
10.8.3  Audit Logging Security Standards

10.8.3.1  (08-01-2007)
Purpose

  1. This manual provides policies and guidance to be used by Internal Revenue Service (IRS) organizations to carry out their respective responsibilities in information systems security to ensure auditing controls are integrated and used appropriately for all IRS systems.

10.8.3.1.1  (08-01-2007)
Overview

  1. All users (e.g., IRS employees, contractor employees, external trading partners) of IRS IT resources are expected to comply with the policies, procedures, and guidance addressed in this manual.

10.8.3.1.2  (08-01-2007)
Scope

  1. This IRM establishes IRS-wide policy for the collection and processing of computer generated event logs, hereafter referred to as "audit trails" or "audit logs." This IRM does not address general IT system assessments. Refer to IRM 10.8.1 for information regarding IT system assessments.

  2. Audit logging security shall apply to all IRS systems.

  3. IRS systems subject to this IRM include, but are not limited to:

    1. Unisys and IBM mainframe systems;

    2. UNIX and Linux operating systems;

    3. Windows-based operating systems, including workstations and servers; and

    4. Networking and telecommunications systems and devices including routers, switches, firewalls, gateways, voice and data systems, and other networking devices.

  4. Audit requirements apply to all aspects of a respective system including, but not limited to:

    1. Operating systems,

    2. Database systems,

    3. Applications, and

    4. Files.

  5. The provisions in this manual apply to all offices, business, operating and functional units within the IRS, external trading partners, as well as vendors with contractual arrangements with the IRS, and are to be applied when information technology is used to accomplish the IRS mission. This manual also applies to individuals and organizations having contractual arrangements with the IRS, including employees, contractors, vendors, and outsourcing providers, which use or operate information technology systems containing IRS data.

10.8.3.1.3  (08-01-2007)
IRM Topics

  1. This manual contains information on the following subjects:

    • Authority

    • General Policy

    • Management Controls

    • Operational Controls

    • Technical Controls

    • Deviations

    • Security Audit Response (see Exhibit 10.8.3-1)

    • Auditable Events (see Exhibit 10.8.3-2)

    • Required Data for Auditable Events (see Exhibit 10.8.3-3)

    • Audit Trail/Log Requirements Checklist (see Exhibit 10.8.3-4)

    • Glossary (see Exhibit 10.8.3-5)

    • References (see Exhibit 10.8.3-6)

10.8.3.1.4  (08-01-2007)
Authority

  1. IRM 10.8.1, Information Technology (IT) Security Policy and Guidance, establishes the security program and the policy framework for the IRS.

10.8.3.2  (08-01-2007)
General Policy

  1. Audit trails shall maintain a record of system activity both by system and application processes and by user activity of systems and applications. In conjunction with appropriate tools and procedures, audit trails can assist in detecting security violations, performance problems, and flaws in applications.

  2. Audit trails shall be used by IRS system administrators to ensure the system and its resources are operating as intended.

  3. Audit trails shall be used by security specialists as a means to help accomplish several security-related objectives, including individual accountability, reconstruction of events (actions that happened on a computer system), intrusion detection (of hackers, unauthorized users or disgruntled insiders, etc.) and problem analysis.

10.8.3.2.1  (08-01-2007)
Roles and Responsibilities

  1. IRM 10.8.2, Information Technology Security Roles and Responsibilities, defines IRS-wide roles and responsibilities related to IRS information and computer security, and is the authoritative source for such information.

  2. The supplemental requirements provided below are specific to the implementation of IRS auditing security. Refer to IRM 10.8.2 for additional information regarding organizational and individual responsibilities related to information and computer security.

10.8.3.2.1.1  (08-01-2007)
Information System Owner

  1. The Information System Owner is the agency official responsible for the overall procurement, development, integration, modification, and operation and maintenance of the information system as defined by IRM 10.8.2. At the IRS, the Information System Owner is the Business and Functional Unit Owner.

  2. Business and Functional Unit Owners shall ensure that an audit plan is developed for each IRS system, in accordance with this IRM.

  3. Business and Functional Unit Owners shall ensure that audit logs are collected and maintained for each IRS system, in accordance with this IRM.

10.8.3.2.1.2  (08-01-2007)
Associate Chief Information Officer (ACIO), Cybersecurity

  1. ACIO Cybersecurity shall maintain and provide updates to this IRM, in accordance with IRM 10.8.2 and other applicable IRS policies.

  2. ACIO Cybersecurity shall develop Guidelines, Standards, and Procedures (GSP) documentation, consistent with the requirements of this IRM, to describe platform-specific files, permissions, and other configuration settings necessary to comply with this IRM.

10.8.3.2.1.3  (08-01-2007)
Modernization and Information Technology Services (MITS)

  1. Per IRM 10.8.2, MITS shall be responsible for developing security controls for systems and applications.

  2. MITS shall develop and implement an IRS-wide time server, as described in IRM 10.8.3.5.1.7.

10.8.3.2.1.4  (08-01-2007)
System, Network, and Database Administrators

  1. IRS System Administrators (SAs), Network Administrators (NAs), and Database Administrators (DBAs) each have established responsibilities for maintaining the configuration of IRS information technology devices and software, as defined by IRM 10.8.2.

  2. SAs, NAs, and DBAs shall enable and configure audit logging on all IRS systems in accordance with this IRM and IRM 10.8.2.

10.8.3.2.1.5  (08-01-2007)
Security Specialists

  1. Security Specialists are the primary users of this IRM, and are the primary reviewers of system audit log information. IRM 10.8.2 requires Security Specialists to review system audit logs/trails, and observe system activity to detect inappropriate user and system actions that could be construed as security incidents.

  2. Security Specialists shall be familiar with the requirements and procedures specified in this IRM and its exhibits.

  3. Security Specialists shall notify their management of any implementation discrepancies between the requirements of this IRM and the actual audit logging status of systems that the Security Specialists support.

  4. Security Specialists shall follow any applicable organizational-level incident reporting procedures (such as contacting management, system administrators, or the Computer Security Incident Response Center) in the event that evidence of suspicious activity is discovered in the course of reviewing security audit log information.

10.8.3.2.2  (08-01-2007)
Audit Trails for Systems which Store or Process Taxpayer Data

  1. Confidentiality requirements for tax returns and return information (hereafter referred to as "taxpayer data") are established by Section 6103 of the Internal Revenue Code (26 USC 6103) and the Taxpayer Browsing Act of 1997 (Public Law 105-35). These confidentiality requirements are further supplemented in detail by IRM 11.3, Disclosure of Official Information, and IRM 10.8.5, Unauthorized Access (UNAX).

  2. Information technology applications and systems which process or store taxpayer data shall implement the security audit automatic response requirements identified in Exhibit 10.8.3-1, collection of auditable events as defined in Exhibit 10.8.3-2, and collection of required data as defined in Exhibit 10.8.3-3.

  3. In addition to the requirements of (2) above, applications which process any type of or subset of taxpayer data shall capture and record the following application transactional information in audit trails:

    1. Employee and contractor transactions that add, delete, modify, or research a tax filer’s record;

    2. Employee and contractor transactions that add, delete, modify, or research an employee’s record (personnel and financial);

    3. Employee and contractor transactions that add, delete, modify, or research an employee’s access to Employee User Portal (EUP), including changes to EUP roles or sub-roles;

    4. Any system transactions that alter an employee’s access to the EUP, or a system’s or application’s role or sub-role;

    5. Any employee or contractor transactions identified by the system owner as requiring additional oversight; and

    6. Any third party transactions identified by the system owner as requiring additional oversight.

  4. Audit trail records for the transactions identified in (3) above shall include the following data elements, where applicable: the type of event (e.g., command code), the terminal and employee identification, date and time of input, and account accessed, including the taxpayer identification number (TIN), master file tax (MFT), and tax period.

  5. Audit trail information pertaining to possible or suspected unauthorized access (UNAX) violations shall be forwarded to appropriate organizations for investigation, as specified in the UNAX IRM.

  6. Audit trail archival logs for data covered by (3) and (4) above shall be retained for six (6) years, unless otherwise specified by a formal Records Retention Schedule developed in accordance with IRM 1.15, Records Management.

10.8.3.3  (08-01-2007)
Management Controls

  1. Management controls focus on the management of the risk for an application or system and the management of computer security controls to mitigate that risk. See IRM 10.8.1 for general information and computer security management control requirements.

  2. This section provides management control requirements pertaining to audit logging and audit log security in the following areas that supplement the requirements of IRM 10.8.1:

    1. Risk Assessment;

    2. Planning; and

    3. Certification, Accreditation, and Security Assessments.

  3. Managers shall advise their staff that all personnel covered by this IRM are personally accountable for their actions, and that user actions are tracked by audit trails.

10.8.3.3.1  (08-01-2007)
Risk Assessment

  1. Risk assessments of the auditing controls in IRS systems shall be conducted using the Audit Trail/Log Requirements Checklist provided in Exhibit 10.8.3-4.

  2. Deficiencies in conformance to the Audit Trail/Log Requirements Checklist by applications or GSSs shall be documented in risk assessment reports and brought to the attention of the system’s Designated Accrediting Authority (DAA).

10.8.3.3.2  (08-01-2007)
Planning

  1. Business and Functional Unit Owners shall create an audit plan before implementing audit policy. The audit plan shall detail the purpose and objectives of the audit. The audit plan shall:

    1. Detail scope of the audit;

    2. Describe the type of information to be audited;

    3. Describe when and how much time is available to review audit logs;

    4. Detail the resources available for collecting and storing audit logs;

    5. Describe what type(s) of auditable events will be collected;

    6. Provide technology-specific implementation guidelines and tool-specific parameters requirements;

    7. Document the required retention period for online audit logs; and

    8. Document the required retention period for archived audit logs.

  2. Business and Functional Unit Owners shall consider the resources they have available for collecting and reviewing audit logs.

  3. The Audit Trail/Log Requirements Checklist in Exhibit 10.8.3-4 shall be used by system owners, project managers, application managers, system administrators, security administrators, and other information software/systems development and maintenance professionals as a validation tool for documenting compliance with this IRM.

10.8.3.3.3  (08-01-2007)
Certification, Accreditation, and Security Assessments

  1. Information system certification shall include an assessment of the auditing security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome.

  2. The security controls in information systems shall be monitored on an ongoing basis.

10.8.3.4  (08-01-2007)
Operational Controls

  1. Operational controls address security mechanisms that primarily are implemented and executed by people as opposed to systems. They often require technical or specialized expertise and rely on management activities as well as technical controls. See IRM 10.8.1 for general information and computer security operational control requirements.

  2. This section provides operational control requirements pertaining to audit logging and audit log security in the following areas that supplement the requirements of IRM 10.8.1:

    1. Contingency Planning;

    2. Configuration Management;

    3. System and Information Integrity; and

    4. Incident Response.

10.8.3.4.1  (08-01-2007)
Contingency Planning

  1. Recovery operations to restore audit records shall be reflected in the Information Technology Contingency Plan (ITCP) and incorporated into recovery operational procedures, and shall be tested and validated on a regular basis to ensure the viability of the process.

10.8.3.4.2  (08-01-2007)
Configuration Management

  1. System procedures for archiving audit log files and associated database files shall include procedures to archive log files using a scheduled service or job. Administrators for the systems in question shall be responsible for developing and implementing the archiving procedures.

  2. Archival of audit files shall be maintained in the same format and context as the operating system which created the audit files.

10.8.3.4.3  (08-01-2007)
System and Information Integrity

  1. Audit logs shall be maintained and archived in such a way as to allow for efficient and effective retrieval, viewing, and analysis, and shall be protected from corruption, alteration, or deletion.

10.8.3.4.4  (08-01-2007)
Incident Response

  1. All IRS organizations shall report Cybersecurity-related incidents to the Computer Security Incident Response Center (CSIRC).

  2. CSIRC shall provide a comprehensive list of incidents requiring CSIRC reporting to security administrators and system administrators, auditors, and resource owners. See Exhibit 10.8.3-7 for references to auditable events in this manual. Incident reporting procedures are contained in IRM 10.8.1 and the IT Computer Security Incident Reporting Policy.

10.8.3.5  (08-01-2007)
Technical Controls

  1. Technical Controls focus on the security controls that the computer system executes. These controls provide automated protection from unauthorized access or misuse, facilitate detection of security violations, and support security requirements for the systems or applications. The implementation of technical controls should be consistent with the management of security within the organization. See IRM 10.8.1 for general information and computer security technical control requirements.

  2. This section provides technical control requirements pertaining to audit logging and audit log security.

10.8.3.5.1  (08-01-2007)
Audit and Accountability

  1. The IRS shall create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity.

10.8.3.5.1.1  (08-01-2007)
Auditable Events

  1. All IRS systems shall capture and record the auditable events listed in Exhibit 10.8.3-2.

  2. The security events listed in Exhibit 10.8.3-2 shall require an automated (i.e., automatic) response as specified by Exhibit 10.8.3-1.

  3. Administrators of IRS systems shall implement necessary software configuration changes and install necessary software tools to bring IRS systems into compliance with the requirements defined in Exhibit 10.8.3-1 and Exhibit 10.8.3-2.

10.8.3.5.1.2  (08-01-2007)
Content of Audit Records

  1. Audit trails for all IRS systems and applications shall capture, at minimum, the following data for each auditable event:

    1. Date and time that the event occurred;

    2. The unique identifier (e.g., user name, SID, application name) of the user or application initiating the event;

    3. Type of event;

    4. Subject of the event (e.g., the user, file, or other resource affected) and the action taken on that subject; and

    5. The outcome status (success or failure) of the event.

  2. Refer to Exhibit 10.8.3-3 for additional environment-specific requirements regarding the content of audit records.

10.8.3.5.1.3  (08-01-2007)
Audit Storage Capacity

  1. Per IRM 10.8.1, administrators of IRS systems shall ensure that sufficient online storage space is available to capture all auditable events.

  2. In the event that online log files consume all of a system’s available storage capacity, administrators shall copy online log data to archive media before clearing logs.

  3. Systems shall provide an automated alert before capacity becomes a critical issue.

  4. Back-ups of audit logs shall be validated before off-site storage.

  5. Exhibit 10.8.3-1 provides additional guidance on storage capacity management under the security event titled "Security Log is Full."

10.8.3.5.1.4  (08-01-2007)
Audit Processing

  1. Auditable events shall be captured for all IRS systems.

  2. Operating system or system audit logs shall be used to monitor system operational status and to verify functions and performance of the system. These logs shall be able to identify where system process failures have taken place and provide information relative to corrective actions to be taken by the system administrator.

  3. Security logs shall contain information related to the authorized and unauthorized use or attempted misuse of resources.

  4. Audit trails shall be used as on-line tools to help identify problems other than intrusions as they occur.

  5. Audit trails shall provide the necessary information needed to trace an event to a specific user account.

10.8.3.5.1.4.1  (08-01-2007)
Security Audit Automatic Response

  1. Security audit automatic responses shall be taken when detected events indicate potential security incidents and action is required.

  2. At a minimum, automatic response will be required for:

    1. Intrusions and potential intrusions to IRS networks by unauthorized individuals.

    2. UNAX-related events indicating unauthorized access is being made to taxpayer files or related case information.

    3. Unauthorized use or access to IRS resources.

  3. To support automatic response capabilities, reports shall be automatically generated for all systems to allow unusual and/or unauthorized activities to be identified, including:

    1. Unused accounts;

    2. Access connections;

    3. Changes to system account policy or access control settings;

    4. Remote access by users;

    5. Multiple Failed Logon Attempts by system or server;

    6. Clearing of audit log files by User and/or administrator; and

    7. Unauthorized or repeated attempts to exceed user access roles.

  4. Exhibit 10.8.3-1, Security Audit Automatic Response, defines events which must be addressed through automated mechanisms such as software tools or utilities.

10.8.3.5.1.4.2  (08-01-2007)
Application-Level Audit Trails

  1. Application-level audit trails monitor and log user activities. At a minimum, an event record shall contain the following:

    1. data files opened and closed;

    2. specific actions, such as reading, editing; and

    3. deleting records or fields, and printing reports.

  2. The requirements of the Security Audit Automatic Response section of this IRM shall also be implemented in application level audit trails.

10.8.3.5.1.4.3  (08-01-2007)
User Audit Trails

  1. User audit trails monitor and log user activities. At a minimum, an event record shall specify the following:

    1. All identification and authentication attempts (successful and unsuccessful);

    2. All commands directly initiated by the user; and

    3. Files and resources accessed.

  2. The requirements of the Security Audit Automatic Response section of this IRM shall also be implemented in user level audit trails.

10.8.3.5.1.5  (08-01-2007)
Audit Monitoring, Analysis, and Reporting

  1. Audit trails shall be used to review what occurred after an event, for periodic reviews, and for real-time analysis.

  2. The IT Security Specialists shall be assigned the responsibility to review audit information including the following:

    1. Audit trail review after an event; and

    2. Scheduled audit reviews at least weekly or more frequently at the discretion of the information system owner.

  3. Audit tools shall allow management to hold employees accountable for user actions on computer systems. Contact Cybersecurity for the latest list of platform/tier-specific audit trail tools deployed across the Service.

10.8.3.5.1.6  (08-01-2007)
Audit Reduction and Report Generation

  1. Automated software tools shall be used to provide audit log reduction and reporting capabilities.

10.8.3.5.1.7  (08-01-2007)
Date and Time Stamps

  1. MITS shall implement an authoritative IRS-wide time server for the purpose of synchronizing the system clocks of IRS systems.

  2. Systems administrators and network administrators shall configure IRS systems to synchronize local system clocks to the authoritative IRS-wide time server.

10.8.3.5.1.8  (08-01-2007)
Protection of Audit Information

  1. Access to on-line audit logs shall be strictly controlled.

  2. Audit logs shall be protected by strong access controls to help prevent unauthorized access and to ensure events are not overwritten.

  3. Refer to IRM 10.8.1 for Access Control and Encryption Requirements.

10.8.3.5.1.9  (08-01-2007)
Audit Retention

  1. The IRS shall retain audit log data, along with other application or system-specific records, as specified by a system records retention schedule for the system in question. See IRM 1.15, Records Management, for specific guidance regarding system records retention schedules. Audit logs shall be retained for a minimum of six (6) years, or longer where IRM 1.15.15 so requires. IRM 1.15 has precedence over this IRM for data/records retention.

  2. IRS systems (including applications, databases, network devices, and operating systems) that are not covered under the scope of a records retention schedule shall adhere to the following default log retention policy:

    1. Online computer audit logs shall be retained for a minimum of two (2) days prior to archival.

    2. Archival logs shall be retained for a minimum of 6 months.

    3. An Information System Owner may establish a system-level business requirement to retain online or archival logs for a longer period than the minimums specified above. The retention period established by that system-level business requirement shall be documented in the Audit Plan.

    4. Shorter minimum log retention periods than those specified in (a) and (b) above shall require a deviation from this IRM.

  3. At the end of the retention period, audit logs shall be reviewed to determine if they require archival at the Federal Records Center or require destruction. Additional guidance is provided in IRM 1.15.

10.8.3.6  (08-01-2007)
Deviations

  1. Deviations from this policy shall be submitted in accordance with IRM 10.8.1 and use Form 13125, as described in the deviation Standard Operating Procedures (SOPs) provided on the Cybersecurity (formerly Mission Assurance and Security Service (MA&SS)) web site.

  2. Refer to IRM 10.8.1 for additional information.

Exhibit 10.8.3-1  (08-01-2007)
Security Audit Automatic Response

Security Event: The system logon shows a user has attempted access more than 3 times.
Potential Security Violation Analysis: The audit log shows a potential failed logon attempt because either the user account name or password is incorrect.
Actions Required:
  1) User account shall be locked.
  2) Account shall not be unlocked without interaction with the account holder.
  3) User account will be unlocked after verifying the identity of the user.
  4) Potential user training may be required.

Security Event: Attempted application logon exceeds 3 logon attempts.
Potential Security Violation Analysis: The audit log shows a potential failed logon attempt because either the user account name or password is incorrect.
Actions Required:
  1) User account shall be locked.
  2) Account shall not be unlocked without interaction with the account holder.
  3) User account will be unlocked after verifying the identity of the user.
  4) Potential user training may be required.

Security Event: Attempted database logon exceeds 3 logon attempts.
Potential Security Violation Analysis: The audit log shows a potential failed logon attempt because either the user account name or password is incorrect.
Actions Required:
  1) User account shall be locked.
  2) Account shall not be unlocked without interaction with the account holder.
  3) Potential user training may be required.

Security Event: Security log is full.
Potential Security Violation Analysis: Events will not be recorded until the condition is rectified or a secondary log is activated to continue the historical record of security-related activity.
Actions Required:
  1) In the event the audit log becomes full, a job shall be executed to archive these logs to a secure location and the security administrator will be notified.
  2) In the event the security event log is manually cleared by the system administrator, this shall be recorded as an auditable event for future analysis.
  3) Security event logging shall be configured to capture the clearing of the security event log itself as an auditable event.

Security Event: Intrusion and penetration of IRS systems.
Potential Security Violation Analysis: Dial-in access indicates a potential intrusion is taking place.
Actions Required:
  1) Send an urgent message via page and/or e-mail requesting the responsible security administrator to review audit logs on the respective system.
  2) Additional protective steps, including resource isolation, may be required.

Security Event: Unusual logon times.
Potential Security Violation Analysis: Indicates a possible unauthorized access.
Actions Required: Notify management of activity times so these may be researched with the user in question.

Security Event: Unusual logon locations.
Potential Security Violation Analysis: Indicates a possible unauthorized access.
Actions Required: Notify management of activity times so these may be researched with the user in question.

Security Event: Unusual usage patterns, directories, or binaries, etc. accessed.
Potential Security Violation Analysis: Indicates a possible unauthorized access.
Actions Required: Notify management of activity times so these may be researched with the user in question.
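The following is an added example, not part of this IRM or of any IRS tool: it checks audit records against the minimum data elements of IRM 10.8.3.5.1.2 and applies the failed-logon lockout and audit-log-clearing responses of Exhibit 10.8.3-1 to a constructed log. The key=value record format, the field names, and the sample lines are assumptions made for illustration.

```python
# Added example (not IRM 10.8.3 text or an IRS tool). Validates that each audit
# record carries the IRM 10.8.3.5.1.2 minimum elements and applies two Exhibit
# 10.8.3-1 responses: lockout after more than 3 failed logons, and flagging any
# clearing of the audit log. Record format and sample data are constructed.
from collections import Counter

# Minimum data elements per IRM 10.8.3.5.1.2 (field names are assumptions):
# date/time, unique subject identifier, event type, object acted on, action, outcome.
REQUIRED_FIELDS = ("time", "subject", "event", "object", "action", "outcome")

# Exhibit 10.8.3-1: more than 3 failed logon attempts requires the account be locked.
MAX_FAILED_LOGONS = 3

# Constructed sample audit log: one record per line, space-separated key=value pairs.
# The last line deliberately lacks "action" and "outcome" to show the content check.
SAMPLE_LOG = """\
time=2007-08-01T08:00:01Z subject=jdoe event=logon object=host01 action=authenticate outcome=failure
time=2007-08-01T08:00:09Z subject=jdoe event=logon object=host01 action=authenticate outcome=failure
time=2007-08-01T08:00:15Z subject=jdoe event=logon object=host01 action=authenticate outcome=failure
time=2007-08-01T08:00:22Z subject=jdoe event=logon object=host01 action=authenticate outcome=failure
time=2007-08-01T08:05:00Z subject=asmith event=logon object=host01 action=authenticate outcome=success
time=2007-08-01T08:06:00Z subject=asmith event=file_open object=/data/returns.dat action=read outcome=success
time=2007-08-01T09:00:00Z subject=root event=audit_log_clear object=/var/log/audit action=clear outcome=success
time=2007-08-01T09:30:00Z subject=bjones event=logon object=host01
"""


def parse_record(line):
    """Split a 'k=v k=v ...' line into a dict (values contain no spaces here)."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def missing_fields(record):
    """Return the IRM 10.8.3.5.1.2 minimum elements absent from a record."""
    return [f for f in REQUIRED_FIELDS if f not in record]


def analyze(log_text):
    """Return (incomplete_records, accounts_to_lock, audit_log_clear_events)."""
    incomplete = []
    failed_logons = Counter()
    log_clears = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        rec = parse_record(line)
        gaps = missing_fields(rec)
        if gaps:
            incomplete.append((lineno, gaps))
            continue  # an incomplete record cannot support a response decision
        if rec["event"] == "logon" and rec["outcome"] == "failure":
            failed_logons[rec["subject"]] += 1
        if rec["event"] == "audit_log_clear":
            # Exhibit 10.8.3-1 (security log is full) and auditable event 15:
            # clearing the audit log is itself an auditable event to be surfaced.
            log_clears.append((lineno, rec["subject"]))
    to_lock = sorted(a for a, n in failed_logons.items() if n > MAX_FAILED_LOGONS)
    return incomplete, to_lock, log_clears


def response_actions(account):
    """Actions Exhibit 10.8.3-1 requires once an account exceeds the limit."""
    return [
        f"lock account {account}",
        f"do not unlock {account} without interaction with the account holder",
        f"unlock {account} only after verifying the identity of the user",
    ]


if __name__ == "__main__":
    incomplete, to_lock, clears = analyze(SAMPLE_LOG)
    for lineno, gaps in incomplete:
        print(f"line {lineno}: record missing required element(s): {', '.join(gaps)}")
    for account in to_lock:
        for action in response_actions(account):
            print(action)
    for lineno, who in clears:
        print(f"line {lineno}: audit log cleared by {who}; notify the security administrator")
```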

Exhibit 10.8.3-2  (08-01-2007)
Auditable Events

Auditable event requirements for an IRS system depend upon the impact level of the system as determined by NIST FIPS 199, Standards for Security Categorization of Federal Information and Information Systems. Systems rated MODERATE or HIGH in impact by FIPS 199 have more rigorous auditing requirements than systems having an impact level of LOW, as indicated in the table below.

The legend for the table below is as follows:

Column 1: Name of audit event

Columns 2-3: Operating system auditing requirements for FIPS 199 MODERATE or HIGH impact rated systems

Column 4: Application auditing requirements for FIPS 199 MODERATE or HIGH impact rated systems

Column 5: Database auditing requirements for FIPS 199 MODERATE or HIGH impact rated systems

Column 6: Auditing requirements for any type of system, application, or database having a FIPS 199 LOW impact rating

Column headings: 1 = Audit Event; 2 = UNIX, Linux and Windows-based (M,H); 3 = Mainframes and network systems (M,H); 4 = Applications (M,H); 5 = DBMSs (M,H); 6 = LOW Impact Systems. An X marks a required audit event; a blank cell means the event is not required for that column.

No.  2  3  4  5  6  1. Audit Event
 1   X  X  X  X  X  Log onto system
 2   X  X  X  X  X  Log off of system
 3   X  X  X  X  X  Change of Password
 4   X  X  X  X     Opening of Files
 5   X  X  X  X     Closing of Files
 6   X  X  X  X     Creating Files
 7   X  X  X  X     Deleting Files
 8                  Program Execution
 9   X  X  X  X  X  All system administrator (SA) actions, while logged on as an SA
10   X  X  X  X  X  Switching accounts or running privileged actions from another account (e.g., UNIX SU or Windows RUNAS)
11   X  X  X  X  X  Creation or modification of superuser groups
12   X  X  X  X     All system administrator actions, while logged on in the user mode
13   X  X  X  X  X  All security administrator actions, while logged on in the security administrator role
14   X  X  X  X     All system administrator actions, while logged on in the user role
15   X  X  X  X  X  Clearing of the audit log file
16   X  X  X  X  X  Startup and shut down of audit functions
17   X  X  X  X  X  Use of identification and authentication mechanisms (e.g., user id and password)
18   X  X  X  X  X  Change of file or user permissions or privileges (use of suid/guid, chown, su, etc.)
19   X  X  X  X  X  All dial-in access to the system
20   X  X  X  X     Command line changes and queries made to the system or application
21   X  X  X  X     Batch file changes made to an application or database
22   X  X  X  X  X  Application critical record changes
23   X  X  X  X     Changes to database or application records, where the application has been bypassed to produce the change (via a file or other database utility)
24   X  X  X  X     Stored and ad hoc queries