AccessibilitySkip to Top NavigationSkip to Main ContentHome  |  Contact IRS  |  About IRS  |  Site Map  |  Español  |  Help  

Part 10. Security, Privacy and Assurance

Chapter 8. Information Technology (IT) Security

Section 27. Internal Revenue Service Policy On Limited Personal Use Of Government Information Technology Resources

10.8.27  Internal Revenue Service Policy On Limited Personal Use Of Government Information Technology Resources

10.8.27.1  (10-12-2007)
Purpose

  1. This policy defines the minimum standard for acceptable personal use of Government IT resources by IRS employees.

  2. This policy incorporates and replaces the IRS Policy on Limited Personal Use of Government Information Technology Equipment/Resources (transmitted by memorandum May 3, 2002).

10.8.27.1.1  (11-30-2007)
Overview

  1. It is the policy of the IRS to establish and manage an Information Security Program within all its offices. This manual provides uniform policies and guidance to be used by each office.

  2. It is the policy of the IRS to protect its information resources and allow the use, access, and disclosure of information in accordance with applicable laws, policies, federal regulations, OMB Circulars, and Treasury Directives (TDs). All IT resources belonging to, or used by the IRS, shall be protected at a level commensurate with the risk and magnitude of harm that could result from loss, misuse, or unauthorized access to that IT resource.

  3. This policy delineates the minimum standard for acceptable personal use of Government IT resources.

  4. If any content of this policy conflicts with or is a variance from IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance, IRM 10.8.1 has precedence.

10.8.27.1.2  (11-30-2007)
Scope

  1. The policy applies to all IRS employees, including consultants, detailees, temporary employees, interns and applies to IRS contractors. For purposes of this policy, consultants, detailees, temporary employees, interns and IRS contractors will be termed, "employee."

  2. This policy applies to any employee whenever the employee is working in a government-designated office, traveling, or working from home on behalf of the IRS.

  3. This policy applies, but is not limited to, circumstances such as:

    • Teleworking,

    • Flexiplace,

    • Official travel status,

    • Normal business location,

    • Normal work hours, and

    • Extraordinary work hours, and

    • Performing work for the Department of the Treasury, its offices, and bureaus.

  4. This policy also applies to any non-work circumstances when using IRS equipment.

10.8.27.1.3  (11-30-2007)
IRM Section Topics

  1. This manual contains information on the following subjects:

    • Authority

    • General Policy

    • Specific Requirements

    • Prohibited Uses of Government IT Resources ( see Exhibit 10.8.27-1)

    • Glossary ( see Exhibit 10.8.27-2)

    • References ( see Exhibit 10.8.27-3)

10.8.27.1.4  (11-30-2007)
Authority

  1. Treasury Directive (TD) 87-04 (Dated December 21, 2005), defines acceptable personal use of Government IT resources by Department of the Treasury employees based on:

    • Title 5 - Code of Federal Regulations (CFR) - Part 735, Office of Personnel Management, Employee Responsibilities and Conduct;

    • Title 5 - CFR Part 2635, Office of Government Ethics, Standards of Ethical Conduct for Employees of the Executive Branch;

    • Title 5 - CFR Part 3101, Supplemental Standards of Ethical Conduct for Employees of the Department of the Treasury; and

    • Title 31 - CFR Part 0, Department of the Treasury Employee Rules of Conduct.

  2. This IRM further supplements guidance issued by Treasury and requirements set forth by IRM 10.8.1, IT Security, Policy and Guidance.

10.8.27.2  (11-30-2007)
General Policy

  1. Employees have no inherent right to use Government IT resources.

  2. This policy does not create the right to use Government IT resources for non-government purposes.

  3. Employees have the privilege to use Government IT resources for non-government purposes when such use:

    1. involves minimal additional expense to the Government;

    2. occurs during non-work hours for reasonable duration and frequency;

    3. does not violate the Codes of Ethical Conduct for employees;

    4. does not overburden any of the IRS' IT resources;

    5. does not adversely affect the performance of official duties; and

    6. does not interfere with the mission or operations of the IRS.

  4. Employees have the privilege to use IRS IT resources for non-government purposes in non-work time for periods of reasonable duration and frequency of use as long as they comply with existing Federal Government, Department of the Treasury, and IRS policies for, but not limited to:

    • ethics,

    • security,

    • disclosure, and

    • privacy.

  5. The privileges (and restrictions) established by this policy extend to contractors (also termed "employees" within this policy) only as a courtesy.

  6. Unauthorized or improper use may result in loss or limitations of the use of IT resources, disciplinary or adverse actions, termination, criminal penalties, and the employee being held financially liable for the cost of improper use.

10.8.27.2.1  (11-30-2007)
Roles and Responsibilities

  1. IRM 10.8.2, Information Technology Security Roles and Responsibilities, defines IRS-wide roles and responsibilities related to IRS information and computer security, and is the authoritative source for such information.

  2. The supplemental requirements provided below are specific to the implementation of theLimited Personal Use Of Government Information Technology Resources Policy. Refer to IRM 10.8.2 for additional information regarding organizational and individual responsibilities related to information and computer security.

10.8.27.2.1.1  (11-30-2007)
Agency Head

  1. Federal Information Security Management Act (FISMA), requires the head of each federal agency to provide information security protections commensurate with the risk and magnitude of the harm that may result from unauthorized access, use, disclosure, disruption, modification, or destruction of its information and information systems. The protection should apply not only within the agency, but also within contractor or other organizations working on behalf of the agency and defined in IRM 10.8.2. At the IRS, the Commissioner is the Agency Head.

  2. The Commissioner shall be responsible for ensuring that this policy is disseminated to all employees.

10.8.27.2.1.2  (11-30-2007)
Modernization and Information Technology Services (MITS)

  1. Modernization and Information Technology Services (MITS) is responsible for maintenance and dissemination of this policy.

  2. MITS shall establish sufficient controls to ensure equipment is used appropriately.

10.8.27.2.1.3  (11-30-2007)
Associate Chief Information Officer (ACIO), Cybersecurity

  1. The Associate Chief Information Officer (ACIO), Cybersecurity shall develop and disseminate additional policy appropriate to personal use as necessary.

10.8.27.2.1.4  (11-30-2007)
Managers

  1. Managers shall ensure employees are informed of appropriate uses of Government IT resources as a part of their introductory training, orientation, or the initial implementation of this policy. These requirements are part of the employees' mandatory annual Security Awareness Training and Education (Security ATE).

  2. Managers shall ensure IT resources are being used appropriately and shall take corrective action, as needed.

10.8.27.2.1.5  (11-30-2007)
Employees

  1. Employees shall refrain from using Government IT resources for activities that are inappropriate based on established Codes of Ethical Conduct for employees. For purposes of this policy, IRS personnel, consultants, detailees, temporary employees, interns and IRS contractors will be termed, "employee. "

  2. Employees shall be responsible for their own personal and professional conduct and shall follow, among others, the rules and regulations described below:

    1. The Office of Personnel Management (OPM) Employee Responsibilities and Conduct states, "An employee shall not engage in criminal, infamous, dishonest, immoral, or notoriously disgraceful conduct, or other conduct prejudicial to the Government" (5 CFR § 735.203).

    2. The Office of Government Ethics (OGE) Standards of Ethical Conduct states:

      (1) Employees shall put forth honest effort in the performance of their duties… (5 Code of Federal Regulation (CFR) § 2635.101(b)(5)).
      (2) …an employee shall not use or permit the use of his Government position or title or any authority associated with his public office in a manner that could reasonably be construed to imply that his agency or the Government sanctions or endorses his personal activities (5 CFR § 2635.702 (b)).
      (3) An employee has a duty to protect and conserve Government Property and shall not use such property, or allow its use, for other than authorized purposes. (5 CFR § 2635.704(a)). Employee conduct pursuant to the IRM policy on limited personal use is considered an authorized use of government property as the term is used in 5 CFR § 2635.704(a). See TD 87-04(4)(e) (defining limited personal use).
      (4) …an employee shall use official time in an honest effort to perform official duties and …in accordance with law or regulation… (CFR § 2635.705).

    3. The Department of the Treasury Employee Rules of Conduct states: (1) Employees shall not engage in criminal, infamous, dishonest, or notoriously disgraceful conduct, or any other conduct prejudicial to the Government. (31 CFR § 0.213).

  3. Employees shall ensure that they do not give the false impression that they are acting in an official capacity when they are using Government IT resources for non-government purposes. In addition, they shall not post, disseminate, or otherwise use IRS documents and/or symbols as part of personal documents, Internet sites, or other forms of communication.

    1. If there is an expectation that such a personal use could be interpreted to represent an agency, an adequate disclaimer must be used. One acceptable disclaimer is - "The content of this message is mine personally and does not reflect the position of the U.S. Government, the Department of the Treasury, or the IRS."

10.8.27.2.1.6  (03-03-2008)
Contracting Officer Technical Representative (COTR)

  1. The COTR shall ensure contractors are informed of appropriate uses of Government IT resources as a part of their introductory training, orientation, or the initial implementation of this policy.

  2. The COTR shall ensure IT resources are being used appropriately and shall take corrective action, as needed.

  3. The COTR shall ensure contractors who process IRS information on non-IRS, contractor-furnished IT equipment and resources meet the security standards detailed in IRM 10.8.1.

10.8.27.3  (11-30-2007)
Specific Requirements

  1. Employees are specifically prohibited from inappropriate internet usage such as participation in: gambling, pornography, personal communication on social networking sites, peer-to-peer (P2P) file sharing, downloading unauthorized programs or software, and other activities that open IRS information or information systems to security risks. Specific examples are referenced in Exhibit 10.8.27-1, Prohibited Uses of Government IT Resources.

  2. Employees are specifically prohibited from the pursuit of private commercial business activities or profit-making ventures using the Government's IT resources. The ban also includes employees' use of the Government's IT resources to assist relatives, friends, or other persons in such activities (e.g., employees may not operate or participate in the operation of a business with the use of IRS computers and Internet (i.e., "IRS.gov" ) resources).

  3. Employees are specifically prohibited from engaging in any political fund-raising activity, endorsing any product or service, participating in any lobbying activity, or engaging in any prohibited partisan political activity, in accordance with, Title 5 - Code of Federal Regulations (CFR) - Part 735, Office of Personnel Management, Employee Responsibilities and Conduct.

  4. An individual has no right to privacy. Employees should be aware their rights to privacy do not change even during limited periods of personal use. Employees should have no expectation of privacy, while using any Government IT resources at any time, including (but not limited to) accessing the Internet or using e-mail. To the extent that employees wish their private activities remain private, they should avoid using Government IT resources such as their computer, the Internet or using e-mail. Following are the (representative) banner messages presented to each user when first accessing various IT resources.

    "THIS U.S. GOVERNMENT SYSTEM IS FOR AUTHORIZED USE ONLY!
    Use of this system constitutes consent to monitoring, interception, recording, reading, copying or capturing by authorized personnel of all activities. There is no right to privacy in this system. Unauthorized use of this system is prohibited and subject to criminal and civil penalties."

    or

    "THIS U.S. GOVERNMENT SYSTEM IS FOR AUTHORIZED USE ONLY!
    Use is consent to authorized monitoring, capturing, etc. & no rights to privacy."

    See the IRM 10.8.1 section for "Warning Banner" for the current banner text.

  5. It is the policy of the IRS to:

    1. allow employees the privilege to use Government IT resources for non-government purposes, when such use involves minimal additional expense to the government, does not overburden any of the Service’s IT resources, and when access to these IT resources is already authorized for official government business;

    2. permit limited personal use to employees during non-work time for periods of reasonable duration and frequency of use;

    3. grant use that does not adversely affect the performance of official duties, result in loss of employee productivity, or interfere with the mission or operations of the IRS;

    4. ensure that computer systems and networks are not used for downloading illegal, inappropriate, or unauthorized copyrighted content, including illegal downloads using file sharing programs, and downloading untrusted, unapproved, or malicious software; and

    5. authorize use that does not violate the Office of Government Ethics (OGE) Standards of Ethical Conduct for Employees of the Executive Branch found at 5 Code of Federal Regulations (CFR) Part 2635, the Supplemental Standards of Ethical Conduct for Employees of the Treasury Department found at 5 CFR Part 3101, Employee Responsibilities and Conduct 5 CFR Part 735, and the Department of the Treasury Employee Rules of Conduct found at 31 CFR Part 0.

  6. The IRS is not required to provide access to IT resources if they are not already provided for an approved business need. Therefore, this policy does not guarantee Internet or e-mail access to those who do not otherwise have it.

  7. Personal use shall incur only minimal additional expense to the Government in areas such as:

    1. communications infrastructure costs (e.g., telephone charges, telecommunications traffic);

    2. use of consumables in limited amounts (e.g., paper, ink, toners);

    3. general wear-and-tear on equipment;

    4. minimal data storage on storage devices; and

    5. minimal network impacts keeping e-mail message sizes less than 1 megabyte including attachments.

  8. Employees shall be aware of IT security issues which are addressed in:

    • IRM 10.8.1, Information Technology Security Policy and Guidance;

    • IRM 10.8.2, Information Technology Security Roles and Responsibilities;

    • IRM 10.8.26, Enterprise Laptop Security Policy; and

    • any other IRS privacy concerns related to the safeguarding of agency information.

  9. Employees are specifically prohibited from willful, unauthorized access and inspection of taxpayer returns and return information (referred to as UNAX -- Unauthorized Access).

    1. Employees are prohibited from accessing returns and return information when requested through other than official channels or when the access is not included as part of their official tax administration duties as determined and authorized by management.

    2. UNAX is an egregious offense that violates the public’s trust in the integrity of IRS employees and raises serious concerns regarding an employee’s suitability for IRS employment. Absent mitigating circumstances, the IRS Guide to Penalty Determinations suggests removal as an appropriate action for a first time offense.

Exhibit 10.8.27-1  (03-31-2008)
Prohibited Uses of Government IT Resources

Prohibited uses of Government IT resources includes, but is not limited to, the following examples:

Note:

These examples and other prohibited uses are in affect regardless of work status.

1) The creation, copying, transmission, download, or retransmission of greeting cards, video, sound (including streaming video or music), other files larger than 1 megabyte, or the use of e-mail practices that involve ongoing message receipt and transmission (referred to as instant messaging/messenger). "Push" technology on the Internet (e.g., subscribing to any unofficial service such as EntryPoint or LaunchPad) that gathers information and sends it out automatically to subscribers) and other continuous data streams (such as streaming stock quote);

2) Using Government IT resources for personal communication on blogs and social networking sites such as MySpace, Facebook, Friendster, Xanga, hi5, Orkut, Yahoo! 360°, Cyworld, Bebo, XuQa, etc.;

3) Access to pornography or hacker sites (sites which open the IRS to unacceptable security risk) regardless of the security risks or lack thereof;

4) Using Government systems as a staging ground or platform to gain unauthorized access to other systems;

5) The creation, copying, transmission, or retransmission of chain letters or other unauthorized mass mailings regardless of the subject matter;

6) Using Government IT resources for activities that are illegal, inappropriate, or offensive to fellow employees or the public. Such activities include, but are not limited to: hate speech, or material that ridicules others on the basis of race, creed, religion, color, sex, disability, national origin, or sexual orientation;

7) The creation, download, viewing, storage, copying, or transmission of sexually explicit or sexually oriented materials, including web sites classified as Personals & Dating;

8) The creation, download, viewing, storage, copying, or transmission of materials related to gambling (legal and illegal), illegal weapons, terrorist activities, and any other illegal activities or activities otherwise prohibited, etc.;

9) Downloading, copying, and/or playing of computer video games;

10) Downloading, copying, or installing of unauthorized data programs (e.g., executable code), such as screen savers, software products, or copyrighted materials such as music and pictures ( See Exhibit 10.8.27-2 for an additional explanation of an unauthorized program);

11) The use for commercial purposes or in support of "for-profit" activities or in support of other outside employment or business activity (e.g., consulting for pay, sales or administration of business transactions, sale of goods or services);

12) Engaging in any political fund-raising activity, endorsing any product or service, participating in any lobbying activity, or engaging in any prohibited partisan political activity, in accordance with, Title 5 - Code of Federal Regulations (CFR) - Part 735, Office of Personnel Management, Employee Responsibilities and Conduct.

13) The use for posting agency information to external news groups, bulletin boards or other public forums without authority. This includes any use that could create the perception that the communication was made in one's official capacity as a Federal Government employee, unless appropriate agency written approval has been obtained or the use is not at odds with the agency's mission or positions;

14) Any use that could generate more than minimal additional expense to the Government (e.g., subscribing to unofficial LISTSERV or other services which create a high-volume of e-mail traffic);

15) The unauthorized acquisition, use, reproduction, transmission, or distribution of any controlled information including computer software and data, that includes privacy information; material which is copyrighted, trademarked, or otherwise controlled with other intellectual property rights (beyond fair use), proprietary data, or export controlled software or data;

16) The use of peer-to-peer (P2P) file sharing and networking. P2P refers to any software or system allowing individual users of the Internet, intranet or extranet to connect and share files or resources. Specific examples of P2P file sharing include applications such as Morpheus, Napster, Grokster, Kazaa, Gnutella as well as decentralized applications such as SETI@Home. P2P is not allowed and is considered outside the scope of limited personal use. Furthermore, engaging in P2P creates a substantial computer security risk in that P2P may facilitate the spread of computer viruses.

17) Any personal use or storage of files on Home Directories or other network drives provided and maintained by the IRS;

18) Any use that reduces employee productivity or interferes with the performance of official duties;

19) Any access to non-IRS e-mail accounts through the Internet (i.e., accessing personal AOL accounts, accessing company accounts, etc. through the IRS Internet firewall);

20) Any access to the Internet that does not go through an IRS-approved Internet gateway (i.e., firewall). Accessing the Internet from non-office locations using a government-owned computer must always be done via the IRS-approved internet gateway; using any other connection (such as a private AOL account) is prohibited;

21) Any access to an Internet site that contains similar content to sites which have been prohibited or restricted.

22) Any use of a photocopier or fax machine that involves more than a few pages of material (e.g., copying a book, making numerous copies of a resume, or sending/receiving a lengthy document via fax machines); and

23) Any use of photocopiers or fax machines that conflicts with the need to use the equipment for official business requirements.

24 ) Any use of telephone services that creates more than minimal additional expense to the Government.

Employees should also remember that some use of Government IT resources is absolutely forbidden, even during non-work hours.

Exhibit 10.8.27-2  (11-30-2007)
Glossary

Unauthorized data program - Is a program not explicitly approved or permitted by the organization(s) with responsibility for managing data programs such as the IDEA Lab authorizes programs running on the workstations.

Employee non-work time - Times when the employee is not otherwise expected to be addressing official business. Employees may, for example, use Government IT resources during their off-work hours such as before or after a workday (subject to local office hours), lunch periods, authorized breaks, or weekends or holidays (if their duty station is normally available at such times). For employees using Government IT resources in a government facility, no expanded access to the building will be provided beyond when the building is normally open for access. The use of Government IT resources during the aforementioned periods should be determined and/or agreed to by the employees and the organization’s managers. Employees should also remember that some use of Government IT resources is absolutely forbidden, even during non-work hours.

Government IT resources - Includes, but is not limited to, office and telephone equipment and services (e.g., phone sets, cell phones, Blackberries, pagers, Palm Pilots, and voice mail), desktop and laptop computers, related peripheral equipment (e.g., printers, scanners) and application software, library resources, fax machines, photocopiers, Internet connectivity and access to Internet services, and e-mail but does not include the use of franked or official envelopes and stationary, and mailing labels.

Information technology - Any equipment, interconnected system, or subsystem of hardware or application software that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of voice or data.

Minimal additional expense - Employee's limited personal use of Government IT resources is confined to those situations where the Government is already providing resources or services and the employee's use of such resources or services will not result in any additional expense to the Government, will result in only fair wear and tear, or use of small amounts of electricity, ink, toner, or paper. Examples of minimal additional expenses include: making a few photocopies, using a computer printer to print out a few pages of material, making occasional brief personal phone calls (within Treasury Department policy), infrequently sending personal e-mail messages, or limited use of the Internet for personal reasons. Limited personal use activity by employees that is conducted during personal time in the course of the business day is considered an "authorized use" of government property as the term is used in the Standards of Conduct for Employees of the Executive Branch (5 CFR § 2635.101 (b) (9) and § 2635.704 (a)).

Privilege - In the context of this policy, "privilege" refers to the IRS extending the opportunity for its employees to use Government property for limited personal use in an effort to create a more supportive work environment. However, this policy does not create the right to use Government IT resources for non-government purposes. The privilege does not extend to modifying the equipment used, including loading personal software, copying existing software, or making configuration changes.

Exhibit 10.8.27-3  (11-30-2007)
References

The following references were used in developing this policy:

  1. 5 CFR § 2635.101 (b)(5) and (9), Basic Obligation of Public Service

  2. 5 CFR § 2635.702(b), Appearance of Governmental Sanction

  3. 5 CFR § 2635.704 (a) and (b)(1), Use of Government Property

  4. 5 CFR § 2635.705, Use of Official Time

  5. 5 CFR § 735.203, Conduct Prejudicial to the Government

  6. 5 CFR Part 3101, Supplemental Standards Of Ethical Conduct For Employees Of The Department Of The Treasury

  7. 31 CFR Part 0, Department Of The Treasury Employee Rules Of Conduct

  8. 31 CFR § 0.213, General Conduct Prejudicial to the Government

  9. Federal CIO Council, Recommended Executive Branch Model Policy/Guidance on "Limited Personal Use" of Government Office Equipment including Information Technology, May 19, 1999, (See http://www.cio.gov/documents/peruse_model_may_1999.pdf)

  10. Office of Management and Budget(OMB) Circular A-130, Appendix III, Security of Federal Automated Information Resources

  11. TD 81-01, Department of the Treasury Information Technology (IT) Manual

  12. TD 85-01, Department of the Treasury IT Security Program (See http://intranet.treas.gov/eitspa/documents/td85-01/)

  13. TD. 87-04, Personal Use of Government Information Technology Resources, dated December 21, 2005

  14. IRM 6.751.1, Discipline and Disciplinary Actions, Policies, Responsibilities, Authorities, and Guidance , Exhibit 6.751.1-1

  15. IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance

  16. IRM 10.8.2,Information Technology (IT) Security, IT Security Roles and Responsibilities


More Internal Revenue Manual