10.8.34  IDRS Security Controls

Manual Transmittal

April 01, 2014

Purpose

(1) This transmits revised IRM 10.8.34, Information Technology (IT) Security, IDRS Security Controls.

Background

TD P 85-01, "The Department of Treasury Information Technology Security Program" and Federal regulations require that senior agency officials establish an Information Technology (IT) security program that includes security controls for audit and accountability, ensuring that appropriate identification and authentication controls, audit logging, and integrity controls are implemented on all information systems.

This IRM provides policy for the administration of the security program for the Integrated Data Retrieval System (IDRS).

IRM 10.8.34 is part of the Security, Privacy and Assurance policy family, IRM Part 10 series for IRS Information Technology Cybersecurity.

FIPS 200 mandates the use of NIST Special Publication 800-53 as the baseline for the creation of agency IT security policy.

Material Changes

(1) Effective July 1, 2012, the Modernization and Information Technology Service (MITS) organization changed its name to IRS Information Technology (IT). All instances of MITS within this IRM have been updated to IRS Information Technology organization to reflect the change. (Link to IT website communication is: http://it.web.irs.gov/ProceduresGuidelines/ITNameChange.htm)

(2) The following sections have been updated/clarified with this version of policy:

  1. Effects on Other Documents: Language updated to incorporate Interim Guidance.

  2. IRM 10.8.34.3.1.3, Manager: Subsection title changed from Front/First Line Manager to Manager, as the role changed in IRM 10.8.2 on September 5, 2013.

  3. IRM 10.8.34.3.2.3, IRS Information Technology (IRS IT) Enterprise Operations, Security Operations & Standards Division (EOPS-SOSD) Management: Subsection title changed from MITS Enterprise Operations, Operation Security Program Management Office (EPS-OSPMO) Management due to the organization name change from MITS to IT and the change of the organization's name.

  4. IRM 10.8.34.2.3, Authorized Access: Added reference to IRM 10.5.5, IRS Unauthorized Access, Attempted Access or Inspection of Taxpayer Records (UNAX) Program Policy, Guidance and Requirements, for UNAX guidance.

  5. IRM 10.8.34.3.2.4, IRS Information Technology (IRS IT) Cybersecurity Operations Management: Subsection title changed from MITS Cybersecurity Operations Management due to organization name change from MITS to IT.

  6. IRM 10.8.34.3.2.5, IDRS Security Account Administrator: Subsection title changed due to removal of the role Campus IDRS Security Officer per the 2011 published version of this IRM.

  7. IRM 10.8.34.3.2.6, IDRS Security Analyst: Subsection title changed from IDRS Security Account Administrator to IDRS Security Analyst and moved from subsection 10.8.34.3.2.7.

  8. IRM 10.8.34.3.2.7.1, Campus IDRS Security Analyst: Subsection moved from 10.8.34.3.2.8.1.

  9. IRM 10.8.34.3.2.7.2, Computing Center IDRS Security Analyst: Subsection moved from 10.8.34.3.2.8.2.

  10. IRM 10.8.34.3.2.8, Unit Security Representative (USR): Subsection title changed from IDRS Security Representative to Unit Security Representative (USR) and moved from subsection 10.8.34.3.2.9.

  11. IRM 10.8.34.3.2.9, Alternate USR: Subsection title changed from Unit Security Representative (USR) to Alternate USR and moved from subsection 10.8.34.3.2.10.

  12. IRM 10.8.34.3.2.10, Terminal Security (TSA): Subsection title changed from Alternate USR to Terminal Security (TSA) and moved from subsection 10.8.34.3.2.11.

  13. IRM 10.8.34.3.2.11, IORS Report Reviewer: Subsection title changed from Terminal Security (TSA) to IORS Report Reviewer and moved from subsection 10.8.34.3.2.12.

  14. IRM 10.8.34.3.2.11.1, IORS Primary Report Reviewer: Subsection moved from subsection 10.8.34.3.2.12.1.

  15. IRM 10.8.34.3.2.11.2, IORS Secondary Report Reviewer: Subsection moved from subsection 10.8.34.3.2.12.2.

  16. IRM 10.8.34.5.1.2.1, Manager Training: Subsection title changed from Front/First Line Manager Training to Manager Training, as the Front/First Line Manager role changed to Manager in IRM 10.8.2 on September 5, 2013.

  17. IRM 10.8.34.6.2.1.2.2, IRS Information Technology (IRS IT) Staff to IDRS: Subsection title changed due to organization name change from MITS to IT.

  18. IRM 10.8.34.6.2.1.2.4, IRS Information Technology (IRS IT) EOPS-SOSD: Subsection title changed due to organization name change from MITS to IT.

  19. IRM 10.8.34.6.2.1.2.5, IRS Information Technology (IRS IT) Cybersecurity Personnel: Subsection title changed due to organization name change from MITS to IT.

  20. IRM 10.8.34.6.2.1.4, Authorizing IDRS User Access to Other IRS Campuses' Databases (Multiple Accesses Capability), Added language.

  21. IRM 10.8.34.6.2.1.5.2, Unit Command Code Profile (UCCP), Incorporation of IG IT-10-0613-12.

  22. IRM 10.8.34.6.2.1.5.8, Automate Command Codes Access Control, Incorporation of IG IT-10-0613-11.

  23. IRM 10.8.34.6.2.1.5.8, Automate Command Codes Access Control, Added language to paragraph (4).

  24. IRM 10.8.34.6.2.1.5.8, Automate Command Codes Access Control, Added language to paragraph (5).

  25. IRM 10.8.34.6.2.1.5.8, Automate Command Codes Access Control, Added language to paragraph (7).

  26. IRM 10.8.34.6.2.1.7.1, Online 5081 (OL5081): Removed reference to Paper 5081 and updated the reference to IDRS Security Account Administrators.

  27. IRM 10.8.34.6.2.1.7.1, Online 5081 (OL5081), Added command codes.

  28. IRM 10.8.34.6.2.1.9.1, IDRS Security Command Codes for IDRS Users, Added command codes to paragraph (1).

  29. IRM 10.8.34.6.2.1.9.4, Command Codes Restricted to IDRS Security Program Office, Added command codes to paragraph (1).

  30. IRM 10.8.34.6.2.2.2.3, Session Lockout and Termination (Automatic Session Lockout): Subsection title changed from Session Termination (Automatic Session Lockout) to Session Lockout and Termination (Automatic Session Lockout) and additional controls added.

  31. Exhibit 10.8.34-1, Glossary: Added Glossary. Added information regarding Campus IDRS Security Officer and the definition of grandfathering.

  32. Exhibit 10.8.34-2, Acronyms: Moved from Exhibit 10.8.34-1 and corrected acronyms.

  33. Exhibit 10.8.34-3, References: Moved from Exhibit 10.8.34-2.

  34. Exhibit 10.8.34-4, Distributions: Moved from Exhibit 10.8.34-3.

  35. Exhibit 10.8.34-5, Command Code Combinations: Moved from Exhibit 10.8.34-4.

  36. Exhibit 10.8.34-6, Sensitive Command Code Combinations: Moved from Exhibit 10.8.34-5.

  37. Exhibit 10.8.34-7, Command Codes with Sensitive Connotation: Moved from Exhibit 10.8.34-6.

  38. Exhibit 10.8.34-8, Restricted Command Codes for the Role: Revenue Agents, Tax Compliance Officers, and Estate Tax Attorneys (RSTRK Definer A): Moved from Exhibit 10.8.34-7.

  39. Exhibit 10.8.34-9, Restricted Command Codes for the Role: "Manual Refined Authorities and Manual Refined Certifying Officers" (RSTRK Definer M): Moved from Exhibit 10.8.34-8.

  40. Exhibit 10.8.34-9, Restricted Command Codes for the Role: "Manual Refined Authorities and Manual Refined Certifying Officers" (RSTRK Definer M): Incorporation of IG IT-10-0613-12.

  41. Exhibit 10.8.34-10, Restricted Command Codes for the Role: 809 Receipt Book Users and Submission Processing Employees That Issue, Verify, or Reconcile Blank Form 809 (RSTRK Definer R): Moved from Exhibit 10.8.34-9.

  42. Exhibit 10.8.34-10, Restricted Command Codes for the Role: 809 Receipt Book Users and Submission Processing Employees That Issue, Verify, or Reconcile Blank Form 809 (RSTRK Definer R): Incorporation of IG IT-10-0613-11.

  43. Exhibit 10.8.34-11, Restricted Command Codes for the Role: Remittance Perfection Technicians Who Do Not Have Blank Form 809 Responsibilities (RSTRK Definer U): NEW Exhibit.

  44. Exhibit 10.8.34-12, IDRS Office Identifiers, Organization Code Ranges, and Unpostable Holding Units: Moved from Exhibit 10.8.34-10.

  45. Exhibit 10.8.34-13, IDRS Organization Codes — IRS Campuses: Moved from Exhibit 10.8.34-11.

  46. Exhibit 10.8.34-14, IDRS Organization Codes - W & I Area Offices: Moved from Exhibit 10.8.34-12.

  47. Exhibit 10.8.34-15, IDRS Organization Codes - SB/SE Area Offices: Moved from Exhibit 10.8.34-13.

  48. Exhibit 10.8.34-16, IDRS Organization Codes - Other Business Divisions: Moved from Exhibit 10.8.34-14.

  49. Exhibit 10.8.34-17, IDRS Audit Trail Record Format — SAAS: Moved from Exhibit 10.8.34-15. Removed Table and Added language and link to exhibit.

  50. Exhibit 10.8.34-18, IDRS Audit Trail Record Format — IAP: Moved from Exhibit 10.8.34-16. Removed Table and Added language and link to exhibit.

  51. Exhibit 10.8.34-19, Campus TSID Domain Index Table: Moved from Exhibit 10.8.34-17.

  52. Exhibit 10.8.34-20, Automated Delete and Lock System Rules: Moved from Exhibit 10.8.34-18.

  53. Exhibit 10.8.34-21, IDRS Applications and Command Codes with IDRS Organization Code Controls: Moved from Exhibit 10.8.34-19.

  54. Exhibit 10.8.34-22, GUF Unpostable Table Conversions for Campus Functions: Moved from Exhibit 10.8.34-20. Removed Table and Added language and link to exhibit.

  55. Exhibit 10.8.34-23, GUF Unpostable Table Conversions for Area Office and Other Business Organization Functions: Title changed from GUF Unpostable Table Conversions for Area Office Functions and moved from Exhibit 10.8.34-21 and combined with Exhibit 10.8.34-22. Removed Table and Added language and link to exhibit.

(3) Editorial changes (including grammar, spelling, and minor clarifications) were made throughout the IRM.

Effect on Other Documents

IRM 10.8.34 dated October 14, 2011, is superseded. This IRM supersedes all prior versions of IRM 10.8.34. Additionally, this IRM was updated to incorporate Interim Guidance IT-10-0613-11 and IT-10-0613-12.

Audience

IRM 10.8.34 shall be distributed to all personnel responsible for ensuring that adequate security is provided for IDRS. This policy applies to all employees, contractors and vendors of the Service.

Effective Date

(04-01-2014)

Terence V. Milholland
Chief Technology Officer

10.8.34.1  (10-14-2011)
Purpose

  1. This manual provides policies and guidance to be used by IRS organizations to carry out their respective responsibilities related to the security of the Integrated Data Retrieval System (IDRS).

  2. The term, "IDRS," in the context of this policy, is inclusive of Corporate Files On-Line (CFOL) and the Security and Communications System (SACS).

10.8.34.1.1  (10-14-2011)
Overview

  1. It is the policy of the IRS to protect its information resources and allow the use, access, and disclosure of information in accordance with applicable laws, policies, federal regulations, Office of Management and Budget (OMB) Circulars, Treasury Directives, National Institute of Standards and Technology (NIST) Publications, and other regulatory guidance. All IT resources belonging to, or used by the IRS, shall be protected at a level commensurate with the risk and magnitude of harm that could result from loss, misuse, or unauthorized access to that IT resource.

  2. This policy delineates the security management structure, assigns responsibilities, and lays the foundation necessary to measure progress and compliance. Requirements in this policy are subdivided under three major security control areas: management, operational, and technical.

  3. This IRM establishes the IT security requirements framework for subordinate IRMs, and subordinate Standard Operating Procedures (SOPs), Desk Procedures, Job Aids, etc., which shall be used to provide the detailed guidance for implementing the requirements of this IRM. If there is a conflict with or variance from this IRM within the subordinate documents, this IRM has precedence.

10.8.34.1.2  (10-14-2011)
Scope

  1. The provisions of this issuance are applicable to all individuals who use, manage users of, or support the security of the IDRS.

  2. The provisions in this manual apply to all offices, business, operating, and functional units within the IRS. This manual also applies to individuals and organizations having contractual arrangements with the IRS, including employees, contractors, vendors, and outsourcing providers.

  3. Internal Revenue Manual 10.8 Chapter 34, IDRS Security Controls, shall be available to:

    1. Individuals with responsibilities related to the security of IDRS.

    2. Individuals who manage employees accessing IDRS.

    3. Individuals responsible for development, testing, and maintenance of IDRS features.

    4. Individuals with a need to know in Treasury Inspector General for Tax Administration (TIGTA).

10.8.34.1.3  (10-14-2011)
IRM Section Topics

  1. This manual contains information on the following subjects:

    • Purpose

    • General Policy

    • Management Controls

    • Operational Controls

    • Technical Controls

    • Risk Acceptance and Risk-Based Decisions

10.8.34.1.4  (10-14-2011)
Authority

  1. This IRM further defines the requirements found in IRM 10.8.1, "Information Technology (IT) Security, Policy and Guidance", as they pertain to IDRS security. In the event there is a discrepancy between this policy and IRM 10.8.1, IRM 10.8.1 has precedence, unless the security controls/requirements in this policy are more restrictive, or unless otherwise noted.

  2. This IRM further defines the requirements found in IRM 10.8.2, "Information Technology (IT) Security, IT Security Roles and Responsibilities" as they pertain to IDRS security roles and responsibilities.

10.8.34.2  (10-14-2011)
General Policy

  1. In accordance with Title III of the E-Government Act of 2002, known as the Federal Information Security Management Act (FISMA) of 2002, the IRS shall develop, document, and implement a service-wide information security program supporting the operations and assets of this agency. This manual provides policies and guidance related to the security of the IDRS.

    1. There shall be no grandfathering of requirements contained in this IRM.

    2. There shall be no exceptions to the requirements of this IRM based on past practices.

  2. The IRS IDRS Security Program shall ensure that the objectives of applicable federal laws, regulations, policies, and guidance, including that contained in OMB Circulars and Memoranda, NIST publications, and Treasury directives, are met by establishing and ensuring compliance with security requirements, procedures, and guidelines to properly implement management, operational, and technical controls.

    Note:

    In situations where regulatory guidance has been released and IRS requirement documents are not at the same point in their lifecycle, the intent of the requirements within the regulatory guidance shall be ensured.

10.8.34.2.1  (04-01-2014)
Integrated Data Retrieval System (IDRS)

  1. The Integrated Data Retrieval System is designed primarily to accomplish the following:

    1. Provide employees with instantaneous access to taxpayer accounts.

    2. Provide better, faster, more responsive, and more personal service to the taxpayer.

    3. Facilitate and speed the work of employees in campuses and area offices by providing the most current information on tax accounts and by furnishing the most up-to-date data processing tools available today.

  2. IDRS capabilities include:

    1. The ability to research taxpayer account information.

    2. The ability to request tax returns and account transcripts.

    3. The ability to input transactions, such as adjustments, entity changes, etc.

    4. The ability to input collection information for storage and processing in the system.

    5. The ability to generate notices, collection documents, and other outputs.

  3. Each user account is associated with an IDRS unit that is associated with a campus IDRS database.

  4. Each campus database is associated with one of two computing centers listed below:

    1. Enterprise Computing Center - Martinsburg (ECC-MTB) (formerly the Martinsburg Computing Center):
      - Campus databases that are associated with ECC-MTB are: Andover, Austin, Brookhaven, Ogden, and Philadelphia.

    2. Enterprise Computing Center - Memphis (ECC-MEM) (formerly the Tennessee Computing Center):
      - Campus databases that are associated with ECC-MEM are: Atlanta, Cincinnati, Fresno, Kansas City, and Memphis.

10.8.34.2.2  (10-14-2011)
IDRS Security System

  1. The Security and Communications System (SACS) is the IDRS Security System and provides security and auditing for IDRS.

    • SACS is designed to meet the security controls defined in IRM 10.8.1.

  2. SACS provides identification and authorization for every input.

    1. The system's Employee Security File contains significant data required to recognize each employee authorized to use IDRS.

    2. The system's Terminal Security File includes terminal identification to recognize each workstation capable of accessing IDRS.

  3. All actions taken on IDRS, both authorized and unauthorized, are recorded in the IDRS audit trail.

  4. The IDRS Security System is designed to provide protection to both the taxpayer and IDRS user.

    • The taxpayer shall be protected from unauthorized disclosure of information concerning their account as well as unauthorized access, inspection, and changes.

    • The IDRS user employee shall be protected from other personnel using their identification to access or make changes to an account.

10.8.34.2.3  (10-14-2011)
Authorized Access

  1. IDRS users shall only access accounts necessary for accomplishing their official duties.

  2. IDRS users shall not access:

    • Their own account

    • The account of their spouse or former spouse

    • The account of a friend or relative

    • Any account in which they have a personal or financial interest

    • Tax account information to satisfy personal curiosity or for fraudulent purposes

  3. IDRS users shall not access the account of a celebrity or another IRS employee unless it is part of their official duties.

  4. The willful unauthorized access or inspection of taxpayer records is referred to as Unauthorized Access (UNAX).

    1. See IRM 10.5.5, IRS Unauthorized Access, Attempted Access or Inspection of Taxpayer Records (UNAX) Program Policy, Guidance and Requirements for UNAX.

  5. Under the Taxpayer Browsing Protection Act:

    1. Willful unauthorized access or inspection of non-computerized taxpayer records, including hard copies of returns, as well as computerized information, is a crime, punishable upon conviction by fines, prison terms, and termination of employment.

    2. Taxpayers have the right to take legal action when they are victims of unlawful access or inspection - even if a taxpayer’s information is never revealed to a third party.

    3. When managers or employees are criminally charged, the Service is required to notify taxpayers that their records have been accessed without authorization.

  6. The provisions and applicable criminal penalties under the Taxpayer Browsing Protection Act also apply to all contractors and contractor employees.

10.8.34.2.4  (10-14-2011)
Communications Protocol

  1. This section defines the communications protocol to be followed when addressing IDRS security issues.

  2. Unless otherwise stated, IDRS users shall direct IDRS security related concerns to their manager or Unit Security Representative (USR).

  3. Unless otherwise stated, managers and USRs shall elevate the following:

    1. Any IDRS account administration related concern they are unable to resolve to the IDRS Security Account Administration staff.

    2. Any IDRS security report related concern they are unable to resolve to their home campus Cybersecurity IDRS Security Analyst.

    3. Any IDRS security policy related concern they are unable to resolve to the IDRS Security Program Management Office.

  4. Unless otherwise stated, the IDRS Security Account Administration staff and Cybersecurity IDRS Security Analysts shall elevate any IDRS security related concern they are unable to resolve to the IDRS Security Program Management Office.

  5. IDRS Security Business Division Points-Of-Contact (POC) shall direct IDRS security related concerns to the IDRS Security Program Management Office or the Cybersecurity IDRS Security Analysts that support their business organization.

  6. IDRS security related concerns that involve multiple business divisions or campus domains shall be elevated to the IDRS Security Program Management Office.

  7. IDRS users, their managers, or USRs rarely have a need to contact the Computing Center IDRS Security staff. Unless otherwise stated, any communication with Computing Center IDRS Security staff shall be routed through the IDRS Security Program Management Office.

10.8.34.3  (10-14-2011)
Roles and Responsibilities

  1. In accordance with IRM 10.8.1, the IRS shall implement security roles and responsibilities in accordance with federal laws and IT security guidelines that are appropriate for specific operations and functions. This IRM establishes the IT security roles and responsibilities for IDRS. See IRM 10.8.2, "Information Technology (IT) Security, IT Security Roles and Responsibilities", for general policy related to IT security roles and responsibilities.

  2. This section provides functional roles and responsibilities for personnel who have security-related governance responsibility for the protection of information systems they operate, manage and support. These roles are defined in accordance with and are based on Federal Information Security Management Act (FISMA), National Institute of Standards and Technology (NIST), and The Department of Treasury and IRS policy and guidelines.

10.8.34.3.1  (10-14-2011)
Key Governance and Related Roles & Responsibilities

  1. This section provides functional roles and responsibilities for personnel who have security-related governance responsibility for the protection of information systems they operate, manage, and support. These roles are defined in accordance with IRM 10.8.2.

10.8.34.3.1.1  (10-14-2011)
Senior Management/Executives

  1. Senior management/executives are officials subordinate to the Commissioner.

  2. Senior management/executives have responsibility for the implementation and administration of the IDRS Security in their jurisdiction.

  3. Senior management/executives shall perform the following as a part of their responsibilities:

    1. Ensure IDRS Security policies and guidance are implemented in their jurisdiction.

    2. Identify at least one individual as the POC and coordinator for their organization's IDRS security activities. The security role of these individuals is IDRS Security Business Division POC. The POC's name, Standard Employee Identifier (SEID), and contact information shall be provided to the IDRS Security Program Management Office.

    3. Ensure Unit Security Representatives (USRs) and IDRS Online Reports Services (IORS) Primary Report Reviewers are appointed to cover all IDRS units and users.

    4. Ensure for each IDRS unit, IDRS Security Account Administrators are provided with the name, SEID, and contact information for all current USRs, alternate USRs, Terminal Security Administrators, and IORS Security Report Reviewers.

    5. Ensure the IDRS Security Account Administrators or the IDRS Security Program Management Office are notified of any business division reorganizations that may require the realignment or renumbering of IDRS units.

    6. Ensure IDRS security issues are the topic of discussion at managerial meetings annually at a minimum.

    7. Ensure IDRS security reports are reviewed and certified timely, and that any required report actions are completed timely.

    8. Ensure corrective actions are taken when IDRS security report reviewers fail to meet their IDRS security report responsibilities.

    9. Ensure required responses related to IDRS security report compliance are submitted timely to the IDRS Security Program Management Office and/or Cybersecurity Operations staff.

    10. Ensure that all reported accesses and violations for USRs and alternate USRs are independently reviewed at the next management level that is higher than the USR's or Alternate USR's level.

    11. Ensure any user who is being investigated for a UNAX violation is promptly removed from IDRS.

    12. Ensure all users who have a proven UNAX violation have satisfied all requirements of their disciplinary actions before being added to IDRS.

    13. Ensure USRs and Alternate USRs complete the required initial and annual refresher training.

    14. Ensure IDRS users complete the required initial and annual refresher awareness training.

    15. Ensure IDRS users recertify (re-acknowledge) the rules of behavior annually in order to maintain access privileges.

    16. Fulfill any additional IDRS security responsibilities of the Senior Management/Executive stated elsewhere in the IRM.

10.8.34.3.1.2  (10-14-2011)
IDRS Security Program Officer

  1. The IDRS Security Program Officer is the Senior Manager/Executive (or designee) responsible for ensuring that the appropriate IDRS security posture is maintained.

  2. The Director, Cybersecurity Architecture & Implementation (or designee) serves as the IDRS Security Program Officer.

10.8.34.3.1.3  (04-01-2014)
Manager

  1. The manager of IDRS users shall be responsible for day-to-day implementation and administration of IDRS security in their unit/group.

  2. The manager shall perform the following:

    1. Ensure IDRS Security policies and guidance are implemented in their unit/group.

    2. Reinforce employees' awareness of and compliance with UNAX rules prohibiting access to any taxpayer or personnel data not required to accomplish official duties.

    3. Conduct periodic re-orientation sessions to ensure employees remain alert and aware of IDRS security requirements.

    4. Ensure employees who are IDRS users complete the required initial and annual refresher training.

    5. Ensure weekly and monthly IDRS Security reports are reviewed and certified timely and that any required report actions are completed timely.

    6. Ensure the Maximum Profile Authorization File (MPAF), the Unit Command Code Profile (UCCP), and the Employee Security Record File (ESRF) for all employees and IDRS units are reviewed at least monthly and any necessary corrective actions are completed timely.

    7. Ensure the command code usage of employees with sensitive command code combinations in their profiles is reviewed at least monthly.

    8. Ensure new IDRS users review the rules of behavior and that each IDRS user recertifies the rules of behavior annually via the Online 5081 (OL5081) application.

    9. Ensure questionable activity or potential UNAX violations are timely reported to TIGTA.

    10. Report any IDRS user who refuses to certify or recertify the rules of behavior to employees' division management for appropriate disciplinary action. Users who refuse to certify or recertify the rules of behavior will not be allowed to access IDRS and their IDRS user account shall be deleted.

    11. Ensure all requirements associated with a disciplinary action have been met prior to reinstating an IDRS user who has been deleted from IDRS because of an illegal or improper activity. If the employee's disciplinary action resulted from one or more unauthorized actions, the manager shall ensure the employee has met the recertification requirements, which include having the employee review the UNAX briefing and sign the UNAX Recertification Certificate before the employee may be added or re-added to IDRS or receive access to taxpayer information and return information. The manager's signature on the UNAX Recertification form indicates that the employee has met all disciplinary actions for recertification.

    12. Fulfill any additional IDRS security responsibilities of the manager stated elsewhere in the IRM.

  3. Managers who have been officially designated as the USR for their unit/group (via an approved Form 13230, IDRS Security Personnel Designation) shall perform the IDRS security duties of a USR as described by this IRM as well as the manager duties.

  4. Managers who have not been designated as the USR for their unit/group perform the following:

    1. Coordinate with the USR to help ensure IDRS security is effectively implemented for the unit/group.

    2. Ensure the USR is notified immediately when an IDRS user no longer needs system access.

    3. Provide the USR with written or electronic documentation for all requests to update the unit's MPAF or UCCP or to update an employee's ESRF.

  5. See IRM 10.8.2, for general policy related to the IT security role and responsibilities of the manager.

10.8.34.3.2  (10-14-2011)
Organization/Functional Roles and Responsibilities

  1. This section provides functional roles and responsibilities for personnel who have IDRS security related responsibilities. These roles are defined in accordance with IRM 10.8.2.

10.8.34.3.2.1  (10-14-2011)
IDRS Security Program Management Office

  1. The IDRS Security Program Management Office is a function in the IRS Information Technology (IRS IT), Cybersecurity organization that was established to manage the IDRS Security Program.

  2. The IDRS Security Program Management Office consists of the following:

    1. IDRS Security Program Officer - the senior manager/executive (or designee) responsible for ensuring that the appropriate IDRS security posture is maintained.

    2. IDRS Security Program Manager - the individual who coordinates day-to-day IDRS Security Program Management Office activity.

    3. IDRS Security Program Analyst(s) - individuals who support the day-to-day IDRS Security Program Management Office activity.

  3. The IDRS Security Program Management Office shall perform the following:

    1. Establish policy and procedures for managing the IRS IDRS Security Program.

    2. Identify security activities that will help improve IDRS security.

    3. Perform activities that promote and maintain a continuing awareness of IDRS security.

    4. Disseminate information to IRS management, IDRS Security personnel, and IDRS users regarding changes in policy, procedures, and practices.

    5. Provide IDRS Security subject matter expert support to IRS management and staffs.

    6. Define the minimum content required for IDRS user security awareness training.

    7. Develop, review, and update the required initial and annual refresher training for Unit Security Representatives, and monitor compliance with the training requirement.

    8. Review the implementation of IDRS security at IRS campuses, computing centers, field offices, and other locations.

    9. Evaluate the implementation of IDRS security by IDRS Security Account Administrators, IDRS Security Analysts, Unit Security Representatives, and business unit management. Any oversight and evaluation activities performed by or for the IDRS Security Program Management Office will not substitute or replace any monitoring, training, or oversight activities required to be performed by IDRS Security Account Administrators, IDRS Security Analysts, Unit Security Representatives, or business unit management.

    10. Support Cybersecurity staffs in the review of requests to deviate from IDRS security policy stated in IRM 10.8.34, IDRS Security Controls.

    11. Fulfill any additional IDRS security responsibilities of the IDRS Security Program Management Office stated elsewhere in the IRM.

10.8.34.3.2.2  (10-14-2011)
IDRS Security Business Division Point-Of-Contact

  1. The IDRS Security Business Division POC helps ensure their business organization effectively performs IDRS security administration and monitoring.

  2. IRS business divisions are required to identify at least one individual as their IDRS Security Business Division POC.

  3. The IDRS Security Business Division POC shall:

    1. Serve as their business organization's point of contact with the IDRS Security Program Management Office.

    2. Serve as a liaison between the IDRS Security Program Management Office and their business organization in addressing IDRS security issues.

    3. Coordinate their business organization's response to IDRS security related issues.

    4. Coordinate their business organization's response to IORS security report certification related issues.

    5. Represent their business organization at IDRS Security related stakeholder meetings.

    6. Fulfill any additional IDRS security responsibilities of the IDRS Security Business Division Point-Of-Contact stated elsewhere in the IRM.

  4. Because the needs of each business division are different, additional duties may be assigned by the business division.

  5. The names of current IDRS Security Business Division Points-Of-Contact can be found on the IDRS Security web site: http://idrssecurity.web.irs.gov/IDRS/IDRSSecurityPOC.asp

10.8.34.3.2.3  (04-01-2014)
IRS Information Technology (IRS IT) Enterprise Operations, Security Operations & Standards Division (EOPS-SOSD) Management

  1. IRS IT EOPS-SOSD Management shall assign security specialist(s) and/or security assistants as IDRS Security Account Administrators.

  2. IRS IT EOPS-SOSD Management shall assign security specialist(s) and/or security assistants as Computing Center IDRS Security Administrators.

  3. IRS IT EOPS-SOSD Management shall perform the following:

    1. Ensure IDRS Security Account Administrators and Computing Center IDRS Security Administrators are properly trained to perform the necessary IDRS Security related tasks;

    2. Monitor the activity of IDRS Security Account Administrators and Computing Center IDRS Security Administrators to ensure activity is both effective and appropriate;

    3. Ensure IDRS Security Account Administrators and Computing Center IDRS Security Administrators are not assigned duties that conflict with their security responsibilities. Any security matters that arise shall be given priority consideration over non-security duties or assignments; and

    4. Fulfill any additional IDRS security responsibilities of IRS IT EOPS-SOSD Management stated elsewhere in the IRM.

10.8.34.3.2.4  (04-01-2014)
IRS Information Technology (IRS IT) Cybersecurity Operations Management

  1. IRS IT Cybersecurity Operations Management shall assign security specialist(s) and/or security assistants as Campus IDRS Security Analysts.

  2. IRS IT Cybersecurity Operations Management shall assign security specialist(s) and/or security assistants as Computing Center IDRS Security Analysts.

  3. IRS IT Cybersecurity Operations Management shall perform the following:

    1. Ensure Campus IDRS Security Analysts and Computing Center IDRS Security Analysts are properly trained to perform the necessary IDRS Security related tasks.

    2. Monitor the activity of Campus IDRS Security Analysts and Computing Center IDRS Security Analysts to ensure activity is both effective and appropriate.

    3. Ensure Campus IDRS Security Analysts and Computing Center IDRS Security Analysts are not assigned duties that conflict with their security responsibilities. Any security matters that arise shall be given priority consideration over non-security duties or assignments.

    4. Fulfill any additional IDRS security responsibilities of IRS IT Cybersecurity Operations Management stated elsewhere in the IRM.

10.8.34.3.2.5  (04-01-2014)
IDRS Security Account Administrator

  1. The IDRS Security Account Administrator performs tasks relating to the administration of IDRS user and unit accounts.

  2. The IDRS Security Account Administrator shall be a non-bargaining unit employee who is a member of the EOPS-SOSD staff.

  3. To help ensure proper separation of duties, the IDRS Security Account Administrator shall not simultaneously serve as Computing Center IDRS Security Administrator.

  4. IDRS Security Account Administrator shall perform the following unit and account administration related tasks:

    1. Process, maintain (or be able to acquire), and explain how to complete and submit IDRS security related requests that are submitted via OL5081, Form 13230, and Form 9937.

    2. Add, modify, or delete employee access to IDRS, ensuring that user accounts are established in the proper unit, Office Identifier (OI), and organization code range.

    3. Review and update, at a minimum semi-annually, pertinent IDRS user information in the Master Register of Active IDRS Users report for completeness and accuracy. This includes Employee Name, SEID, Social Security Number (SSN), and background investigation status.

    4. Assign temporary passwords when adding users to IDRS, or as requested per an OL5081 request.

    5. Add or delete security command codes to user profiles.

    6. Ensure employees designated as USRs or Alternate USRs have completed the required training before adding security command codes to their profile.

    7. Ensure, in coordination with the IDRS Security Program Management Office, that security command codes are removed from the profiles of USRs and Alternate USRs who have not completed the required training.

    8. Ensure employees designated as primary USRs are non-bargaining employees with a "completed" background investigation status before adding security command codes to their profile.

    9. Coordinate with USRs and managers to create new IDRS units that fall under the managers' jurisdictions, ensuring the Office Identifier (OI) and Organization code for the new unit are consistent with the unit number ranges established in IRM 10.8.34. See IRM 10.8.34.6.2.1.6 for more information on IDRS Organization Code Management.

    10. Develop or update the Maximum Profile Authorization File (MPAF) and the Unit Command Code Profile (UCCP) based on signed Form 9937 requests.

    11. Lock any unit that has active IDRS users, but does not have a designated USR or IORS Primary Report Reviewer.

    12. Add or delete terminals to IDRS (in coordination with a Computing Center IDRS Security Administrator).

  5. IDRS Security Account Administrator shall perform the following IDRS Unit and USR Database (IUUD) related tasks:

    1. Maintain a current record of Unit Security Representatives (USRs), Alternate USRs, Terminal Security Administrators (TSAs), managers, and the designated Primary Report Reviewers for all IDRS units in the IUUD.

    2. For all persons listed, ensure the IUUD includes their name, SEID, address, and phone number; indicate when command code ASNPW is in the individual’s profile.

    3. For all IDRS units listed, ensure the IUUD includes the USR, manager, IORS Primary Report Reviewer, and any Alternate USRs and TSAs; to the extent possible, include a description of the unit and any alternate unit mailing address.

    4. Assist managers and business organization security personnel in getting access to, using, and requesting updates to information in the IUUD.

  6. IDRS Security Account Administrator shall perform the following IORS related tasks:

    1. Review and certify IDRS security reports requiring IDRS Security Account Administrator action.

    2. Assist managers and business organization security personnel in getting access to IORS.

    3. Add or delete employee access to the IORS. Ensure employees designated as IORS Primary Report Reviewer are non-bargaining employees before adding command code REPTS to their profile (REPTS is added to a user's profile to allow IORS access).

    4. Lock any unit that has active IDRS users but where an IORS Primary Report Reviewer has not been designated to review/certify IDRS security reports. The IDRS Security Account Administrator will also designate the primary USR for the unit as the IORS Primary Report Reviewer until the IDRS Security Account Administration staff is notified to the contrary.

  7. IDRS Security Account Administrator shall also perform the following:

    1. Assist USRs and managers in addressing issues relating to the administration of IDRS user and unit accounts.

    2. Support the IDRS Security Program Management Office as reviewers of policy and procedural documents, SACS and IORS system changes, job aids, and training material related to the administration of IDRS user and unit accounts.

    3. Identify potential and actual IDRS security administration related problems, probable causes, and recommend corrective actions.

    4. Have access to all necessary security command codes pertaining to IDRS security.

    5. Have access to all security reports, forms, manuals, and handbooks pertaining to the administration of IDRS user and unit accounts.

    6. Fulfill any additional IDRS security responsibilities of the IDRS Security Account Administrator stated elsewhere in the IRM.

10.8.34.3.2.6  (04-01-2014)
Computing Center IDRS Security Administrator

  1. The Computing Center IDRS Security Administrator performs tasks relating to the administration of Computing Center IDRS security activity.

  2. The Computing Center IDRS Security Administrator shall be a non-bargaining unit employee who is a member of the EOPS-SOSD staff.

  3. To help ensure proper separation of duties, the Computing Center IDRS Security Administrator shall not simultaneously serve as IDRS Security Account Administrator.

  4. The Computing Center IDRS Security Administrator shall perform the following tasks:

    1. Add console operators, using command code TPFCN.

    2. Add/change host-to-host passwords using command code UPHPW.

    3. Change or display the list of command codes in a host profile using command code UPHST.

    4. Add/delete command codes from the prohibited command code tables for various employee role restrictions based on direction from the IRS IT, International Business Machines (IBM) Support Services Branch and the IDRS Security Program Management Office.

    5. Have access to all necessary security command codes pertaining to Computing Center IDRS Security Administration.

    6. Fulfill any additional IDRS security responsibilities of the Computing Center IDRS Security Administrator stated elsewhere in the IRM.

10.8.34.3.2.7  (04-01-2014)
IDRS Security Analyst

  1. The IDRS Security Analyst performs IDRS security policy support and oversight related tasks for IDRS campus domains and/or IDRS computing centers.

10.8.34.3.2.7.1  (04-01-2014)
Campus IDRS Security Analyst

  1. The Campus IDRS Security Analyst performs IDRS security policy support and oversight related tasks for the IDRS campus domains.

  2. The Campus IDRS Security Analyst shall be a non-bargaining unit employee who is a member of the Cybersecurity Operations staff.

  3. The Campus IDRS Security Analyst shall perform the following tasks:

    1. Monitor and review the implementation and administration of the IDRS security program in their campus domain(s) to help ensure the program is properly implemented and maintained.

    2. Process, maintain (or be able to acquire), and explain how to complete Form 9936 requests for audit trail extracts.

    3. Review and certify IDRS security reports requiring IDRS Security Analyst action.

    4. Review IORS utility reports on a weekly basis to determine whether IORS Primary Report Reviewers in their campus domain(s) are reviewing and certifying IDRS Security reports in a timely manner, and provide business organizations in their campus domain(s) with a report of uncertified reports.

    5. Work with business organizations in their campus domain(s) to address IORS security report certification related issues.

    6. Notify business organizations in their campus domain(s) of any units where a Primary Report Reviewer has not been designated.

    7. Ensure IORS Primary Report Reviewers, managers, and/or USRs have documented the appropriateness of all accesses to taxpayer accounts identified in the weekly IDRS security reports.

    8. Review, in an oversight capacity, the various IDRS security reports for trends, for compliance with IDRS security policy, and for ensuring that reports are being reviewed in a timely and appropriate manner.

    9. Assist managers and business organization security personnel in their campus domain(s) in using IORS.

    10. Respond to inquiries from business organizations in their campus domain(s) regarding IDRS security policy, procedures and processes.

    11. Perform activities that promote and maintain a continuing awareness of IDRS security.

    12. Identify potential and actual IDRS security problems, probable causes, and recommend corrective actions.

    13. Advise management on matters relating to IDRS security.

    14. Support the IDRS Security Program Management Office as reviewers of policy and procedural documents, SACS and IORS system changes, job aids, and training material related to IDRS security.

    15. Have access to all necessary security command codes pertaining to IDRS security.

    16. Have access to, or be able to acquire, IDRS security related documentation requests, which include OL5081, Form 13230, and Form 9937 requests.

    17. Have access to all security reports, forms, manuals, and handbooks pertaining to the implementation and administration of IDRS Security.

    18. Fulfill any additional IDRS security responsibilities of the IDRS Security Analyst stated elsewhere in the IRM.

10.8.34.3.2.7.2  (04-01-2014)
Computing Center IDRS Security Analyst

  1. The Computing Center IDRS Security Analyst, like the IDRS Security Analyst, performs IDRS security policy support and oversight related tasks for the IDRS campus domains.

  2. The Computing Center IDRS Security Analyst also performs IDRS security policy support and oversight related tasks unique to IDRS Computing Centers.

  3. The Computing Center IDRS Security Analyst shall be a non-bargaining unit employee who is a member of the Cybersecurity Computing Center Operations staff.

  4. The Computing Center IDRS Security Analyst shall perform the duties of the Campus IDRS Security Analyst. See section IRM 10.8.34.3.2.7.1 above for a list of these duties.

  5. The Computing Center IDRS Security Analyst shall also perform the following tasks unique to IDRS Computing Centers:

    1. Process requests for ICS/ACS/Print (IAP) IDRS Audit Trail extracts.

    2. Provide USR and IORS Primary Report Reviewer support for IDRS units containing IDRS Security Program Management Office staff or Computing Center IDRS Security Administrators.

    3. Fulfill any additional IDRS security responsibilities of the Computing Center IDRS Security Analyst stated elsewhere in the IRM.

10.8.34.3.2.8  (04-01-2014)
Unit Security Representative (USR)

  1. The USR is an individual assigned by their business organization to implement and administer IDRS security at the IDRS unit level.

  2. The USR is sometimes referred to as a unit's "Primary USR", especially when other individuals have been designated to serve as Alternate USR for the unit.

  3. Each IDRS unit shall have a designated USR. Designations shall be approved by a second level or higher manager who is in the direct chain of command of the IDRS users being supported. The designation shall be submitted to an IDRS Security Account Administrator for approval on Form 13230.

  4. The USR may or may not be the IDRS user's immediate manager, but will have the requisite authority to perform USR duties.

  5. The USR shall be a non-bargaining unit employee.

  6. The USR shall have a "completed" background investigation status.

  7. The USR shall complete initial USR training prior to performing USR duties; and shall complete USR refresher training at least annually.

  8. USR shall perform the following unit and account administration related tasks:

    1. Approve OL5081 for:
      - "Add User" requests for all users who need to be added to IDRS units covered by the USR
      - Any action that requires an OL5081 request be submitted to an IDRS Security Account Administrator with the exception of a request for a temporary password for an existing IDRS user.

    2. Update a current user's IDRS profile for the command codes that are available in the unit's MPAF as appropriate for the user to perform their assigned work; the USR shall add or delete command codes to and from user profiles, with the exception of security command codes, which shall be added or deleted by an IDRS Security Account Administrator.

    3. With the concurrence of the unit manager, prepare, approve, and submit requests to the IDRS Security Account Administrator to add or delete command codes to/from the MPAF and the UCCP. USRs are authorized to approve Form 9937 in IORS for the unit manager if the USR has written or electronic documentation that supports the manager's concurrence with the action taken. Documentation shall include the date, the action to be taken, the IDRS unit number, and validation of the manager's agreement, such as an e-mail or a signed or initialed memo from the manager.

    4. Ensure user profiles are locked no later than the first day the employee is on leave if the employee will be on leave for 15 consecutive calendar days or more, or goes into non-pay status with an expectation of returning to duty within 60 consecutive calendar days. Users going on leave are to be encouraged to lock their own profiles if the leave is not expected to exceed 45 days. For users who are going into non-pay status for less than 60 days, the USR shall lock the user's IDRS profile to prevent the user from being deleted from IDRS.

    5. Delete employees from IDRS who either do not need access to IDRS for a period of 60 consecutive calendar days or longer, or who do not need future access to IDRS. The employee shall be removed from IDRS on the first day they no longer need access to IDRS.

    6. Unlock the profile of employees at the request of the employee or manager, if there is no cause to keep the profile locked.

    7. Unlock IDRS terminals when requested to do so by a manager or known user and notify the manager of any questionable activity that caused the workstation to be locked.

    8. Initiate the transfer of employee profiles into an IDRS unit under the USR's jurisdiction when requested to do so by a known manager. This task is the responsibility of the receiving unit's USR.

    9. Coordinate the creation of new IDRS units and the deletion of deactivated IDRS units with the IDRS Security Account Administrators.

    10. Ensure IDRS users who meet the criteria for restricted roles have the appropriate restrictions added to their profiles.

    11. Modify IDRS terminal availability times to be consistent with the need to access IDRS. USRs shall set time off-the-air/on-the-air to coincide with access need, using command code UPTRM.

  9. The USR shall perform the following security monitoring and review related tasks:

    1. Monitor each IDRS user's command code usage/non-usage, and coordinate with the manager to delete command codes from the employee's profile that are not being used and are no longer needed.

    2. Timely review various IDRS security reports for the unit/group and take appropriate action to correct security weaknesses and breaches.

    3. Review the command code usage via the Monthly IDRS Security Profile Report, and in coordination with the manager, submit requests to the IDRS Security Account Administrator to delete the command codes that were not used or no longer needed in the MPAF and UCCP.

    4. Review the profile of each IDRS user at least monthly to identify any unauthorized command codes.

    5. Ensure command codes are not in the training mode unless the employee is in training, except for the specific case of User Support Specialists.

    6. Ensure managers are aware of and monitor command code usage of employees with sensitive command code combinations in their profiles.

    7. Monitor compliance with sign-off requirements by reviewing the IDRS Security Profile Reports to determine if IDRS users have 15 or more automatic sign-offs for the month. IDRS users meeting this criterion shall be advised of the need to sign off of IDRS when IDRS is not needed, and of how to refresh their IDRS activity clock if the user needs to have continuous access to IDRS.

    8. Ensure, in coordination with the manager, that any questionable activity or potential UNAX violations are timely reported to TIGTA.

    9. Review the Master Register of Active IDRS Users at least monthly to ensure only authorized users are in their IDRS units and all information included in this report is correct and complete.

    10. Review the IUUD at least monthly to ensure the accuracy of information for their IDRS unit(s); submit updates and corrections to the IDRS Security Account Administration staff.

  10. The USR shall perform the following training and awareness related tasks:

    1. Ensure management annually reviews the rules of behavior with IDRS users.

    2. Ensure security procedures and instructions that relate to IDRS security are explained to the users prior to adding the user to IDRS.

    3. Perform periodic security awareness training (at least annually) for each IDRS user.

    4. Ensure managers are aware of their IDRS security responsibilities.

    5. Train Terminal Security Administrators on when and how to unlock IDRS terminals and user profiles, and train Terminal Security Administrators to report any unusual circumstances to the USR.

  11. The USR shall perform the following password management related tasks:

    1. USRs are to encourage all users to activate their IDRS password management capability.

    2. USRs, who are authorized to provide temporary passwords to IDRS users, shall maintain documentation to support user requests.

    3. If a USR provides a temporary password, the issuance of the temporary password shall be supported by an OL5081 request, e-mail, or written notification from a manager. At a minimum, the documentation shall include the following:

    • The date the temporary password was requested for the employee

    • The name of the employee who is to receive the temporary password

    • The reason for requesting the temporary password

    • The name of the manager or USR who requested the temporary password for the employee

  12. The USR shall also perform the following:

    1. Identify potential and actual IDRS security related problems, probable causes, and recommend corrective actions.

    2. Support the IDRS Security Program Management Office as reviewers of policy and procedural documents, SACS and IORS system changes, job aids, and training material related to IDRS security.

    3. Have access to all manuals and handbooks pertaining to IDRS security.

    4. Fulfill any additional IDRS security responsibilities of the USR stated elsewhere in the IRM.

10.8.34.3.2.9  (04-01-2014)
Alternate USR

  1. The Alternate USR is an individual who assists and/or performs the duties of the primary USR when that individual is not available.

  2. Alternate USR designations shall be approved by a second level or higher manager who is in the direct chain of command of the IDRS users being supported.

    1. The designation shall be submitted to an IDRS Security Account Administrator on a Form 13230.

    2. Before submission, the Form 13230 shall be coordinated with the primary USR(s) to ensure the primary USR(s) is aware of who is being designated as an Alternate USR.

  3. The Alternate USR shall be a non-bargaining unit employee or a bargaining unit employee (e.g., lead) who is familiar with IDRS security requirements and procedures.

  4. The Alternate USR shall have a "completed" background investigation status.

  5. The Alternate USR shall complete:

    1. Initial USR training prior to performing USR duties.

    2. USR refresher training at least annually.

  6. The Alternate USR's manager shall submit an OL5081, "Modify User Profile Request," to the IDRS Security Account Administration staff to request that the appropriate security command codes be included in the Alternate USR's IDRS employee profile. The OL5081 request shall be approved by the Alternate USR's primary USR to ensure the primary USR is aware of who is being given security command codes.

  7. A non-bargaining unit Alternate USR is authorized to act as the primary USR when the primary USR is not available, including serving as a unit's Primary Report Reviewer for the review and certification of security reports. A non-bargaining unit Alternate USR may perform all related security duties when officially acting as the primary USR and is authorized to have the full suite of USR security command codes.

  8. A bargaining unit Alternate USR cannot act as primary USR and cannot perform the full duties of a USR. They support a non-bargaining unit USR and can perform non-managerial duties of the USR, such as updating a user's profile. The bargaining unit Alternate USR shall not review another employee's IDRS actions.

  9. For IDRS security purposes, the Alternate USR's security activity is under the purview of the designated primary USR for that unit or area. If the primary USR has concerns regarding security actions taken by the Alternate USR, the primary USR may request that the IDRS Security Analyst provide an audit trail extract of the Alternate USR's activities for a designated date or date range.

  10. The Alternate USR shall fulfill any additional IDRS security responsibilities of the Alternate USR stated elsewhere in the IRM.

10.8.34.3.2.10  (04-01-2014)
Terminal Security Administrator (TSA)

  1. The TSA is an individual assigned by their business organization to unlock IDRS terminals and unlock employee profiles locked due to 17 days of inactivity.

  2. Assigning individuals to serve as TSA is optional and at the discretion of business organization management. The intent of the TSA role is to reduce USR workload.

  3. TSAs may either be a non-bargaining or bargaining unit employee.

  4. A TSA designation shall be approved by a second level manager or higher in their business organization. The designation shall be submitted to the IDRS Security Account Administration staff on Form 13230. Before submission, the Form 13230 shall be coordinated with the unit's primary USR to ensure the primary USR is aware of who is being designated as a TSA.

  5. The TSA's manager shall submit an OL5081 "Modify User Profile Request" to the IDRS Security Account Administrator to have the appropriate security command codes added to the TSA's IDRS employee profile. The OL5081 request shall be approved by the TSA's primary USR to ensure the primary USR is aware of who is being given security command codes.

  6. TSAs will not be required to complete specialized IDRS security training, but shall receive instruction from a primary USR before performing TSA duties.

  7. Command Code SECOP is to be placed in the user profile of TSAs (SECOP is the command code used to unlock IDRS terminals). At the request of the manager, TSAs may also be given command code UNLEM (UNLEM is the command code used by a TSA to unlock employee profiles that have been locked by the system because the user has been inactive for 17 days).

  8. For TSAs who are given the capability to unlock employee profiles, USRs are authorized to provide a copy of the "Master Register of Active Users" report or a Command Code SFINQA screen print to the TSA that lists the IDRS employee numbers of users in their unit(s). TSAs are only authorized to unlock IDRS profiles for known users.

  9. For IDRS security purposes, the TSA's security activity is under the purview of the designated primary USR(s) for that unit or area. If the primary USR has concerns regarding security actions taken by the TSA, the primary USR may request that an IDRS Security Analyst provide an audit trail extract of the TSA activities for a designated date or date range.

10.8.34.3.2.11  (04-01-2014)
IORS Report Reviewer

  1. The IORS Report Reviewer is an individual assigned by their business organization to review IDRS security reports in IORS.

  2. There are two IORS Report Reviewer roles:

    1. IORS Primary Report Reviewer

    2. IORS Secondary Report Reviewer

10.8.34.3.2.11.1  (04-01-2014)
IORS Primary Report Reviewer

  1. The IORS Primary Report Reviewer is an individual assigned by their business organization who is responsible for ensuring that the IDRS security reports for the designated IDRS unit(s) are timely reviewed and that the appropriate actions are taken when necessary.

  2. IORS Primary Report Reviewers shall be non-bargaining unit employees. They are normally the unit's manager or USR, or hold an IDRS coordinator role.

  3. Each IDRS unit shall have a designated IORS Primary Report Reviewer and their designation shall be submitted to the IDRS Security Account Administration staff on Form 13230. Before submission, the Form 13230 shall be coordinated with the primary USR(s) to ensure the primary USR(s) is aware of who is being designated as IORS Primary Report Reviewer.

  4. The IDRS Security Account Administration staff will lock any unit that has active IDRS users, but where no IORS Primary Report Reviewer has been designated to review/certify IDRS security reports. The IDRS Security Account Administrator will also designate the primary USR for the unit as the IORS Primary Report Reviewer until the IDRS Security Account Administration staff is notified to the contrary.

  5. The IORS Primary Report Reviewer roles are recorded in the IUUD. This information is used by IORS to define Primary Report Reviewer permissions in IORS.

  6. The Primary Report Reviewer shall input report certifications, but may indicate in the certification that the certification is based on the documented review of others such as the manager or USR, if the Primary Report Reviewer does not perform either of these roles.

  7. The IORS Primary Report Reviewer will receive notification when the security reports are available for review and when security reports requiring certification have not been certified within the prescribed time frame.

  8. The Primary Report Reviewer may grant a proxy to another non-bargaining unit IORS user to act in their place when they are not available.

  9. The IORS Primary Report Reviewer may grant Secondary Report Reviewer permissions to other IORS users to view and comment on IDRS security reports for the unit. The IORS Primary Report Reviewer shall remove these permissions when they are no longer needed.

  10. IORS Primary Report Reviewer shall fulfill any additional IDRS security responsibilities of the IORS Primary Report Reviewer stated elsewhere in the IRM.

10.8.34.3.2.11.2  (04-01-2014)
IORS Secondary Report Reviewer

  1. The IORS Secondary Report Reviewer is an individual who has received permissions from an IORS Primary Report Reviewer to view one or more security reports for a unit.

  2. The IORS Secondary Report Reviewer is usually the manager of a unit where the Primary Report Reviewer role is being performed by another individual.

  3. The IORS Secondary Report Reviewer shall be a non-bargaining unit employee. However, bargaining unit employees (e.g., leads) who are experienced with IDRS may be given Secondary Reviewer permissions to assist the Primary Report Reviewer with the review and evaluation of security reports that do not involve the review of another employee's IDRS actions. These are reports that do not require a certification (the Master Register, Employee Count, Automated IDRS Sign-offs, and Password Management Activations reports). Bargaining unit employees shall not review reports that involve another employee's IDRS actions. These reports include the Security Violations, Sensitive Access, and Monthly and Quarterly Security Profile reports.

  4. The IORS Secondary Report Reviewer cannot input certifications for security reports, but they can input information to document they have reviewed data that appears on security reports. They can input relevant comments and indicate that they have taken any necessary actions.

  5. The IORS Secondary Report Reviewer cannot grant permissions to other IORS users to view IDRS security reports.

  6. The IORS Secondary Report Reviewer shall notify the Primary Report Reviewer immediately when they no longer need access to unit reports.

  7. The IORS Secondary Report Reviewer shall fulfill any additional IDRS security responsibilities of the IORS Secondary Report Reviewer stated elsewhere in this IRM.

10.8.34.4  (10-14-2011)
Management Controls

  1. Per IRM 10.8.1, IRS shall implement management security controls to mitigate risk of IT applications and electronic information loss in order to protect the organization's mission. This IRM further defines the management security control requirements found in IRM 10.8.1 as they pertain to IDRS security.

10.8.34.4.1  (10-14-2011)
Planning

  1. Per IRM 10.8.1, the IRS shall establish enterprise-wide security planning policy and procedures that define and implement rules of behavior for all IT systems.

10.8.34.4.1.1  (10-14-2011)
Rules of Behavior

  1. IDRS users shall sign a statement acknowledging that they have read and understand the rules of behavior.

  2. The OL5081 system shall be used to document IDRS users' acknowledgement they have read and understand the rules of behavior.

    1. Prior to being added to IDRS, users shall sign the OL5081 rules of behavior statement acknowledging that they have read and understand the rules.

    2. In order to maintain access privileges, IDRS users shall annually sign the OL5081 rules of behavior statement to recertify (re-acknowledge) they have read and understand the rules of behavior.

  3. IDRS users who do not sign or annually re-acknowledge the security rules will be denied access to the system. The manager of an employee who refuses to sign the security rules may, at the discretion of business organization management, brief the employee on the security rules in the presence of a second manager, and both managers shall acknowledge in writing that the employee was briefed on the security rules.

  4. Failure to comply with the rules of behavior is subject to disciplinary actions. See IRM 6.751.1, "Discipline and Disciplinary Actions: Policies, Responsibilities, Authorities, and Guidance", for further guidance.

10.8.34.5  (10-14-2011)
Operational Controls

  1. Per IRM 10.8.1, IRS shall implement operational security controls. This IRM further defines the operational security control requirements found in IRM 10.8.1 as they pertain to IDRS security.

10.8.34.5.1  (10-14-2011)
Awareness and Training

  1. Per IRM 10.8.1, the IRS shall develop and implement an IT security awareness and training program.

10.8.34.5.1.1  (10-14-2011)
Awareness

  1. IRM 10.8.1 requires system users to complete security awareness training when being granted access to a system and annually for as long as they remain system users. This IRM further defines security awareness training requirements as they pertain to IDRS security.

10.8.34.5.1.1.1  (10-14-2011)
IDRS User Security Awareness Training

  1. The USR shall ensure new and returning users in their IDRS units receive an IDRS security awareness briefing prior to accessing IDRS.

  2. The USR shall ensure users in their IDRS units receive periodic (at a minimum annual) IDRS security awareness briefings.

  3. The IDRS security awareness briefings shall cover general IDRS security procedures and instructions. At a minimum, the briefings shall cover the following:

    1. The General IDRS Security Procedures found in IRM 2.3.9 Security Command for IDRS Users.

    2. The requirement to annually review and recertify the rules of behavior.

    3. Rules regarding unauthorized accesses.

    4. Use and protection of passwords and implementation and use of the IDRS password management capability.

    5. Necessity of locking the workstation or signing off IDRS when the user's workstation is unattended, and knowing when IDRS sign-offs are required.

    6. Necessity of clearing data from the screen when a terminal operation is completed.

    7. Procedures to follow if IDRS goes down.

    8. Necessity of promptly retrieving data from the printer.

    9. Use of command code LOKME, which allows employees to lock their profiles for up to 45 days.

    10. Use of command code SFDIS with definer P, which allows users to check the authorized command codes in their profile, their Multiple Accesses capability, and their Password Management status.

    11. Knowing who to contact if their IDRS terminal is locked or profile is locked.

    12. Advising users that all actions performed on IDRS are recorded in the IDRS audit trail, and audit trail records are retained for at least six years.

10.8.34.5.1.2  (10-14-2011)
Training

  1. This IRM section defines security training requirements and responsibilities as they pertain to personnel with significant IDRS security responsibilities.

10.8.34.5.1.2.1  (04-01-2014)
Manager Training

  1. The USR shall ensure the managers of their IDRS units are fully aware of their IDRS security responsibilities as outlined in IRM 10.8.34.3.1.3.

10.8.34.5.1.2.2  (10-14-2011)
IDRS Security Program Management Office Staff Training

  1. The IDRS Security Program Officer shall ensure IDRS Security Program Management Office staff are properly trained to perform their IDRS Security related tasks.

10.8.34.5.1.2.3  (10-14-2011)
IDRS Security Analyst and Computing Center IDRS Security Analyst Training

  1. IRS IT Cybersecurity Operations management shall ensure IDRS Security Analysts and Computing Center IDRS Security Analysts are properly trained to perform their IDRS Security related tasks.

10.8.34.5.1.2.4  (10-14-2011)
IDRS Security Account Administrator and Computing Center IDRS Security Administrator Training

  1. IRS IT EOPS-SOSD management shall ensure IDRS Security Account Administrators and Computing Center IDRS Security Administrators are properly trained to perform their IDRS Security related tasks.

10.8.34.5.1.2.5  (10-14-2011)
Unit Security Representative (USR) and Alternate USR Training

  1. Employees designated as USR or Alternate USR shall complete the required initial and annual refresher training.

  2. The required USR initial and annual refresher training courses shall be available on the IRS Enterprise Learning Management System (ELMS).

    Note:

    TIGTA employees who cannot access ELMS will be trained by Kansas City Campus IDRS Security Analysts. Kansas City Campus IDRS Security Analysts will provide TIGTA course completion records to the IDRS Security Program Management Office and the EOPS-SOSD IDRS Security Account Administration staff.

10.8.34.5.1.2.5.1  (10-14-2011)
Course Development and Revision

  1. The IDRS Security Program Management Office shall be responsible for developing and revising the required USR initial and annual refresher training.

    1. The IDRS Security Program Management Office shall develop the required USR initial and annual refresher training courses and ensure the courses are available on ELMS.

    2. The IDRS Security Program Management Office shall review the required USR initial and annual refresher training courses at least annually, by the end of each calendar year, to ensure they reflect current IDRS security policies and procedures.

    3. The IDRS Security Program Management Office shall contact the IRS IT Learning & Education staff each year to notify them whether or not any course revisions are necessary.

    4. The IDRS Security Program Management Office shall update the required USR initial and annual refresher training courses as necessary.

10.8.34.5.1.2.5.2  (10-14-2011)
Initial Training

  1. Employees designated as USR or Alternate USR shall complete the ELMS Course # 29776 — IDRS Unit Security Representatives (USRs) Training.

    1. Security command codes shall not be placed in the profile of any USR or Alternate USR who has not completed this ELMS course.

    2. Security command codes shall be removed from the profile of any USR or Alternate USR who has not completed this ELMS course.

    3. Completing the course will satisfy the annual training requirement for the FISMA training year in which the course is completed.

      Note:

      The FISMA training year is July 1 through June 30.

  2. New USRs and Alternate USRs shall complete the required initial training course before security command codes are added to their profile.

  3. Returning USRs and Alternate USRs who have not performed USR duties for more than one year shall be considered new and are required to complete the initial training course before security command codes are added to their profile.

  4. IDRS Security Account Administration staff shall remove security command codes from the profile of any USR or Alternate USR who received the command codes without completing the required initial training.
