10.2.8  Incident Reporting

10.2.8.1  (09-30-2008)
Purpose

  1. This IRM provides policy and guidance to be used by IRS personnel and organizations when reporting physical security incidents to the Situation Awareness Management Center (SAMC).

10.2.8.2  (09-30-2008)
Overview

  1. The Tax Administration System is of vital importance to the economy of the United States; as such, its protection must be assured at all times. In order to provide adequate response measures, it is necessary to develop sound incident reporting procedures that will ensure immediate and effective response to physical incidents. At a minimum, incidents and emergencies that shall be reported include any situation or condition in or around an IRS facility that could deny access, cause harm to employees or damage to IRS facilities and property.

  2. Proper and timely incident reporting helps afford leadership the capability to make operational decisions on how to best respond to physical incidents and/or emergency situations, reducing the effects of threats to IRS personnel, facilities, and property.

10.2.8.3  (09-30-2008)
Scope

  1. A key aspect of incident management is the timely reporting of significant conditions or situations. Prompt reporting of physical security incidents is essential in order to advise all levels of management of conditions that affect the operation of the Service as well as to allow analysis of current information. Trends or patterns detected as a result of the analysis will assist in the development of effective countermeasures to minimize the effects of future disruptions.

  2. Incident reporting provides the IRS Situation Awareness Management Center (SAMC) information upon which to base incident reports and warnings.

  3. This IRM provides guidance on reporting physical security incidents and significant conditions or situations to appropriate authorities and a process for recording incidents.

10.2.8.4  (09-30-2008)
Authority

  1. Treasury Directive, TD P 85-01, Treasury Cyber Security Program, November 3, 2006

  2. TD P 85-01, Appendix G, (TCIO M 08-02, Attachment 1), Department of the Treasury Incident Response Guidelines and Procedures, January 29, 2008

10.2.8.5  (09-30-2008)
Roles and Responsibilities

  1. The Director, Physical Security and Emergency Preparedness (PSEP) is designated as the coordinator of all emergency and significant incident related information. All significant incidents, unusual situations, potential incidents or situations affecting or which may affect the operations of the Service will be reported as quickly as possible to SAMC and the Physical Security and Emergency Preparedness Staff.

  2. The SAMC shall promptly report all significant incidents and emergencies, and incidents that result in the need to respond to inquiries from Treasury or the news media to the Watch Commanders (WCs) so that they may be kept apprised of situations that could require their immediate assistance and/or attention, that of the Commissioner, Chief, Agency-Wide Shared Services (AWSS), Director, Physical Security and Emergency Preparedness, and/or other Service Executives.

  3. Managers and/or their designated representatives, as well as all employees, should be familiar with the physical security incident and emergency reporting procedures.

  4. The local PSEP Territory Manager shall provide managers and designated officials a list of officials and phone numbers for reporting incidents at their location. The list should include appropriate authorities such as Federal Protective Services, Criminal Investigation, Treasury Inspector General for Tax Administration (TIGTA), physical security office, etc. This list shall be updated at least annually or more frequently, if necessary, to maintain accuracy.

  5. Incidents involving the disclosure of tax information or of Privacy Act information shall also be reported to the local Disclosure Officer.

10.2.8.6  (09-30-2008)
Notification and Response

  1. Local procedures shall be developed at all facilities for notification of appropriate authorities for response (e.g., Federal Protective Services, local authorities, Criminal Investigation, etc.). Incidents shall also be immediately reported to the appropriate Senior Commissioner’s Representative or Designated Official. As soon as the incident is under control (that is, appropriate emergency response personnel have been notified and the safety of employees is assured), managers or their designated representative will report the incident to the SAMC and the local Physical Security office. For those offices located in a Postal Service building, the Postal Inspector shall also be notified.

  2. All physical security incidents should be reported to the SAMC within 30 minutes of incident discovery. SAMC operates 365 days a year, 24 hours a day, seven days a week. Incidents may be reported to the SAMC through any of the following methods:

    1. By telephone at 202-283-4809 or (toll free hotline) 866-216-4809

    2. By fax at 202-283-0345

    3. By E-mail at samc@irs.gov, or

    4. By Web site, through the use of the Physical Security Incident Reporting Form at https://www.csirc.web.irs.gov/physical/

  3. Threats against, or assaults upon, employees should also be reported to the Office of Treasury Inspector General for Tax Administration (TIGTA), which has responsibility for investigating these incidents. If an employee is assaulted in an IRS office, a report of the incident should be prepared so established protective measures may be reviewed to determine any needed changes.

10.2.8.7  (09-30-2008)
Types of Incidents

  1. At a minimum, the following types of incidents shall be reported to the SAMC:

    • Bomb threats

    • Explosions/Bombings

    • Demonstrations

    • Civil disturbances

    • Arson/Fire

    • Utility disruption or failure

    • Sabotage

    • Terrorist/enemy activity/attacks

    • HAZMAT (Hazardous Material)

    • Burglaries

    • Robberies

    • Destruction or loss of significant documents (includes Personal Identifiable Information)

    • Natural disasters

    • Receipt of information of terrorist activities

    • Assaults upon IRS employees

    • Suspicious packages that result in site evacuation or notification of local authorities

    • Service facility closing due to security related incidents, natural disaster, weather conditions, significant utility disruption, etc.

    • Compromise or possible compromise of classified National Security Information

    • Loss or thefts of IT equipment

    • Threats against IRS employees

    • Exercises and/or drills to include fire, shelter-in-place (SIP), and Continuity Planning

    • Natural disasters

    • Unusual weather conditions

    • Vehicle accidents

    • Housebreakings (resulting in the theft of IRS property)

    • Thefts (includes non-IT equipment)

    • Any criminal activity not already identified

10.2.8.7.1  (09-30-2008)
Significant Incidents

  1. Every effort should be made to report all incidents as quickly as possible. Significant incidents shall be immediately reported (via phone) to the SAMC. NOTE: Any incident requiring the evacuation or closing of a Service facility is considered Significant.

  2. The following incidents, by their nature, are considered Significant and will require immediate response actions as well as Executive Level notification. These incidents include, but are not limited to:

    • Bomb threats

    • Explosions/Bombings

    • Demonstrations directed at the Service or which disrupt Service activities

    • Civil disturbances

    • Arson/Fires (causing evacuation or significant damage)

    • Utility disruption or failure

    • Sabotage

    • Terrorist/enemy activity/attacks

    • HAZMAT

    • Robberies

    • Destruction or loss of significant documents (includes Personal Identifiable Information)

    • Natural disasters

    • Receipt of information of terrorist activities

    • Assaults upon IRS employees

    • Suspicious packages that result in site evacuation or notification of local authorities

    • Service facility closing due to security related incidents, natural disaster, weather conditions, significant utility disruption, etc.

    • Compromise or possible compromise of classified National Security Information

  3. There may be incidents that do not fall strictly within the above parameters, but which may be considered sensitive or high profile. When there is doubt as to whether an incident should or should not be reported, the incident should be reported and the SAMC will consult with the Watch Commander for guidance. For further guidance on incident reporting, refer to Exhibit 10.2.8-1, SAMC Incident Reporting Matrix. This exhibit provides examples of reportable incidents. This list of incidents is not all inclusive but will help provide a basis for determining which incidents should be reported.

  4. When reporting significant incidents to the SAMC and to the local Physical Security and Emergency Preparedness office, at a minimum, the following information shall be provided:

    • time and date of incident

    • name of facility/office

    • address of facility/office

    • details of what occurred (who, what, when, where, how, and if possible why)

    • who was notified (FPS, local authorities, etc.)

    • whether facility is a Federal or commercial building

    • whether IRS is the primary Federal tenant

    • approximate number of IRS employees affected

    • whether facility has been evacuated or closed

Exhibit 10.2.8-1  (09-30-2008)
Incident Report Matrix

SAMC INCIDENT REPORTING MATRIX

| INCIDENT | REPORT (Y/N) |
|---|---|
| Any incident or event leading to the death of a taxpayer (heart attack, assault, natural causes, etc.) | Y |
| Any incident or event leading to the death of an employee (heart attack, assault, natural causes, etc.) | Y |
| Non-IRS employee automobile accident adjacent to, but not on, IRS property. | N |
| Any incident or event leading to the injury of a taxpayer | Y |
| Any incident or event leading to the injury of an employee. | Y |
| Any vehicle accident on IRS property, includes GSA/CI vehicles. | Y |
| Facility evacuation drills; includes annual fire, SIP, and Continuity Planning drills. | Y |
| Loss of or significant damage to critical infrastructures, including facilities and systems of all types. | Y |
| Weather related facility closures or early dismissals | Y |
| Weather related damages to IRS property (hurricanes, tornadoes, lightning strikes, etc.) | Y |
| Real world events/incidents causing facility evacuations. | Y |
| Protestors and/or gathering outside of IRS property | Y |
| Flooding of IRS property | Y |
| Thefts on IRS property | Y |
| Thefts of IRS property from employee’s residence | Y |
| Threats from a taxpayer | Y |
| Threats from an employee | Y |
| Loud taxpayer on IRS property (upset but not disruptive). | Y |
| Disruptive taxpayer on IRS property | Y |
| Loss of government property (with or without TP data) | Y |
| Assaults, muggings, robberies on IRS property. | Y |
| Assaults, muggings, robberies not on IRS property, i.e., transit to parking lot not under IRS control. | Y (if IRS employee is/are involved) |
| Quarrels in work spaces between employees, or between employee and manager leading to acts of violence and/or assault. | Y |
| Power outages, includes outages resulting from natural weather events | Y |
| Events requiring the completion of an incident report | Y |
| Theft of a Lockbox | Y |
| Business interruptions of 30 minutes or longer | Y |
| Incidents or events that may attract media interest | Y |
