers, routers, gateways, and communication infrastructure.
-
Alterations/Compromises of Information - These events involve the unauthorized altering of information or the compromise of information.
-
Adverse Site Mission Impacts - These events have significant impact on the mission of the site or operations but do not fall into any of the aforementioned categories.
-
Classified System Incidents - These events involve either a system used to process national security information, or classified information on any system not certified for that level of classified information.
-
Loss or Theft of Equipment - These events must be reported to the IRS CSIRC to determine the potential compromise of sensitive material. This effort includes the compromise of user accounts and passwords that could allow unauthorized persons to access Treasury computing resources or agents' names or case information that could compromise an investigation or risk the loss of human life. The IRS CSIRC's emphasis is on the data that was lost or stolen, not on the hardware itself.
-
Misuse of Resources - These events include the misuse of a computing or telecommunications system or network.
-
Domain Name System (DNS) Attacks - These attacks affect the availability of services or networks.
-
Root Compromise - These events compromise the most trusted privileges of the machines on the network.
-
Web Site Defacements - These events compromise the integrity and availability of all public Web sites.
-
-
The IRS shall report unplanned outages and less severe acts of nature (e.g., small-scale water damage) to the Treasury CSIRC within a 1-hour timeframe.
-
While responding to an incident, it is possible that changes will be made to system or application configurations, user access, and other activities in order to limit and control a situation. Once incident handling has been completed, the CSIRC shall perform actions that include, but are not limited to:
-
Affected DAAs shall be notified of actions taken and changes made to their systems/applications;
-
After a predetermined period, changes made to systems and applications shall be reviewed to determine if they are still relevant. The review period shall be determined by the CSIRC;
-
Any actions to undo changes shall be requested through existing Configuration Management (CM) processes; and
-
Any changes remaining shall be documented and subsequently controlled as part of normal CM processes.
-
-
The IRS shall provide an incident response support resource (e.g., a helpdesk or assistance group) to offer advice and assistance to IT system users for handling and reporting security incidents. In order to increase the availability of incident response information and support, automated mechanisms shall be utilized.
-
The IRS shall implement an incident response capability that serves as a mechanism for receiving and/or disseminating incident information and provides a consistent capability to respond to and report on incidents.
-
Please refer to the IRS CSIRC organization’s Computer Security Incident Reporting Procedures, http://www.csirc.web.irs.gov/reporting/Incident_Reporting_Procedures.pdf, for additional policy and procedures related to incident response.
-
See TD P 85-01 Volume II, Handbook Part One - Sensitive Systems, Section 1.6.1 for additional information related to incident response capability.
-
All IRS employees and contractors shall be responsible for reducing the impact and severity of security-related incidents by immediately reporting suspicious or anomalous events in accordance with the policy and procedures specified in the IRS CSIRC organization’s Computer Security Incident Reporting Procedures, http://www.csirc.web.irs.gov/reporting/Incident_Reporting_Procedures.pdf.
-
See TD P 85-01 Volume II, Handbook Part One - Sensitive Systems, Section 1.6.2 for additional information related to incident reporting.
-
The IRS shall implement a capability for handling security incidents that includes preparation, detection and analysis, containment, eradication, and recovery.
-
Lessons learned from ongoing incident handling activities shall be incorporated into incident response procedures.
-
Automated mechanisms to support the incident handling process shall be utilized.
-
-
Please refer to the IRS CSIRC organization’s Computer Security Incident Reporting Procedures, http://www.csirc.web.irs.gov/reporting/Incident_Reporting_Procedures.pdf, for additional incident handling requirements.
-
See TD P 85-01 Volume II, Handbook Part One - Sensitive Systems, Section 1.6.3 for additional information related to incident handling.
-
All IRS employees and contractors shall be responsible for security-related incident prevention through the use of, and response to, alerts and advisories disseminated by the IRS CSIRC.
-
Please refer to the IRS CSIRC organization’s Computer Security Incident Reporting Procedures, http://www.csirc.web.irs.gov/reporting/Incident_Reporting_Procedures.pdf, for additional incident prevention methods and requirements.
-
See TD P 85-01 Volume II, Handbook Part One - Sensitive Systems, Section 1.6.4 for additional information related to incident prevention.
-
The IRS shall monitor its networks for security events.
-
The IRS shall provide information on any reportable event in accordance with Treasury CSIRC policy.
-
The IRS shall utilize automated mechanisms to track, document, analyze, and report any event that is a security incident to the Treasury CSIRC on an ongoing basis.
-
The IRS shall conduct security compliance checks, vulnerability scans, and/or penetration tests quarterly, or whenever significant changes are made to IT systems.
-
Intrusion detection methods shall be configured to have system-wide detection capabilities and utilize automated features for attack detection and reaction.
-
Operators of Internet Access Points shall ensure that their intrusion detection system (or other functionally equivalent technology) is updated with new indicators/signatures as they are made available by the TCSIRC.
-
All Internet Access Points/portals shall have the capability to utilize the indicators/signatures for intrusion prevention/detection as described in the preceding requirement.
-
-
IRS IT systems shall be monitored by an authorized individual to the extent permitted by law. This monitoring may include monitoring of e-mail and e-mail transmissions or attachments, traffic analysis, keystroke monitoring, examination of log files, access authorization changes, and examination of any or all computer files. Monitoring may be initiated whenever misuse or possible criminal activity is suspected. The activities of users with significant IT system responsibilities shall be monitored more frequently. An automated mechanism for user activity review shall be employed.
-
Any equipment that may be used for passively intercepting telecommunications information shall be subject to procedural control, including training of authorized users, restricting use to authorized users, and maintenance of a usage access log.
-
Acquisition of all such equipment shall be approved by the Director, Enterprise Networks.
-
Use of such equipment shall be authorized, in writing, by a senior manager of the Telecommunications Division.
-
All such equipment shall be kept in a locked cabinet when not in use.
-
When the equipment is a computer system, network monitoring software shall be restricted to SAs only, and each use shall be authorized by the SA's manager.
-
-
In accordance with federal laws and IT security guidelines, the IRS shall develop, fund, and implement an Information Security ATE (Awareness Training and Education) program to inform all IRS employees and contractors, and any other users of IRS information systems that support the operations and assets of the IRS, of the following:
-
information security risks associated with their activities; and
-
their responsibilities in complying with IRS policies and procedures designed to reduce these risks.
-