
10.8.30  Unisys Operating Systems Security Standards (Cont. 1)

10.8.30.5 
Technical Controls

10.8.30.5.2 
Access Control

10.8.30.5.2.4  (09-01-2007)
Manual User-id Revocation

  1. When an employee resigns, retires, transfers or changes his or her status within the organization so that system access is no longer required, the USA shall immediately disable or delete the user-id as appropriate and remove it from all accounts. If a user-id is disabled, the password shall also be changed.

10.8.30.5.2.5  (09-01-2007)
Demand Session @Run Card

  1. The Run Image for individual users shall always be System Generated.

  2. The project-id shall always be the same as the user-id and shall be restricted to that user-id only.

  3. The account may be user entered. The USA shall specify an alternate Run-id in accordance with local standard operating procedures.

  4. The Run Image for System user-ids shall be based on the functionality required by that user-id.

  5. The USAs shall grant exceptions to these rules based on firm, on-going functional requirements. These exceptions are subject to review by the Systems Administrator and ACIO, Cybersecurity and shall be documented and kept on file.

10.8.30.5.2.6  (09-01-2007)
Screen Warning Banner

  1. The Office of Chief Counsel, Public Contracts and Technology Law (memo dated November 15, 2000) advised the Service to standardize the screen-warning banner for all computer systems.

  2. See IRM 10.8.1 for Warning Banner Requirements.

10.8.30.5.2.7  (09-01-2007)
Automatic Terminal Logoff

  1. Changing the terminal time-out parameter during a session shall not be permitted. The automatic session logoff (Terminal Timeout) parameter shall be set to terminate or lock out a user session after 15 minutes of inactivity.

  2. When a user session is logged off, the communications line shall be dropped.

  3. Handicapped employees shall have a longer time-out period where necessary to support their individual needs, but it shall not exceed 60 minutes. This situation shall be documented, kept on file and revalidated whenever a new manager is assigned or a new domain is installed.

  4. The FTP bulk transfer user-id’s timeout period shall be determined locally but shall not exceed 15 minutes.

10.8.30.5.3  (09-01-2007)
Audit and Accountability

  1. System audit requirements are specified in IRM 10.8.1 and IRM 10.8.3. Specific audit procedures applicable to the Unisys mainframe system environment are listed below.

  2. Audit trails shall be reviewed as specified in the IT system security plan. The audit trail shall contain at least the following information:

    1. Identity of each user-id associated with the event and/or device

    2. Time and date access occurred

    3. Type of event or activities that threaten to modify, bypass, or negate IT security safeguards

    4. Result of the event and security-relevant actions associated with processing.

  3. Unisys audit trails shall be protected from modification, unauthorized access and destruction.

  4. Unisys audit trails shall be recorded and retained in accordance with TD P 80-05, Records and Information Management Program.

10.8.30.5.3.1  (09-01-2007)
Duties

  1. Personnel assigned auditing duties (i.e. Security Specialists) shall log, analyze, and report to the responsible managing official all security incidents (e.g., repeated unauthorized access attempts to files or resources) in accordance with the IT Security Roles and Responsibilities Policy.

10.8.30.5.3.2  (09-01-2007)
Required Privileges for Auditing

  1. The individual(s) assigned system auditor duties shall have privileges needed to read the various log files. These privileges are defined in the Unisys Access Standard Profile Matrix.

  2. The USA shall provide read access to, or read-only copies of, other files as requested by the Auditor. Personnel assigned audit responsibilities shall themselves be audited by the USA.

10.8.30.5.3.3  (09-01-2007)
Audit/Security Reports

  1. The USA or designated alternate shall be responsible for the timely distribution of the reports to authorized reviewers.

10.8.30.5.3.3.1  (09-01-2007)
Violations Report

  1. The Violations Report shows unsuccessful access to any files or resources protected by the Unisys Security System. It also shows other security related events. This report is generated weekly.

  2. The Violations Report shall be distributed to the manager(s) of those users who appear on the report. The manager receiving the report shall review it, determine whether corrective action is necessary, indicate any activity that was not a true security violation, sign the report and return it to the USA within 10 working days (30 calendar days if the report is mailed off-site).

  3. The System Auditor shall also review this report regularly. The System Auditor shall also request documentation of the manager’s determination and corrective actions taken for violations that the System Auditor judges to be significant.

  4. If the signed Violations Report is not returned to the USA within 10 working days of the report (30 calendar days if the report is mailed off site), the USA shall e-mail the responsible manager’s immediate supervisor indicating that the report is overdue. The USA shall disable the user-id of the users on the report until the signed report is returned.

10.8.30.5.3.3.2  (09-01-2007)
Super-User Access Reports

  1. This report shows the file accesses of users with "Trusted Privileges" (see Exhibit 10.8.30-3).

  2. This report is generated daily and shall be analyzed and reviewed by the System Auditor, or the DSA/DBA manager or both to determine whether unauthorized activities were taken by these users.

10.8.30.5.3.3.3  (09-01-2007)
Taxpayer Data Accesses Reports

  1. Successful accesses to files that are likely to contain taxpayer data shall be recorded in the log file. Reports shall be generated on an as-needed basis.

10.8.30.5.3.3.4  (09-01-2007)
File Transfers/FTP Reports

  1. The FTP Report shows FTP activity that is likely to be unauthorized.

  2. Operations shall generate this report on a regular basis.

  3. The FTP Report shall be reviewed and analyzed for inappropriate activity by the System Auditor and/or other designated Computing Center staff.

10.8.30.5.3.3.5  (09-01-2007)
Ad Hoc Reports

  1. Ad Hoc reports shall be requested by Functional Managers, Internal Auditors, IS Executives, ACIO Cybersecurity, or external oversight organizations (e.g. GAO).

  2. These reports shall be generated using vendor software (e.g. LA reports, MFDRPT reports, ZIP and DMP).

  3. Security violations or unauthorized accesses to taxpayer data indicated on these reports shall be handled in the same manner as the other violation reports.

10.8.30.5.3.3.6  (09-01-2007)
Security System Audit Reports

  1. These reports are dumps of the security related information used by the operating system. These dumps are formatted and loaded into an Excel list for analysis.

  2. These reports shall be generated by the USA per request.

10.8.30.5.3.4  (09-01-2007)
Retention and Protection of Security Reports and Disk/Tape Backups

  1. All Unisys Security Reports shall be maintained in an appropriate security container as defined in IRM 10.8.1.

  2. Retention and destruction of the Violation reports shall meet the IRM 10.8.1 requirements for Records Management and Disposition of Records.

10.8.30.5.3.5  (09-01-2007)
Referral of Unauthorized Activity

  1. If the Systems Auditor, designated official, or USA encounters any unauthorized activity that significantly impacts or threatens to impact system integrity, the situation shall be immediately reported to IRS’ Computer Security Incident Response Center (CSIRC) and first-line manager.

  2. CSIRC will work with local Area Security Managers and site management to determine the severity or significance of the security incident.

  3. Incidents shall be reported using any of the following methods:
    a. On-line reporting contact information

    • CSIRC Portal: http://www.csirc.web.irs.gov/

    • E-mail: csirc@csirc.irs.gov


    b. Telephonic reporting information

    • (866) 216-4809 (toll-free)

    • (202) 283-4809 (local)

    • (202) 283-0345 (FAX)

  4. Refer to the Cybersecurity "Computer Security Incident Reporting Procedures" for more information.

  5. Action shall be taken to minimize any identified vulnerability. Other questionable activities shall be referred immediately to the appropriate management official.

10.8.30.5.4  (09-01-2007)
System and Communications Protection

  1. IRS Unisys systems shall use the Security Option 1 feature, the Security Option 3 – Controlled Access Protection Environment configuration settings, Mandatory Access Clearance Levels and the policies stated in this IRM to satisfy this requirement.

  2. Unisys Security shall be implemented and maintained on IRS systems to provide:

    • Only explicitly granted access;

    • Conformance with least privilege principle;

    • Assurance that access to data and resources are granted on a need-to-know basis.

10.8.30.5.4.1  (09-01-2007)
Subsystem Parameters

  1. Individual users shall not have System Control Designators, Process Privileges, Access Privileges or Subsystem Sharing Levels. DBA/DSAs on all systems and selected (by the site USA) systems programmers on the MADS/SAT/FIT/TST systems are excluded from this restriction.

10.8.30.5.4.2  (09-01-2007)
Account Parameters

  1. The account security parameters shall be set in accordance with Exhibit 10.8.30-2.

10.8.30.5.4.3  (09-01-2007)
Quota Set Parameters

  1. Quota sets define the maximum system resources a run can use, type of run, and time of day the run can execute. Quota sets at the IRS shall not be used to control for time of day.

  2. The name of a quota set shall be 1-6 characters in length. Each partition shall have at least 2 quota sets, one for production called PROD and one for other users. The USA shall develop other quota sets as needed. These quota sets shall be named according to local standards.

    • The PROD quota set is used for production and shall have all quota privileges, configuration bits set, bypass features turned on, limitations disabled, and unlimited access to all removable drives, tape drives and VTH drives. The PROD quota set shall only be attached to the PROD and other system/non-human user-ids.

    • The USA shall develop other quota sets for users. The purpose of these sets shall ensure that demand users do not interfere with production and that system resources are shared among all users.

    • The USA shall consider the potential for adverse impact on Operations and other users when developing these quota sets.

    • The USA shall seek advice from Operations, SSD and/or Mission Assurance and Security Services in questionable situations. The Unisys Matrix controls some of the settings.

    • The USA shall document for auditing purposes, the reasons for having other settings. In general, these quota sets shall not have the Deadline privilege set or access to tape drives, VTH drives and removable disk drives for periods longer than a typical shift period.

    • Access to removable disk drives shall only be granted when the user needs access to the data base container files.

10.8.30.5.4.4  (09-01-2007)
File Protections

  1. Mandatory Access Controls (MAC) and Discretionary Access Controls (DAC) control access to files. On the IRS Unisys systems, MAC means Clearance Levels and DAC means an Access Control Record (ACR) and/or Public/Private access list and Read/Write mode. The owner of the file determines what MAC and DAC are attached to their files.

  2. All data files on any system containing taxpayer data shall be protected by an ACR or the Private access list. All other Sensitive But Unclassified (SBU) data files or data files necessary to perform tax processing on the Production systems shall be protected by an ACR or the Private access list.

  3. Exception: Data Base and VTH containers. These files shall be kept on removable disk packs and shall not be protected by an ACR. They shall be protected by Quota restrictions on access to removable disk packs.

10.8.30.5.4.4.1  (09-01-2007)
File Ownership

  1. All data files on the Production systems that are used in tax processing shall be owned by the PROD user-id or a system user-id.

  2. All system files (both vendor and IRS specific) on the Production systems shall be owned by the PROD user-id or a system user-id.

  3. On all other systems, the user who creates the initial cycle of a file shall be the owner of the file who is responsible for the security of that file. The user’s manager shall assume this responsibility when a user’s status or job function changes and the user is removed from the system.

10.8.30.5.4.4.2  (09-01-2007)
Clearance Levels

  1. All data files containing taxpayer data shall have a clearance level of 31 on all systems.

  2. All other Sensitive but Unclassified data or data files needed to perform tax processing on the Production systems shall have a clearance level of 31.

  3. All system processors and associated configuration files shall have a clearance level of 0. All files that shall be read/execute only to the general user community (e.g. SOFT*LIB, the system log) shall be at a clearance level of 0.

  4. Program development and test data files on the ADS shall have a clearance level of 30.

  5. Other files may be placed in any of the other clearance levels. To the extent possible, these files (e.g. transmittal files, automation files, scheduler files, external auditor files, etc.) shall be placed at clearance levels that reduce their users' need for access to the 31 and 0 clearance levels.

10.8.30.5.4.4.3  (09-01-2007)
Access Control Records

  1. Each system shall have a default ACR named PROD that is owned by the PROD user-id. This ACR may be attached to files owned by the PROD user-id and in many cases shall provide appropriate protection for production files.

  2. To prevent UNAX and other unauthorized accesses, this ACR shall prohibit read access of files by non-privileged users, grant read/write/delete access to the CSA staff and grant read access to other selected Operations staff.

10.8.30.5.4.4.4  (09-01-2007)
Use of Tax Payer Data for Testing

  1. IRM 2.5.16 specifies the procedures for using live data for testing.

  2. Testers and their managers shall justify and document their need for the data using the specified forms and checklists. Testers shall also use taxpayer data to resolve work stoppages or other production related problems without obtaining a waiver; the ITAMS ticket (or its successor) takes the place of the waiver.

  3. The tester shall be responsible for protecting live data during testing and no testing shall be performed in the production operating environment.

  4. All taxpayer data used for testing and all files derived from that data shall be kept at a clearance level of 30 and shall be protected by an ACR that limits access to the data to the testers. The copies of the taxpayer data shall be deleted from the system at the end of the waiver period or when the ITAMS ticket is closed.
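A check of the file-protection rules in 10.8.30.5.4.4 through 10.8.30.5.4.4.4 (ACR/Private list, clearance levels 31/30/0, the container exception, Production ownership and the test-copy rules), written here as an added Python example that is not IRS or Unisys code; the catalogue field names, the SYSTEM_USERIDS set and the sample file names are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

TAXPAYER_LEVEL = 31   # taxpayer data, and Production SBU / tax-processing files
TEST_DATA_LEVEL = 30  # ADS development/test files and test copies of taxpayer data
SYSTEM_LEVEL = 0      # processors, configuration files, SOFT*LIB, the system log
SYSTEM_USERIDS = frozenset({"PROD", "SYSOPS"})  # constructed: treated as system user-ids

@dataclass
class CatFile:
    """One catalogued file; the field names are assumptions for this example."""
    name: str
    owner: str
    clearance: int                    # MAC: clearance level
    acr: Optional[str] = None         # DAC: name of the attached ACR, if any
    private: bool = False             # DAC: on the Private access list
    taxpayer_data: bool = False
    tax_processing_sbu: bool = False  # other SBU data or needed for tax processing
    system_file: bool = False
    container: bool = False           # data base or VTH container (ACR exception)
    test_copy: bool = False           # copy of taxpayer data made for testing
    on_production: bool = True

def check_file(f: CatFile) -> List[str]:
    """Return the rule violations for one file; an empty list means compliant."""
    v: List[str] = []
    has_dac = f.acr is not None or f.private
    if f.container:
        # Exception: containers sit on removable packs guarded by quota, not an ACR.
        if f.acr is not None:
            v.append("container file shall not carry an ACR")
        return v
    if f.test_copy:
        if f.on_production:
            v.append("no testing in the production environment")
        if f.clearance != TEST_DATA_LEVEL:
            v.append(f"test copy at level {f.clearance}, expected {TEST_DATA_LEVEL}")
        if f.acr is None:
            v.append("test copy requires an ACR limited to the testers")
        return v
    if f.taxpayer_data or (f.tax_processing_sbu and f.on_production):
        if not has_dac:
            v.append("requires an ACR or the Private access list")
        if f.clearance != TAXPAYER_LEVEL:
            v.append(f"level {f.clearance}, expected {TAXPAYER_LEVEL}")
    if f.system_file and f.clearance != SYSTEM_LEVEL:
        v.append(f"system file at level {f.clearance}, expected {SYSTEM_LEVEL}")
    if f.on_production and (f.tax_processing_sbu or f.system_file) \
            and f.owner not in SYSTEM_USERIDS:
        v.append(f"owned by {f.owner}; Production files belong to PROD or a system user-id")
    return v

def audit(files: List[CatFile]) -> Dict[str, List[str]]:
    """Map each non-compliant file name to its list of violations."""
    return {f.name: probs for f in files if (probs := check_file(f))}

# Constructed sample catalogue; these are not real IRS file names.
SAMPLE = [
    CatFile("TP*RETURNS", "PROD", 31, acr="PROD", taxpayer_data=True, tax_processing_sbu=True),
    CatFile("TP*EXTRACT", "JSMITH", 31, taxpayer_data=True),       # public, no ACR
    CatFile("SYS*CONFIG", "PROD", 31, system_file=True),            # should be level 0
    CatFile("DB*CONTAINER", "PROD", 31, acr="PROD", container=True),
    CatFile("TEST*TPCOPY", "JSMITH", 30, acr="TESTERS", test_copy=True, on_production=False),
]

if __name__ == "__main__":
    for name, probs in audit(SAMPLE).items():
        print(f"{name}: " + "; ".join(probs))
```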

10.8.30.5.4.4.5  (09-01-2007)
Electronic File Transfers

  1. All file transfers to or from the Production system shall be approved in advance.

  2. FTP shall be replaced with secure alternatives, per IRM 10.8.1. Replacement programs for FTP, such as Secure Shell (SSH) or other IRS approved utilities, shall implement session encryption to meet the transmission integrity and transmission confidentiality objectives of NIST Special Publication 800-53.

10.8.30.6  (09-01-2007)
Deviations

  1. Deviations from this policy shall be submitted in accordance with IRM 10.8.1 and use Form 13125, as described in the deviation Standard Operating Procedures (SOPs).

  2. Refer to IRM 10.8.1 for additional information.

Exhibit 10.8.30-1  (09-01-2007)
Appendix A. Operational System Tag Settings

Item No. | Function | Dynamic/Static | Tag Name | Tag Setting
1 | Accounting Logs | accntg_class_logged | LOGACCTON | TRUE
2 | Automatic Tape Labeling | automatic_tape_labeling | TLAUTO | TRUE
3 | Log Boot Events | boot_event_class_logged | LOGBOOTEVTON | TRUE
4 | Log Communication Files | comm_file_class_logged | LOGCOMFILEON | TRUE
5 | COMPOOL is disabled | compool_disabled | CMPDIS | TRUE
6 | Log System console messages | console_class_logged | LOGCONSOLEON | TRUE
7 | Use Version 4 tape labels | create_pre_version4_tape | TLPRE4 | TRUE
8 | Max # of Days a user can have a password before it expires | default_max_days_password | MAXPASSDAY | Refer to IRM 10.8.1
9 | Min # of Days Before user can change password | default_min_days_password | MINPASSDAY | 5 (superseding IRM 10.8.1)
10 | Default Tape Expiration | default_tape_expiration | TFEXP | 7
11 | Delay sign on solicitation | delayed_sign_on_solicitation | DELAYSOL | TRUE
12 | Abort/Crash if LOG AT unavailable | exerr_054_for_alat | ALATXR | TRUE
13 | Files Private by Account | files_private_by_account | SSPBP | FALSE
14 | Log Fixed Mass Storage Activity | fixed_ms_file_class_logged | LOGFIXMSON | TRUE
15 | EBCDIC Tape Label Support | ebcdic_tape_labels | TLEBCDIC | 0
16 | Log Hardware Errors | hardware_error_class_logged | LOGHDWRERRON | TRUE
17 | Log File Header | log_file_hdr_class_logged | LOGFILEHDRON | TRUE
18 | Allow Machine Generated Passwords | machine_generated_passwords | MACHGENPASS | FALSE
19 | Max # of sign-on Attempts | max_sign_on_attempts | MAXATMP | Refer to IRM 10.8.1
20 | Min Password Length | min_password_length | MINPASSLEN | Refer to IRM 10.8.1
21 | NPE Control | npe_control | NPECTRL | 1
22 | No Operator Query For Undefined Account | operator_assist_undef_account | RESTRICT | TRUE
23 | Allows read write keys on owned files | owned_file_read_write_keys | OWNEDRWKEY | FALSE
24 | Log Performance Monitor Events | performance_class_logged | LOGPRFORMON | TRUE
25 | Userid Quota Enforcement Is On | quota_enforcement_by_userid | USERON | TRUE
26 | Catalogued File Enforcement | quota_enforcement_for_cat_files | CATON | FALSE
27 | Set QUOTLevel | quota_level | ACCTON | 4
28 | Residue Clear | residue_clear | RESDUCLR | FALSE
29 | Security label verification on Tapes | security_disable_object | SSDSOB | FALSE
30 | Security Officer Userid | security_officer | SECOFFDEF | MASTER
31 | Privileges/Accesses are checked at time of request | sentry_control | SENTRY | TRUE
32 | Log File Clearance Level is System High | srsf_sys_high | SRFHGH | FALSE
33 | Turn On Start/Fin Stamp Code | start_fin_stamp | SFTIMESTAMP | TRUE
34 | Controls enforcement of subsystem entry point protection | subsystem_entry_protection | SSPROTECT | TRUE
35 | Log System History | system_history_class_logged | LOGSYSHISTON | TRUE
36 | Tape Access Restricted by Account | tape_access_restrict_by_account | TPOWN | FALSE
37 | Privileged Account to read tape label | tape_labeling_privileged_account | PRIVAC | 001234
38 | Tape Volume Security Level | tape_volume_security_level | TVSL | 0
39 | TIP File Security Is On | tip_file_security | TFSEC | TRUE
40 | TIP Message Security Is On | tip_message_security | TMSEC | TRUE
41 | Trace Log Entries | trace_class_logged | LOGTRACEON | TRUE
42 | Verification of Userids & Passwords at sign on | tss_control | TSS | TRUE
43 | Allow Non-EXEC Log Entries | user_class_logged | LOGUSERON | TRUE
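A compliance check of a captured tag dump against this exhibit, added here as a Python example that is not IRS or Unisys code; the "TAG VALUE" dump format and the sample values are constructed assumptions, and the baseline below is a subset of the table above with the "Refer to IRM 10.8.1" entries reported for manual review.

```python
import re
from typing import Dict, Optional

# Subset of the Exhibit 10.8.30-1 baseline: tag name -> required setting.
# None marks a setting the exhibit defers to IRM 10.8.1; the script reports
# the observed value for a person to check rather than judging it itself.
BASELINE: Dict[str, Optional[str]] = {
    "LOGACCTON": "TRUE", "TLAUTO": "TRUE", "LOGBOOTEVTON": "TRUE",
    "CMPDIS": "TRUE", "MAXPASSDAY": None, "MINPASSDAY": "5", "TFEXP": "7",
    "SSPBP": "FALSE", "MACHGENPASS": "FALSE", "MAXATMP": None,
    "MINPASSLEN": None, "RESTRICT": "TRUE", "OWNEDRWKEY": "FALSE",
    "USERON": "TRUE", "RESDUCLR": "FALSE", "SECOFFDEF": "MASTER",
    "SENTRY": "TRUE", "SSPROTECT": "TRUE", "TSS": "TRUE",
    "TFSEC": "TRUE", "TMSEC": "TRUE",
}

# Constructed dump in an assumed "TAG VALUE" line format (not real Unisys output).
SAMPLE_DUMP = """\
# tag settings captured from a test partition (constructed)
LOGACCTON    TRUE
TLAUTO       TRUE
LOGBOOTEVTON TRUE
CMPDIS       FALSE
MAXPASSDAY   90
MINPASSDAY   5
TFEXP        7
SSPBP        FALSE
MACHGENPASS  TRUE
RESTRICT     TRUE
OWNEDRWKEY   FALSE
USERON       TRUE
RESDUCLR     FALSE
SECOFFDEF    MASTER
SENTRY       TRUE
SSPROTECT    TRUE
TSS          TRUE
TFSEC        TRUE
"""

def parse_dump(text: str) -> Dict[str, str]:
    """Parse 'TAG VALUE' lines into a dict; '#' comments and blank lines are skipped."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Z][A-Z0-9_]*)\s+(\S+)", line)
        if m:
            settings[m.group(1)] = m.group(2).upper()
    return settings

def compare(settings: Dict[str, str], baseline=BASELINE) -> Dict[str, object]:
    """Classify every baseline tag as ok, mismatch, missing or deferred."""
    result = {"ok": [], "mismatch": {}, "missing": [], "deferred": {}}
    for tag, required in baseline.items():
        actual = settings.get(tag)
        if actual is None:
            result["missing"].append(tag)          # not present in the dump at all
        elif required is None:
            result["deferred"][tag] = actual       # value governed by IRM 10.8.1
        elif actual != required.upper():
            result["mismatch"][tag] = (actual, required)
        else:
            result["ok"].append(tag)
    return result

if __name__ == "__main__":
    r = compare(parse_dump(SAMPLE_DUMP))
    for tag, (actual, required) in r["mismatch"].items():
        print(f"MISMATCH {tag}: is {actual}, policy requires {required}")
    print("missing:", r["missing"], "deferred to IRM 10.8.1:", r["deferred"])
```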

Exhibit 10.8.30-2  (09-01-2007)
Appendix B. Account Parameter Settings

  1. The account security parameters shall be set as follows:

Parameter | Setting | Accounts
Maximum Real Time Level | 2 | XXPROD and 001234 accounts
Maximum Real Time Level | Mar-35 | DBA/CPE/CSA/SSD accounts
Maximum Real Time Level | 0 | all other accounts (not allowed)
Maximum Priority Allowed | A | XXPROD and 001234 accounts
Maximum Priority Allowed | M | all other accounts
Maximum SUAs Allowed | Maximum values | all accounts
Default Priority Allowed | A | XXPROD and 001234 accounts
Default Priority Allowed | M | all other accounts
Quota Set Name | PROD | XXPROD accounts
Quota Set Name | the quota set that most of the users of the account have | all other accounts
Account Usage Can Exceed Maximum Allowed SUAs | * (allowed) | all accounts
Deadline Jobs Allowed Under This Account | * (allowed) | XXPROD accounts
Deadline Jobs Allowed Under This Account | blank (not allowed) | all other accounts

Exhibit 10.8.30-3  (09-01-2007)
Appendix C. Definitions of Unisys Specific Security Tags

  1. The following information is extracted from various Unisys Manuals, the ODB, and IRS local code to the Operating System and may change slightly as SSD upgrades or updates the Unisys Operating System.

  2. Console Modes and Keyin Groups

    1. Console Mode controls what unsolicited Operator Keyins a user can enter from a demand session. The Operator Keyins are categorized into Keyin Groups, which can be used to limit the accesses granted by the Console Mode. Each mode builds on the one before it:

    • Basic Console Mode lets the user manipulate or request information on their run or any other run started by or controlled by their user-id.

    • Limited Console Mode grants users access to the Basic Console Mode Keyins and many of the status keyins.

    • Full Console Mode grants users access to all the non Read-and-Reply keyins.

    • Display Console Mode grants users access to the Full Console Mode Keyins and displays the Message Group console traffic.

    • Response Console Mode grants users access to respond to Read-and-Reply console messages as well as all the features of the Display Console Mode.

    2. The following table shows the Operator keyins available by Console Mode and Keyin Group. The function of each keyin is explained in detail in EXEC System Software Operations Reference Manual – 7831-0281.

    Keyin Group | Description | Basic | Limited
    CMBRLD | Common Bank Reload | |
    COMMUN | Communications | | TM
    DATKEY | Date Keyin | D | D
    DEBUGS | System Debug | |
    DEVCNT | Device Control | |
    GENSTA | General Status | MU | MU, FS, SS
    LOGGIN | System Logging | LG | LG
    MSGREC | Remote Console Msgs | |
    MSTCNT | Mass Storage Control | |
    PRFANL | Performance Analysis | |
    RNCNT1 | Run Process Control | CS, E, RM | CS, E, RM
    RNCNT2 | Run Termination | |
    RNCNT3 | Checkpoint/Restart | |
    RUNSTA | Run Status | RC | BL, RC, T
    SECURI | Security Keyins | |
    SYMCTL | Symbiont Control | SX, SQ | SQ, SX
    TIPGRP | TIP Keyins | | TIP

  3. Message Groups

    1. Message Groups control the type of messages displayed on a user’s demand terminal when that user’s console is in Display or Response Mode. Similar types of console messages (called Message Classes) are grouped together in the ODB to create the Message Group. The following table lists the IRS Message Groups and their associated Message Classes.

    Message Group | Types of Console Messages (Message Classes)
    COMMSG | Communications messages
    HDWCON | Hardware confidence, Online maintenance, Disk prep messages
    IOMSG | Disk error messages, Disk service messages, Facility prescan messages, Mass storage availability messages, Mass storage error messages, Onsite card reader messages, Onsite card punch messages, Onsite printer messages
    RSIMSG | Remote symbiont interface (RSI) messages
    SYSMSG | Audit trail, step control messages, Checkpoint/restart messages, Common bank messages, Run status messages, Security messages, Transition unit status messages, Miscellaneous (time/date, and so on)
    TAPEMG | Tape error messages, Tape mount messages, Tape service messages
    TIPMSG | TIP messages
    USER4 | Reserved for specific site Ad Hoc applications
    USER5 | Reserved for specific site Ad Hoc applications
    USER6 | Reserved for specific site Ad Hoc applications
    USER7 | Reserved for specific site Ad Hoc applications
    CALNxx | Restrict Messages to ALN xx

  4. Quota Tags

    1. The following is a list of Quota Resource Limits, Quot