
10.8.26  Laptop Computer Security Policy

10.8.26.1  (03-12-2007)
Purpose

  1. The purpose of this Internal Revenue Manual (IRM) is to provide guidance to IRS employees, contractors, and volunteers for safeguarding IRS laptop/notebook computers, and the sensitive data they contain from loss, theft, breach, or compromise.

10.8.26.1.1  (03-12-2007)
Overview

  1. Laptop computers are vulnerable to theft and the loss of all data contained on them. Many theft rings operating today at airports, hotels, and other public places target laptops. The loss or theft of IRS computers places the sensitive information they contain at risk of loss, disclosure, or compromise.

10.8.26.1.2  (03-12-2007)
Scope

  1. This IRM establishes policy to implement the minimum security controls to safeguard IRS laptop computers. This IRM applies to all IRS employees, contractors, and volunteers assigned laptop or notebook computers.

10.8.26.1.3  (03-03-2008)
IRM Section Topics

  1. This manual contains information on the following subjects:

    • Authority (IRM 10.8.26.1.4);

    • General Policy (IRM 10.8.26.2);

    • Management Controls (IRM 10.8.26.3);

    • Operational Controls (IRM 10.8.26.4);

    • Technical Controls (IRM 10.8.26.5);

    • Deviations (IRM 10.8.26.6);

    • References (Exhibit 10.8.26-1).

10.8.26.1.4  (03-12-2007)
Authority

  1. This IRM supplements IRM 10.8.1, Information Technology (IT) Security Policy and Guidance.

10.8.26.2  (03-12-2007)
General Policy

  1. The loss or theft of IRS laptop computers puts the information they contain at risk of loss, disclosure, or compromise. In addition, the use of laptops in public places (e.g., airports, restaurants, conferences, airplanes, and while traveling) presents a significant risk of unauthorized persons observing the information being processed. The use of a laptop to transmit information through public telecommunications networks also presents vulnerabilities. To protect sensitive information from these risks, and from unauthorized access, manipulation, and destruction, it is necessary to protect the information by encrypting it.

  2. To protect Sensitive But Unclassified (SBU) data, including Personally Identifiable Information (PII), contained on IRS laptops and other forms of portable media from risk of disclosure or compromise, all sensitive IRS data shall be encrypted.

    1. All IRS laptop users shall utilize IRS-approved encryption procedures to protect SBU data and PII.

    2. Sensitive information stored on any laptop computer that may be used outside of IRS facilities or on travel shall be encrypted using Federal Information Processing Standard (FIPS) 140-2 or later approved encryption.

    3. All IRS laptop computers shall have Enterprise Disk Encryption (EDE).

  3. SBU data, including PII, shall not be downloaded to your hard drive or other portable media devices if the data is available, accessible, and utilizable on other systems. IRS laptops and other portable media shall only include sensitive data that is necessary for the user’s job.

  4. Passwords and smart cards shall be protected at all times and shall not be stored on or with the laptop.

  5. IRS laptop users shall be responsible for securing their laptops and other forms of portable media at all times.

  6. IRS laptop users shall never connect Personally Owned Equipment (printers, scanners, wireless devices, flash drives, etc.) to their IRS laptop computer.

  7. IRS laptop computers and IT resources (e.g. thumb drives, CDs, etc.) shall never be left unattended and/or unsecured.

  8. IRS laptop users shall use an IRS-issued cable lock OR a locked cabinet OR a lockable drawer to secure their IRS laptop. A locked cabinet or a lockable drawer is defined as a secured enclosure.

  9. IRS laptop users shall use a cable lock to secure their laptops at all times. This applies whether the IRS laptop user is in the workplace, working out of the office, or in travel status.

    1. If a secured enclosure is not available, local management, in conjunction with the user, shall make a determination.

    2. Regardless of whether you work in a private walled office or open work environment or whether your IRS facility has keycard/security arrangements, use your cable lock to secure your laptop. This provides an added layer of security when you need to leave your immediate work area for a short time. When you leave work at the end of the day, either keep the cable lock attached and locked or store your laptop in a locked cabinet or drawer.

    3. When you're away from the office, such as offsite conducting an audit or in a training class, take your cable lock with you and secure your laptop to a piece of furniture or other appropriate device. At the end of the day, take your laptop with you.

    4. When in travel status, take your cable lock with you. If you leave your hotel room, secure your laptop to a piece of furniture or lock it in the room safe, if you have one. Do not store it in the hotel safe.

    5. You are not required to use the cable lock at home. However, be sure to lock all doors when you leave your house and turn on your home security system, if you have one.

    6. The Modernization and Information Technology Systems (MITS) organization shall develop and implement procedures for acquisition, implementation, and use of laptop cables.

  10. IRS laptop users shall log off their laptop computer when not in use.

  11. IRS employees/users assigned laptops shall sign a receipt assuming responsibility for the IRS laptop referenced by the serial number. IRS laptops shall not be used by anyone other than the person who signed for it without a written change of accountability.

  12. All IRS laptop computers shall have an Asset Tag/Bar Code in accordance with IRM 2.14, Asset Management.

  13. All IRS laptop users are required to have an IRS-issued property pass for their IRS-issued laptop computers.

  14. The IRS MITS organization shall develop procedures for the disposal of IT assets. These procedures shall be followed to ensure that all IRS laptops that have processed sensitive information are properly disposed of. Specifically, MITS shall ensure each laptop is cleaned by utilizing commercial disk-wiping software or by degaussing the hard drive and all chips containing memory.

  15. MITS shall keep an inventory of all disposed IRS laptops.

  16. The IRS Physical Security organization shall develop and implement procedures for physical laptop security compliance. See IRM 1.16 for additional requirements related to the physical protection of laptops and IT laptop resources.

  17. Refer to IRM 10.8.26.4.1.1 for Laptop Transit and Travel Security Requirements.

  18. Refer to IRM 10.8.26.4.2 for Incident Reporting Requirements.

10.8.26.2.1  (03-12-2007)
Roles and Responsibilities

  1. IRM 10.8.2, Information Technology (IT) Security Roles and Responsibilities, defines service-wide roles and responsibilities related to IRS information and computer security, and is the authoritative source for such information.

  2. The supplemental requirements provided below are specific to IRS laptop users. Refer to IRM 10.8.2 for additional information regarding organizational and individual responsibilities related to information and computer security.

10.8.26.2.1.1  (03-12-2007)
IRS Laptop Users

  1. IRS laptop users shall be responsible for ensuring the security of their assigned equipment.

  2. Managers of employees assigned IRS laptops shall ensure their employees exercise due diligence in safeguarding these devices and the data they contain.

10.8.26.3  (03-12-2007)
Management Controls

  1. Management security controls mitigate risk of IT applications and electronic information loss in order to protect the organization's mission. See IRM 10.8.1 for general information and computer security management control requirements.

  2. Management controls specific to laptop security are provided below in the following areas:

    1. Planning Controls

    2. System and Services Acquisition Controls

10.8.26.3.1  (03-03-2008)
Planning

  1. Business/System owners are required to develop and maintain additional operational documentation (i.e., action and implementation plans, standard operations procedures (SOP), etc.) necessary for implementing the requirements of this IRM. See IRM 10.8.1 for general planning requirements.

10.8.26.3.2  (03-12-2007)
System and Services Acquisition

  1. All IRS laptop and notebook computers shall be acquired, accounted for, and inventoried in accordance with IRM 10.8.1.

10.8.26.4  (03-12-2007)
Operational Controls

  1. Operational controls address security mechanisms that primarily are implemented and executed by people versus systems. They often require technical or specialized expertise and rely on management activities as well as technical controls. See IRM 10.8.1 for general information and computer security operational control requirements.

  2. Operational controls specific to laptop security are provided below in the following areas:

    1. Physical and Environmental Protection;

    2. Incident Response; and

    3. Awareness and Training.

10.8.26.4.1  (03-12-2007)
Physical and Environmental Protection

  1. The IRS shall ensure that only authorized personnel have access to IRS laptop computers and data.

  2. Physical and environmental controls shall be based on the level of risk, and shall be sufficient to safeguard assets against possible loss, theft, destruction, accidental damage, hazardous conditions, fire, malicious actions, and natural disasters.

  3. See IRM 1.16 for general information for the physical security requirements for laptop computers.

10.8.26.4.1.1  (03-12-2007)
Laptop Transit and Travel Security Requirements

  1. While in use, IRS laptops shall be kept under the direct control of the employees to whom they are assigned. When not in use, IRS laptops shall be physically secured in accordance with requirements stated within the General Policy section of this IRM.

  2. When in transit, on business trips, or commuting to the workplace, IRS laptop computers shall be secured in a vehicle trunk to prevent theft. If your vehicle does not have a trunk, place your laptop under the vehicle's seat out of sight, or take it with you.

  3. IRS laptops and/or IT resources shall never, under any circumstance, be stored in checked luggage while traveling, whether it is an international or a domestic flight.

  4. IRS laptop users shall ensure a direct line of sight to minimize the potential for damage or theft while passing through security checkpoints (e.g., airports and train stations).

  5. IRS laptops shall never be left unattended while located in facilities other than IRS facilities (i.e. home or office) unless the work space has been physically secured.

  6. IRS laptop users shall not process SBU or PII data in public places.

10.8.26.4.1.2  (03-03-2008)
International Travel with IRS Laptops

  1. The use of a laptop to transmit information through public telecommunications networks presents potential vulnerabilities due to the susceptibility to eavesdropping and interception of the information transmitted. This is especially true in overseas locations since foreign telephone systems and networks may be either owned or controlled by the host government. This allows the foreign government to easily monitor transmissions of selected U.S. corporations, government agencies and American citizens.

  2. Based on guidance from the Department of State, IRS employees should assume that all overseas telecommunications can be intercepted, recorded, and organized into reports, and reviewed for intelligence purposes. Employees should be aware of the fact that:

    1. Intelligence agencies of third-party nations, terrorists, and criminals monitor electronic transmissions.

    2. Government, business and technical data obtained from U.S. citizens may be, and often are, provided to terrorists.

    3. Personal information obtained may be used for financial gain, political, or other malicious purposes.

  3. The following rules apply to IRS employees traveling overseas:

    1. All employees shall have approval from the Designated Accrediting Authority (DAA), or Business Unit Head before an IRS laptop computer is taken overseas. Within the IRS, this approval authority may be delegated to any Business Unit executive.

  4. All laptops temporarily taken overseas must be protected by: 1) full-disk FIPS validated encryption; 2) disabling any wireless capability; and 3) either disabling all USB port(s) or use of tamper-evident bags/seals/containers each time the laptop is left unattended (i.e., not under the direct and immediate control of a U.S. Government employee or authorized government contractor). If any laptop is not protected as described above, it may not be reconnected to an IRS system or network until sanitized.

    1. All IRS laptop computers being taken overseas shall have Enterprise Disk Encryption (EDE) installed.

    2. All laptop connections from overseas shall occur via Enterprise Remote Access Project (ERAP) (with two factor authentication).

    3. All sensitive data being taken overseas shall be encrypted.

    4. Employees with business justification requiring that USB port(s) are enabled, during foreign travel, shall request a loaner laptop and tamper-evident bags/seals/containers for use each time the laptop is not under their direct and immediate control.

  5. All employees shall obtain authorization for foreign travel from IRS’s International Travel Office. Employees may obtain information and procedures from the International Travel Office website at http://lmsb.irs.gov/international/dir_treaty/eoi_overseas/intl_coordination/travel_all.asp.

10.8.26.4.2  (03-03-2008)
Incident Reporting Requirements

  1. All users shall report, within 1 hour, any incidents of loss or mishandling of IRS laptops to the IRS Computer Security Incident Response Center (CSIRC), their immediate supervisor, and the Treasury Inspector General for Tax Administration (TIGTA).

  2. Any incidents of mishandling, tampering, or the loss of a laptop computer (the loss of any IT hardware) with IRS information shall be a reportable security incident.

10.8.26.4.3  (03-12-2007)
Security Awareness

  1. All supplemental policies required to implement laptop security solutions shall be documented and provided to users.

  2. IRS laptop users are required to take the IRS Computer Security Briefing when issued their laptop and annually thereafter.

10.8.26.5  (03-12-2007)
Technical Controls

  1. Technical controls focus on the security controls computer systems execute. These controls provide automated protection from unauthorized access or misuse, facilitate detection of security violations, and support security requirements for the systems or applications. The implementation of technical controls shall be consistent with the management of security within the organization. See IRM 10.8.1 for general information and computer security technical control requirements.

  2. Additional technical controls specific to laptop security are provided below in the following areas:

    1. Access Control;

    2. Encryption.

10.8.26.5.1  (03-12-2007)
Access Control

  1. Access and usage control of SBU data and PII shall be implemented in accordance with IRM 10.8.1.

  2. Only the minimum amount of data required for business operations shall be stored on laptop computers.

10.8.26.5.2  (03-12-2007)
Encryption

  1. All IRS laptops shall have the capability to encrypt information using FIPS Publication 140-2, Security Requirements for Cryptographic Modules, or later approved cryptographic technology in accordance with IRM 10.8.1.

  2. Files and directories on IRS laptops containing SBU data shall be encrypted in accordance with established policies.

  3. All IRS laptop users are required to use the IRS approved enterprise solution for disk encryption.

  4. The IRS MITS organization shall develop and implement end-user instructions and procedures for the encryption and decryption of laptop data.

10.8.26.6  (03-31-2008)
Deviations

  1. Deviations from this policy shall be submitted in accordance with IRM 10.8.1, and use Form 13125, as described in the Deviation Standard Operating Procedures (SOPs) provided on the Cybersecurity web site.

Exhibit 10.8.26-1  (03-12-2007)
References

  • Chief, Mission Assurance and Security Services Policy Memorandum "Policy Clarification-Use of Cable Locks for Laptop Computers", dated February 27, 2007.

  • IRS Deputy Commissioner(s) Policy Memorandum "Please Do Your Part To Protect Taxpayer Data", dated December 21, 2006.

  • IRM 10.8.1, Information Technology (IT) Security Policy and Guidance.

  • IRM 10.8.2, Information Technology (IT) Security Roles and Responsibilities.

  • Windows Security Policy.

  • IRM 25.10.13, Computer Security Incident Reporting and Response.

  • Treasury Directive (TD) Publication (P) 85-01, Treasury Information Technology Security Program, Volume I, Part I, Policy – Sensitive Systems (dated June 12, 2003).

  • Treasury Directive (TD) Publication (P) 85-01, Treasury Information Technology Security Program, Volume II, Part I, Handbook – Sensitive Systems (dated June 12, 2003).

