10.8.26  Laptop Computer Security Policy

Manual Transmittal

October 03, 2012

Purpose

(1) This transmits revised Internal Revenue Manual (IRM) 10.8.26, Information Technology (IT) Security, Laptop Computer Security Policy, and along with IRM 10.8.1, IT Security, Policy and Guidance, provides a service-wide strategy to protect IRS laptops and the sensitive information they contain.

Background

This IRM establishes policy to implement the minimum security controls required to safeguard Internal Revenue Service (IRS) laptop computers.

Material Changes

(1) Effective July 1, 2012, the Modernization and Information Technology Services (MITS) organization changed its name to IRS Information Technology (IT). All instances of MITS within this IRM have been updated to IRS Information Technology organization to reflect the change. (Link to IT website communication is: http://it.web.irs.gov/ProceduresGuidelines/ITNameChange.htm)

(2) The following sections have been updated or clarified with this version of policy:

  1. Purpose;

  2. Effect on Other Documents;

  3. Signature;

  4. IRM 10.8.26.1, Purpose;

  5. IRM 10.8.26.1.1, Overview;

  6. IRM 10.8.26.1.3, IRM Section Topics;

  7. IRM 10.8.26.1.4, Authority;

  8. IRM 10.8.26.2, General Policy;

  9. IRM 10.8.26.2.1.1 IRS Laptop Users;

  10. IRM 10.8.26.3.1, Risk Assessments;

  11. IRM 10.8.26.3.2, Sensitive Information;

  12. IRM 10.8.26.3.3, Security Assessment and Authorization;

  13. IRM 10.8.26.4, Operational Controls;

  14. IRM 10.8.26.4.1, Physical and Environmental Protection;

  15. IRM 10.8.26.4.1.1, Methods of Physically Securing Laptops;

  16. IRM 10.8.26.4.2, Travel;

  17. IRM 10.8.26.4.2.1, Transit Travel;

  18. IRM 10.8.26.4.2.2, Foreign Travel;

  19. IRM 10.8.26.4.3, Incident Reporting Requirements;

  20. IRM 10.8.26.4.4, Security Awareness and Training;

  21. IRM 10.8.26.4.5, Sanitization and Disposal;

  22. IRM 10.8.26.5, Technical Controls;

  23. IRM 10.8.26.5.1, Access Control;

  24. IRM 10.8.26.5.1.1, Remote Access;

  25. IRM 10.8.26.5.1.2, Laptop Usage in Public Locations/Use of Public Wi-Fi (new section);

  26. IRM 10.8.26.5.2, System Configuration;

  27. IRM 10.8.26.5.3, Encryption;

  28. IRM 10.8.26.5.4, Network Protection and Design;

  29. IRM 10.8.26.6, Risk-Based Decisions (RBD);

  30. Exhibit 10.8.26-1, Glossary; and

  31. Exhibit 10.8.26-2, References.




Effect on Other Documents

IRM 10.8.26 dated March 15, 2011, is superseded.

Audience

This IRM applies to all IRS employees, contractors, and volunteers assigned laptop computers.

Effective Date

(10-03-2012)

Terence V. Milholland
Chief Technology Officer

10.8.26.1  (10-03-2012)
Purpose

  1. The purpose of this IRM is to provide guidance for safeguarding IRS laptop computers and the sensitive data stored on those devices from loss, theft, breach, or compromise.

10.8.26.1.1  (10-03-2012)
Overview

  1. This IRM lays the foundation to develop, implement, and manage security for laptop computers within the IRS.

  2. As mobile (portable) devices, laptop computers are vulnerable to theft and to the loss of all data stored on them. Many theft rings operating today at airports, hotels, and other public places target laptops. The loss or theft of IRS computers places the information they contain at risk of loss, disclosure, or compromise. In addition, the use of laptops in public places (e.g., airports, restaurants, conferences, public transportation) presents a significant risk of unauthorized persons observing the information being processed. The use of a laptop to transmit information through public telecommunications networks also presents risks. Therefore, it is imperative that IRS employees, contractors, and volunteers adhere to all guidance provided within this policy to help protect IRS laptops, and the information contained on them, from these risks.

10.8.26.1.2  (10-03-2012)
Scope

  1. This IRM establishes policy to implement the minimum security controls to safeguard IRS laptop computers and the data stored on them.

  2. This IRM does not address operating systems that may be loaded on an IRS laptop. For the minimum security requirements specific to an operating system loaded on an IRS laptop, see the IRM for the relevant operating system (e.g., Windows, UNIX).

  3. This IRM applies to all IRS personnel, contractors, volunteers and visitors who enter IRS facilities or who have access to IRS information and information systems.

10.8.26.1.3  (10-03-2012)
IRM Section Topics

  1. This manual contains information on the following subjects:

    • Authority

    • General Policy

    • Management Controls

    • Operational Controls

    • Technical Controls

    • Risk-Based Decisions (RBD)

    • Glossary

    • References

10.8.26.1.4  (10-03-2012)
Authority

  1. IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance, establishes the security program and the policy framework for the IRS.

  2. The requirements within this IRM for laptop computers must comply with and supplement the security controls defined in IRM 10.8.1.

  3. In the event there is a discrepancy between this policy and IRM 10.8.1, IRM 10.8.1 has precedence, unless the security controls/requirements in this policy are more restrictive.

10.8.26.2  (10-03-2012)
General Policy

  1. Laptops that are connected to IRS networks or process IRS information shall comply with IRM 10.8.1 and the security requirements of those networks.

  2. Laptops are categorized as a portable electronic device (PED) with computing and communication (e.g., wireless, local area network (LAN)) capability, and shall comply with all IRM 10.8.1, Treasury Directive Publication (TD P) 85-01, Treasury Information Technology Security Program, and other related IRM policy requirements for PED and mobile processing devices.

  3. This IRM shall be evaluated a minimum of annually to ensure consistency with the IRS mission, functions, and associated laws, directives, regulations, and standards.

  4. IRS laptop users shall be responsible for the security of their laptop at all times.

  5. IRS laptop users shall never connect Personally Owned Equipment (printers, scanners, wireless devices, flash drives, etc.) to an IRS laptop.

    1. See the Personally-Owned and Other Non-Government Furnished Equipment section of IRM 10.8.1 for exceptions.

  6. IRS laptops shall not be used by anyone other than the person(s) to whom they are assigned.

    Note:

    The exception to this would be for IT personnel performing maintenance or repairs on the laptop.

  7. See IRM 10.8.40, Wireless Security Policy, for guidance related to the wireless capabilities (e.g., IEEE 802.11, Bluetooth, etc.) of laptops.

  8. IRS laptops shall be configured to prevent them from booting via a CD or thumb drive.

    Note:

    A privileged user authorized to perform a system recovery is exempt from this requirement.

10.8.26.2.1  (03-15-2011)
Roles and Responsibilities

  1. IRM 10.8.2, IT Security Roles and Responsibilities, defines service-wide roles and responsibilities related to IRS information and computer security, and is the authoritative source for such information.

  2. The supplemental requirements provided in this policy are specific to IRS laptop users.

10.8.26.2.1.1  (10-03-2012)
IRS Laptop Users

  1. IRS laptop users shall be responsible for ensuring the security of their assigned equipment.

  2. Managers of employees who have been assigned IRS laptops shall ensure their employees exercise due diligence in safeguarding these devices and the data they contain.

10.8.26.3  (03-15-2011)
Management Controls

  1. Management security controls mitigate risk of IT applications and electronic information loss in order to protect the organization's mission. See IRM 10.8.1 for general information and computer security management control requirements.

  2. Management controls specific to laptop security are provided below in the following areas:

    1. Risk Assessment

    2. Sensitive Information

    3. Security Assessment and Authorization

10.8.26.3.1  (10-03-2012)
Risk Assessments

  1. Risk assessments of laptops shall be conducted using this guide, IRM 10.8.1, and the security checklist of other pertinent IRMs (e.g., operating system, wireless).

    1. Deficiencies in conformance shall be documented in a risk assessment report and brought to the attention of the responsible Authorizing Official (AO).

  2. IRS laptops with wireless capabilities shall have the additional risks and mitigations associated with non-government facilities identified in the risk assessment.

  3. IRS laptops shall adhere to the requirements defined in the risk assessment section of IRM 10.8.1 and any relevant IRMs (e.g., the operating system installed).

10.8.26.3.2  (10-03-2012)
Sensitive Information

  1. IRS sensitive information (e.g., Sensitive But Unclassified (SBU), Controlled Unclassified Information (CUI), and Personally Identifiable Information (PII)) stored or processed on IRS laptops shall be protected with the same requirements as hard-copy paper documents (e.g., markings, distribution, destruction) and in accordance with the requirements defined within IRM 10.8.1. (TD P 15-71)

    1. All IRS laptops with Classified information shall be marked with the sensitivity level of the information they contain.

    2. Classified information shall only be processed, stored, or transmitted on an authorized laptop or system at or beyond the authorized sensitivity level.

  2. Sensitive information (e.g., SBU, CUI, PII) shall not be downloaded to a laptop’s hard drive or other portable media devices if the data is available, accessible, and utilizable on other systems. IRS laptops and other portable media shall only include sensitive data that is necessary for the user to perform their duties.

10.8.26.3.3  (10-03-2012)
Security Assessment and Authorization

  1. Laptops that store, process, or transmit IRS information shall:

    1. Be documented in a Security Assessment and Authorization (SA&A) package in accordance with IRM 10.8.1, TD P 85-01, Information Technology (IT) Security Program, and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems.

      Note:

      Each individual laptop does not need its own SA&A; however, each laptop configuration must go through the SA&A process and be documented in the package.

  2. The use of government-owned PEDs to process, store, or transmit IRS information shall be approved by the AO. (TD P 85-01 S-LP D.8)

10.8.26.4  (10-03-2012)
Operational Controls

  1. Operational controls specific to laptop security are provided below in the following areas:

    • Physical and Environmental Protection

    • Travel

    • Incident Reporting Requirements

    • Security Awareness and Training

    • Sanitization and Disposal

  2. See IRM 10.8.1 for general information and computer security operational control requirements.

10.8.26.4.1  (10-03-2012)
Physical and Environmental Protection

  1. At all times, laptop users shall do the following:

    1. Be responsible for the physical security of their laptop;

    2. Secure their IRS laptop when not in their possession;

    3. Never leave their powered-on laptop unlocked when it is not in their presence;

    4. Secure their laptop (e.g., cable lock, screen lock) from theft or tampering when located in facilities other than an IRS facility (e.g., home, office); and

    5. See the Methods of Physically Securing Laptops section in this IRM for guidance on securing IRS laptops.

      Note:

      The best preventative tip is to treat IT assets like cash.

  2. The IRS Physical Security organization shall develop and implement procedures for physical laptop security compliance.

  3. See the 10.2 Physical Security Program suite of IRMs and IRM 10.4.1, Physical Security Program, Managers Security Handbook, for additional physical security requirements.

10.8.26.4.1.1  (10-03-2012)
Methods of Physically Securing Laptops

  1. IRS laptop users shall secure their IRS laptops by utilizing the following:

    1. An IRS Information Technology organization-approved, IRS-issued cable lock; or

    2. A secured enclosure, such as a lockable cabinet or drawer.

      Note:

      Cable locks are not required, but highly recommended when working from home with an IRS laptop. However, when leaving your house, secure the laptop, and lock all doors and windows, along with turning on a home security system (if you have one).

  2. When using the cable lock, it shall be secured utilizing one of the following methods:

    1. Attach the cable lock to an immovable object or a large piece of furniture, so that the laptop cannot be removed from the area along with the furniture; and

    2. Attach the cable lock so that it cannot be removed without unlocking it (e.g., a cable looped under a desk leg can simply be slipped free without unlocking it).

  3. The IRS Information Technology organization shall develop and implement procedures for acquisition, implementation, and use of cable locks.

10.8.26.4.2  (10-03-2012)
Travel

  1. IRS laptops shall be kept under the direct control of the employees to whom they are assigned (e.g., never leave a laptop unattended when at a conference or training seminar).

  2. When traveling, all IRS laptop users shall take a cable lock with them so they can secure their IRS laptop in accordance with guidance provided in the Methods of Physically Securing Laptops section within this IRM.

  3. Never store a laptop or any IRS issued equipment in checked luggage while traveling.

  4. When traveling and the IRS laptop is not in use, it shall be physically secured in accordance with guidance provided in this IRM and IRM 10.2.1, The Physical Security Program.

  5. See the Remote Access section of this IRM for additional guidance on remotely accessing IRS networks while traveling.

10.8.26.4.2.1  (10-03-2012)
Transit Travel

  1. When in transit, IRS laptop users shall take all possible measures to maintain the security of their laptop.

  2. IRS laptop users shall shut down the laptop instead of placing it in sleep mode when transporting the laptop.

  3. See the 10.2 Physical Security Program suite of IRMs for additional guidance for securing a laptop while in transit travel.

  4. When in transit, IRS laptop users shall not use overhead bins or other common storage areas and should take all possible measures to maintain the laptop within their presence.

10.8.26.4.2.2  (10-03-2012)
Foreign Travel

  1. The use of a laptop to transmit information through public telecommunication networks presents potential vulnerabilities due to the susceptibility to eavesdropping and interception of the information transmitted. This is especially true because foreign telephone systems and networks may be owned or controlled by the host government. This allows the foreign government to easily monitor transmissions of selected U.S. corporations, government agencies and American citizens.

    1. Based on guidance from the Department of State, travelers should assume that all overseas telecommunications can be intercepted, recorded, organized into reports, and reviewed for intelligence purposes. Employees should be aware of the following:
      i. Intelligence agencies of third-party nations, terrorists, and criminals monitor electronic transmissions;
      ii. Government, business, and technical data obtained from U.S. citizens may be, and often are, provided to terrorists; and
      iii. Personal information obtained may be used for financial gain, political, or other malicious purposes.

      Note:

      IRS employees are encouraged not to bring a laptop overseas unless there is a compelling reason to do so. If a laptop is needed they should request a loaner laptop if time permits. The traveler should only load the files or cases they need overseas to minimize potential loss of data, if the laptop is lost or compromised. If a loaner laptop is not available they must put in a ticket to have the wireless capabilities of their own laptop disabled. The traveler must only connect via ERAP using a LAN cable. Connecting via a wireless network or through wired or wireless telephone connections is prohibited overseas.

    2. For the purpose of requirements pertaining to overseas or foreign (international) travel with an IRS laptop, the following apply: (TD P 85-01)
      i. The term “U.S.” refers to the United States, its possessions, and territories (including the Commonwealth of the Northern Mariana Islands (CNMI), the U.S. Virgin Islands, Guam, and Puerto Rico); and unless explicitly stated otherwise, this requirement does not apply for travel to Mexico or Canada.
      ii. Treasury personnel permanently stationed overseas are not considered foreign travelers for the purpose of this section.
      iii. For Treasury employees at U.S. diplomatic facilities abroad, U.S. Department of State requirements prevail for all IT security requirements in lieu of TD P 85-01.
      iv. The IRS Tax Attaché with responsibility for the country you are traveling to may advise you of further restrictions for bringing laptops within their jurisdiction.

  2. Written approval from the AO/Designated Accrediting Authority (DAA) or Business Unit Head, shall be obtained before an IRS laptop is taken overseas (outside the U.S.). (TD P 85-01 S-LPD.7)

    Note:

    This requirement is satisfied when the employee's BOD executive signs Section 4 of Form 1321, Authorization for Official Travel, approving travel with a laptop/PED.

  3. All laptops temporarily taken overseas shall adhere to the following requirements: (TD P 85-01 S-EC.9)

    1. Protected by a full-disk, IRS Information Technology organization-approved, Federal Information Processing Standard (FIPS)-validated encryption technology solution;

    2. All wireless capabilities, including but not limited to Wi-Fi, Bluetooth, and broadband cards, shall be disabled;

    3. Tamper-evident bags/seals/containers shall be used each time the laptop is left unattended (i.e., not under the direct and immediate control of a U.S. Government employee or authorized government contractor); and

    4. Any laptop not protected as described above shall not be reconnected to IRS systems or networks until sanitized. Transiting another country is excluded from this requirement, provided the laptop remains under the immediate control of the user.

      Note:

      Sanitizing the computer means wiping all data and programs from the computer hard drive. To avoid loss of data the traveler should back up their files to the “I” drive prior to travel.

  4. IRS laptops containing IRS information categorized as FIPS 199 High or Moderate shall not be connected to networks while outside the U.S., unless employing a separate hard drive or a secure partition (physical or virtual), with a separate operating system instance that contains no High or Moderate IRS information. (TD P 85-01 S-EC.18)

  5. Laptop hard drives or partitions that connect to a network while outside the U.S. shall not be connected to an IRS network at any time. (TD P 85-01 S-EC.19)

  6. Laptop batteries shall be removed and stored separately from the laptop when the device is left unattended (e.g., the user secures their laptop with a cable lock when they leave their hotel room). (TD P 85-01 S-EC.20)

    1. The battery shall also be removed if the laptop is within an audible range of sensitive conversations while overseas.

    2. Individuals with laptops whose battery cannot be removed shall request a loaner laptop prior to foreign travel.

  7. See the Remote Access section of this IRM, and IRM 10.8.1, for additional guidance on remotely accessing IRS networks while traveling.

  8. All users traveling outside North America or U.S. territories and protectorates shall contact the Large Business and International (LB&I) division, which is the approving organization for all foreign travel.

    1. See the LB&I web site for additional guidance and controls for foreign travel: http://lmsb.irs.gov/international/dir_treaty/eoi_overseas/intl_coordination/travel.asp

10.8.26.4.3  (10-03-2012)
Incident Reporting Requirements

  1. Any incidents regarding mishandling, tampering, or loss of a laptop (the loss of any IT hardware) with IRS information shall be a reportable security incident.

  2. All users shall report within one (1) hour after detection of any incidents of loss or mishandling of IRS laptops, to the IRS Computer Security Incident Response Center (CSIRC), their immediate supervisor, and the U.S. Treasury Inspector General for Tax Administration (TIGTA).

  3. For additional incident reporting guidance, please use the following resources:

    1. IRM 10.2.8, Incident Reporting, and

    2. The IRS CSIRC, Cyber Incident Reporting Procedures, at http://www.csirc.web.irs.gov/reporting/.

10.8.26.4.4  (10-03-2012)
Security Awareness and Training

  1. IRS laptop users shall be trained and provided with the means to protect IRS laptops from theft. (TD P 85-01 S-WS.2)

    1. Training shall be included as part of the Security Awareness Training and Education (SATE) program.

  2. All supplemental policies required to implement laptop security solutions shall be documented and provided to laptop users.

  3. IRS laptop users shall receive remote access training prior to accessing IRS networks from remote locations (non-IRS locations).

  4. See the Awareness and Training section of IRM 10.8.1 for additional SATE guidance.

10.8.26.4.5  (10-03-2012)
Sanitization and Disposal

  1. The IRS Information Technology organization shall develop procedures for the disposal of IT assets.

    1. Procedures shall be followed to ensure that all IRS laptops that have processed sensitive information are disposed of; and

    2. Each laptop shall be cleansed by utilizing commercial disk-wiping software, or by degaussing the hard drive and all chips containing memory.

  2. The IRS Information Technology organization shall keep an inventory of all disposed IRS laptops.

  3. See the Sanitization and Disposal sections of IRM 10.8.1, for additional guidance.

10.8.26.5  (10-03-2012)
Technical Controls

  1. The implementation of technical controls shall be consistent with the management of security within the organization. See IRM 10.8.1 for general information and computer security technical control requirements.

  2. Technical controls specific to laptop security are provided for the following areas:

    1. Access Control;

    2. System Configuration;

    3. Encryption; and

    4. Network Protection and Design.

10.8.26.5.1  (10-03-2012)
Access Control

  1. The IRS and IRS laptop users shall ensure that only authorized personnel have access to IRS laptops and the data on them.

  2. IRS laptop users shall not view or process IRS sensitive information in public places.

  3. Measures shall be taken to protect laptops against the bypass of software controls arising from booting from any source other than those designated by the system administrator for that purpose (e.g., booting from a CD or thumb drive is not permitted). (TD P 85-01 S-LPD.5)

  4. Passwords, hardware tokens, and/or smart cards shall not be stored on or with a laptop, unless encrypted or otherwise under the direct and continuous control of the authorized user. (TD P 85-01 S-LPD.4)

10.8.26.5.1.1  (10-03-2012)
Remote Access

  1. Remote access with an IRS laptop shall only be accomplished via an IRS Information Technology organization-approved Virtual Private Network (VPN) solution that uses FIPS-validated encryption technology.

  2. IRS laptops remotely connecting to an IRS network from outside the U.S. (whether for official or personal travel) shall only connect via Enterprise Remote Access Project (ERAP) (with two-factor authentication). (TD P 85-01 S-SDP.2)

  3. IRS laptops categorized as FIPS 199 HIGH or MODERATE with an established VPN connection (i.e., non-remote session) to an IRS network shall be configured to prevent the laptop from communicating outside the established communications path with resources in external networks (i.e., prevents split-tunneling). (NIST SP 800-53 SC-7 CE7)

  4. See the Remote Access section of IRM 10.8.1 and IRM 10.8.40, for additional guidance.

10.8.26.5.1.2  (10-03-2012)
Laptop Usage in Public Locations/Use of Public Wi-Fi

  1. The following security controls shall be adhered to when connecting IRS laptops to public Wi-Fi:

    1. Only connect your IRS laptop to a hotel or public Wi-Fi access point if you are going to immediately create an ERAP connection. Disconnect your laptop from the hotel or public Wi-Fi when not using ERAP;

    2. Never leave a powered-on laptop unattended in a hotel room or any location that is not your normal authorized work location;

    3. Be careful not to connect to a Wi-Fi access point unless you are reasonably sure it is legitimate and associated with the establishment where it is located (e.g., the SSID “Free Public Wi-Fi” is most likely not legitimate);

    4. When traveling, store your laptop temporarily in the locked trunk of your car, or secure it with a cable lock when it is not in use; and

    5. When using your IRS laptop in a public location, always shield the screen from the view of unauthorized persons.

10.8.26.5.2  (10-03-2012)
System Configuration

  1. Although Dynamic Host Configuration Protocol (DHCP) is utilized service-wide, operational experience has demonstrated the need to release Internet Protocol (IP) addresses when employees move between IRS offices, before the DHCP lease would otherwise expire. Where DHCP does not release the IP address properly, laptop users may be provided a shortcut to the "ipconfig /release" command.

  2. IRS laptops shall have the following basic input/output system (BIOS) options:

    1. The boot order shall be set to only boot from a hard drive;

    2. Infrared Port shall be set to DISABLED;

    3. Unless otherwise prohibited, embedded Wireless Local Area Network (WLAN) Devices may be set to ENABLED;

    4. Embedded Bluetooth Device shall be set to DISABLED; and

      Note:

      Bluetooth is currently DISABLED within the operating system; once the Bluetooth technology is approved for use with laptop computers by the IRS, the BIOS settings will be updated according to regulations. Users are currently restricted from using this process and should conform to IRS regulations.

    5. Intel Execute Disable Bit (EDB) functionality shall be set to DISABLED.

  3. For guidance on specific operating system configuration settings, see the IRM for the relevant operating system (e.g., IRM 10.8.20 for Windows operating system guidance).

  4. Requirements in the Foreign Travel section of this IRM take precedence over this section.

10.8.26.5.3  (10-03-2012)
Encryption

  1. All IRS information on an IRS laptop shall be encrypted with an IRS Information Technology organization-approved, FIPS-validated encryption technology solution. (TD P 85-01 S-LPD.3)

  2. The IRS Information Technology organization shall develop and implement end-user instructions and procedures for the encryption and decryption of laptop data.

10.8.26.5.4  (10-03-2012)
Network Protection and Design

  1. All IRS laptops shall be reviewed for security purposes prior to connection or reconnection to an IRS network (e.g., checks for malicious code and updated virus protection software, critical software updates and patches, operating system integrity, and disabled hardware). (TD P 85-01 S-LPD.6)
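The pre-connection review above, together with the Bluetooth, wireless and encryption requirements of 10.8.26.4.2.2, 10.8.26.5.2 and 10.8.26.5.3, as an added PowerShell self-check that is not part of IRM 10.8.26 or any IRS tool. It assumes BitLocker is the approved FIPS-validated encryption product and an elevated Windows 10 PowerShell 5.1 session; BIOS settings cannot be read through a standard Windows API, so the radios are checked at the operating-system level.

```powershell
# Added example, not IRS code: a read-only readiness check run before a laptop is
# reconnected to an IRS network (10.8.26.5.4). ASSUMPTIONS: BitLocker is the
# approved FIPS-validated encryption product; Windows 10, PowerShell 5.1, elevated.
function Test-IrsLaptopReadiness {
    [CmdletBinding()]
    param(
        # Set when preparing for or returning from travel outside the U.S.:
        # 10.8.26.4.2.2(3)(2) then requires every wireless capability disabled.
        [switch]$ForeignTravel
    )

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Control, $Compliant, [string]$Detail) {
        $findings.Add([pscustomobject]@{
            Control = $Control; Compliant = [bool]$Compliant; Detail = $Detail })
    }

    # 10.8.26.5.3: IRS information encrypted with a FIPS-validated solution.
    # FipsAlgorithmPolicy\Enabled = 1 is Windows' "use FIPS compliant algorithms".
    $vol  = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $fips = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' `
                -ErrorAction SilentlyContinue).Enabled
    $prot = "$($vol.ProtectionStatus)"
    Add-Finding 'Full-disk encryption (10.8.26.5.3)' `
        ($null -ne $vol -and $prot -eq 'On' -and $fips -eq 1) `
        "BitLocker protection=$prot; FIPS algorithm policy=$fips"

    # 10.8.26.5.2(2)(4): embedded Bluetooth disabled. A device reporting Status
    # 'OK' is present and enabled; devices disabled in Device Manager do not.
    $bt = @(Get-PnpDevice -Class Bluetooth -ErrorAction SilentlyContinue |
            Where-Object { $_.Status -eq 'OK' })
    Add-Finding 'Bluetooth disabled (10.8.26.5.2)' ($bt.Count -eq 0) `
        "Enabled Bluetooth devices: $($bt.Count)"

    # 10.8.26.5.2(2)(3) permits the embedded WLAN domestically; for foreign travel
    # Wi-Fi (Native 802.11) and broadband (Wireless WAN) adapters must be disabled.
    $radiosOn = @(Get-NetAdapter -Physical -ErrorAction SilentlyContinue |
        Where-Object { $_.PhysicalMediaType -match '802\.11|Wireless WAN' -and
                       $_.Status -ne 'Disabled' })
    $radioOk = if ($ForeignTravel) { $radiosOn.Count -eq 0 } else { $true }
    Add-Finding 'Wireless radios (10.8.26.4.2.2 / 10.8.26.5.2)' $radioOk `
        ("Enabled wireless adapters: " + (($radiosOn | ForEach-Object Name) -join ', '))

    # 10.8.26.5.4: malicious-code protection. root/SecurityCenter2 exists on client
    # editions; the 0x1000 bit of productState is the conventional "enabled" flag.
    $av   = @(Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct `
              -ErrorAction SilentlyContinue)
    $avOn = @($av | Where-Object { ($_.productState -band 0x1000) -ne 0 })
    Add-Finding 'Antivirus active (10.8.26.5.4)' ($avOn.Count -gt 0) `
        ("Products: " + (($av | ForEach-Object displayName) -join ', '))

    # 10.8.26.5.4: critical updates and patches applied (Windows Update Agent COM API).
    try {
        $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
        $pending  = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0").Updates
        Add-Finding 'Patches current (10.8.26.5.4)' ($pending.Count -eq 0) `
            "Pending software updates: $($pending.Count)"
    } catch {
        Add-Finding 'Patches current (10.8.26.5.4)' $false `
            ("Update search failed: " + $_.Exception.Message)
    }

    return $findings
}

# Usage: list each control's result; any non-compliant control blocks reconnection.
$result = Test-IrsLaptopReadiness -ForeignTravel:$false
$result | Format-Table -AutoSize
if ($result | Where-Object { -not $_.Compliant }) {
    Write-Warning 'One or more controls are non-compliant; do not reconnect to the IRS network.'
}
```

Run with `-ForeignTravel` before and after overseas travel so that an enabled Wi-Fi or broadband adapter is reported as non-compliant.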

10.8.26.6  (10-03-2012)
Risk-Based Decisions (RBD)

  1. An exception to this policy requires that the AO make a Risk-Based Decision. RBD requests shall be submitted in accordance with IRM 10.8.1, and use Form 14201, as described in Request for Risk Acceptance and Risk-Based Decision Standard Operating Procedures (SOPs). Refer to IRM 10.8.1 for additional information.

Exhibit 10.8.26-1 
Glossary

Bluetooth - A wireless protocol developed as a cable replacement to allow equipped devices to communicate with each other within a short distance.

BIOS (Basic Input/Output System) - Software stored on a small memory chip on a computer’s motherboard that loads prior to the operating system and instructs the computer on how to perform a number of basic functions such as booting and keyboard controls.

Dynamic Host Configuration Protocol (DHCP) - A protocol used by network devices (clients) to obtain various parameters necessary for the clients to operate in an Internet Protocol (IP) network. By using this protocol, system administration workload greatly decreases, and devices can be added to the network with minimal or no manual configurations.

Encryption - Any procedure used in cryptography to convert plaintext into ciphertext to prevent anyone but the intended recipient from reading that data.

Execute Disable Bit (EDB) - An Intel hardware-based security feature that can help reduce system exposure to viruses and malicious code. EDB allows the processor to classify areas in memory where application code can or cannot execute. When a malicious worm attempts to insert code in the buffer, the processor disables code execution, preventing damage and worm propagation. To use Execute Disable Bit you must have a PC or server with a processor with Execute Disable Bit capability and a supporting operating system. EDB-enabled processors by Intel are indicated by a "J" after the CPU model number. Execute Disable Bit is abbreviated as EDB (by Intel) or XDB.

IEEE 802.11 - A family of IEEE standards that extend the common wired Ethernet local network standard into the wireless domain using the 5 GHz and 2.4 GHz public spectrum bands. It specifies an over-the-air interface between a wireless client and a base station or between two wireless clients. It is commonly referred to as "Wi-Fi" because the “Wi-Fi Alliance” provides certification for 802.11 products.

Portable Electronic Device (PED) - Portable or mobile devices with computing and wireless or Local Area Network (LAN) connectivity capabilities. These include, but are not limited to: laptops with wireless capabilities, cellular/personal communication system devices, audio/video/data recording or playback devices, scanning devices, remote sensors, messaging devices, personal digital assistants (PDAs) (for example, Blackberries, Palm Pilots, Pocket PCs, iPhones, iPads), and two-way radios.

Personally Identifiable Information (PII) - All taxpayer information or any combination of information that can be used to uniquely identify, contact, or locate a person. A specific type of sensitive and SBU information that includes the personal information of taxpayers, and the personal information of employees, contractors, applicants, and visitors to the IRS. Examples of PII include, but are not limited to: name; home address; Social Security number; date of birth; home telephone number; biometric data (e.g., height, weight, eye color, fingerprints, etc.); and other numbers or information that alone or in combination with other data can identify an individual.

Sanitization - The actions taken to render data written on media unrecoverable by both ordinary and extraordinary means.

Sensitive Information - Information in which the loss, misuse, or unauthorized access to, or modification of, could adversely affect the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled under 5 U.S.C. § 552a (the Privacy Act), but has not been specifically authorized under criteria established by an Executive Order or an act of Congress to be kept classified in the interest of national defense or foreign policy. Examples of such sensitive information include personal financial information and information that discloses law enforcement investigative methods. Other particular classes of information may have additional statutory limits on disclosure that require that information to also be treated as sensitive. Examples include tax information, which is protected by Section 6103 of the IRC (26 U.S.C. § 6103) and advanced procurement information, protected by the Procurement Integrity Act (41 U.S.C. § 423).

Sensitive But Unclassified (SBU) Information - Any information that requires protection due to the risk and magnitude of loss or harm to the IRS or to the privacy to which individuals are entitled under 5 U.S.C. § 552a (the Privacy Act), which could result from inadvertent or deliberate disclosure, alteration, or destruction.

Sleep Mode - Sleep mode can go by many different names, including Stand By (for Microsoft Windows 98-Server 2003), Sleep (for Mac OS 8-Mac OS X, Windows Vista, Windows 7, Windows Server 2008), and Suspend (Windows 95, Linux). When placed in this sleep mode, aside from the RAM, which is required to restore the machine's state, the computer attempts to cut power to all unneeded parts of the machine. Because of the large power savings, most laptops automatically enter this mode when the computer is running on batteries and the lid is closed. If this behavior is undesired, it can be reconfigured in the operating system settings.

Virtual Private Network (VPN) - A computer network that links two computers or devices through an underlying local or wide area network, while encapsulating the data and keeping it private. It is comparable to a pipe within a pipe. Even though the outer pipe contains the inner one, the inner pipe has a wall that blocks other traffic in the outer pipe from mixing with the inner traffic. To the rest of the network, the VPN traffic just looks like another traffic stream.

Wireless - A technology that enables devices to communicate without physical connections (without requiring network or peripheral cabling).

Exhibit 10.8.26-2 
References

  • IRM 10.8.1, Information Technology (IT) Security Policy and Guidance

  • IRM 10.8.2, Information Technology (IT) Security Roles and Responsibilities

  • IRM 10.8.20, Information Technology (IT) Security Windows Security Policy

  • IRM 10.8.40, Information Technology (IT) Security Wireless Security Policy

  • IRM 10.2.X, Physical Security Program Series

  • IRM 10.2.8, Physical Security Program, Incident Reporting

  • IRM 10.4.1, Physical Security Program Managers Security Handbook

  • Treasury Directive (TD) Publication (P) 15-71, Department of Treasury Security Manual

  • Treasury Directive (TD) Publication (P) 85-01, Treasury Information Technology Security Program, Volume I, Unclassified (Non-National Security) Systems (March 1, 2012)

  • Treasury Directive (TD) Publication (P) 85-01, Treasury Information Technology Security Program, Volume II, Classified (National Security) Systems (June 9, 2009)

  • Office of Management and Budget (OMB) Memorandum for Chief Acquisition Officers, Revisions to the Federal Acquisition Certification for Contracting Officer's Representatives (FAC-COR) (September 6, 2011)

  • NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems and Organizations

  • NIST SP 800-111, Guide to Storage Encryption Technologies for End User Devices

  • Defense Information Systems Agency (DISA) Wireless Security Technical Implementation Guide (STIG), Version 6, Release 2

