10.8.8  Live Data Protection

10.8.8.1  (08-31-2010)
Purpose

  1. The IRS shall develop, disseminate, and review/update a formal, documented Live Data Protection policy, annually, that addresses the following:

    • Purpose

    • General Policy

    • Management Controls

    • Operational Controls

    • Technical Controls

    • Deviations/Exceptions

    • Glossary (Exhibit 10.8.8-1)

  2. The IRS shall develop, disseminate, and review/update procedures to facilitate the implementation of the Live Data Protection, and associated Live Data Protection controls, annually.

    1. The Live Data Protection policy and procedures shall be consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

    2. Live data protection shall be developed for the Live Data Protection policy in general, and for a particular IRS information system, when required.

    3. The IRS organizational risk management strategy is a key factor in the development and implementation of the Live Data Protection policy.

10.8.8.1.1  (08-31-2010)
Overview

  1. The requirements of applicable disclosure and security laws, and the requirements within this IRM shall be met before live data can be used.

  2. The use of live data is prohibited without approval from the Office of Privacy, Information Protection, and Data Security (PIPDS). PIPDS may delegate certain assurance processes to business units, such as validating the need to use live data, approving employees' or contractors' access, approving sanitized data techniques or plans, and approving the use of live data for research. Such delegated activities will be defined in the PIPDS Live Data Protection Guide.

10.8.8.1.2  (08-31-2010)
Scope

  1. This manual establishes policy for the protection of live data. Live data are primarily unmodified, non-sanitized data (e.g., electronic, hardcopy) extracted from taxpayer files that identify specific individual or corporate taxpayers. See the Glossary for a complete definition of live data.

  2. The provisions in this manual apply to all offices, business, operating and functional units within the IRS, and are to be applied when live data are used to accomplish the IRS mission. This manual also applies to individuals and organizations having contractual arrangements with the IRS, including employees, contractors, vendors, and outsourcing providers which use or operate IT systems containing IRS live data.

10.8.8.1.3  (08-31-2010)
Authority

  1. IRC § 7213A, Taxpayer Browsing Protection Act of 1997 IRC language (UNAX);

  2. Treasury Directive 85-01, Department of Treasury Information Technology (IT) Security Program; and

  3. IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance, establishes the IT security policy framework for the IRS.

10.8.8.2  (08-31-2010)
General Policy

  1. The use of live data is strictly prohibited without approval from the Office of Privacy, Information Protection and Data Security (PIPDS).

  2. Live data shall be used only when other alternatives, such as sanitized live data or synthetic data, cannot be used to complete a business process or other assigned official duties.

10.8.8.2.1  (08-31-2010)
Roles and Responsibilities

  1. IRM 10.8.2, Information Technology (IT) Security Roles and Responsibilities, defines IRS-wide roles and responsibilities related to IRS information and computer security and is the authoritative source for such information.

  2. The supplemental requirements provided below are specific to live data protection. Refer to IRM 10.8.2 for additional information regarding organizational and individual responsibilities related to information and computer security.

  3. The Office of PIPDS is responsible for the implementation of this IRM. This includes identifying the live data request process (request forms, submission, review, approval, compliance requirements, etc.). The Office of PIPDS may delegate certain assurance activities within the live data request process to the information owner (e.g., Authorizing Official (AO)).

  4. The AO of the application that owns the requested live data shall be responsible for its protection. However, if the AO of the application is not the information owner, the information owner is responsible for the protection of live data in accordance with this policy. The AO and/or the information owner are responsible for assessing the risk of a live data request.

  5. The Office of PIPDS is responsible for final approval of the Live Data Request; the authorizing official or the information owner is to work closely with PIPDS to mitigate any risks noted as unacceptable.

  6. Managers shall review and update the access privileges of personnel authorized to use live data at least semi-annually or more frequently as determined by the Office of PIPDS.

    1. Managers shall ensure access to live data is limited to those who have been approved via the live data request process and procedures.

10.8.8.2.2  (08-31-2010)
Requests for Live Data

  1. Requests for unsanitized or sanitized live data shall include appropriate documentation that demonstrates prior consideration for synthetic data.

  2. Live data requests shall:

    1. be submitted to the Office of PIPDS; and

    2. be submitted in accordance with the direction set forth in the Office of PIPDS Live Data Protection Guide.

  3. All requests for live data shall at a minimum:

    1. provide a detailed description/justification for the live data request;

    2. provide a justification for why live data must be used in lieu of sanitized live data or synthetic data;

    3. include a plan for the creation of synthetic data for future use or identify why only live data can be used for specified purpose(s);

    4. detail the security risks associated with the use of the live data being requested in addition to proposed mitigation strategies;

    5. provide a list of personnel who will have access to the data; and

    6. see the Office of PIPDS Live Data Protection Guide for additional guidance.

  4. The use of live data for the purpose of classroom training is prohibited.

    1. Live data may be used by managers during one-on-one on-the-job training of an employee, if the training is in compliance with the UNAX policy and procedures.

10.8.8.3  (08-31-2010)
Management Controls

  1. The IRS shall implement management security controls around the use of live data to mitigate risk of electronic and hard copy information loss in order to protect the organization’s mission. See IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance for general information and computer security management control requirements.

10.8.8.3.1  (08-31-2010)
Risk Assessment

  1. Use of live data shall not be approved without an assessment of risk.

    1. The AO of the application that owns the data or the information owner shall be responsible for conducting an assessment of risk prior to submitting live data requests to the Office of PIPDS.

    2. Refer to IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance for additional information regarding risk assessments.

  2. Managers shall verify that employees and/or contractors are complying with the requirements of this IRM and the Office of PIPDS Live Data Protection Guide by performing a self-assessment to ensure any live data are being handled and accessed appropriately.

    1. For any business unit in which live data are used, managers shall ensure a live data compliance self-assessment is conducted mid-way through the period of the request in accordance with the PIPDS Live Data Protection Guide.

10.8.8.3.2  (08-31-2010)
Data Selection

  1. First consideration for data shall be given to synthetic data.

    1. Synthetic data does not require approval by management under the procedures in this IRM.

    2. The use of live data shall only be considered when it is impossible to create effective synthetic data.

  2. Sanitized live data shall be used when synthetic data cannot be used. Sanitized live data shall be requested, approved, protected, and disposed of in accordance with the Office of PIPDS Live Data Protection Guide.

  3. Live data shall only be requested when synthetic or sanitized live data cannot be used. Unsanitized live data must be requested, approved, protected, and disposed of in accordance with IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance and the Office of PIPDS Live Data Protection Guide.

  4. When requesting use of live data, the requestor shall ensure that the least amount and types of data needed to accomplish the task are selected and used. Data that is not needed for the requested purpose shall not be used and may not be accessed.

10.8.8.4  (04-03-2009)
Operational Controls

  1. The IRS shall implement operational security controls which are primarily implemented and executed by personnel for each information system. See IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance for general information and computer security operational control requirements.

10.8.8.4.1  (04-03-2009)
Personnel Security

  1. All individuals occupying positions where responsibilities include live data usage shall meet the established security criteria for those positions in accordance with IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance.

10.8.8.4.2  (08-31-2010)
Physical and Environmental Protection

  1. Managers shall ensure a physical security review has been conducted in accordance with IRM 10.2.2, Physical Security Program, Physical Security Compliance Reviews.

  2. Protect live data in accordance with IRM 10.2.15, Minimum Protection Standards, when not in use.

10.8.8.4.3  (08-31-2010)
Media Protection

  1. All outputs shall be protected while in use and destroyed by approved means when no longer required. Refer to IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance for additional detail on data protection and disposal.

  2. Sanitization and disposal of live data output shall be in accordance with the requirements detailed in IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance and IRM 2.7.4, Modernization and Information Technology Services (MITS) Operations, Magnetic Media Management.

10.8.8.4.3.1  (08-31-2010)
Sanitization

  1. Sanitization of live data or creation of synthetic data shall be the objective for data usage. When feasible, after first use of live data, synthetic data shall be created.

    1. Prior to the expiration of a live data request, efforts shall be taken to create synthetic data if it is foreseen that usage of data is still needed after the request expires.

  2. The sanitization technique(s) utilized shall be dependent on risk. Format, size and structure of the live data are secondary factors that can be taken into consideration when selecting a sanitization technique. Some examples of possible sanitization techniques are nulling out, masking data, substitution, shuffling records, number variance, gibberish generation, encryption and decryption.

  3. Sanitization shall occur each time a test database is refreshed from production.
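As an added illustration (not IRS or PIPDS code, and not taken from the Live Data Protection Guide), the script below applies several of the techniques listed above to the fields the glossary in Exhibit 10.8.8-1 says sanitized live data must at a minimum alter (names, TINs, addresses and zip codes), and ends with the kind of check a refresh from production would run to confirm no original identifying value survived. The records, the key and the pseudonym scheme are all constructed assumptions; how much of a field to keep is the risk decision paragraph 2 describes.

```python
import hashlib
import hmac
import random

# Constructed extract: every value below is fictional, not real taxpayer data.
LIVE_RECORDS = [
    {"name": "Jane Doe", "tin": "123-45-6789", "address": "12 Elm St", "zip": "90210", "agi": 48200},
    {"name": "John Roe", "tin": "987-65-4321", "address": "7 Oak Ave", "zip": "10001", "agi": 61500},
    {"name": "Acme Corp", "tin": "12-3456789", "address": "1 Main Rd", "zip": "60601", "agi": 250000},
]
DEMO_KEY = b"constructed-demo-key"  # assumed: a secret held by the information owner, not shipped with the data

def pseudonym_digits(key, value, n):
    """Substitution: keyed, repeatable digits, so the same input always maps to the same pseudonym."""
    digest = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return str(int(digest, 16))[:n]

def substitute_tin(key, tin):
    """Substitution that keeps the SSN (3-2-4) or EIN (2-7) hyphen layout, so format checks still pass."""
    digits = iter(pseudonym_digits(key, tin, sum(c.isdigit() for c in tin)))
    return "".join(next(digits) if c.isdigit() else c for c in tin)

def mask_zip(zip_code):
    """Masking: keep the 3-digit sectional prefix and replace the rest with X (a risk-based choice)."""
    return zip_code[:3] + "X" * (len(zip_code) - 3)

def vary_amount(rng, amount, pct=0.10):
    """Number variance: perturb a non-identifying figure by up to +/- pct."""
    return round(amount * (1 + rng.uniform(-pct, pct)))

def sanitize(records, key=DEMO_KEY, seed=0):
    """Apply one technique per field; seeded so a test-database refresh is reproducible."""
    rng = random.Random(seed)
    out = [{
        "name": "TAXPAYER-" + pseudonym_digits(key, r["name"], 6),  # substitution
        "tin": substitute_tin(key, r["tin"]),                        # substitution
        "address": None,                                             # nulling out
        "zip": mask_zip(r["zip"]),                                   # masking
        "agi": vary_amount(rng, r["agi"]),                           # number variance
    } for r in records]
    rng.shuffle(out)  # shuffling records: break row-order linkage back to the extract
    return out

def leaked_values(sanitized, live, fields=("name", "tin", "address", "zip")):
    """Refresh-time check: return any original identifying value still present in those fields."""
    originals = {str(r[f]) for r in live for f in fields}
    return [r[f] for r in sanitized for f in fields if str(r[f]) in originals]
```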

10.8.8.4.3.2  (08-31-2010)
Disposal

  1. Electronic stores of live data shall be deleted in accordance with data disposal requirements at the end of usage period.

  2. Live data output (including, but not limited to, extra copies of test cases, reports, photo impressions, printouts, computer tape printouts, carbon paper, notes, work papers, etc.) shall be destroyed in order to keep the information from being disclosed to unauthorized personnel.

    1. Paper data shall be destroyed through the use of paper shredders or burn boxes.

    2. Live data (i.e., sanitized or unsanitized) contained on any form of media shall be removed and/or destroyed by or in the presence of an IRS employee or contractor, who has approved access to the data, in such a manner that the information is totally unrecoverable.

    3. Destruction of taxpayer information shall be done in accordance with IRM 10.2.13, Physical Security Program, Information Protection.

    4. For additional guidance, refer to IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance and IRM 2.7.4, Modernization and Information Technology Services (MITS) Operations, Magnetic Media Management.

10.8.8.4.4  (08-31-2010)
Awareness and Training

  1. See training requirements as outlined in IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance.

10.8.8.5  (08-31-2010)
Technical Controls

  1. See IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance for general information and computer security technical requirements.

10.8.8.6  (08-31-2010)
Deviations/Exceptions

  1. Deviations/exceptions from this policy shall be submitted in accordance with IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance.

Exhibit 10.8.8-1 
Glossary

  1. Information Owner - Official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal.

  2. Live Data - Data (e.g., electronic, hardcopy) extracted from taxpayer files which identifies specific individuals or corporate taxpayers and is either sanitized or unsanitized. It includes sensitive information (i.e., SBU), which may include PII.

  3. Personally Identifiable Information (PII) - All taxpayer information or any combination of information that can be used to uniquely identify, contact, or locate a person. A specific type of sensitive and SBU information that includes the personal information of taxpayers, and the personal information of employees, contractors, applicants, and visitors to the IRS. Examples of PII include, but are not limited to:

    1. Name;

    2. Home address;

    3. Social Security number;

    4. Date of birth;

    5. Home telephone number;

    6. Biometric data (data created during a biometric process, such as height, weight, eye color, fingerprints, etc.); and

    7. Other numbers or information that alone or in combination with other data can identify an individual.

  4. Sanitized Live Data - Live data that has been altered after being extracted from production files to obscure the identity and location of the taxpayer (i.e., all PII removed). Sanitized live data must, at a minimum, involve changes to the following: taxpayer names, taxpayer identification numbers (TIN), addresses and zip codes.

  5. Sensitive But Unclassified (SBU) Information - Any information that requires protection due to the risk and magnitude of loss or harm to the IRS or the privacy to which individuals are entitled under 5 U.S.C. § 552a (the Privacy Act), which could result from inadvertent or deliberate disclosure, alteration, or destruction.

  6. Synthetic Data - Data that does not contain live data, however, imitates data as it appears in an actual taxpayer’s file and does not require the submission of a Live Data Request.

  7. Unsanitized Live Data - See definition for Live Data.

Exhibit 10.8.8-2 
References

  1. NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)

  2. TD P 85-01, Department of Treasury Information Technology Security Program

  3. The Office of Privacy, Information Protection, and Data Security (PIPDS) Live Data Protection Guide (see the Live Data Protection Program web page at http://irweb.irs.gov/AboutIRS/bu/pipds/pip/privacy/live_data/default.aspx)
