- 10.8.26.1 Purpose
- 10.8.26.2 General Policy
- 10.8.26.3 Management Controls
- 10.8.26.4 Operational Controls
- 10.8.26.5 Technical Controls
- 10.8.26.6 Risk-Based Decisions
- Exhibit 10.8.26-1 Glossary
- Exhibit 10.8.26-2 References
-
(1) The purpose of this Internal Revenue Manual (IRM) is to provide guidance to IRS employees, contractors, and volunteers for safeguarding IRS laptop computers (i.e., laptops), and the sensitive data they contain from loss, theft, breach, or compromise.
-
This IRM lays the foundation to develop, implement, and manage security for laptop computers within the IRS.
-
As mobile (portable) devices, laptop computers are vulnerable to theft and the loss of all data contained on them. Many theft rings operating today at airports, hotels, and other public places target laptops. The loss or theft of IRS computers places the information they contain at risk of loss, disclosure, or compromise. In addition, the use of laptops in public places (e.g., airports, restaurants, conferences, public transportation) presents a significant risk of unauthorized persons observing the information being processed. The use of a laptop to transmit information through public telecommunications networks also presents vulnerabilities. To protect IRS information from these risks, it is necessary to protect both the laptop computer and the information contained on it.
-
This IRM establishes policy to implement the minimum security controls to safeguard IRS laptop computers and the data stored on them.
-
This IRM does not address operating systems that may be loaded on an IRS laptop. For the minimum security requirements specific to an operating system loaded on an IRS laptop, see the appropriate operating system IRM (e.g., Windows, UNIX).
-
This IRM applies to all IRS personnel, contractors, and visitors that enter IRS facilities or that have access to IRS information and information systems.
-
This manual contains information on the following subjects:
-
Authority
-
General Policy
-
Management Controls
-
Operational Controls
-
Technical Controls
-
Deviations
-
Glossary
-
References
-
-
IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance, establishes the security program and the policy framework for the IRS.
-
The requirements within this IRM, for laptop computers, must comply with and supplement the security controls defined in IRM 10.8.1.
-
In the event there is a discrepancy between this policy and IRM 10.8.1, IRM 10.8.1 has precedence, unless the security controls/requirements in this policy are more restrictive.
-
Laptops that are connected to IRS networks or process IRS information shall comply with IRM 10.8.1 and the security requirements of those networks.
-
Laptops are categorized as a portable electronic device (PED) with computing and communication (e.g., wireless, local area network) capability and shall comply with all IRM 10.8.1, Treasury Directive Publication (TD P) 85-01, Treasury Information Technology Security Program, and other related IRM policy requirements for PED and mobile processing devices.
-
This IRM shall be regularly evaluated and updated in accordance with IRM 10.8.1.
-
IRS laptop users shall be responsible for the security of their laptop at all times.
-
IRS laptop users shall never connect Personally Owned Equipment (printers, scanners, wireless devices, flash drives, etc.) to an IRS laptop.
-
See the Personally-Owned and Other Non-Government Furnished Equipment section of IRM 10.8.1 for exceptions.
-
-
An IRS laptop shall not be used by anyone other than the person(s) to whom it is assigned.
-
See IRM 10.8.40, Wireless Security Policy for guidance related to the wireless capabilities (e.g., IEEE 802.11, Bluetooth) of laptops.
-
IRM 10.8.2, Information Technology (IT) Security Roles and Responsibilities defines service-wide roles and responsibilities related to IRS information and computer security, and is the authoritative source for such information.
-
The supplemental requirements provided below are specific to IRS laptop users.
-
Management security controls mitigate risk of IT applications and electronic information loss in order to protect the organization's mission. See IRM 10.8.1 for general information and computer security management control requirements.
-
Management controls specific to laptop security are provided below in the following areas:
-
Risk Assessment
-
Sensitive Information
-
Security Assessment and Authorization
-
-
Risk assessments of laptops shall be conducted using this guide, IRM 10.8.1, and the security checklist of other pertinent IRMs (e.g., operating system, wireless). Deficiencies in conformance shall be documented in risk assessment reports and brought to the attention of the system’s Authorizing Official (AO).
-
IRS laptops with wireless capabilities shall have the additional risks and mitigations associated with non-government facilities identified in the risk assessment.
-
IRS laptops shall adhere to the requirements defined in the risk assessment section of IRM 10.8.1 and any relevant IRMs (e.g., the operating system installed).
-
IRS sensitive information (e.g., Sensitive But Unclassified (SBU), Personally Identifiable Information (PII)) stored or processed on IRS laptops shall be protected with the same requirements as hard-copy paper documents (e.g., markings, distribution, destruction, etc.) and in accordance with the requirements defined within IRM 10.8.1. (TD P 15-71)
-
All IRS laptops with Classified information shall be marked with the appropriate sensitivity level.
-
-
Sensitive information (e.g., SBU, PII) shall not be downloaded to a laptop’s hard drive or other portable media devices if the data is available, accessible, and utilizable on other systems. IRS laptops and other portable media shall only include sensitive data that is necessary for the user to perform their duties.
-
Laptops that store, process, or transmit IRS information shall:
-
Obtain Security Authorization/Certification and Accreditation (C&A) in accordance with IRM 10.8.1, TD P 85-01, Information Technology (IT) Security Program, and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems; and
-
Be approved by the AO. (TD P 85-01 S-LPD.8)
-
-
Operational controls address security mechanisms that primarily are implemented and executed by people versus systems. They often require technical or specialized expertise and rely on management activities as well as technical controls. See IRM 10.8.1 for general information and computer security operational control requirements.
-
Operational controls specific to laptop security are provided below in the following areas:
-
Physical and Environmental Protection
-
Travel
-
Incident Reporting Requirements
-
Security Awareness and Training
-
Sanitization and Disposal
-
-
IRS laptop users shall be responsible for the physical security of their laptop at all times.
-
IRS laptop users shall secure their IRS laptop when not in their possession.
-
IRS laptops shall never be left unattended while located in facilities other than IRS facilities (e.g., home or office) unless the work space has been physically secured.
-
The IRS Physical Security organization shall develop and implement procedures for physical laptop security compliance.
-
See IRM 10.2.16, Physical Security Program Laptop Random Screening Concepts and IRM 10.4.1, Physical Security Program Managers Security Handbook for additional security requirements.
-
IRS laptop users shall secure their IRS laptop with:
-
A Modernization and Information Technology Systems (MITS) approved IRS-issued cable lock; or
-
A secured enclosure, such as a lockable cabinet or drawer.
Note:
Cable locks are not required, but highly recommended, when working from home with an IRS laptop. However, when leaving your house, properly secure the laptop, and lock all doors and windows along with turning on a home security system (if you have one).
-
-
When using the cable lock it shall be secured:
-
To an immovable object or furniture of such size to prevent removing the laptop from the area with the furniture still attached; and
-
In such a way that the cable lock cannot be removed (e.g., by slipping the cable under a desk leg) without unlocking it.
-
-
The MITS organization shall develop and implement procedures for acquisition, implementation, and use of cable locks.
-
IRS laptops shall be kept under the direct control of the employees to whom they are assigned (e.g., never leave a laptop unattended when at a conference or training seminar).
-
When traveling, all IRS laptop users shall take a cable lock with them, so they can properly secure their IRS laptop in accordance with guidance provided within this IRM.
-
When not in use, IRS laptops shall be physically secured in accordance with guidance provided within this IRM and IRM 10.2.1, The Physical Security Program.
-
IRS laptop users, when staying at a hotel, shall:
-
Secure an IRS laptop in accordance with guidance provided within this IRM;
-
Not store an IRS laptop in the hotel safe (e.g., front desk), unless a tamper-evident bag is used and a receipt is provided; and
-
Not give an IRS laptop to the bellhop, concierge, or any other hotel employee.
-
-
See the Remote Access section of this IRM for additional guidance on remotely accessing IRS networks while traveling.
-
When in transit, IRS laptop users shall take all possible means to maintain the security of their laptop.
-
See IRM 10.2.16, Laptop Random Security Screening Concepts, for additional guidance for securing a laptop while in transit.
-
The use of a laptop to transmit information through public telecommunication networks presents potential vulnerabilities due to the susceptibility to eavesdropping and interception of the information transmitted. This is especially true since foreign telephone systems and networks may be either owned or controlled by the host government. This allows the foreign government to easily monitor transmissions of selected U.S. corporations, government agencies and American citizens.
-
Based on guidance from the Department of State, travelers should assume that all overseas telecommunications can be intercepted, recorded, and organized into reports, and reviewed for intelligence purposes. Employees should be aware of the fact that:
i. Intelligence agencies of third-party nations, terrorists, and criminals monitor electronic transmissions;
ii. Government, business and technical data obtained from U.S. citizens may be, and often are, provided to terrorists; and
iii. Personal information obtained may be used for financial gain, political, or other malicious purposes.
-
For the purpose of requirements pertaining to overseas or foreign (international) travel with an IRS laptop: (TD P 85-01)
i. The term “U.S.” refers to the United States, its possessions, and territories (including the Commonwealth of the Northern Mariana Islands (CNMI), the U.S. Virgin Islands, Guam, and Puerto Rico); and
ii. Unless explicitly stated otherwise, a requirement does not apply for travel to Mexico or Canada.
iii. Treasury personnel permanently stationed overseas are not considered foreign travelers for the purpose of this section.
iv. For Treasury employees at U.S. diplomatic facilities abroad, U.S. Department of State requirements prevail for all IT security requirements in lieu of TD P 85-01.
-
-
Written approval from the AO/DAA or Business Unit Head shall be obtained before an IRS laptop is taken overseas (outside the U.S.). (TD P 85-01 S-LPD.7)
-
All laptops temporarily taken overseas shall adhere to the following requirements: (TD P 85-01 S-EC.9)
-
Protected by full-disk MITS-approved Federal Information Processing Standard (FIPS) validated encryption technology solution;
-
All wireless capabilities, including but not limited to Wi-Fi, Bluetooth, broadband cards, shall be disabled;
-
Use tamper-evident bags/seals/containers each time the laptop is left unattended (i.e., not under the direct and immediate control of a U.S. Government employee or authorized government contractor); and
-
Any laptop not protected as described above shall not be reconnected to an IRS system or network until sanitized. Excluded is the situation of transiting another country, provided the laptop remains under the immediate control of the user.
-
-
IRS laptops containing IRS information categorized as FIPS 199 High or Moderate shall not be connected to networks while outside the U.S., unless employing a separate hard drive or a secure partition (physical or virtual) with a separate operating system instance that contains no High or Moderate IRS information. (TD P 85-01 S-EC.18)
-
Laptop hard drives or partitions that connect to a network while outside the U.S. shall not be connected to an IRS network at any time. (TD P 85-01 S-EC.19)
-
Laptop batteries shall be removed and stored separate from the laptop when the device is left unattended (e.g., the user secures their laptop with a cable lock when they leave their hotel room). (TD P 85-01 S-EC.20)
-
The battery also shall be removed if the laptop is within audible range of sensitive conversations while overseas.
-
-
See the Remote Access section of this IRM and IRM 10.8.1 for additional guidance on remotely accessing IRS networks while traveling.
-
For additional foreign travel requirements, contact the IRS’s International Travel Office. Employees may obtain information and procedures from the IRS International Travel Office website.
-
All users shall report, within 30 minutes after detection, any incidents of loss or mishandling of IRS laptops to the IRS Computer Security Incident Response Center (CSIRC) and their immediate supervisor.
-
Any incidents of mishandling, tampering, or loss of a laptop (the loss of any IT hardware) with IRS information shall be a reportable security incident.
-
For additional incident reporting guidance, refer to:
-
IRM 10.2.8, Physical Security Program, Incident Reporting; and
-
The IRS CSIRC Computer Security Incident Reporting Procedures, http://www.csirc.web.irs.gov/reporting/
-
-
IRS laptop users shall be trained and provided the means to adequately protect IRS laptops from theft. (TD P 85-01 S-WS.2)
-
Training shall be included as part of the Security Awareness Training and Education (SATE).
-
-
All supplemental policies required to implement laptop security solutions shall be documented and provided to laptop users.
-
IRS laptop users shall receive remote access training prior to accessing IRS networks from remote locations (non-IRS locations).
-
See the Awareness and Training section of IRM 10.8.1 for additional SATE guidance.
-
The IRS MITS organization shall develop procedures for the disposal of IT assets.
-
Procedures shall be followed to ensure that all IRS laptops that have processed sensitive information are properly disposed of.
-
Each laptop shall be cleaned by utilizing commercial disk-wiping software or by degaussing the hard drive and all chips containing memory.
-
-
The IRS MITS organization shall keep an inventory of all disposed IRS laptops.
-
See the sanitization and disposal sections of IRM 10.8.1 for additional guidance.
-
Technical controls focus on the security controls computer systems execute. These controls provide automated protection from unauthorized access or misuse, facilitate detection of security violations, and support security requirements for the systems or applications. The implementation of technical controls shall be consistent with the management of security within the organization. See IRM 10.8.1 for general information and computer security technical control requirements.
-
Additional technical controls specific to laptop security are provided below in the following areas:
-
Access Control;
-
System Configuration;
-
Encryption;
-
Network Protection and Design
-
-
The IRS and IRS laptop users shall ensure that only authorized personnel have access to IRS laptops and the data on them.
-
IRS laptop users shall not view or process IRS sensitive information in public places.
-
Measures shall be taken to protect laptops against the bypass of software controls arising from booting from any sources other than those designated by the system administrator for such purpose (e.g., booting from a CD or thumb drive is not permitted). (TD P 85-01 S-LPD.5)
-
Passwords, hardware tokens, and/or smart cards shall not be stored on or with a laptop unless encrypted or otherwise under the direct and continuous control of the authorized user. (TD P 85-01 S-LPD.4)
-
Remote access with an IRS laptop shall only be accomplished via a MITS-approved Virtual Private Network (VPN) solution that uses FIPS-validated encryption technology.
-
IRS laptops remotely connecting to an IRS network from outside the U.S. (whether for official or personal travel) shall only connect via Enterprise Remote Access Project (ERAP) (with two-factor authentication). (TD P 85-01 S-SDP.2)
-
IRS laptops categorized as FIPS 199 HIGH or Moderate with an established VPN connection (i.e., non-remote session) to an IRS network shall be configured to prevent the laptop from communicating outside the established communications path with resources in external networks (i.e., prevents split-tunneling). (NIST SP 800-53 SC-7 CE7)
-
See the Foreign Travel section of this IRM for additional foreign travel guidance.
-
-
See the remote access section of IRM 10.8.1 and IRM 10.8.40 for additional guidance.
-
Although Dynamic Host Configuration Protocol (DHCP) is utilized service-wide, operational experience has demonstrated the need to release Internet Protocol (IP) numbers when employees are in differing IRS offices prior to IP release time frames. Unless DHCP properly releases the IP number, laptop users may be provided a shortcut to the "ipconfig /release" executable.
-
IRS laptops shall have the following basic input/output system (BIOS) options:
-
The boot order shall be set to only boot from a hard drive;
-
Infrared Port shall be set to DISABLED;
-
Unless otherwise prohibited, embedded Wireless Local Area Network (WLAN) Devices may be set to ENABLED;
-
Embedded Bluetooth Device shall be set to DISABLED; and
Note:
Bluetooth is currently DISABLED within the operating system. Once the Bluetooth technology is approved for use with laptop computers by the IRS, the BIOS settings will be updated according to regulations. Users are currently restricted from using this process and should conform to IRS regulations.
-
Intel Execution shall be set to DISABLED.
-
-
For guidance on specific operating system configuration settings, see the appropriate IRM for the relevant operating system (e.g., IRM 10.8.20 for Windows operating system guidance).
-
Requirements in the Foreign Travel section of this IRM take precedence over this section.
-
All IRS information on an IRS laptop shall be encrypted with a MITS-approved FIPS-validated encryption technology solution. (TD P 85-01 S-LPD.3)
-
IRS laptop users shall shut down the laptop instead of placing it in sleep mode when the laptop is equipped with a storage encryption technology solution.
-
The IRS MITS organization shall develop and implement end-user instructions and procedures for the encryption and decryption of laptop data.
-
All IRS laptops shall be appropriately reviewed for security purposes prior to connection or reconnection to an IRS network, e.g., checks for malicious code and updated virus protection software, critical software updates and patches, operating system integrity, and disabled hardware. (TD P 85-01 S-LPD.6)
-
An exception to this policy requires that the Authorizing Official (AO) make a Risk-Based Decision. Risk-Based Decision requests shall be submitted in accordance with IRM 10.8.1 and use Form 14201, as described in Request for Risk Acceptance and Risk-Based Decision Standard Operating Procedures (SOPs). Refer to IRM 10.8.1 for additional information.
Bluetooth - A wireless protocol developed as a cable replacement to allow equipped devices to communicate with each other within a short distance.
BIOS (Basic Input/Output System) - Software stored on a small memory chip on a computer’s motherboard that loads prior to the operating system and instructs the computer on how to perform a number of basic functions such as booting and keyboard controls.
Dynamic Host Configuration Protocol (DHCP) - A protocol used by networked devices (clients) to obtain various parameters necessary for the clients to operate in an Internet Protocol (IP) network. By using this protocol, system administration workload greatly decreases, and devices can be added to the network with minimal or no manual configurations.
Encryption - Any procedure used in cryptography to convert plaintext into ciphertext to prevent anyone but the intended recipient from reading that data.
IEEE 802.11 - A family of IEEE standards that extend the common wired Ethernet local network standard into the wireless domain using the 5 GHz and 2.4 GHz public spectrum bands. It specifies an over-the-air interface between a wireless client and a base station or between two wireless clients. It is commonly referred to as "Wi-Fi" because the “Wi-Fi Alliance” provides certification for 802.11 products.
Portable Electronic Device (PED) - Portable or mobile devices with computing and wireless or Local Area Network (LAN) connectivity capabilities. These include, but are not limited to: laptops with wireless capabilities, cellular/personal communication system devices, audio/video/data recording or playback devices, scanning devices, remote sensors, messaging devices, personal digital assistants (PDAs) (for example, Blackberries, Palm Pilots, Pocket PCs), and two-way radios.
Personally Identifiable Information (PII) - All taxpayer information or any combination of information that can be used to uniquely identify, contact, or locate a person. A specific type of sensitive and SBU information that includes the personal information of taxpayers, and the personal information of employees, contractors, applicants, and visitors to the IRS. Examples of PII include, but are not limited to: name; home address; Social Security number; date of birth; home telephone number; biometric data (e.g., height, weight, eye color, fingerprints, etc.); and other numbers or information that alone or in combination with other data can identify an individual.
Sanitization - The actions taken to render data written on media unrecoverable by both ordinary and extraordinary means.
Sensitive Information - Information in which the loss, misuse, or unauthorized access to, or modification of, could adversely affect the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled under 5 U.S.C. § 552a (the Privacy Act), but has not been specifically authorized under criteria established by an Executive Order or an act of Congress to be kept classified in the interest of national defense or foreign policy. Examples of such sensitive information include personal financial information and information that discloses law enforcement investigative methods. Other particular classes of information may have additional statutory limits on disclosure that require that information to also be treated as sensitive. Examples include tax information, which is protected by Section 6103 of the IRC (26 U.S.C. § 6103) and advanced procurement information, protected by the Procurement Integrity Act (41 U.S.C. § 423).
Sensitive But Unclassified (SBU) Information - Any information that requires protection due to the risk and magnitude of loss or harm to the IRS or the privacy to which individuals are entitled under 5 U.S.C. § 552a (the Privacy Act), which could result from inadvertent or deliberate disclosure, alteration, or destruction.
Virtual Private Network (VPN) - A computer network that links two computers or devices through an underlying local or wide area network, while encapsulating the data and keeping it private. It is comparable to a pipe within a pipe. Even though the outer pipe contains the inner one, the inner pipe has a wall that blocks other traffic in the outer pipe from mixing with the inner traffic. To the rest of the network, the VPN traffic just looks like another traffic stream.
Wireless - A technology that enables devices to communicate without physical connections (without requiring network or peripheral cabling).
-
IRM 10.8.1, Information Technology (IT) Security Policy and Guidance
-
IRM 10.8.2, Information Technology (IT) Security Roles and Responsibilities
-
IRM 10.8.20, Information Technology (IT) Security Windows Security Policy
-
IRM 10.8.40, Information Technology (IT) Security Wireless Security Policy
-
IRM 10.2.8, Physical Security Program, Incident Reporting
-
IRM 10.2.16, Laptop Random Screening Concepts
-
IRM 10.4.1, Physical Security Program Managers Security Handbook
-
TD P 15-71, Department of Treasury Security Manual
-
Treasury Directive (TD) Publication (P) 85-01, Treasury Information Technology Security Program, Volume I, Unclassified (Non-National Security) Systems (February 19, 2010)
-
Treasury Directive (TD) Publication (P) 85-01, Treasury Information Technology Security Program, Volume II, Classified (National Security) Systems (June 9, 2009)
-
NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems and Organizations
-
NIST SP 800-111, Guide to Storage Encryption Technologies for End User Devices
-
Defense Information Systems Agency (DISA) Wireless Security Technical Implementation Guide (STIG), Version 6, Release 2







