- 10.8.2.1 Policy
- 10.8.2.2 Roles and Responsibilities
- 10.8.2.3 Deviations
- Exhibit 10.8.2-1 Glossary
- Exhibit 10.8.2-2 References
-
In accordance with IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance, the IRS shall implement IT security roles and responsibilities in accordance with federal laws and IT security guidelines that are appropriate for its specific operations and functions.
-
This IRM establishes the IT security roles and responsibilities for the IRS.
-
Department of Treasury Directive Publication (TD P) 85-01 and federal regulations require that senior agency officials establish an IT security program, which includes the identification of IT security roles and responsibilities.
-
The IT security roles and responsibilities delineated in this IRM apply to all IRS business, operating, and functional units.
-
This manual contains information on the following topic areas:
-
Roles and Responsibilities
-
Deviations
-
Glossary (see Exhibit 10.8.2-1)
-
References (see Exhibit 10.8.2-2)
-
-
The IRS shall implement IT security roles and responsibilities that ensure the confidentiality, integrity, and availability of its systems, applications, and information.
-
The following roles and responsibilities are based on Federal Information Security Management Act (FISMA), National Institute of Standards and Technology (NIST), and Department of Treasury guidance and policies.
-
FISMA requires the head of each federal agency to provide information security protections commensurate with the risk and magnitude of the harm that may result from unauthorized access, use, disclosure, disruption, modification, or destruction of its information and information systems. The protection should apply not only within the agency, but also within contractor or other organizations working on behalf of the agency.
-
FISMA assigns the Commissioner, as the Agency Head, responsibility for:
-
Providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of: 1) Information collected or maintained by or on behalf of the agency; and 2) Information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency;
-
Complying with the requirements of this policy and related policies, procedures, standards, and guidelines, including: 1) Information security standards promulgated under Section 11331 of Title 40, United States Code; and 2) Information security standards and guidelines for national security systems issued in accordance with law and as directed by the President;
-
Ensuring information security management processes are integrated with agency strategic and operational planning processes; and
-
Ensuring that the agency has trained personnel sufficient to assist the agency in complying with the requirements of this policy and related policies, procedures, standards, and guidelines.
-
-
In accordance with FISMA, the Agency Head shall:
-
Ensure that senior agency officials provide information security for the information and information systems that support the operations and assets under their control;
-
Assess risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of such information or information systems;
-
Determine the levels of information security appropriate to protect such information and information systems in accordance with standards and policies for information security classifications and related requirements;
-
Implement policies and procedures to cost-effectively reduce risks to an acceptable level; and
-
Periodically test and evaluate information security controls and techniques to ensure that they are effectively implemented.
-
-
In accordance with FISMA, the Agency Head shall also:
-
Delegate to the agency Chief Information Officer (CIO), established under Section 3506 of Title 44, United States Code (or a comparable official in an agency not covered by that section), the authority to ensure compliance with the requirements imposed on the agency; and
-
Ensure that the agency CIO, in coordination with other senior agency officials, reports annually to the agency head on the effectiveness of the agency information security program to include progress of remedial actions.
-
-
In accordance with FISMA, through delegation by the Agency Head, the CIO shall:
-
Delegate to the Senior Agency Information Security Officer (SAISO) the authority to carry out the CIO's responsibilities under this section.
-
-
In accordance with FISMA, through delegation by the CIO, the SAISO shall:
-
Possess professional qualifications, including training and experience, required to administer the functions described under this section;
-
Have information security as his or her primary duty;
-
Head an office with the mission and resources to assist in ensuring agency compliance with this section;
-
Develop, document, and implement an agency wide information security program to provide security for all systems, networks, and data that support the operations of the organization;
-
Develop and maintain information security policies, procedures, and control techniques to address all applicable requirements;
-
Train and oversee personnel with significant responsibilities for information security with respect to such responsibilities; and
-
Assist senior agency officials concerning their responsibilities.
-
-
The CIO, in accordance with NIST and TD P 85-01, is responsible for designating a Point of Contact (POC) to coordinate all policy issues related to information systems security including: computer security, telecommunications security, operational security, certificate management, electronic authentication, Disaster Recovery (DR), and critical infrastructure protection related to cyber threats.
-
In accordance with TD P 85-01, the CIO (or designee) shall:
-
Perform annual FISMA activity reviews;
-
Review the results of the annual FISMA activity reviews, including any weaknesses for inclusion in the IRS' Plan of Action and Milestones (POA&Ms); and
-
Coordinate with the Designated Approving Authorities (DAAs) regarding the security posture of IT resources.
-
-
In accordance with NIST guidance, the CIO shall:
-
Designate a Senior Agency Information Security Officer (SAISO) who shall carry out the CIO’s responsibilities for system and program security assessments;
-
Develop and maintain an agency-wide information security program including information security policies, procedures, and control techniques to address all applicable requirements;
-
Manage the identification, implementation, and assessment of common security controls;
-
Ensure compliance with applicable information security requirements;
-
Ensure that personnel with significant responsibilities for system and program security assessments are trained;
-
Assist senior agency officials with their responsibilities for system and program security assessments;
-
Report annually to the agency head on the effectiveness of the agency information security program, including progress of remedial actions;
-
Encourage the maximum reuse and sharing of security-related information, including: 1) Threat and vulnerability assessments; 2) Risk assessments; 3) Results from common security control assessments; and 4) Any other general information that may be of assistance to information system owners and their supporting security staffs; and
-
Determine the appropriate allocation of resources dedicated to the protection of the agency's information systems based on organizational priorities.
-
-
The SAISO is the agency official responsible for serving as the CIO's primary liaison to the agency's information system owners and information system security officers. At the IRS, the Chief, Mission Assurance and Security Services (MA&SS) is the SAISO.
-
In accordance with NIST and TD P 85-01, the SAISO shall:
-
Ensure that IT system Certification and Accreditation (C&A) reports and risk analyses are conducted by each DAA;
-
Review IRS business cases and budget submissions to ensure that IT security requirements are addressed and adequately resourced;
-
Establish an IRS IT security oversight program to ensure that the security procedures and requirements are in compliance with Department of Treasury and IRS policies and standards;
-
Conduct security audits, verifications and acceptance checks and maintain documentation on the results;
-
Provide oversight of the Plan of Action and Milestones (POA&M) process for all IT security weaknesses and provide a quarterly status to the Department of Treasury through the IRS CIO;
-
Coordinate the implementation of logical access controls in operating systems, relational database management systems (RDBMS), remote terminals, and IT applications;
-
Provide IT and facility technical and nontechnical (e.g., physical and personnel security) certification support to any Information System Owner;
-
Prepare and submit a written report for all technical security exceptions. The report shall outline the risks and vulnerabilities and/or advantages that could result from granting the exception or from implementing any alternative. Maintain a file of all approved IT facility security-related exceptions;
-
Ensure that risk analyses are conducted at least every 3 years, or when major changes occur, for IT systems and applications processing sensitive information;
-
Ensure that contingency plans for IT systems processing sensitive information are developed, maintained and tested;
-
Develop each certification letter, citing risks and mitigations, along with an Authorization to Operate (ATO) or Interim Authorization to Operate (IATO) recommendation to the DAA;
-
Review and approve security Certification & Accreditation (C&A) package artifacts;
-
Be a voting member on the Configuration Control Board (CCB) for the IRS' IT architecture;
-
Review contract vehicles to ensure they address appropriate security measures; and
-
Define and implement performance metrics to evaluate the effectiveness of the IT security program.
-
-
The SAISO shall maintain an inventory of major applications and General Support Systems (GSSs). This inventory shall contain, at a minimum: the system name, platform, and type (major application or GSS); classification level, if applicable; its interfaces and interconnections; whether it is an IT critical asset; and the dates of the last vulnerability test, risk assessment, and C&A.
-
The certification agent is an individual, group, or organization responsible for conducting a security certification, that is, a comprehensive assessment of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. At the IRS, this role is assigned to the Chief, Mission Assurance and Security Services (MA&SS).
-
In accordance with NIST, the Chief, MA&SS shall:
-
Provide recommended corrective actions to reduce or eliminate vulnerabilities in the information system.
-
Be independent from the persons directly responsible for the development of the information system and the day-to-day operation of the system.
-
Be independent of those individuals responsible for correcting security deficiencies identified during the security certification.
-
-
Circular A-130, Appendix III, Security of Federal Automated Information Resources, states that executive agencies within the federal government shall:
-
Plan for security in all phases of the system life cycle;
-
Ensure appropriate officials are assigned security responsibility;
-
Review security controls annually (i.e., FISMA annual security program review); and
-
Formally authorize (accredit) processing prior to operations (as a Designated Approving Authority (DAA)) and periodically thereafter.
-
-
FISMA, Office of Management and Budget (OMB) guidance, and Department of Treasury FISMA guidance specify that senior agency or program officials, who are subordinate to the Commissioner, shall be responsible for:
-
Exercising oversight to ensure that a program manager is assigned for each system;
-
Exercising oversight over Security Awareness Training and Education (ATE) funding; and
-
Annually validating and updating the master inventory of information systems.
-
-
The DAA for a General Support System (GSS) or major application shall be a senior executive or senior management official.
-
Senior officials shall be responsible for balancing mission and business priorities against any applicable security risks and for formally authorizing the operation of an information system (this is known as security accreditation).
-
The Information System Owner is the agency official responsible for the overall procurement, development, integration, modification, and operation and maintenance of the information system. At the IRS, the Information System Owner is the Business and Functional Unit Owner.
-
In accordance with NIST, FISMA and TD P 85-01, the Business and Functional Unit Owner shall:
-
Be responsible for all funding and ultimate prioritization of activities within their respective units.
-
Develop organizational assignments and operational procedures to implement the roles and responsibilities defined in this policy.
-
Be the official responsible for the overall procurement, development, integration, modification, operation, and maintenance of an information system or application.
-
Be knowledgeable in the nature of the information and process supported by the application and in the management, operational, and technical controls used to protect it.
-
In accordance with FISMA requirements, include security requirements in their capital planning and investment business cases.
-
Ensure security requirements are adequately funded and documented in accordance with OMB Circular A-11.
-
Serve as, or designate, a "user representative" who represents the operational interests of the user community and serves as the liaison for that community throughout the system development life cycle;
-
Own the business case, which is a product of the Enterprise Life Cycle (ELC), and formally propose the continuation of the project by submitting the related funding requests;
-
Initiate and manage C&A activities to ensure they are performed appropriately and on time;
-
Plan and coordinate activities within his/her organization required to complete C&A, FISMA reviews, and POA&M development;
-
Ensure full and current documentation of the information system in the system security plan and other associated C&A documentation;
-
Ensure submission of all C&A documents to MA&SS;
-
Complete the annual review of system security controls for the annual FISMA system security program review;
-
Conduct annual testing of the system;
-
Combine and review all security weaknesses from the self-assessment, risk assessment, Treasury Inspector General for Tax Administration (TIGTA) audits, Government Accountability Office (GAO) audits, and internal reviews into the POA&M;
-
Coordinate the completion of the Self-Assessment Questionnaire with appropriate organizations and provide the consolidated assessment to the PMO;
-
Propose changes to the information systems including hardware, software, and surrounding environment as part of the POA&M activities;
-
Ensure risks to IRS operations and assets are identified, documented, assessed, and appropriately managed (See IRM 10.8.1 for certification);
-
Assess the business impact of a weakness occurring as part of the POA&M activities;
-
Determine the corrective actions to mitigate the weakness and the associated cost, time, and resources;
-
Based on the threat, the probability of occurrence, the business and technical impact, and the cost, time, and resources necessary to mitigate, prioritize the weaknesses into High (H), Medium (M), and Low (L) categories and note the priority on the POA&M as appropriate;
-
Implement corrective actions to mitigate weaknesses assigned to the BO;
-
Track the mitigation of the weaknesses in the POA&M through status updates, changes to milestones and additional comments;
-
Test and validate the effectiveness of the corrective actions;
-
Plan and manage the development and execution of the POA&M to ensure all identified security weaknesses are documented, assessed, prioritized, and managed;
-
Provide quarterly POA&M status reports to PMO for submission to MA&SS;
-
Implement and manage a change control process in conjunction with Modernization and Information Technology Services (MITS) to ensure that changes to the system or its environment are appropriately documented, authorized, tested, and implemented;
-
Ensure least-privilege system access controls and administration are in compliance with policy;
-
Ensure that appropriate technical, administrative, physical, and personnel security requirements in specifications for the acquisition or operation of information systems are reviewed and approved by the management official responsible for security at the facility operating the information system; and
-
Confirm the required deliverables of the C&A package with MA&SS.
-
-
The IRS Business and Functional Unit Owners (including MITS) are responsible for the information security of their Contractor Systems. In accordance with FISMA, the Business and Functional Unit Owners shall:
-
Conduct an annual FISMA Contractor Review of the contractor's facility and systems;
-
Perform continuous monitoring and maintain a Plan of Action and Milestones (POA&M) for their FISMA Contractor Systems in accordance with NIST SP 800-37 and SP 800-53 guidance; and
-
Provide funding to conduct the annual FISMA Contractor reviews.
-
-
For Disaster Recovery (DR) / Business Resumption (BR), the Business and Functional Unit Owner shall cooperate with the other business units and the area/site managers to develop, maintain, and validate effective, comprehensive plans. At a minimum, the Owner shall coordinate with other appropriate business units and shall be responsible to:
-
Fully describe and document the information system in the IT Contingency Plan (ITCP);
-
Clearly define system and application priorities, subsequent needs, and related risk acceptance or avoidance for recovery and BR, accounting for possible degrading of computer processing capabilities;
-
Acquire and transport replacement equipment required to restore operations;
-
Acquire space for processing operation to include occupation of an alternate processing facility when necessary; and
-
Estimate supplies and office equipment needed to support a computer processing operation occupying an alternate processing facility when appropriate.
-
-
For additional DR/BR requirements, the system owner shall:
-
Determine recovery needs and time frames needed for business restoration through comprehensive business impact analysis evaluations;
-
Determine what data needs to be recovered and the priority order for recovery;
-
Develop DR requirements during the development phase of all new systems and throughout any production system upgrades;
-
Provide the funding for the DR equipment/space/storage needed to meet the recovery goals (set by the business);
-
Fully describe and document the details of the information system in the IT Contingency Plan (ITCP) that is required by FISMA for each major system;
-
Clearly define system and application priorities, subsequent needs, and related risk acceptance or avoidance for recovery and BR;
-
Support expeditious acquisition and transportation of replacement equipment required to restore operations;
-
Support the development of processing priorities for completion of work following emergencies that degrade computer processing capabilities;
-
Ensure ITCPs and DR plans for all applications and systems are tested annually;
-
Work jointly with MITS and MA&SS in the development and testing of DR plans to ensure business continuity; and
-
Work jointly with MITS and MA&SS in the testing of the DR plans to ensure availability of data from the recovered system.
-
-
In collaboration with the Business and Functional Unit Owner, the MITS organization shall:
-
Develop security controls for systems and applications;
-
Conduct annual testing of the systems and applications;
-
Test and validate the effectiveness of corrective actions;
-
Ensure IT contingency planning and DR requirements are addressed for all applications and systems owned by MITS;
-
Mitigate technical vulnerabilities and validate fixes;
-
Implement corrective actions to mitigate weaknesses assigned to MITS;
-
Create and implement configuration management plans that control changes to systems and applications during development; and
-
Track security flaws, require authorization of changes, and provide documentation of the configuration management plan and its implementation.
-
-
For Disaster Recovery (DR) / Business Resumption (BR), the MITS organization shall:
-
Jointly develop the detailed content of each DR plan to include recovery of the system, the application, and the associated data, including all platforms applicable to the system/application;
-
Ensure requirements, priorities, recovery times, and costs of each DR plan are appropriate and achievable;
-
Exercise and execute each DR plan;
-
Maintain and update the content of the DR plans;
-
Support procurement activities to enhance DR capabilities to meet stated business objectives;
-
Maintain DR equipment located at MITS locations for the business units;
-
Establish DR location(s) based on FISMA and NIST DR policy and requirements;
-
Ensure offsite storage of data needed for recovery and ongoing backup of data;
-
Establish a schedule and notify MA&SS IT Security Field Operations of the schedule for coordinating DR tests throughout the year;
-
Annually test each major system and establish DR testing priorities; and
-
Work with business units and MA&SS to resolve (if possible) issues identified during DR testing or document reasons/risk/impact.
-
-
The Business System Planner (BSP) shall perform duties outlined for Senior Management Executives.
-
The Security Program Officers (PMOs) have been established within the Business Units and MITS to support their Designated Approving Authority (DAA) and other staff with the successful completion of that office’s security related responsibilities, including the successful completion of all FISMA requirements.
-
The Security PMO shall support the BSP functions, the System Owner, and FISMA activities, and shall provide administrative support for other security activities.
-
When there is no Information Systems Security Officer (ISSO) assigned for an application, the Security PMO shall assume the role of the ISSO.
-
In support of FISMA, the Security PMO shall:
-
Ensure development and implementation of the IRS Security Program strategy to meet FISMA requirements;
-
Ensure currency of the FISMA Master Inventory;
-
Coordinate and ensure completion of annual security reviews;
-
Make security determinations (such as prioritization) for weakness reporting;
-
Ensure completion and DAA approval for POA&Ms;
-
Collaborate with other PMOs to ensure consistency of FISMA activities across business units;
-
Serve as the "Security Help Desk" contact for all their business unit staff supporting FISMA;
-
Identify needs for, and deliver, IT security awareness training to current and newly assigned personnel in the business unit; and
-
Present all training and orientation materials to DAAs and various Points of Contact (POCs).
-
-
For weaknesses and POA&Ms, the Security PMO shall:
-
Identify and track, with ISSO support, the corrective actions to mitigate the weaknesses in the POA&M through status updates, changes to milestones, and additional comments;
-
Identify the scheduled completion date, cost, and resources needed to mitigate each weakness;
-
Validate the effectiveness of the corrective actions;
-
Combine and review all high-level security weaknesses from the self-assessment, risk assessment, TIGTA audits, GAO audits, and internal reviews into the POA&M;
-
As determined by their business unit, consolidate self-assessment scores for their business unit applications then brief POCs and DAAs on results; and
-
Support the development of answers to the self-assessment questions that cross multiple business units.
-
-
The information owner is an agency official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal. At the IRS, the Information Owner is the Business and Functional Unit Owner.
-
In accordance with NIST and TD P 85-01, the Business and Functional Unit Owner shall:
-
Establish the rules for appropriate use and protection of the subject information (e.g., rules of behavior);
-
Retain responsibility for the information even when the information is shared with other organizations; and
-
Provide input to information system owners regarding the security requirements and security controls for the information systems where the information resides.
-
-
The Designated Approving Authority (DAA), authorizing official, or accrediting official, is a senior management executive with the authority to formally assume responsibility for operating a system at an acceptable level of risk.
-
In accordance with NIST and TD P 85-01, the DAA shall:
-
Conduct a risk assessment of all equipment capable of storing or transmitting data before connecting it to an IRS system or network;
-
Apply adequate countermeasures before connecting the equipment to an IRS system or network;
-
Decide, through the C&A process, whether to allow or disallow equipment to be connected to an IRS system or network; and
-
Document interconnections with external networks in an Interconnection Security Agreement (ISA) signed by both DAAs.
-
-
In accordance with NIST guidance, the DAA shall:
-
Oversee the budget and business operations of the information system within the agency, and approve, when called upon, system security requirements, system security plans, and memorandums of agreement and/or memorandums of understanding;
-
Issue an Interim Authorization to Operate (IATO) for the information system under specific terms and conditions;
-
Deny Authorization to Operate (ATO) for the information system (or, if the system is already operational, halt operations) if unacceptable security risks exist; and
-
Report to the Business and Functional Unit Owner and manage the day-to-day activities of the system for the owner.
-
-
The DAA shall also:
-
Ensure that BO responsibilities are assigned within their organization for each system;
-
Obtain and maintain C&A for his/her systems and applications;
-
Sign the Accreditation Letter and assume responsibility and accountability for operating a system at an acceptable level of risk; and
-
Ensure that C&A documentation is current.
-
-
The DAA can delegate performance of his or her responsibilities to a designated representative except for the signature of the accreditation letter.
-
The DAA shall also:
-
Determine information sensitivity in accordance with NIST special publication guidance on security;
-
Coordinate with the CIO regarding the security requirements of the sensitive information and provide definitive directions to IT developers or owners relative to the risk in the security posture of the IT system;
-
Respond to self-assessment questions assigned;
-
Decide on accepting the minimum security safeguards (requirements) prescribed for an IT system;
-
Implement all applicable protection policies as required by the Business system owner;
-
Ensure that risk analysis responsibilities are accomplished in accordance with this policy;
-
Ensure development of the documentation required for certification and ensure delivery to MA&SS, which is supporting the CIO;
-
Evaluate security impact of any facility-unique patches or system modifications and approve those that do not adversely affect system security;
-
Report immediately to MA&SS any condition that appears to invalidate a certification;
-
Ensure that current copies of approved C&A or IATO documentation are distributed to the organizations with a need to know as outlined in C&A processes;
-
Ensure that all acquisitions of goods or services provide for information security, personnel security and physical security; and
-
Own the results of contracted and outsourced efforts for which the DAA(s) provided funding.
-
-
The DAA shall approve the physical removal of Sensitive But Unclassified (SBU) information from IRS facilities in writing prior to its removal.
-
The DAA shall approve the download, and remote storage of SBU information outside of IRS facilities in writing prior to the action.
-
The DAA shall have the authority to deny, terminate, or alter access to a system or application if the level of risk is increased by granting such access.
-
The only activity that shall not be delegated by the DAA is the security accreditation decision and the signing of the associated accreditation decision letter (i.e., the acceptability of risk to the agency).
-
When normal day-to-day activities do not allow the DAA to perform the required risk-based activities, the DAA may delegate them, other than the accreditation decision itself, through the designation of an Accrediting Official Designated Representative.
-
The Information Systems Security Officer (ISSO) is responsible to the authorizing official, information system owner, or SAISO for ensuring that the appropriate operational security posture is maintained for an information system or program.
-
In accordance with NIST and TD P 85-01, the Information Systems Security Officer (ISSO) shall:
-
Be appointed in writing;
-
Be responsible for the coordination of activities that facilitate the confidentiality, integrity, and availability of assigned IRS systems and applications; and
-
Accomplish these duties through the planning, analysis, development, implementation, maintenance, and enhancement of MA&SS information systems security programs, policies, procedures, and tools consistent with Department of Treasury, FISMA, and NIST guidelines.
-
-
The ISSO shall also:
-
Support the DAA in day-to-day management of an enterprise risk management capability that incorporates the specific GSS or application;
-
Be a voting member on the Change Control Board (CCB) for the systems and applications for which the DAA is responsible;
-
Ensure current security plans and contingency plans exist;
-
Ensure Disaster Recovery (DR) / Business Resumption (BR) planning and testing occurs;
-
Facilitate testing of corrective action effectiveness, system security controls, and any other security testing;
-
Facilitate local reviews to ensure that media controls are in place and effectively implemented; background screening requests for individuals in sensitive positions are submitted on time; and adequate physical security controls are implemented;
-
Provide an early warning to appropriate personnel, assisting with (or in) the tasks necessary to plan, allocate resources, and conduct any required security re-certification and accreditation;
-
Assist in identification of IT and security resources which support critical operations;
-
Coordinate activities relating to the security posture of the GSS or application with responsible organizations;
-
Periodically report the status of the security posture of the GSS or application to the ISSM and the DAA;
-
Recommend (dis)approval of deviations from policy for the systems or applications for which they are responsible;
-
Analyze the proposed changes to the systems and applications (including hardware, software, and surrounding environment) to determine needs for re-certification;
-
Coordinate the C&A packages with the DAA; and
-
Participate in role-based training opportunities provided by the ISSM.
-
-
The ISSO shall support the Security PMO and FISMA activities.
-
First Line Managers are responsible for day-to-day security awareness activities, in accordance with IRM 1.4.1, Resource Guide for Managers, Management Roles and Responsibilities. First Line Managers are also referred to as Front Line Managers.
-
In accordance with IRM 1.4, Resource Guide for Managers, First Line Managers shall:
-
Enforce the clean desk policy;
-
Sign Form 11370, Certification of Annual UNAX Awareness Briefing, or a comparable document/process;
-
Promptly notify the responsible organization, via Form 5081, of changes in a user's status (e.g., terminations, transfers). The responsible organization shall immediately suspend, cancel, and/or adjust all access privileges associated with the user's change in status; and
-
Receive Security Awareness Training and Education (ATE). Detailed training requirements for management are stated in IRM 10.8.1.
-
-
The Contracting Officer is responsible for managing contracts/acquisitions and overseeing their implementation, in accordance with IRM 1.1.17, Organization and Staffing, Agency-Wide Shared Services.
-
In accordance with IRM 1.1.17, the Contracting Officer shall:
-
Work in partnership with the SAISO to ensure that agency contracting policies adequately address the information security requirements;
-
Coordinate with the SAISO to ensure that all agency contracts and procurements are compliant with the agency’s information security policy;
-
Ensure that all personnel with responsibilities in the agency’s procurement process are properly trained in information security; and
-
Collaborate with the SAISO to monitor contract performance for compliance with the agency’s information security policy.
-
-
The Contracting Officer's Technical Representative (COTR) is a qualified employee appointed by the Contracting Officer to act as the Contracting Officer's technical representative in managing the technical aspects of a particular contract.
-
The COTR shall:
-
Develop security requirements for hardware, software, and services acquisitions specific to the IT security program;
-
Develop the system termination plan to ensure that IT security breaches are avoided during shutdown and that long-term protection of archived resources is achieved;
-
Ensure hardware, software, data, and facility resources are archived, sanitized, or disposed of in a manner consistent with the system termination plan;
-
Determine if contractors require IT access in the accomplishment of their mission;
-
Ensure that contractors comply with this policy and pursue appropriate action for noncompliance;
-
Review and authorize access privileges for contractors, and review user security agreements at least annually to verify the continuing need for access, the appropriate level of privileges, and the accuracy of the information contained in the agreement;
-
Notify system owners to revoke access privileges in a timely manner when a contractor under his/her supervision or oversight no longer requires access privileges, requires a change in access privileges, or fails to comply with stated policies or procedures;
-
Ensure that contracts for information systems contain FISMA security language; and
-
Ensure that reviews of contractor facilities and systems are conducted annually, in accordance with FISMA and with NIST SP 800-37 and SP 800-53 guidance.
-
-
The Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, November 28, 2000, requires agencies to ensure consistency with Federal, agency, and bureau Enterprise Architectures and to demonstrate consistency through compliance with agency business requirements and standards. The Enterprise Architect is a highly experienced IT architect who has a broad and deep understanding of the agency's overall business strategy and general IT trends and directions. The role of Enterprise Architect is assigned to the MITS, Enterprise Services organization.
-
In accordance with OMB Circular A-130, the Enterprise Architect shall:
-
Lead agency enterprise architecture development and implementation efforts;
-
Collaborate with lines of business within the agency to ensure proper integration of lines of business into enterprise architecture;
-
Participate in agency strategic planning and performance planning activities to ensure proper integration of enterprise architecture;
-
Facilitate integration of information security into all layers of enterprise architecture to ensure agency implementation of secure solutions; and
-
Work closely with program managers, the Senior Agency Information Security Officer (SAISO), and business owners to ensure that all technical architecture requirements are adequately addressed by applying the Federal Enterprise Architecture (FEA) and the Security and Privacy Profile (SPP).
-
-
To provide a sound leadership structure linked to OMB's financial management responsibilities, the Chief Financial Officers (CFO) Act of 1990 created chief financial officer positions in 23 major agencies. The CFO is the senior financial advisor to the Investment Review Board (IRB) and the agency head. Information security investments fall within the purview of the CFO and are included in the CFO's reports.
-
In accordance with the CFO Act, the CFO shall:
-
Review cost goals of each major information security investment;
-
Report financial management information to OMB as part of the President’s budget;
-
Comply with legislative and OMB-defined responsibilities as they relate to IT capital investments;
-
Review systems that impact financial management activities; and
-
Forward investment assessments to the IRB.
-
-
The Privacy Act of 1974 mandates that each United States Government agency have in place an administrative and physical security system to prevent the unauthorized release of personal records. The role of the Privacy Officer is defined in accordance with the Privacy Act. This role within the IRS is assigned to the MA&SS, Director of Privacy and Information Protection.
-
The Director of Privacy and Information Protection is responsible for privacy compliance across the IRS, including privacy compliance measures that apply to information security assets and activities. The Director of Privacy and Information Protection will work to maintain a balance between security and privacy requirements and ensure that one is not compromised for the sake of the other.
-
The Director of Privacy and Information Protection shall:
-
Develop, promote, and support the organization’s privacy programs;
-
Encourage awareness of potential privacy issues and policies; and
-
Review and implement privacy regulations and legislation.
-
-
The physical security office is usually responsible for developing and enforcing appropriate physical security controls, in consultation with computer security management, program and functional managers, and others, as appropriate. The role of the Physical Security Officer is established in accordance with NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook. This role is assigned to the MA&SS, Director of Physical Security and Emergency Preparedness.
-
The Director of Physical Security and Emergency Preparedness is responsible for the overall implementation and management of physical security controls across the IRS, including integration with applicable information security controls.
-
The Director of Physical Security and Emergency Preparedness shall:
-
Develop, promulgate, implement, and monitor the organization’s physical security programs, to include appropriate controls for alternate work sites;
-
Ensure organizational implementation and monitoring of access controls (i.e., authorization, access, visitor control, transmission medium, display medium, logging);
-
Coordinate organizational environmental controls (i.e., ongoing and emergency power support and backups, fire protection, temperature and humidity controls, and water damage protection); and
-