- 10.8.1.5 Technical Controls
- 10.8.1.6 Deviations
- Exhibit 10.8.1-1 NIST SP 800-53 and IRM 10.8.1 Crosswalk for Management Controls
- Exhibit 10.8.1-2 NIST SP 800-53 and IRM 10.8.1 Crosswalk for Operational Controls
- Exhibit 10.8.1-3 NIST SP 800-53 and IRM 10.8.1 Crosswalk for Technical Controls
- Exhibit 10.8.1-4 Glossary
- Exhibit 10.8.1-5 References
-
The IRS shall restrict use of personally owned IT equipment, software and media.
-
Personally owned equipment shall include all systems, devices, software, and media owned by an individual, but shall not include systems, devices, software, media that the IRS has on a payment schedule or is leasing, or contractor-furnished IT equipment.
-
Contractors and vendors of the IRS using contractor-furnished IT equipment shall ensure the equipment meets the minimum security requirements detailed in the IRS contract/statement of work. Refer to the Contractors and Outsourced Operations section of this IRM and IRM 10.8.2 for additional detailed information.
-
-
Personally owned equipment, software and media shall not be used to process, access, or store sensitive/classified information.
-
Personally owned equipment shall not be connected to sensitive/classified IRS systems and networks directly or via VPN.
-
Personally owned equipment shall not be connected to IRS information systems and networks.
-
Each IRS system shall display an approved log-on banner/screen warning banner that identifies the system as the property of the United States Government that is for "Authorized Use Only."
-
The IRS shall provide warning banners on IT systems.
-
IT systems accessible to the public shall provide a security and privacy statement at every entry point.
-
IRS computers and IT systems and network devices shall display a sign-on warning banner to all users who log on to government computers and systems.
-
Banners shall be set for all services, regardless of whether the services are active.
-
The use of government IT systems shall be subject to monitoring and shall be for limited personal use by Treasury/IRS personnel.
-
All data contained on the IRS systems shall be considered the property of the U.S. Government and there shall be no expectation of personal privacy on these IT systems.
-
Orientation and Security ATE programs for employees shall include notification of the use of sign-on warning banners on IRS systems.
-
The following long text provided by General Legal Services via a March 11, 2005 memorandum (See Case GLS-104311-05), shall be implemented for any entry points into the system.
THIS U.S. GOVERNMENT SYSTEM IS FOR AUTHORIZED USE ONLY! Use of this system constitutes consent to monitoring, interception, recording, reading, copying or capturing by authorized personnel of all activities. There is no right to privacy in this system. Unauthorized use of this system is prohibited and subject to criminal and civil penalties.
-
When the long text cannot be used due to technical limitations, the following abbreviated warning banner text shall be used:
THIS U.S. GOVERNMENT SYSTEM IS FOR AUTHORIZED USE ONLY! Use is consent to authorized monitoring, capturing, etc. & no rights to privacy.
-
The IRS shall ensure remote access capabilities provide strong identification and authentication and shall protect sensitive/classified information throughout transmission.
-
All remote access to IRS' sensitive IT systems shall be protected with Federal Government-approved devices or techniques that provide explicit user Identification & Authentication (I&A) and audit logs/trails, and shall be controlled through a managed access control point.
-
Encrypted remote access circuits shall comply with the encryption standards and procedures as outlined in this IRM.
-
The IRS shall use encryption based on a risk assessment, except for wireless, which must use encryption for all remote access.
-
Secure remote access shall be provided by the Enterprise Remote Access Project (ERAP) or other IRS-approved enterprise solution.
-
Remote administration of systems and network devices shall be performed only over encrypted pathways.
-
Secure remote access shall be provided by the ERAP or other IRS-approved Virtual Private Network (VPN) enterprise solution.
-
Remote access from non-US locations shall be strictly prohibited.
-
Remote access to SBU information shall be approved by the system DAA. SBU information shall not be accessed remotely prior to receiving documented approval from the DAA.
-
Remote access connections shall be established via two-factor authentication where one of the factors is provided by a hardware device separate from the computer gaining access.
-
Activation of collaborative aids remotely is prohibited.
-
Automated mechanisms aiding in monitoring of remote access methods shall be employed.
-
Refer to the Network Protection and Design section of this IRM for additional requirements related to remote access.
-
The IRS shall ensure sensitive information is protected from compromise when being transmitted or stored using wireless capabilities. Please contact Cybersecurity for additional requirements related to wireless communications.
-
Sensitive information stored on any laptop computer that may be used outside of IRS facilities or on travel shall be encrypted using FIPS 140-2 or later approved encryption.
-
Documented approval from the DAA or owner shall be provided before a laptop computer is taken overseas.
-
Passwords and smart cards shall not be stored on or with the laptop.
-
Laptop computers in open offices or areas shall be secured when unattended via a locking cable, locked individual office, or locked cabinet or desk.
-
All IRS-owned laptops shall have asset tags/labels and be inventoried with name, location and use. See IRM 2.14, Asset Management, for roles and responsibilities.
-
All IRS-owned laptops shall be marked with the appropriate sensitivity level.
-
Any incidents of mishandling, tampering, or the loss of a laptop computer (the loss of any IT hardware) shall be a reportable security incident.
-
Laptop IT resources shall never under any circumstance be stored in checked luggage while traveling, whether it is an international or a domestic flight. If the laptop IT resource cannot be carried on board, an alternate means of transportation shall be found for the device. The U.S. Department of State shall be referenced for procedures for delivery of packages that meet SBU security standards for most foreign countries.
-
For specific guidance related to the protection of laptop computers, please refer to IRM 10.8.26, Laptop Computer Security Policy.
-
Privately owned PEDs shall not be used to process, store, or transmit sensitive IRS information.
-
Authentication, data encryption, and transmission encryption shall be implemented to protect sensitive information from compromise when using PEDs.
-
Add-on devices that can record or transmit sensitive information via video, Intermediate Frequency (IF), or Radio Frequency (RF) shall be disabled in areas where sensitive information is discussed.
-
IRS-owned PEDs shall be inventoried with name, location and use. See IRM 2.14, Asset Management, for roles and responsibilities.
-
Only government-owned PEDs shall be used to dial up or connect to the IRS network.
-
A risk assessment shall be conducted on all PED devices. The assessment shall include the risks associated with all functions. The DAA shall review the associated risks that have been identified by the risk assessment. Based on the sensitivity of the data and the risk associated with it, as identified by the risk assessment, the DAA shall approve or disapprove the use of PED devices.
-
All forms of media provided by Taxpayers and other IRS Business Partners shall be handled with the following minimum security controls:
-
All systems (workstations and laptops) shall have the latest version of the MITS-approved anti-virus software and signature definitions installed.
-
All systems shall be scanned for viruses/malicious code on a standalone machine prior to accessing the data. Employees shall attempt to locate an already established standalone machine. If one is not readily available, users may create a standalone environment with their IRS-issued machine.
-
All network cables shall be disconnected from the IRS network, prior to accessing the media and shall be scanned for viruses/malicious code prior to re-connecting to the IRS network.
-
All systems where malicious code is detected shall invoke the following process to mitigate the vulnerability:
(1) Do not re-connect the network cable;
(2) Do not power down or reboot the system; and
(3) Immediately contact CSIRC at 866 216-4809 and the Frontline Manager, in accordance with the Computer Security Incident Reporting Procedures, http://www.csirc.web.irs.gov/reporting/Incident_Reporting_Procedures.pdf.
-
Business owners shall develop standard operating procedures for acceptance, maintenance, control, storage, and disposal of media provided by taxpayers and other IRS business partners, in accordance with IRM 10.8.1, IRM 1.15, and IRM 1.16.
-
-
All Portable Electronic Devices taken outside the U.S. (whether for official or personal travel) may only connect to an IRS system through wireless connections, unless sanitized. Refer to the Sanitization section of this IRM for additional information.
-
All sensitive data being taken overseas shall be encrypted.
-
-
Any storage, processing device, or media (ex., thumb drives, flash memory, diskettes, USB-powered processors, etc.) obtained by IRS end users for work purposes while outside of the U.S. may not be connected to an IRS network or system (except to a standalone system) until sanitized.
-
Any IRS storage, processing device, or media (ex., thumb drives, flash memory, diskettes, USB-powered processors, etc.) taken outside of the U.S. may not, upon return, be connected to an IRS network or system (except to a standalone system) until sanitized. Exceptions from this requirement are media which have:
-
been protected with tamper evident bags/seals/containers each time the media is left unattended and never connected to a foreign system; or
-
been under the full-time immediate control of the user and never connected to a foreign system.
-
-
Media provided by foreign visitors to IRS end users for work purposes may only be loaded onto a standalone IRS system. The system shall remain standalone until the media is sanitized.
-
Portable mass storage devices including, but not limited to, flash disks, pen drives, key drives, and thumb drives shall have no additional software or firmware beyond storage management and encryption.
-
Portable mass storage devices shall automatically be scanned for viruses when attached or as files are accessed.
-
Portable mass storage devices storing SBU data shall encrypt all data files stored on these devices.
-
Business and functional units shall establish management controls that ensure the portable mass storage devices are inventoried, administered, and turned in during employee separations or reassignments.
-
C&A processes shall be utilized for portable mass storage devices requiring a centralized processing unit or other software applications.
-
All mobile media and information stored within electronic devices shall be encrypted. This encryption requirement applies to all portable electronic devices, regardless of whether the information is stored on laptops, personal digital assistants, diskettes, CDs, DVDs, flash memory devices, or other mobile media or devices.
-
The IRS shall implement the following Account Lockout security settings:
1. Account Lockout Duration (determines the number of minutes an account remains locked out before automatically becoming unlocked): Account locked out forever; shall remain locked in accordance with current Help Desk procedures.
2. Account Lockout Threshold (determines the number of consecutive failed logon attempts that will cause a user account to be locked out): 3 attempts.
3. Reset Account Lockout Counter (determines the number of minutes that must elapse after a failed logon attempt before the bad logon attempt counter is reset to 0 bad logons; while the password count will be reset after 60 minutes, the account will remain locked until unlocked by an administrator): 60 minutes or greater.
4. Logon Attempts (Events): All logon attempts shall be recorded in an audit log, in accordance with IRM 10.8.3, Audit Logging Security Standards, and are subject to review.
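The lockout behaviour in the table above, worked as an added example (not IRS code): a small state machine using the table's values, showing that the 60-minute counter reset does not unlock an account, that only an administrative action does, and that every attempt produces an audit entry. The account name and timestamps are constructed.

```python
"""Account lockout state machine matching the IRM 10.8.1 lockout settings.

Added illustration, not IRS code. Policy values are the ones in the table:
3 consecutive failures lock the account, the failure counter resets after
60 minutes without a failure, a locked account never unlocks on its own,
and every logon attempt (success, failure, lockout, admin unlock) is audited.
"""
from dataclasses import dataclass, field
from typing import List, Optional

LOCKOUT_THRESHOLD = 3               # row 2: 3 attempts
RESET_COUNTER_AFTER_SEC = 60 * 60   # row 3: 60 minutes or greater
# row 1: no automatic unlock; an administrator must clear the lock


@dataclass
class Account:
    name: str
    failed_count: int = 0
    last_failure_ts: Optional[float] = None
    locked: bool = False


@dataclass
class LockoutPolicy:
    audit_log: List[dict] = field(default_factory=list)

    def _audit(self, ts: float, account: Account, event: str, detail: str = "") -> None:
        # row 4: every attempt is recorded and subject to review
        self.audit_log.append({"ts": ts, "account": account.name,
                               "event": event, "detail": detail})

    def attempt(self, account: Account, ts: float, password_ok: bool) -> bool:
        """Process one logon attempt at time ts; return True if logon is granted."""
        if account.locked:
            # row 3: the counter may have reset, but the lock itself persists.
            self._audit(ts, account, "LOGON_REJECTED", "account locked")
            return False

        # row 3: reset the bad-logon counter once 60 minutes pass without a failure.
        if (account.last_failure_ts is not None
                and ts - account.last_failure_ts >= RESET_COUNTER_AFTER_SEC):
            account.failed_count = 0

        if password_ok:
            account.failed_count = 0
            account.last_failure_ts = None
            self._audit(ts, account, "LOGON_SUCCESS")
            return True

        account.failed_count += 1
        account.last_failure_ts = ts
        self._audit(ts, account, "LOGON_FAILURE",
                    f"consecutive failures={account.failed_count}")
        if account.failed_count >= LOCKOUT_THRESHOLD:
            account.locked = True   # row 1: stays locked until Help Desk/admin action
            self._audit(ts, account, "ACCOUNT_LOCKED", "threshold reached")
        return False

    def admin_unlock(self, account: Account, ts: float, admin: str) -> None:
        """Row 1: only an explicit administrative action clears the lock."""
        account.locked = False
        account.failed_count = 0
        account.last_failure_ts = None
        self._audit(ts, account, "ADMIN_UNLOCK", f"by {admin}")


def demo():
    """Constructed scenario: two failures, a one-hour gap, then three more."""
    policy = LockoutPolicy()
    acct = Account("jdoe")          # constructed account name
    t0 = 0.0
    policy.attempt(acct, t0, False)
    policy.attempt(acct, t0 + 10, False)
    # Counter was 2; after 60 quiet minutes it resets, so this failure counts as 1.
    policy.attempt(acct, t0 + 3700, False)
    not_locked_yet = not acct.locked
    policy.attempt(acct, t0 + 3710, False)
    policy.attempt(acct, t0 + 3720, False)   # third consecutive failure: locked
    locked_now = acct.locked
    # A correct password is now rejected, and the lock survives two more hours of inactivity.
    rejected = not policy.attempt(acct, t0 + 3730, True)
    still_locked = not policy.attempt(acct, t0 + 3730 + 7200, True)
    policy.admin_unlock(acct, t0 + 20000, "helpdesk")
    granted = policy.attempt(acct, t0 + 20010, True)
    return not_locked_yet, locked_now, rejected, still_locked, granted, len(policy.audit_log)


if __name__ == "__main__":
    print(demo())
```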
-
The IRS shall implement and enforce a threshold for the amount of time an operating system managed communication session is inactive before the session time-out feature is automatically invoked.
-
The inactivity threshold shall be 15 minutes, after which systems shall terminate the session and require the user to initiate a new logon.
-
Applications shall have a specific timeout requirement implemented in the application and/or operating system, not to exceed 15 minutes, based on an assessment of risk.
-
-
Applications requiring continuous, real-time screen display (e.g., network management products) shall be exempt from the inactivity threshold provided the following requirements are met:
-
The log on session was not initiated by a super user account (e.g., root in UNIX, Master in Unisys, etc.).
-
The inactivity exemption is documented in the appropriate operational policy approved by the DAA.
-
The workstation is located in a restricted and controlled access area open only to EN, EO, or EUES staff.
-
The workstation has a password protected screen saver with a 15 minute auto-activation setting.
-
-
The IRS shall create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity in accordance with technology- or system-specific policy and requirements. See IRM 10.8.3, Audit Logging Security Standards, for more information.
-
The IRS shall obtain non-repudiation through a variety of techniques or mechanisms such as, but not limited to, electronic signatures, electronic approval, digital message receipts, and time stamps. Please refer to associated areas within this IRM or contact Cybersecurity for procedures related to non-repudiation techniques.
-
The IRS shall monitor, control, and protect organizational communications at the external boundaries and key internal boundaries of information systems and employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational information systems.
-
IRS IT systems shall separate user functionality, including user interfaces, from IT system management functionality.
-
IRS IT systems shall isolate security functions from non-security functions for FIPS 199 categorized high-impact systems.
-
IRS IT systems shall prevent unintended information transfer via shared system resources. (See IRM 10.8.1.4.7, the Media Protection section of this IRM, for additional information on media marking, disposal, and sanitization.)
-
IRS IT systems shall protect against, or limit, the effects of Denial of Service (DoS) attacks as defined in NIST SP 800-61, Computer Security Incident Handling Guide.
-
IRS IT systems shall restrict the ability of users to launch DoS attacks against other IT systems or networks.
-
IRS IT systems shall manage excess capacity bandwidth or other redundancy to limit the effects of other DoS attacks.
-
-
IRS IT systems shall not allow lower priority processes to negatively impact higher priority processes.
-
IRS infrastructure network services with an available timeout option shall have the option set to no longer than 15 minutes.
-
IRS infrastructure network services shall secure name lookup services in accordance with NIST SP 800-81, Secure Domain Name System (DNS) Deployment Guide.
-
The information systems that collectively provide name/address resolution service for an organization shall be fault tolerant and implement role separation.
-
The information system shall provide mechanisms to protect the authenticity of communications sessions.
-
-
TCP/IP Restrictions
-
Due to the security risks associated with rogue implementations of IPv6, only organizations that have received approval from Cybersecurity, the IPv6 Transition Office and the system’s Designated Approving Authority (DAA) are authorized to utilize IPv6 on IRS development and production networks.
-
-
All overseas communications shall occur in accordance with the Department of State, 12 FAM 600, Information Security Technology.
-
The IRS shall adhere to procedures provided in 12 FAM 600 and 12 FAM 500 for all overseas communication.
-
Any and all IRS employees, contractors, and vendors shall consider the risk prior to connecting an IRS IT resource to the Internet. Based on the sensitive nature of the information and other factors, standalone workstations or networks physically separated from the Internet may be the best choice.
-
Business owners shall ensure that sensitive information is not posted on internal or external websites and that websites comply with the content management guidelines as required by IRM 2.25, Web Services.
-
-
Firewalls shall be configured to prohibit any Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) service or other protocol/service that is not explicitly permitted.
-
Lightweight Directory Access Protocol (LDAP) connections shall be secured using Transport Layer Security (TLS) to provide encryption and authentication.
-
Remote connections shall be centrally managed and monitored by the IRS to ensure integrity of network security.
-
The IRS shall prohibit the use of Internet Relay Chat (IRC) and other instant messaging protocols. If necessary, a formal deviation can be submitted in accordance with the process described in the Deviations section of this IRM.
-
See IRM 2.25,Web Services, for strategic planning, standards and policy for IRS Internet, intranet and extranet web sites.
-
In order to comply with OMB’s Trusted Internet Connections (TIC) initiative plan, IRS shall reduce external trusted internet connections in order to improve situational awareness and allow for the expedited response to potential threats. See OMB M-08-05 for additional detail.
-
Internet Connections
-
Connectivity between the public Internet and any classified network shall be prohibited.
-
IRS services provided via the Internet shall be implemented using extranets and servers that are isolated from IRS intranets.
-
IRS servers that are accessible from the Internet shall maintain a comprehensive and functional level of operating system security that shall limit command-level access to designated administrators.
-
IRS servers that are accessible from the Internet shall provide an intrusion detection capability that shall provide real-time alerts when an attack or attempt at bypassing system security occurs.
-
Applications using the Internet or other public networks for the transmission of sensitive information shall use virtual private networks, application-level encryption, or another approved means to protect data.
-
User (i.e., non-administrator, non-service) accounts shall not be installed on externally addressable host systems.
-
The following services and protocols shall be disabled on externally addressable host systems: Network File System, Network Information System, Remote Procedure Call (RPC), trivial file transfer protocol (tftp), User Datagram Protocol (UDP), boot services, r-commands, Routing Information Protocol (RIP) daemon (routed) and Internet Control Message Protocol (ICMP) redirects.
-
All unused ports shall be disabled.
-
The IRS shall physically allocate publicly accessible IT system components to separate subnetworks with distinct physical network interfaces.
-
The transmission of non-public IRS information over the Internet or other public networks shall be protected using a secure protocol that provides FIPS 140-2 or later compliant cryptography to prevent unauthorized disclosure and recognize unauthorized changes during transmission.
-
All Internet Access Points/portals shall comply with Treasury Standards for Creating Secure Internet Access Points (when finalized/promulgated).
-
-
World Wide Web (WWW) Servers
-
Internet-accessible WWW servers that store non-public information shall perform user I&A before allowing access. I&A shall be performed in a secure manner not subject to disclosure or playback attacks. Clear text passwords shall not be transmitted across the Internet.
-
The transmission of non-public information from a department server to an Internet user shall be protected using a secure protocol that provides FIPS 140-2 or later compliant cryptography.
-
WWW servers shall be configured to prevent any administrative log on from the Internet.
-
WWW server software shall be kept current with respect to security-related system patches, modifications, and fixes.
-
WWW servers shall not monitor HTTP ports using an account (user ID) that has SA privileges.
-
The implementation and use of Common Gateway Interface (CGI) scripts on WWW servers shall be monitored and controlled. Scripts shall be written in a manner that prevents a user from obtaining command-level access to the server. Scripts shall not use code that allows user data to be passed to a server as a command string. Scripts shall use code that is robust and capable of handling data exception conditions to parse/process user input. Server Side Includes (SSIs) shall be disabled for directories containing scripts.
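The script-handling rules above, as an added example (not IRS code): the non-compliant pattern in which user data becomes part of a command string, beside a compliant form that validates the input against an allow-list, executes with an argument vector and no shell, and handles every exception condition explicitly. The `finger` lookup, the `user` field name and the `run` parameter are assumed for illustration.

```python
"""Handling user input in a CGI-style script without passing it to a shell.

Added example, not IRS code. It shows the pattern the policy forbids
(user data concatenated into a command string) beside the compliant form:
strict allow-list validation, argv-style execution with shell=False, and
explicit handling of exception conditions.
"""
import re
import subprocess
from urllib.parse import parse_qs

# Allow-list: POSIX-style account names only. Anything else is rejected outright.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def unsafe_lookup(query_string: str) -> str:
    """NON-COMPLIANT: user data becomes part of a shell command string."""
    user = parse_qs(query_string).get("user", [""])[0]
    # Whatever is in `user` would be interpreted by the shell; this is exactly
    # the "no user data passed as a command string" rule. Returned, not executed.
    return f"finger {user}"


class InputError(ValueError):
    """Raised when user input fails validation."""


def parse_user(query_string: str) -> str:
    """Parse and validate the `user` field; raise InputError on any exception condition."""
    try:
        fields = parse_qs(query_string, strict_parsing=True, max_num_fields=10)
    except ValueError as exc:
        raise InputError(f"malformed query string: {exc}") from None
    values = fields.get("user")
    if not values or len(values) != 1:
        raise InputError("exactly one 'user' field is required")
    user = values[0]
    if not USERNAME_RE.match(user):
        raise InputError("user name contains characters outside the allow-list")
    return user


def build_argv(user: str) -> list:
    """Argument vector for the lookup: a list of separate arguments, never a shell string."""
    return ["finger", user]


def safe_lookup(query_string: str, run=subprocess.run) -> str:
    """COMPLIANT: validated input, argv execution, shell=False, bounded runtime."""
    user = parse_user(query_string)   # may raise InputError
    try:
        result = run(build_argv(user), capture_output=True, text=True,
                     timeout=5, check=False, shell=False)
    except (OSError, subprocess.TimeoutExpired) as exc:
        return f"lookup unavailable: {type(exc).__name__}"
    if result.returncode != 0:
        return "lookup failed"
    return result.stdout


def cgi_main(query_string: str, run=subprocess.run) -> str:
    """Top-level handler: every exception condition yields a controlled response."""
    try:
        return safe_lookup(query_string, run)
    except InputError as exc:
        return f"400 Bad Request: {exc}"
```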
-
The IRS shall post clear privacy policies on their World Wide Web sites. Each privacy policy shall clearly and concisely inform visitors to the site what information the agency collects about individuals, why the agency collects it and how the agency shall use it. Privacy policies shall be clearly labeled and easily accessed when someone visits a web site.
-
-
HTTP access to external sites shall be accomplished using an HTTP proxy.
-
ActiveX controls shall be approved for use on IRS intranet sites under the following parameters:
-
Users are provided with a Web browser (Internet Explorer) that has been configured to use the "trusted site zone." Intranet sites shall be defined in this zone.
-
ActiveX controls for intranet host systems have been reviewed to ensure that they comply with Microsoft's security guidelines.
-
Browsers are configured so as not to permit user modification of the security configuration. Approval of Java and JavaScript shall be determined in accordance with Enterprise Architecture guidance.
-
-
Java-enabled browsers shall implement a Java security model that prevents a Java applet from reading and writing files on a client system or establishing network connectivity to a site other than the site from which the applet was downloaded.
-
Files obtained from the Internet shall be scanned using IRS-approved software to detect malicious logic.
-
Only IRS-approved software shall be used to access the WWW and the software shall incorporate all vendor-provided security patches.
-
Internet Mail Gateway
-
E-mail traffic between the Internet and internal networks shall be implemented with centrally managed gateways.
-
Proxy applications shall be used to route mail through firewalls.
-
E-mail messages shall not be located on application gateways or other devices used to implement a firewall.
-
-
IRS shall utilize a capability to restrict Internet usage.
-
The IRS shall appropriately design, operate, and protect IT networks and systems to:
-
protect information from inadvertent disclosure,
-
ensure integrity of information stored, transmitted, processed, and presented,
-
ensure that information is available when needed,
-
associate changes to information and systems with unique individuals or system processes,
-
maintain and update hardware and software promptly in response to identified vulnerabilities, and
-
offer defense in depth against external and internal attacks.
-
-
The IRS shall review and validate network and system design at least annually or when significant changes are made to the IT systems.
-
Connectivity to any IRS network or system that contains SBU data shall be authorized in writing by the DAA of the system requesting connectivity and the DAA of the host system. At a minimum, the connecting system shall:
-
not degrade the security present on the host network or system, and
-
comply with the provisions of this manual and the relevant, subsequent 10.8.x series IRMs.
-
-
E-mail protocols (and services) shall be configured to implement least functionality principles. For example, if a system is configured to send an alert status to an SA using e-mail, the e-mail with associated protocols and services shall be configured to ensure the e-mail is outbound only from the system.
-
All network and system protocols running on the IRS network shall be the latest versions when they do not negatively impact availability. A risk-based decision shall be used to determine when it is appropriate to implement later protocols.
-
E-mail protocols such as IMAP and IPOP shall be configured to reduce unnecessary risk to the network and the data transmitted. Unnecessary e-mail functionality provided via the protocols and services shall be removed.
-
-
The widespread use of insecure protocols can allow passwords and other sensitive data to be transmitted across the Internet unencrypted. The IRS shall restrict the use of insecure protocols. These insecure protocols include, but are not limited to the following: Simple Network Management Protocol (SNMP) v1, Telnet, FTP, sendmail, finger, walld, echo, chargen, netstat, rlogin, rsh, rcp, and rhosts.
-
The use of the Telnet and FTP protocols shall be replaced with the MITS approved alternatives to Telnet and FTP. In the interim, the Electronic File Transfer Utility can be used where appropriate.
-
Deviations from this policy will be granted on a case-by-case basis, based on legacy operating system limitation(s) or business owner justification only. Requests shall be approved by each individual system's DAA after an assessment of the risks has been completed. This risk-based decision shall be documented in a SAR.
-
POA&Ms shall be completed for any IRS system using insecure protocols. The POA&M will address the replacement strategy, and/or secure alternatives as part of future development or upgrade(s).
-
As new systems are developed or upgrades are proposed to existing systems, priority consideration shall be given early in the development process for disabling and replacing the insecure protocols and services with secure alternatives.
-
-
Connectivity to the Integrated Data Retrieval System (IDRS) by other than the core IDRS system is subject to the security procedures specified in Cybersecurity's Audit Logging Security Standards policy.
-
File, protocol, and content filtering shall be used to protect IRS data and networks in accordance with the IRS’ Internet Usage Policy.
-
All means of connecting from a non-IRS controlled network shall be documented, authorized and protected. This information shall be periodically (at least annually) reviewed by the business user and telecommunications security function to verify continued adherence to this manual and a continuing business need.
-
Privileged (well-known) ports (0–1023) as defined by the Internet Assigned Numbers Authority (IANA) shall not be used for any protocol not registered to that port. See http://www.iana.org/assignments/port-numbers.
-
For servers that need only temporary access to bind to privileged ports, the server shall be configured to start under a privileged account, bind to privileged ports, and change to a non-privileged account.
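The start-privileged, bind, then change-account sequence above, as an added example (not IRS code): the service holds root only long enough to bind the well-known port, then drops supplementary groups, gid and uid in that order and verifies that root cannot be regained before it serves anything. The account name "svc-web" and port 80 are constructed for illustration.

```python
"""Bind to a privileged port, then run as a non-privileged account.

Added example, not IRS code. Assumes a dedicated unprivileged account
(constructed name: "svc-web") exists on the host.
"""
import grp
import os
import pwd
import socket


def drop_privileges(user: str) -> None:
    """Switch to `user` irrevocably: supplementary groups first, then gid, then uid."""
    pw = pwd.getpwnam(user)
    if pw.pw_uid == 0:
        raise ValueError("refusing to 'drop' to a uid-0 account")
    # Order matters: once the uid is non-zero, setgroups/setgid would be refused.
    os.setgroups([g.gr_gid for g in grp.getgrall() if user in g.gr_mem])
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)       # setuid (not seteuid) so no saved root uid remains
    os.umask(0o077)


def privileges_dropped(expected_uid: int) -> bool:
    """True if real and effective uid equal expected_uid and root cannot be regained."""
    if expected_uid == 0:
        return False
    if os.getuid() != expected_uid or os.geteuid() != expected_uid:
        return False
    try:
        os.setuid(0)           # must fail once privileges are fully dropped
    except PermissionError:
        return True
    return False               # regaining root means the drop was incomplete


def self_check():
    """Runnable without root: None if this process is root, otherwise whether the
    current (already unprivileged) process satisfies privileges_dropped()."""
    if os.geteuid() == 0:
        return None
    return privileges_dropped(os.getuid())


def start_service(port: int, user: str) -> socket.socket:
    """Root-only setup: bind the privileged port, then drop to `user` before serving."""
    if os.geteuid() != 0:
        raise PermissionError("binding a port below 1024 requires root at startup")
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("0.0.0.0", port))   # privileged action, performed while still root
    sock.listen(16)
    drop_privileges(user)          # everything after this line runs unprivileged
    if not privileges_dropped(pwd.getpwnam(user).pw_uid):
        sock.close()
        raise RuntimeError("privilege drop could not be verified; aborting")
    return sock


if __name__ == "__main__":
    listener = start_service(80, "svc-web")
    print("listening as uid", os.getuid(), "on", listener.getsockname())
```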
-
Emerging technology products with multiple functionalities shall be thoroughly assessed to determine potential threats when introduced into the IRS infrastructure. As an example, remote access card technology may be included as a bundled feature and could present preventable risk to the network. As technology continues to evolve, threats shall continue to be analyzed.
-
The ISSO shall complete a full analysis of the new technology product and determine the business need of each bundled feature.
-
The DAA shall ensure a full assessment of risk of all product features is completed prior to the technology product introduction into the IRS environment. The ISSO shall create and document a plan for the enabling/disabling of features required by the business unit.
-
-
The IRS shall restrict physical access to firewalls to authorized personnel.
-
The IRS shall implement strong identification and authentication for administration of the firewalls.
-
The IRS shall encrypt remote maintenance paths to firewalls.
-
The IRS shall conduct penetration and vulnerability testing on perimeter firewalls at least quarterly to ensure firewall configurations are correct.
-
All perimeter firewalls shall be treated as a system and shall be certified and accredited in accordance with TD P 85-01 and NIST SP 800-41, Guidelines on Firewalls and Firewall Policy.
-
IRS firewalls that are accessible from the Internet shall maintain a comprehensive and functional level of operating system security that shall limit command-level access to designated administrators.
-
IRS firewall audit records shall be recorded on tamper proof media or routed to a host that is not accessible from the Internet.
-
IRS firewalls that are accessible from the Internet shall provide an intrusion detection capability that shall provide real-time alerts when an attack or attempt at bypassing system security occurs and appropriate action taken.
-
The following minimum technical security standards shall be followed when implementing IP connections on perimeter firewalls:
-
Screening Routers - Screening routers (if used as a firewall component) shall have the capability to filter based on TCP and UDP ports as well as IP addresses and incoming network interfaces.
-
Services - Only services that are required shall be permitted (to pass through a firewall). For each permitted service, the following information shall be documented:
1) service allowed (including TCP or UDP port number),
2) service description,
3) business case necessitating the service and
4) internal controls associated with the service.
-
Inbound Filtering - Inbound filtering shall be performed to exclude or reject all data packets that have an internal host address. Inbound filtering shall be in accordance with NIST SP 800-41, Section 4.2, Implementing a Firewall Rule Set.
-
Logs - All firewall systems shall enable an audit capability to monitor firewall operation and substantiate investigations of real or perceived violations of local security policies. At a minimum, the logs shall track services that are allowed or denied by the firewall, attempted access to network services, rejected source routed addresses, ICMP redirects and any additional system information the local security officer deems relevant. The firewall syslog (or comparable) and audit logs shall be reviewed daily. See IRM 10.8.3, Audit Logging Security Standards, for retention time on log files.
-
Inbound Services - Inbound services shall be prohibited unless a valid business case can establish their validity. Inbound services shall provide strong authentication using one-time or session passwords, challenge and response protocols, digital signatures, or encryption. Port protocols shall be blocked in accordance with NIST SP 800-41, Appendix C, Section C.4, Recommendation for Firewall Policy, Table C.1. Approval to use these services may not be granted unless it can be demonstrated that the selected firewall configuration provides adequate security.
-
Firewall Consoles - All firewall consoles shall be located in a physically secure area and require technical controls equal to or exceeding the minimum security requirements specified in Sections 5.1–5.3 above. Monitoring shall be restricted to CSIRC use.
-
Monitoring - The firewall system shall provide for a monitoring capability and remote notification.
-
Demilitarized Zone (DMZ) - Systems that are externally accessible, but need some protections shall be located on DMZ networks. Refer to NIST SP 800-41, Section 3.2, DMZ Networks for additional information.
-
Known malicious sites, identified by TCSIRC, are to be blocked (inbound and outbound) at each Internet Access Point (unless explicit instructions are provided to Bureaus not to block specific sites). Blocking is to be accomplished within two business days following TCSIRC release of such sites.
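The Services, Inbound Filtering and Logs standards above, worked together as an added example (not IRS code and not any vendor's rule syntax): each permitted service carries the four documented items, anything not explicitly permitted is denied, inbound packets claiming an internal source address are rejected, and every decision, including rejected source-routed packets and ICMP redirects, is logged. The internal address ranges, the single permitted service and the sample packets are constructed.

```python
"""Perimeter firewall inbound rule evaluation following the standards above.

Added example, not IRS code. It models default deny, documented permitted
services, inbound anti-spoofing and a log entry for every decision.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed internal ranges; an inbound packet from outside must never claim one.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class PermittedService:
    """The four items the policy requires to be documented per permitted service."""
    name: str
    proto: str              # "tcp" or "udp"
    port: int
    description: str
    business_case: str
    internal_controls: str


@dataclass
class Packet:
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    icmp_type: Optional[int] = None   # 5 = redirect
    source_routed: bool = False
    iface: str = "external"           # interface the packet arrived on


@dataclass
class Firewall:
    permitted: List[PermittedService]
    log: List[str] = field(default_factory=list)

    def _log(self, verdict: str, p: Packet, reason: str) -> bool:
        # Logs standard: allowed and denied services, rejected source routing, ICMP redirects.
        self.log.append(f"{verdict} iface={p.iface} src={p.src} dst={p.dst} "
                        f"proto={p.proto} dport={p.dport} reason={reason}")
        return verdict == "ALLOW"

    def inbound(self, p: Packet) -> bool:
        """Return True if the inbound packet is permitted; every decision is logged."""
        src = ipaddress.ip_address(p.src)
        # Inbound Filtering standard: external packets must not carry an internal source.
        if p.iface == "external" and any(src in net for net in INTERNAL_NETS):
            return self._log("DENY", p, "spoofed internal source address")
        if p.source_routed:
            return self._log("DENY", p, "source-routed packet rejected")
        if p.proto == "icmp" and p.icmp_type == 5:
            return self._log("DENY", p, "ICMP redirect")
        for svc in self.permitted:
            if svc.proto == p.proto and svc.port == p.dport:
                return self._log("ALLOW", p, f"permitted service {svc.name}")
        # Services standard: nothing that is not explicitly permitted passes.
        return self._log("DENY", p, "not explicitly permitted")


def demo():
    """Constructed rule set and packets exercising each rule."""
    fw = Firewall(permitted=[
        PermittedService("https", "tcp", 443, "Public web front end",
                         "Taxpayer-facing web service", "TLS only, daily log review"),
    ])
    results = [
        fw.inbound(Packet("203.0.113.7", "198.51.100.10", "tcp", dport=443)),      # allowed
        fw.inbound(Packet("203.0.113.7", "198.51.100.10", "tcp", dport=23)),       # default deny
        fw.inbound(Packet("10.1.2.3", "198.51.100.10", "tcp", dport=443)),         # spoofed source
        fw.inbound(Packet("203.0.113.9", "198.51.100.10", "icmp", icmp_type=5)),   # ICMP redirect
        fw.inbound(Packet("203.0.113.9", "198.51.100.10", "udp", dport=53,
                          source_routed=True)),                                    # source routed
    ]
    return results, fw.log


if __name__ == "__main__":
    verdicts, log = demo()
    print(verdicts)
    print("\n".join(log))
```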
-
-
The IRS shall select the telecommunications protection techniques that meet their security needs consistent with Treasury and IRS security policies.
-
The IRS shall protect telecommunications transmissions for all sensitive information.
-
Encrypted paths shall be used for network management and system management activities.
-
The IRS shall implement controls to ensure that only individuals authorized to attend a specific videoconference shall be able to participate in that videoconference.
-
The IRS shall ensure transmission protections are in place commensurate with the highest sensitivity/classification of information to be discussed over the videoconference.
-
Videoconferencing shall be disabled when not in use.
-
Adequate security shall be provided for all sensitive information transmitted in a videoconference.
-
This section shall apply to Voice over Internet Protocol (IP) (VoIP) and similar technologies that move voice over digital networks using protocols. Such technologies include voice over frame relay, voice over asynchronous transfer mode, and voice over digital subscriber line.
-
The IRS shall design voice over data network implementations with redundancy to ensure network outages do not result in the loss of both voice and data communications.
-
The IRS shall ensure identification and authentication controls, audit logging, and integrity controls are implemented on every component of their voice over data networks.
-
The IRS shall ensure that physical access to voice over data network components is restricted to authorized personnel.
-
The underlying operating systems of voice over digital networks shall be securely configured in accordance with this IRM's applicable system- or technology-specific requirements. For security considerations for VoIP Systems, refer to NIST SP 800-58, Security Considerations for Voice Over IP Systems.