10.2.1  Physical Security

Manual Transmittal

April 06, 2012

Purpose

(1) This transmits revised Internal Revenue Manual (IRM) 10.2.1, Physical Security, The Physical Security Program, dated September 18, 2008.

Material Changes

(1) This IRM was updated to reflect the new Organizational and Position Titles.

(2) Revised Section 10.2.1.2 (6) -Title changed to Government Accountability Office Standards

(3) Revised Section 10.2.1.2 (10) - Title changed to Federal Information Security Management Act of 2002 (FISMA)

Effect on Other Documents

This supersedes IRM 10.2.1 dated September 18, 2008.

Audience

Servicewide

Effective Date

(04-06-2012)

Signed by Norris L. Walker
Director, Physical Security and Emergency Preparedness

10.2.1.1  (04-06-2012)
Purpose

  1. Provide the Internal Revenue Service (IRS) management and employees with standards and processes to protect IRS lives, property, assets and information.

  2. The IRS processes and maintains sensitive data such as:

    • private information of U.S. citizens,

    • financial information,

    • law enforcement information,

    • proprietary information, and

    • life and mission-critical information.

  3. Inadvertent or deliberate disclosure, alteration or destruction of this sensitive data poses such risk and high degree of harm that the Service must protect its information resources through

    • physical security,

    • data security, and

    • sensitive information and document handling procedures.

  4. Security procedures must also allow for access, use, disclosure and disposition of information in strict accordance with applicable laws, federal regulations, and Treasury Department directives.

10.2.1.2  (04-06-2012)
Authorities

  1. Authorities:

    1. Executive Order 12356, National Security Information

    2. The Privacy Act of 1974

    3. Tax Reform Act of 1976

    4. IRC 6103, 7213, 7217, and 7431

    5. Federal Managers' Financial Integrity Act of 1982 (FMFIA)

    6. Government Accountability Office Standards

    7. OMB Circular A–123 (Internal Control System)

    8. OMB Circular A–130 (Security of Federal Automated Systems)

    9. Treasury Security Manual 71–10

    10. Federal Information Security Management Act of 2002 (FISMA)

    11. National Institute of Standards and Technology (NIST) SP 800-65

10.2.1.3  (09-18-2008)
Directive

  1. Overriding principles of security in the Internal Revenue Service:

    • Every employee is responsible for security; annual briefings by Physical Security and Emergency Preparedness staff will familiarize employees with their individual responsibilities.

    • Access to sensitive information and restricted areas where sensitive information is maintained should be granted only on a need-to-know basis, determined by business unit management officials.

    • Managers and employees are responsible for providing reasonable security for all information, documents, and property entrusted to them.

  2. Established guidelines for minimum security standards allow flexibility to develop higher standards when needed to meet local situations. These guidelines can be found in the Physical Security Handbook and encompass:

    • security reviews,

    • crisis management,

    • ID media,

    • document security, and

    • minimum standards for safeguarding personnel, facilities, assets and property.

10.2.1.4  (04-06-2012)
Responsibilities

  1. The Chief, Agency-Wide Shared Services is authorized to prescribe the Physical Security Program for use within the IRS. The Director, Physical Security and Emergency Preparedness , is responsible for oversight of this IRS Program. The Director, Risk Management Operations and Policy , is responsible for planning, developing, implementing, evaluating, and controlling this IRS Program.

  2. The business unit executives, senior managers and Chief Counsel are responsible for an effective physical security program and reasonable and adequate security measures. Service officials and managers are responsible for the secure operation of the federal tax administration system and for taking actions to ensure adequate Occupant Emergency Plans, and Continuity Plans are established. These plans are essential to the Continuity of Operations, the prevention of loss of life, loss of property, and unauthorized disclosure of documents and information.

  3. PSEP Area Directors will ensure that PSEP Territory Managers are in compliance with Service policy and provide guidance, oversight, and help to client sites with the physical security program.

  4. PSEP Territory Managers plan, develop, implement, manage and evaluate physical security programs for their client sites, ensuring that Service policy and procedures are followed and that security measures meet established minimum security standards.


More Internal Revenue Manual