10.2.2  Physical Security Compliance Reviews

Manual Transmittal

May 02, 2013

Purpose

(1) This transmits revised Internal Revenue Manual (IRM) 10.2.2 Physical Security Compliance Reviews. It replaces IRM 10.2.2, dated October 21, 2011.

Material Changes

(1) The removal of text approved but not changed in the last updated revision.

Effect on Other Documents

This supersedes IRM 10.2.2 dated October 21, 2011

Audience

Servicewide

Effective Date

(05-02-2013)

Signed by Norris L. Walker
Director, Physical Security and Emergency Preparedness

10.2.2.1  (09-26-2008)
Scope

  1. The Service has established minimum physical security standards and requirements for which Service managers and employees are responsible. Periodic program assessments provide security personnel and management officials with information helpful in determining the effectiveness and appropriateness of existing security guidelines.

  2. Compliance Reviews are a means of assessing implementation and compliance of security program standards and requirements in the National Office, area offices, posts of duty, submission processing and computing centers. These assessments will help determine the effectiveness and appropriateness of existing procedures and requirements as well as define areas for future security program emphasis.

10.2.2.2  (10-21-2011)
Responsibilities

  1. The Chief, Agency-Wide Shared Services, is authorized to prescribe Compliance Reviews for use within the IRS. The Director, Physical Security and Emergency Preparedness, is responsible for oversight of the planning, developing, implementing, evaluating, and controlling of this IRS Program. The Associate Director, Risk Management Operations and Policy, is responsible for planning, developing, implementing, evaluating, and controlling this IRS Program.

10.2.2.3  (10-21-2011)
Compliance Reviews

  1. At a minimum, Compliance Reviews of processing and computing center facilities will be conducted every two years (or more frequently if circumstances warrant ie., major renovations or relocations). Compliance Reviews will also be performed every two years at off-site campus locations that perform Receipt and Control and submission processing type functions. The reviews may be staggered over a two calendar year period in order to minimize the impact on staffing. Compliance Reviews of all other offices will be conducted every three years (or more frequently if circumstances warrant). Physical Security and Emergency Preparedness Territory personnel will conduct on-site visits of their posts of duty and campus, submission processing/computing center facilities, including all off-site facilities. In addition, Compliance Reviews should be performed within six months of occupying new facilities.

  2. A Compliance Review may be warranted more often then every two/three years if:

    1. There has been a change in location or major renovation (offices or functional areas have relocated).

    2. There has been a significant change in the mission of the businesses/organizations at the site.

    3. There has been a significant change in procedures/processing (new procedures, whether security procedures or operational procedures with potential security implications).

    4. There has been a change in significant incidents (a serious incident or a trend of incidents indicating a need for adjustment to existing procedures or review of security procedure implementation).

  3. Security personnel conducting on-site visits will utilize sampling techniques to the maximum extent possible. Emphasis will be placed on known or suspected areas of weakness in the security program in the particular office or functional area.

  4. A duty-hours review is conducted in an office or functional area during working hours to determine if proper security procedures are in place and followed: such as protection and control of padlocks, keys, IDRS passwords and entry codes, and to ensure that restricted areas are properly occupied during breaks and lunch. Compliance with local identification card requirements should also be measured during this review.

  5. An after-hours review is conducted during non-working hours to determine that documents, property, and monies are properly secured when not under the direct and continuous supervision of authorized personnel. This includes both before and after work, when offices or areas may not be occupied.

    1. In preparation for an after-hours review, security personnel will make arrangements with the appropriate management officials to obtain approval for the date, time and place of the review. Officials should be cautioned not to alert employees of the date and time of the review.

    2. Security personnel will invite an official of the function(s) to be reviewed and/or designated management official to participate in the review.

    3. Security personnel will coordinate with appropriate facility personnel, if necessary, to ensure that arrangements have been made for keys for access to the buildings, rooms, or areas to be reviewed; that any intrusion detection systems have been turned off/on as necessary; and that police, security or guard force personnel are aware of the expected arrival and departure times of the review team members.

    4. During an after-hours review, team members will not: force or pick any locks; conduct penetration tests or use subterfuge to gain entry to a guarded building or area; or, open any mail or mail bags or any other sealed items.

    5. During an after-hours review, team members will : if possible, secure any cabinets and/or doors found open that should be locked; document both adequate and inadequate security measures observed during the review; consider the use of Form 9374 (formerly Document 6041), Notice of Results of Security Inspections; and, secure any document that is receiving less than the required level of protection.

  6. A follow-up review is conducted to determine the effectiveness of corrective actions taken on findings from after-hours and duty-hours reviews and functional reviews. If serious deficiencies are identified, a follow-up review should be conducted within 90 days of completion of the initial review.

  7. At the conclusion of the review, the review team should meet with upper management (or their designated representative) to discuss the findings and recommended corrective actions. In addition, time frames for completing and reporting corrective actions should be determined.

  8. A compliance review file should be maintained for each facility and should contain copies of reports of security reviews (i.e., Risk Assessments, last Compliance Review, TIGTA reviews, audit findings etc.) and any other information that can be used to assist in preparing for the review. The content of these reports should be considered in planning the Compliance Review.

10.2.2.4  (09-26-2008)
Review Criteria

  1. In order to provide a uniform and consistent review process, at a minimum, the following criteria will be used in conducting compliance reviews:

    • Perimeter Security

    • ID Media/Card Keys/Keys

    • Document Security

    • Incident Reporting

    • Security Awareness

    • Occupant Emergency Plan (OEP)

    • Business Resumption Plan

10.2.2.5  (10-21-2011)
Review Report

  1. Compliance review reports will be prepared in narrative form and will follow the format in Exhibit 10.2.2-1. The report will emphasize past problem areas or areas of suspected program weakness, as well as successes or particularly effective measures devised to deal with security problems. The Compliance Review can be performed in conjunction with the Risk Assessment utilizing the FSR automated tool.

  2. At a minimum, the completed report will be submitted to the Territory Manager for review and once approved a copy will be posted on the Risk Assessment and Compliance Review SharePoint Site and an e-mail notification will be sent to the Risk Management Operations and Policy Program Owner.

Exhibit 10.2.2-1 
Compliance Review Report

COMPLIANCE REVIEW REPORT
COMPLIANCE REVIEW FACILITY BACKGROUND
Office and Address: START HERE AND INSERT ADDRESS. TAB TO GO TO THE NEXT FIELD OR DOUBLE CLICK ON THE SHADED FIELD.
Building Number: DOUBLE CLICK HERE AND INSERT BUILDING NUMBER
Date of This Report: DOUBLE CLICK HERE AND INSERT DATE
Date of Review: DOUBLE CLICK HERE AND INSERT DATE
Date of Last Review: DOUBLE CLICK HERE AND INSERT DATE
Reviewer(s) Name and Phone Number: DOUBLE CLICK HERE AND INSERT THE REVIEWER'S NAME AND PHONE NUMBER
Copies of Report sent to: Territory Manager Attn: DOUBLE CLICK HERE AND INSERT NAME DOUBLE CLICK HERE AND INSERT ADDRESS
  Click here and select one from the drop down list: Compliance Review Coordinator Attn: DOUBLE CLICK HERE AND INSERT NAME DOUBLE CLICK HERE AND INSERT ADDRESS
  Security and Emergency Programs Division Attn:
  Office Reviewed Attn: DOUBLE CLICK HERE AND INSERT NAME
COMPLIANCE REVIEW REPORT
Reason for Review: Click here and select one from the drop down list:
Description of Site: (Commercial/Federal Building, number of employees housed at site, facility security level, co-located with other Federal agencies/commercial businesses, IRS primary tenant, square footage, number of floors, floors occupied by IRS): DOUBLE CLICK HERE AND INSERT DESCRIPTION
Security Guard Force
(Submission Processing/Computing Centers/IRS Facilities where IRS is COTR for Guard Contract):
a. Do all guards receive proper training (certification and use of firearms, use of surveillance equipment, disclosure, post orders, etc., in accordance with IRM 10.2.12) 0Yes 0No. DOUBLE CLICK HERE AND INSERT DETAILS
b. Have post orders been developed for each guard post (brief, written in simple terms, understandable and current)? DOUBLE CLICK HERE AND INSERT DETAILS
c. Do post orders provide procedures on alarm response 0Yes 0No and are guards familiar with response procedures? 0Yes 0No DOUBLE CLICK HERE AND INSERT DETAILS
d. Do guards demonstrate a working knowledge of post orders? 0Yes 0No DOUBLE CLICK HERE AND INSERT DETAILS
e. How frequently are alarms and responses tested? 0Annually 0Quarterly 0Monthly 0Weekly 0Daily 0Other (explain) When was the last test and what was the response time, in accordance with IRM 10.2.12? DOUBLE CLICK HERE AND INSERT DETAILS
f. Do incident reports prepared by the guards contain relevant, objective information (who, what, when, where, why)? 0Yes 0No DOUBLE CLICK HERE AND INSERT DETAILS
Perimeter Security:
a. Provide a description of the current building security (e.g. guards (contract, how many posts, hours), CCTV/alarms (who monitors and responds-- guards, private security company, FPS, local police), magnetometers/x-ray equipment (who operates and what training has been provided) Is screening of all visitors and/or all employees required? 0Yes 0No Is a visitor register used? 0Yes 0No Is visitor register reconciled at end of each work day? 0Yes 0No Are visitor/contractor badges issued? 0Yes 0No Is there after-hours access 0Yes 0No and if so how is it controlled? DOUBLE CLICK HERE AND INSERT DETAILS
b. Is parking provided at facility 0Yes 0No and is it controlled? 0Yes 0No If so, how is parking controlled (guard, access card, etc.)? Is a parking setback in place? 0Yes 0No If so, how many feet? DOUBLE CLICK HERE AND INSERT DETAILS
c. Provide a description of the interior security (office space design description, type of locks/electronic access control systems, and identify where installed, alarms (IDS- door contacts/motion/glass break, duress), after-hours access, cleaning personnel (daytime or after hours access?), etc.): DOUBLE CLICK HERE AND INSERT DETAILS
d. How is visitor/contractor access into work area controlled and monitored (reception area, viewing window in door, intercom)? What is the policy for vendor/maintenance personnel/visitor access (visitor register, escort only, etc.)? Are visitor/contractor badges issued? DOUBLE CLICK HERE AND INSERT DETAILS
e. Is there verification that an NBIC background investigation has been conducted before authorizing a contract employee unescorted access in a work area? 0Yes 0No. If yes, explain verification process. If no NBIC background investigation is verified, is the contract employee escorted at all times while in the work area? 0Yes 0No DOUBLE CLICK HERE AND INSERT DETAILS
f. Are there restricted or controlled areas at this facility? 0Yes 0No DOUBLE CLICK HERE AND INSERT AREAS If there is a restricted/controlled area, how is the area secured (cipher locks, card readers)? What controls are in place to monitor access to restricted area (monitor at entrance, electronic access, register, badge exchange for visitors)? How is ID media maintained (security cabinet, desk)? Are employees and visitors issued the appropriate ID card (restricted area designator)? 0Yes 0No DOUBLE CLICK HERE AND INSERT DETAILS
ID Media / Card Keys / Keys:
a. Have ID cards been issued to all employees 0Yes 0No and do employees wear ID cards properly when in Service facilities/work areas? 0Yes 0No What procedures are followed when an employee forgets/loses their ID card? If employees have not been issued Photo ID cards, what procedures are in place to facilitate the requirement that all employees must wear ID card in Government Space? DOUBLE CLICK HERE AND INSERT DETAILS
b. Are employees aware of their responsibility to safeguard ID cards (do not allow others to use card/do not leave ID card in view unattended INSTRUCTIONS TO REVIEWER: ASK RANDOMLY SELECTED EMPLOYEES AND OBSERVE EMPLOYEE BADGE WEARING)? 0Yes 0No Are employees aware of the requirement to immediately report lost or stolen ID cards? 0Yes 0No How are these policies communicated to employees? DOUBLE CLICK HERE AND INSERT DETAILS
c. Is a record maintained on the issuance of keys/key cards? 0Yes 0No If so, how are records maintained (custody receipt, automated file, other) and where are records maintained? DOUBLE CLICK HERE AND INSERT DETAILS Who is responsible for issuance of keys/key cards? DOUBLE CLICK HERE AND INSERT NAME OR TITLE Are periodic reviews being conducted to reconcile records? 0Yes 0No If so when was the last review conducted? DOUBLE CLICK HERE AND INSERT DETAILS
d. Has a procedure been established for recovery of ID cards/key cards (an employee separates, transfer, etc.)? 0Yes 0No Briefly describe the procedure and identify the responsible official. DOUBLE CLICK HERE AND INSERT DETAILS
e. Is there a procedure in place to control removal of property from the office (e.g. log, etc.)? 0Yes 0No Who is designated to approve removal of equipment? Is there a periodic review of procedures? Who has responsibility for ensuring equipment accountability? DOUBLE CLICK HERE AND INSERT DETAILS
f. Are combinations to locks changed when the safe or lock is originally received; at least once each year; when an employee who knows the combination retires, resigns, transfers or no longer has a need to know; or, if the combination is compromised? 0Yes 0No Who is responsible for ensuring that combinations are changed and what mechanism is in place to ensure combinations are changed and to record date of changes? DOUBLE CLICK HERE AND INSERT DETAILS
Document Security:
a. Provide a description of the types of documents (tax returns, personnel records, etc.) maintained in work area. Are documents maintained in container commensurate with level of sensitivity? Are employees aware of the need to protect sensitive information against inadvertent disclosure when visitors/maintenance personnel/vendors are in work area? Do employees secure sensitive information whenever it is not in the direct control of an authorized employee? How is the policy communicated to employees? DOUBLE CLICK HERE AND INSERT DETAILS
b. Are sensitive documents disposed of as required by Manual procedures (give description, i.e. shredded, burn bag)? 0Yes 0No If waste is recycled, are appropriate procedures in place to safeguard sensitive information (describe procedures--how is waste containerized until picked up by vendor? DOUBLE CLICK HERE AND INSERT DETAILS Where necessary, has a safeguard review been conducted of the vendor facility, was the review documented, and are requirements documented and in place for safeguarding waste material when being transported to vendor facility)? DOUBLE CLICK HERE AND INSERT DETAILS
c. Is a clean desk policy in place? 0Yes 0No If so, how is the clean desk policy administered and communicated to employees? DOUBLE CLICK HERE AND INSERT DETAILS
d. Does management periodically review work area to ensure that the clean desk policy is followed; that laptops are secured, mail is secured, that containers are being locked, that keys to containers are secured and not left out or left in unlocked desk drawers, and that offices are being secured at the end of the day? 0Yes 0No How are these reviews documented? DOUBLE CLICK HERE AND INSERT DETAILS Was an after hours review conducted as part of the compliance review? 0Yes 0No What were the results? DOUBLE CLICK HERE AND INSERT DETAILS
Incident Reporting:
a. Is there a designated official at each site responsible for reporting incidents? 0Yes 0No Is there a procedure in place for reporting incidents? 0Yes 0No What is the procedure? DOUBLE CLICK HERE AND INSERT DETAILS Are employees aware of this procedure? 0Yes 0No
b. Is there a list of names and phone numbers of individuals (e.g., FPS, Physical Security, Inspection, etc.) to contact when an incident occurs? 0Yes 0No Is the list of contacts kept current? When was the last time the list was updated? DOUBLE CLICK HERE AND INSERT DETAILS
c. Are incidents being reported to CSIRC? 0Yes 0No DOUBLE CLICK HERE AND INSERT DETAILS
Security Awareness:
a. Is there a security awareness program in place? 0Yes 0No How often are security awareness sessions conducted? When was the last security awareness session? What means are used to communicate security awareness (staff meetings, posters, memorandums, etc.)? DOUBLE CLICK HERE AND INSERT DETAILS
b. Are new employees given a security awareness orientation within the first week of employment? 0Yes 0No Does the orientation include the employee's responsibility for safeguarding information, documents and property with which they are entrusted? 0Yes 0No Does the orientation cover employee's responsibility for following established security procedures (including local procedures)? 0Yes 0No Does the orientation cover special security requirements unique to their area of responsibility? 0Yes 0No Who conducts the security awareness orientation? DOUBLE CLICK HERE AND INSERT DETAILS
Occupant Emergency Plan (OEP):
a. Is there an Occupant Emergency Plan in place 0Yes 0No, and when was it last updated? DOUBLE CLICK HERE AND INSERT DETAILS
b. Who has primary responsibility for the Plan (IRS, other)? DOUBLE CLICK HERE AND INSERT DETAILS
c. Has the OEP been shared with employees 0Yes 0No and are emergency procedures periodically reviewed with employees? 0Yes 0No When was the last review? When was the OEP last tested (i.e. evacuation drill, shelter in place drill)? DOUBLE CLICK HERE AND INSERT DETAILS
d. Are the Shelter in Place supplies checked regularly (at least annually) to make sure the supplies are adequate and not expired? 0Yes 0No Are the batteries still good for the radios and flashlights? 0Yes 0No When were they last checked? DOUBLE CLICK HERE AND INSERT DETAILS
Business Continuity Plan:
a. Is there a Business Continuity Plan in place 0Yes 0No, and when was it last updated? DOUBLE CLICK HERE AND INSERT DETAILS
b. Where is the Business Continuity Plan maintained? DOUBLE CLICK HERE AND INSERT DETAILS
Other Areas Reviewed (not covered above):
DOUBLE CLICK HERE AND INSERT DETAILS
a. Describe security measures, initiatives or corrective actions that have been implemented since the last review. DOUBLE CLICK HERE AND INSERT DETAILS
b. Describe security weaknesses identified in this review. DOUBLE CLICK HERE AND INSERT DETAILS
Recommended Corrective Actions and Proposed Completion Date:
DOUBLE CLICK HERE AND INSERT DETAILS

More Internal Revenue Manual