2.13.8  Voice Systems Security

Manual Transmittal

July 24, 2013

Purpose

(1) This transmits revised IRM 2.13.8, Enterprise Networks, Voice Systems Security.

Material Changes

(1) This IRM has been prepared in accordance with requirements resulting from the IRM restructuring and IRS modernization efforts. It provides guidance and directions for telecommunications services and knowledge of the processes and standards that are in place for voice systems security.

(2) Enterprise Networks was changed to User and Network Services throughout the document.

(3) MITS was changed to IT throughout the document.

Effect on Other Documents

IRM 2.13.8 dated January 21, 2009, is superseded.

Audience

This standard is to be used by the Information Technology (IT) organizations and other divisions and functions needing telecommunications services.

Effective Date

(07-24-2013)

Related Resources

The following resources were used to develop this IRM.

  • IRM 1.15.2, Types of Records and their Life Cycles

  • IRM 1.16.12, Physical Security Standards - Facility and Property Protection

  • IRM 2.13.2, Telecommunications Asset Tool, Waste, Fraud, and Abuse

  • IRM 2.13.3, Voice Premise Communications

  • IRM 2.13.4, Voice Messaging System

  • IRM 10.8.1, Information Technology (IT) Security Policy and Guidance

  • IRM 10.8.2, IT Security Roles and Responsibilities

  • IRM 11.3.12, Disclosure of Official Information - Classification of Documents

  • IRS Document Number 7281, Universal Wiring Handbook (soon to be IRM 2.13.19, Universal Wiring Guide)

  • IRS Facilities Design Standards, May 2002

  • Commissioner’s Delegation Order on all IT equipment, specifically No. 261 (Rev. 1) Authority to Govern all Areas Related to Information Resources and Technology Management

  • Treasury Directive, TD P 85-01, Department of the Treasury Information Technology (IT) Security Program

  • Communications Act of 1934 as amended by the Telecommunications Act of 1996, Public Law No. 104-104, 110 Stat. 56 (1996)

  • Federal Information Security Management Act of 2002, Public Law No. 107-347, Title III, 116 Stat. 2946 (2002)

  • Electronic Communications Privacy Act of 1986, Public Law No. 99-508, 100 Stat. 1848 (1986)

  • Executive Order 12472, Assignment of National Security and Emergency Preparedness Telecommunications Functions

  • OMB Circular No. A-123, Management’s Responsibility for Internal Control

  • OMB Circular No. A-130, Management of Federal Information Resources

  • Privacy Act of 1974, 5 U.S.C. 552a

  • NIST Special Pub. 800-24, PBX Vulnerability Analysis

  • National Fire Protection Standard No. 75.

Terence V. Milholland
Chief Technology Officer

2.13.8.1  (07-24-2013)
Purpose

  1. This IRM provides guidance for all User and Network Services (UNS) voice systems managed at the Internal Revenue Service (IRS) and provides procedures and processes for all IRS personnel and contractors who must ensure telecommunications systems security. UNS voice systems include Private Branch Exchange (PBX) and the Electronic Key Telephone System (EKTS). Refer to IRM 2.13.3, Voice Premise Communications for more information on these voice systems.

  2. Unauthorized access to a PBX or an EKTS is a major concern at the IRS. Since the capabilities of remote access, Voice Messaging Service (VMS), Automated Attendant Services (AAS), and Automated Call Distribution (ACD) have been added to the newer voice systems, the risks of security violations and fraud have increased dramatically at the IRS.

  3. This IRM provides guidance and the processes used to ensure adequate levels of protection for the telecommunications environment and to assist operational staff members and management at the IRS in the planning and maintenance of telecommunications systems security.

  4. This IRM also provides guidance and the processes used for documenting initial guidelines for the IRS’ Voice Switching Systems in order to:

    • Minimize the risk of unauthorized usage

    • Increase security

    • Reduce vulnerability to fraud

    • Document local configurations for inventory control, disaster recovery, and legacy documentation.

  5. In the unlikely event that compliance with any part of this IRM would degrade the manufacturer’s hardware performance or security capability, or would create an unplanned, unfunded budget requirement, an exception to this IRM must be requested as a Waiver from the Associate Chief Information Officer (ACIO) of User and Network Services (UNS). The waiver is available at the UNS web site at: http://en.web.irs.gov/default.aspx.

  6. This IRM excludes guidance on:

    • Analog circuits covered by the Data Communications Utility (DCU) network

    • Automatic Call Distribution (ACD) sites

    • Local Area Networks (LANs)

    • File and Print Servers and Routers

    • Telecommunication system(s) under the exclusive control of the Department of the Treasury’s Digital Telecommunications Service (DTS), Treasury Inspector General for Tax Administration (TIGTA), Criminal Investigation (CI), Counsel, and the IRS’s Joint Operations Center (JOC)

    • Common Premise Capabilities (CPC) and Voice Over Internet Protocol (VoIP)

    • e-911 systems.

  7. The guidance provided by this IRM shall be followed by all IRS personnel and contractors regardless of the technology deployed.

2.13.8.2  (05-31-2013)
Roles and Responsibilities

  1. The ACIO of UNS is responsible for providing technical guidance for protecting systems and associated facilities and ensuring that customers are kept apprised of emerging technologies, trends, and options in the area of telecommunications fraud prevention.

  2. End User Equipment and Services (EUES) and UNS local management are responsible for establishing, implementing, and maintaining telecommunications security procedures in accordance with this IRM.

  3. EUES and UNS local management are responsible for certifying that all telecommunications facilities are in compliance with this IRM and for verifying that action is taken on the recommendations made in the security reviews performed by the Information Technology (IT) Cybersecurity Office (Refer to Section 2.13.8.3, Validation, Compliance, and Certification of this IRM for more information). The ACIO of UNS is also responsible for following recommendations established by UNS and the IT Cybersecurity Office.

  4. EUES and UNS local management are responsible for the day-to-day security analysis which includes reviewing Station Message Detail Recording (SMDR) reports and monitoring the voice systems switch using the appropriate software.

  5. EUES and UNS local management are responsible for establishing, implementing and maintaining local telecommunications security procedures in accordance with the guidelines presented in this IRM. This responsibility includes ensuring that assigned operational staff has relevant training in switch management, voice management, and voice security. In addition, the local EUES and UNS management will clearly delineate the roles, responsibilities, and priorities of assigned staff members related to these systems.

  6. The IT Cybersecurity Office and UNS local management are responsible for validation, compliance, and certification of voice systems and their security at the IRS. Refer to Section 2.13.8.3, Validation, Compliance, and Certification of this IRM for additional information.

2.13.8.3  (05-31-2013)
Validation, Compliance, and Certification

  1. The ACIO of UNS is the agency official responsible for the overall procurement, development, integration, modification, and operation and maintenance of voice systems at the IRS. In accordance with National Institute of Standards and Technology (NIST) guidance, the Federal Information Security Management Act of 2002 (FISMA), and Treasury Directive TD P 85-01, Department of the Treasury Information Technology (IT) Security Program, the Business and Functional Unit Owner (agency official) shall: develop organizational assignments and operational procedures to implement the roles and responsibilities defined in this standard; complete the annual review of system security controls for the annual FISMA system security program review; and conduct annual testing of the system.

  2. Under the auspices of the ACIO of UNS and the UNS Security Officer, an annual security review of voice systems at the IRS is conducted with the assistance from the Director of Cybersecurity Operations, within the IT Cybersecurity Office. This review consists of validating current subscribers, re-validating modem requirements, ensuring system compliance, and certifying the security of IRS applications and general support systems.

    Note:

    Although UNS owns the voice system equipment at the IRS, EUES is responsible for operating and maintaining it. Refer to Section 2.13.8.2 for more information on voice systems roles and responsibilities at the IRS.

  3. All deviations from criteria must be documented by the local telecommunications site administrator using Form 13125, Information Technology Deviation Request. Information on this form must describe the deviation from the standard and provide a justification and any additional security mitigation to compensate for the deviation. The document is then forwarded to management for a waiver approval. Form 13125, Information Technology Deviation Request can be obtained at: http://core.publish.no.irs.gov/forms/internal/pdf/32356g01.pdf.

    Note:

    The type of deviation determines the level of management approval required. It is up to the telecommunications site administrator’s manager to forward Form 13125, Information Technology Deviation Request, to the appropriate level of management.

  4. Voice systems that utilize a Windows, Linux, UNIX, IBM mainframe, or Unisys mainframe operating system must comply with existing IRS standards for these operating systems. Operating system standards identified in the IRMs and Law Enforcement Manuals (LEMs), including IRM 10.8.1, Information Technology (IT) Security Policy and Guidance, apply. All services not specifically required by voice systems shall be removed from the system. Any configuration not in compliance with existing IRS standards requires an approved waiver from management.

  5. EUES and UNS local management must certify in writing to the Area or Computing Center Director that all telecommunications facilities comply with this IRM. This certification process must be completed by the beginning of each Fiscal Year by the local telecommunications site administrator.

  6. IRM 10.8.1, Information Technology (IT) Security Policy and Guidance states that all IRS major applications and general support systems must be certified. This means that all existing and new systems must complete a Certification and Accreditation process before implementation, which includes a System Risk Assessment. For those systems already operational without the necessary Certification and Accreditation approval, there will be a mandatory three (3)-year timeframe for that process to be completed.

  7. The Certification Function within UNS is the process of performing a comprehensive assessment of the management, operational, and technical security controls in information systems at the IRS. This process is performed in support of security accreditation to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the overall IRS security requirements for the system.

  8. As part of the Certification Function, UNS must analyze the information system or application to ensure compliance with the applicable regulations specified by the IRS. The procedures and processes that UNS uses to perform these analytical duties are identified as follows:

    • Review device or system configurations to ensure compliance with IRMs, Law Enforcement Manuals (LEMs), Interim Guidance Memoranda, and other IRS security standards

    • Perform quarterly compliance scans (such as LEM Checkers) on Windows and UNIX systems and forward results to UNS management and other authorized IRS personnel.

  9. Refer to IRM 10.8.1, IT Security Policy and Guidance and IRM 10.8.2, IT Security Roles and Responsibilities for information and procedures for IT Cybersecurity's Certification and Accreditation responsibilities.

    Note:

    The Designated Approval Authority (DAA) signs the Accreditation Letter as part of the Certification Function within UNS.

2.13.8.4  (05-31-2013)
Telecommunications Record Keeping

  1. Detailed records must be established and maintained by the local operational staff at each site where a telecommunications system is installed. The local operational staff is defined as the local IT System Administrators who are responsible for the day-to-day operation of the voice systems at the IRS.

  2. The operational staff must develop and maintain a current representation of the logical layout of the major voice network pieces. This representation must include major switch components, voice-response-units (including but not limited to the IRS VMS system), commercial and Federal Technology Service (FTS) circuits and trunks connected to the telecommunications system, and connectivity to the users of the system through the wiring distribution infrastructure.

  3. The local operational staff must maintain records that document all circuits connecting to the switch. These circuits include the Local Exchange Carrier circuits, FTS circuits, and any other circuits that connect into the switching system. These records must include the vendor’s circuit identification number(s), type of circuit, and the circuit termination location. These records must also include any power-failure-transfer lines.

  4. The operational staff must maintain records of any voice circuits at the site which do not connect through the switch. These records include direct analog lines to designated telephones for specific functions and pay telephones. The local operational staff is not required to maintain records of any circuits under the operational control of another organizational unit (such as the Treasury Inspector General for Tax Administration (TIGTA) or Criminal Investigation (CI)).

  5. The local operational staff must maintain detailed wiring plans showing the major parts of the main components, such as the Main Distribution Frame (MDF), Intermediate Distribution Frame (IDF) terminations, and distributions to the Workstation Interfaces (WSIs). Sites must consistently use a numbering scheme, either site specific or following a commercial standard, to document the locations of the WSIs. IRS Document 7281, Universal Wiring Handbook, Appendix A, Sections P and Q, states that labeling shall be completed at both ends of the wiring infrastructure. At the MDF, labeling must include cable numbers and cable pair numbers. At the IDF, each backbone or riser cable must be labeled with cable numbers and cable pair numbers. These records shall be maintained in both hardcopy and softcopy, with the softcopy available in a database format at the local site, as the records are site specific.

    Note:

    All softcopies of Sensitive but Unclassified (SBU) data stored offsite will need to be encrypted. Any SBU data that cannot be encrypted will be stored properly (hardcopies, CDs, and other storage material will be locked in a secure area) according to IRS standards and procedures. Refer to IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance.

  6. All new system installations must include Station Message Detail Recording (SMDR), Call Detail Record (CDR), or equivalent record keeping capabilities, as well as third-party hacker alarm software. In recognition that not all embedded systems have such capabilities, this software shall be acquired for existing switches as the budget permits. Local management is responsible for ensuring that the need for this software is assigned a high priority in formulating budget requests. These software applications allow the responsible staff to remotely monitor these systems and download system generated reports, and provide the capability to send alarms from remote systems.

  7. Operational staff members must print out the SMDR and CDR information on an as-needed basis. These reports and documents will be treated as "Official Use Only" and shared only with authorized individuals with a need to know. Note that the "Official Use Only" designation must be approved by IRS officials authorized by Delegation Order No. 89, per IRM 11.3.12, Disclosure of Official Information - Classification of Documents. Requests to provide any such information to personnel other than operational staff monitoring switch performance must be made in writing and submitted to the Territory Manager or Computing Center Director. The request must show the name and organization of the requestor and the justification for the request. When the SMDR/CDR records are no longer needed, refer to and follow local site procedures to render these documents unrecoverable.

    Note:

    Refer to IRM 1.15.2, Types of Records and their Life Cycles for more information on records management at the IRS.

  8. The operational staff must maintain records of phone number assignments. The IRS recommends that switch software reports be used to assist in maintaining records of feature assignments, such as class-of-service and designations. These records must be updated by the operational staff at a minimum of once per quarter.

  9. For analog lines, operational staff must annotate records as to whether the lines are used for fax machines, text-telephone (TTY) device lines, security-approved modems, or other approved devices. Where applicable, the records must show the analog line’s physical location, WSI connections and port assignments on the switch, as well as the assigned user.

  10. The operational staff must use the Telecommunications Asset Tool (TAT) to document the voice switch system. This asset record will not decompose the system to uniquely identify each internal component nor telephone instrument. Remote switches should be entered and tracked separately from the main switch. Refer to IRM 2.13.2, Telecommunications Asset Tool - Waste, Fraud, and Abuse for more information on the TAT.

  11. The operational staff must ensure that all backup copies are stored off-site. Back-up hard copies of system records will be maintained in off-site Disaster-Recovery storage facilities. Retrieval and restoration of backup materials must be performed in accordance with local procedures.

    Note:

    When documents are scanned and/or digitized or saved in hard or soft back up copies, such as compact disk (CD), that copy can be substituted for the paper copies. Refer to IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance for more information.

2.13.8.5  (05-31-2013)
Physical Switch Access, Security and Controls

  1. All authorized IRS personnel and contractors must adhere to the procedures described in this section for accessing, securing, and controlling the main telecommunications switch room and/or Main Distribution Frame (MDF) space. Refer to paragraph (3) of this section for procedures pertaining to non-authorized IRS personnel and contractors. Note that the local UNS site management must control access to the intermediate distribution frame (IDF).

  2. All access doors to the main telecommunications switch room and/or MDF space must be locked using a card-key or combination lock system for entry. The card key and/or combination-lock system must be kept current in accordance with local site standards to ensure that only authorized staff members have access to the main telecommunications switch room and/or MDF space. Refer to the IRS’ Facilities Design Standards published by the Agency-Wide Shared Services (AWSS) for more information on physical security. This document is available at: http://awss.web.irs.gov/Facilities/A&E/pffdc.pdf . In addition, refer to IRM 1.16.12, Facility and Property Protection for more information on physical security.

  3. Non-authorized personnel and contractors must complete and sign IRS Form 5421, Restricted Area Register, in order to gain access to any controlled telecommunications switch room or MDF space. This form is available at: http://core.publish.no.irs.gov/forms/internal/pdf/42517k06.pdf.

  4. At all times, an authorized IRS employee must escort all non-authorized personnel and contractors, who do not have staff-like access while in an IRS-managed telecommunications switch room and/or MDF space. Non-authorized personnel and contractors are temporarily authorized access after completing the required form as indicated in paragraph (3) of this section. If non-authorized IRS personnel and contractors have not completed the required forms, they should not have access to the telecommunications switch room and/or MDF space, whether they are escorted or not.

  5. IRS personnel associated with escorting new on-site vendor personnel must request from the Contracting Officer’s Technical Representative (COTR) that the following confirmations are included in the Statement of Work:

    • The vendor contractual instrument has language addressing non-disclosure agreements and background checks.

    • The vendor has successfully passed the required IRS background check.

    • The vendor has valid and appropriate identification upon request.

    • The IRS personnel escort needs to validate the need and authorization of the vendor being escorted into the telecommunications switch room and/or MDF space.

2.13.8.6  (05-31-2013)
Switch Control Access

  1. All authorized IRS personnel and contractors must adhere to the procedures described in this section for switch control access.

  2. Any maintenance port available for remote access that has a modem connected for access to IRS networks will be locked and in the control of the IRS operational staff or other designated officials.

  3. The local operational staff (or designated official) will unlock and connect a modem to the switch upon a verified vendor maintenance request, and will disconnect and secure the modem when the vendor has completed the maintenance work. The modem cannot remain attached to the port and be continually active unless a Security Certification and/or Waiver has been granted by the local security official within the IT Cybersecurity Office. The local operational staff must contact the IT Cybersecurity local security official/specialist assigned to that location if a Security Certification and/or Waiver is required.

  4. If practical and approved by Security, dial-back authentication on maintenance modem port connections will be utilized.

  5. Local management must protect access to switch software and feature management through authentication controls. These controls must comply with Security procedures for passwords on IRS computing systems, including password configuration and aging requirements. Timed auto-logoff features are to be enabled on the switch. Terminal devices are not to be left logged on when unattended. Passwords for access are to be provided only to those employees whom local management has designated as requiring access to the switch. Each approved telecommunication specialist with access to the switch must have a unique login and password to access the system.

  6. Such access requires completion of Form 5081, Information System User Registration/Change Request and approval by local management. This form is available at: http://core.publish.no.irs.gov/forms/internal/pdf/23590b00.pdf .

  7. When the switch’s operating system is reset or restored, ensure that the reset or restore does not reinstate the manufacturer’s default embedded logins and passwords. Before the switch is returned to service, verify that the vendor default accounts remain disabled or carry non-default passwords.

  8. If the system does not feature automatic logoffs based upon timed console inactivity, the local management must develop procedures to ensure that logoffs occur at the site.

  9. Any administrative terminal with access to the switch will be provided with physical controls and placed in a location to prevent unauthorized viewing or access.

  10. All individuals with a need to know must protect any printouts, documents of system records, or sensitive voice related documents in compliance with IRS standards. To dispose of sensitive voice related documents, use site procedures that render Sensitive But Unclassified (SBU) documents unrecoverable. Refer to IRM 1.15.2, Types of Records and their Life Cycles for more information on records management at the IRS.

2.13.8.7  (05-31-2013)
User Access to Telecommunications Services

  1. Users can request IRS telecommunication services by completing a service request through the Operations Support (OS) Get It Services at: http://ds00001d.dcc.irs.gov:11182/oaa/login.jsp . A documented service request, including management authorization, using currently prescribed local procedures, is required for all adds, moves and changes in existing voice service(s).

  2. The following features are to be disabled (prohibited or deactivated) or restricted on the IRS telecommunications switch, as indicated.

    • Prohibit 900 number access.

    • Prohibit trunk-to-trunk transfer outside of the IRS telephone network.

    • Prohibit access to outgoing trunks via voice-mail systems.

    • Restrict Class of Service restriction levels (set to the lowest appropriate level for the business unit/job function requirements).

    • Prohibit access for transfer to Trunk Activation Codes on those switches with this feature.

    • Deactivate all Trunk Verification Codes.

    • If an automated attendant port is utilized, restrict the port’s transfer capability so that callers cannot transfer from the attendant menu to an outside area utilizing trunk access codes.

    • Restrict Facility restriction levels (set to the highest level appropriate for user needs). Separate Facilities Restriction levels are to be established for voice mail trunks.

    • Prohibit access to commercial long distance calling.

    • Prohibit direct selection of a trunk.

    • Allow call forwarding on a case by case basis, provided the action is approved by local management, and only for local or toll free numbers. If the switch cannot be programmed to allow call forwarding on a case by case basis, then call forwarding outside the switch is prohibited unless prior approval has been obtained from the ACIO of UNS, and then only for local or toll free numbers.

    • Prohibit 411 access. Users must use FTS directory assistance services, (NPA) 555–1212, in lieu of 411.

    • Prohibit access to any cost-impacting area codes or local exchanges. In this context, the intent is to prohibit calls to those area codes or exchanges where the call imposes an additional charge beyond the cost of the call. Some of these calls include exchanges for pay-services (such as area code 976) or area codes outside the United States where additional charges are added beyond the cost of the call (such as area code 809).

    • Prohibit calls to Telephone Company operators.

    • Prohibit all Direct Inward System Access (DISA) services.

    • Prohibit international calling, unless subject to business need justification.

      Note:

      If international calling is justified, the Business Unit employee's first level manager must approve the service and submit the request to the local Designated Agency Representative (DAR) to be registered using the Telecommunications Asset Tool (TAT). This will suffice for approval, and an exception request will not be required. However, EUES is responsible for coordinating the features and functionality of the telecommunication systems at the IRS. EUES will coordinate with each Business Unit the telephone features needed for individual employees to effectively complete their work assignments. Once international calling is approved, the local Federal Technology Service (FTS) DAR must submit an FTS service request order using the TAT web site at: http://tat.web.irs.gov/ to add the phone number(s) to the current General Services Administration (GSA) FTS contract.
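The restrictions in paragraph (2) are normally expressed as class-of-service, facility-restriction-level and Time-of-Day tables on the switch, which differ by vendor. The following is an added example, not IRS or PBX-vendor code: it models those restrictions as a single screening function over the digits dialed after the outside-line access code, so the policy can be checked against sample dial strings before it is keyed into the switch. The local area codes, toll-free area codes, office-hours window, and the routing of domestic toll calls over FTS rather than a commercial carrier are assumed values, not taken from this IRM; trunk-to-trunk transfer and trunk access codes are call-state features and are not modelled here.

```python
"""Outbound dial-string screening modelled on the switch feature restrictions in
2.13.8.7(2). Added example, not IRS or PBX-vendor code. The function takes the
digits dialed after the outside-line access code and returns an ALLOW/DENY
decision together with the governing rule.

Assumed values (not from the IRM): the site's local area codes, the toll-free
area codes, the office-hours window used for Time-of-Day blocking, and the
routing of domestic toll calls over FTS instead of a commercial carrier.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import time


@dataclass
class Station:
    extension: str
    international_exception: bool = False  # approved exception per 2.13.8.7(2) note


@dataclass(frozen=True)
class DialPlan:
    local_npas: frozenset = frozenset({"202"})                           # assumption
    toll_free_npas: frozenset = frozenset({"800", "866", "877", "888"})  # assumption
    blocked_npas: frozenset = frozenset({"900", "809"})  # cost-impacting NPAs named in the IRM
    blocked_nxx: frozenset = frozenset({"976"})          # pay-service exchange named in the IRM
    office_hours: tuple = (time(6, 0), time(20, 0))      # assumption: Time-of-Day window

    def screen(self, dialed: str, station: Station, now: time) -> tuple[str, str]:
        """Return (decision, reason) for digits dialed after the outside-line access code."""
        digits = re.sub(r"\D", "", dialed)
        if digits == "911":
            return "ALLOW", "emergency services (always provided)"
        if digits in ("0", "00"):
            return "DENY", "telephone company operator"
        if digits == "411":
            return "DENY", "411 directory assistance; use (NPA) 555-1212 via FTS"
        if digits.startswith("011"):
            if not station.international_exception:
                return "DENY", "international calling requires an approved exception"
            return self._toll("FTS international", now)
        # Domestic NANP number: optional leading 1, then NPA-NXX-XXXX.
        m = re.fullmatch(r"1?(\d{3})(\d{3})(\d{4})", digits)
        if m is None:
            if re.fullmatch(r"\d{4,5}", digits):
                return "ALLOW", "internal extension"
            return "DENY", "unrecognized dial string"
        npa, nxx, line = m.groups()
        if npa in self.blocked_npas or nxx in self.blocked_nxx:
            return "DENY", f"cost-impacting destination {npa}-{nxx}"
        if nxx == "555" and line == "1212":
            return "ALLOW", "FTS directory assistance"
        if npa in self.toll_free_npas:
            return "ALLOW", "toll free"
        if npa in self.local_npas:
            return "ALLOW", "local"
        return self._toll("FTS domestic long distance", now)

    def _toll(self, route: str, now: time) -> tuple[str, str]:
        """Toll calls ride FTS trunks (assumption) and are subject to Time-of-Day blocking."""
        start, end = self.office_hours
        if not (start <= now < end):
            return "DENY", f"{route} blocked outside office hours (Time-of-Day)"
        return "ALLOW", route


if __name__ == "__main__":
    plan, desk = DialPlan(), Station("4021")
    for s in ["911", "411", "0", "1-900-555-0199", "202-555-0100", "1-809-555-0101",
              "415-555-0100", "212-555-1212", "011-44-20-7946-0958"]:
        print(f"{s:>22} -> {plan.screen(s, desk, time(10, 0))}")
```

The checks are ordered so that the unconditional rules (911 always allowed; operator, 411 and cost-impacting destinations always denied) are decided before any station-specific exception or Time-of-Day window is consulted, which mirrors the IRM's own structure: an approved international exception does not unlock 900 numbers or after-hours toll calls.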

  3. The IRS will restrict all provided telephones for taxpayers use in public-contact areas to only allow internal, local, and toll free calls.

  4. Feature exceptions will be approved on a case-by-case basis. The exception request requires the customer’s organizational management approval as well as approval by local management and for certain exceptions, as noted below, approval by the ACIO of UNS. Exceptions can be written on a per-employee basis or per-business unit basis as warranted (for example, if an entire group requires international calling, one exception can cover the entire group; separate exceptions are not needed for each individual employee in this case). Local operational staff must maintain copies of approved exemptions with switch records and they are to be made available for reference during Security reviews. On an annual basis, the customer/business unit and local management will review these exceptions and re-certify as required.

    Note:

    The Manager of Enterprise Voice Services within UNS maintains the records of all exception requests. All exception requests must be processed through this branch for consideration.

  5. Unless prior written authorization is obtained from the local management, contractor personnel will not have access to IRS voice-mail services. The local management will maintain a list of approved exceptions.

  6. No modems will be connected to any system without a prior approved Security Certification or approved Waiver by Security officials.

  7. As appropriate for the site, Time-of-Day options will be used to block toll calls outside routine office hours. To minimize inconvenience to employees working overtime, care should be taken to only impose such restrictions during times when it would reasonably be expected that there are no users in need of the IRS telephone system.

  8. Guidance shall be in place to notify IRS personnel and contractors of the following additional restrictions (subject to approved exceptions):

    • Collect Calls are not to be accepted.

    • Use of services offering the automated dialing of numbers obtained via directory assistance is prohibited.

    • Transferring any call from an unknown caller to an outside line, except for a direct transfer to an IRS assistance line (i.e., 800-829-1040) is prohibited.

    • Regardless of whether switch capabilities for such features have been blocked, IRS employees and contractors are not to call 900 numbers, 411 for directory assistance, 0 for the operator, international numbers (unless a business need exists and has been submitted for approval), or any of the cost-impacting area codes described above. System Administrators should use the FTS for employee information assistance (for example, 1-XXX-555-1212).

  9. Local operational staff must provide the following telecommunications services to all voice subscribers on the switch:

    • Emergency services, including but not limited to 911, will be provided to all users.

  10. Local UNS management must ensure that prompt action is taken to remove access to telecommunications services and voice mail for any IRS employee or contractor upon their departure.

2.13.8.8  (05-31-2013)
Switch Monitoring

  1. All IRS telecommunication switches are monitored at all times and are required to be equipped with SMDR, CDR, or equivalent capabilities, as well as hacker alarm software.

  2. The telecommunications switch is dependent on vendor system administrative logging capabilities. Authorized IRS personnel must activate or identify the following auditable events (refer to IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance for more information):

    • System logon

    • System logoff

    • Password changes

    • Start-up/disable/clearing audit logs

    • Dial-up access and system configuration change events

    • Any other events pertinent to security oversight of PBX operations.

  3. On a monthly basis, the local operational staff must run and analyze system reports to include SMDR, CDR, and trunk utilization to determine possible areas of misuse or abuse of telecommunication resources or changes in system resources. Information must be recorded using a monthly checklist. Any inconsistencies must be reported to management.

    Note:

    The operational staff members who run and analyze the system reports must not have administrative capabilities on the system, so that separation of duties is preserved. Additionally, the local UNS management receiving the results of the reports should not have any administrative capabilities on the system.

  4. The following list indicates the items and conditions that local IRS operational staff must review.

    1. Review SMDR and/or CDR information and the output of the hacker tracker (toll-fraud alarm) software.

    2. Note any excessively long calling/holding times, which could indicate modem access, a line in trouble, or some form of misuse.

      Note:

      IRM 2.13.2, Telecommunications Asset Tool, Waste, Fraud, and Abuse lists the major concerns that the IRS reviews to limit waste, fraud, and abuse of telecommunications assets. These concerns include: phone card calls of 60 minutes or more to non-government locations; government telephone calls of 60 minutes or more to non-government locations; the same non-government number called 5 or more times in one month for an aggregate of 200 minutes or more; non-government locations called after hours (8:00 PM - 4:00 AM); calls to non-government locations in questionable destinations, such as Area Code 809 (Caribbean) or 702 (Nevada), with additional destinations added based on review; cancellation fines for conference calls not cancelled timely; and calls over 1,440 minutes (1 day). Refer to IRM 2.13.2, Telecommunications Asset Tool (TAT), Waste, Fraud, and Abuse for more information.

    3. Note any evidence of usage problems with incoming lines (which could signal possible modem access attempts and/or attempts at denial of service). An example of such evidence could include large numbers of short-duration attempted calls.

    4. Record any sudden changes in normal calling patterns, such as increases in after-hours, weekend, or holiday calls.

    5. Record any out-of-the-ordinary number of international calls.

    6. On a semi-annual basis, review trunk reports to verify all-trunks-busy frequency. This review will assist in determining whether the site may warrant additional trunks.

      Note:

      This function is performed semi-annually and not on a day-to-day basis.

    7. Indicate if Trunk Group reports show overflow (such as, FTS calls frequently overflowing onto local circuits). This indication will assist in determining whether the site may warrant additional dedicated FTS trunking.

      Note:

      Trunks that show little or no usage could indicate that the system is over-trunked and could be reduced. A trunk with no utilization could also indicate trunk failure requiring corrective action (this is more likely when the trunk with little or no use sits in the middle of a trunk group).

    8. Perform trend analysis on an ongoing basis on the data collected as referred to in paragraphs 1 through 7 above to provide a historical baseline.

      Note:

      Local operational staff must maintain enough data to perform this analysis. Also, this procedure is performed on a day-to-day basis.

    9. Monitor any patterns indicated by user complaints, such as frequent busy signals or slow responses; incoming numbers on phones appearing without rings; increase of wrong-number calls or silent hang-ups; and high-pitched noises evident on phone lines.

    10. Where available, enable Security Violation Notification features. Security-related parameters will be set to alert the System Administrator when established limits are exceeded and/or violated.

    11. If any of the above conditions (refer to items 1 through 10) occur, the operational staff will take appropriate steps and report the discrepancies to the IT Cybersecurity staff, and the report will be forwarded up to management for resolution.
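    The monthly review in paragraphs 3 and 4 above can be scripted against the SMDR/CDR export. The following Python script is an added example, not IRS code, and not taken from any vendor's reporting tool. It applies the IRM 2.13.2 thresholds quoted in the note to item 2 (60-minute calls, 5 calls/200 minutes to one number, 8:00 PM - 4:00 AM, area codes 809 and 702, calls over 1,440 minutes) and the inbound short-call burst and international-volume checks of items 3 and 5. The CSV column layout, the list of numbers treated as "government" (the 800-829-1040 assistance line plus a constructed 202 prefix), and the burst and international thresholds are assumptions, because SMDR/CDR formats and agency dial plans are site-specific; the sample month of records is constructed.

```python
"""Monthly CDR/SMDR review applying the IRM 2.13.2 criteria quoted above.
Added example, not IRS code. The CSV layout, the government-number list and
the burst/international thresholds are assumptions; the rest are IRM figures."""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Thresholds quoted from IRM 2.13.2.
LONG_CALL_MIN = 60                 # 60+ minutes to a non-government number
REPEAT_CALLS, REPEAT_AGG_MIN = 5, 200   # same number 5+ times, 200+ minutes, in a month
ONE_DAY_MIN = 1440                 # call over one day (stuck line, modem session)
AFTER_HOURS = (20, 4)              # 8:00 PM to 4:00 AM
QUESTIONABLE_AREA_CODES = {"809", "702"}   # Caribbean, Nevada; extend as reviewed
# Assumed values, not from the IRM.
SHORT_CALL_SEC = 10                # inbound attempt shorter than this counts toward a burst
BURST_COUNT = 3                    # short attempts from one caller suggesting war-dialing/DoS
INTL_PER_MONTH = 2                 # international calls per month that merit review
GOVERNMENT_NUMBERS = {"8008291040"}        # IRS assistance line cited in the text
GOVERNMENT_PREFIXES = ("202",)             # constructed: treated as agency numbers

# Constructed sample month. Assumed vendor layout: start, direction, station,
# number, duration in seconds. Numbers use the reserved 555-01xx range.
CONSTRUCTED_CDR = """\
start,direction,station,number,seconds
2013-05-06 09:12:00,out,4101,1-202-555-0147,420
2013-05-06 13:40:00,out,4102,1-809-555-0199,90
2013-05-06 22:15:00,out,4103,1-303-555-0177,600
2013-05-07 10:00:00,out,4104,1-702-555-0123,1200
2013-05-07 11:05:00,out,4105,1-512-555-0155,4200
2013-05-08 03:30:00,out,4106,1-415-555-0101,90000
2013-05-09 14:00:00,out,4107,1-212-555-0188,2700
2013-05-10 14:00:00,out,4107,1-212-555-0188,2700
2013-05-11 14:00:00,out,4107,1-212-555-0188,2700
2013-05-12 14:00:00,out,4107,1-212-555-0188,2700
2013-05-13 14:00:00,out,4107,1-212-555-0188,2700
2013-05-10 15:00:00,out,4108,011-44-20-7946-0001,300
2013-05-10 15:10:00,out,4108,011-44-20-7946-0002,300
2013-05-14 02:00:00,in,4101,1-310-555-0111,3
2013-05-14 02:01:00,in,4102,1-310-555-0111,3
2013-05-14 02:02:00,in,4103,1-310-555-0111,3
2013-05-14 09:00:00,in,4101,1-303-555-0122,180
"""

def canonical(number):
    """Digits only; drop the leading 1 from 11-digit NANP numbers."""
    n = "".join(ch for ch in number if ch.isdigit())
    return n[1:] if len(n) == 11 and n.startswith("1") else n

def is_government(number):
    n = canonical(number)
    return n in GOVERNMENT_NUMBERS or n.startswith(GOVERNMENT_PREFIXES)

def area_code(number):
    """NANP area code, or None for international (011) and malformed numbers."""
    n = canonical(number)
    return n[:3] if len(n) == 10 and not n.startswith("011") else None

def after_hours(ts):
    return ts.hour >= AFTER_HOURS[0] or ts.hour < AFTER_HOURS[1]

def parse_cdr(text):
    for rec in csv.DictReader(io.StringIO(text)):
        yield {"start": datetime.strptime(rec["start"], "%Y-%m-%d %H:%M:%S"),
               "out": rec["direction"] == "out", "station": rec["station"],
               "number": canonical(rec["number"]), "minutes": int(rec["seconds"]) / 60}

def analyze(text):
    """Return {rule: [findings]} for one month of CDR records."""
    findings = defaultdict(list)
    per_number = defaultdict(list)   # outbound non-government number -> call minutes
    bursts = defaultdict(int)        # inbound caller -> count of very short attempts
    intl = []
    for r in parse_cdr(text):
        st, num = r["station"], r["number"]
        if r["minutes"] >= ONE_DAY_MIN:
            findings["over_one_day"].append((st, num))
        if r["out"] and not is_government(num):
            per_number[num].append(r["minutes"])
            if r["minutes"] >= LONG_CALL_MIN:
                findings["long_call"].append((st, num))
            if after_hours(r["start"]):
                findings["after_hours"].append((st, num))
            if area_code(num) in QUESTIONABLE_AREA_CODES:
                findings["questionable_destination"].append((st, num))
            if num.startswith("011"):
                intl.append((st, num))
        elif not r["out"] and r["minutes"] * 60 < SHORT_CALL_SEC:
            bursts[num] += 1
    for num, mins in per_number.items():
        if len(mins) >= REPEAT_CALLS and sum(mins) >= REPEAT_AGG_MIN:
            findings["repeat_number"].append((num, len(mins), round(sum(mins))))
    for caller, n in bursts.items():
        if n >= BURST_COUNT:
            findings["inbound_burst"].append((caller, n))
    if len(intl) >= INTL_PER_MONTH:
        findings["international_volume"] = intl
    return dict(findings)
```

Running analyze(CONSTRUCTED_CDR) yields one finding per rule for the sample month: the 1,500-minute call from station 4106 trips both the 60-minute and the one-day checks, the 809 and 702 destinations are flagged, station 4107's five 45-minute calls to one number are caught only by the aggregate rule, and the three 3-second inbound attempts from one caller at 2:00 AM are reported as a burst. The script is deliberately split into pure functions so that the thresholds can be tuned per site and the same report can be re-run against prior months to build the historical baseline called for in item 8; the reviewer who runs it should, per the note to paragraph 3, not hold administrative rights on the switch.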

2.13.8.9  (05-31-2013)
Voice System Backup

  1. The local operational staff must perform voice system backups at a minimum of once per month and prior to any major modifications, as stipulated in IRM 10.8.1, Information Technology (IT) Security Policy and Guidance. Information to back up includes the system software and subscriber database. The voice system backup must include all phone number assignments, user features, and classes of service. This will facilitate restoration in the event of a switch failure. If there is no convenient IRS or secure facility that can be used for off-site storage, a waiver must be granted until such time as funds are made available for appropriate off-site storage.

  2. A current copy of documentation (noted in Section 2.13.8.4, Telecommunications Record Keeping of this IRM), a backup copy of the current switch operating system, and any support documentation (Service Level Agreements (SLAs) or other agreements with switch service providers and/or local exchange carriers) must be secured and stored at the off-site facility.

  3. A backup copy of the current switch operating software and a list of current emergency contact telephone numbers for representatives of Local Exchange Carriers and switch service providers must be maintained in a secure on-site area.

  4. The off-site storage location must meet the guidelines specified in the local Security and Disaster Recovery procedures, as stipulated in IRM 10.8.1, Information Technology (IT) Security Policy and Guidance.

2.13.8.10  (05-31-2013)
Switch Installation and Relocation

  1. Local management shall ensure that all IRS telecommunication switches are installed in secure facilities and in accordance with applicable electrical codes and manufacturer’s recommendations, as stipulated in IRM 1.16.12, Physical Security Standards - Facility and Property Protection.

  2. IRS voice telecommunications equipment co-located with other computer operations must comply with the requirements established in IRM 1.16.12, Physical Security Standards - Facility and Property Protection; IRS Facilities Design Standards; and any other IRS standard relating to IRS co-located facilities.

  3. Local operational staff must monitor the temperature and humidity within each switch room. Local facilities management must control the temperature and humidity to ensure ongoing conformance with manufacturer’s specifications. Authorized IRS employees must document occurrences of extreme variances, and take appropriate action to rectify any problems including shutting down equipment if necessary.

  4. Exterior walls for telecommunications switch rooms must be slab-to-slab. Slab-to-slab is defined to be from the structural floor to the structural ceiling. Local operational staff must ensure compliance with the physical descriptions stated in IRM 1.16.12, Physical Security Standards - Facility and Property Protection; refer to that IRM for more information.

2.13.8.11  (05-31-2013)
Modems

  1. All modem installations require documented business justifications and must receive prior formal management review by Business Unit management (if applicable), the local IT management, and the local IT security specialist (through the IT Cybersecurity Office). Any connection of modems to the telecommunications system(s) requires a prior Security review as well as a Certification approved by authorized IRS officials.

  2. Once approved, computers with modem connections are to be restricted to lines that are dial-out only, phantom numbers, or in-house only (not Direct Inward Dial (DID) numbers). DID lines may only be used when sufficient justification has been provided and approval has been obtained from management and the local security specialist.

  3. In the event that a system connected to the network requires a DID line for diagnostic purposes, the modem must be disconnected from the system except when a problem occurs that requires diagnostic access. The DID line is to remain connected to the system only for the duration of the diagnostic session and must be disconnected immediately after the diagnostics have been completed. Diagnostic sessions are usually performed by the modem vendor that monitors the IRS modem. Local operational staff must verify that the vendor diagnostics are complete by confirming that the modem operates correctly after it is disconnected from the DID line. Once correct operation has been verified, the local operational staff must obtain a signed verification from the modem vendor. This verification is kept on file at the site.

  4. Any request for such DID modem access will require a specific justification for this access, approved by two levels of Business Unit management (if applicable) as well as the local IT management and the local IT security specialist through the IT Cybersecurity Office.

  5. Modems routing through the voice switch shall be identified by the station number in the line inventory and will be re-validated annually. This re-validation is to include a statement of the ongoing need approved by the Business Unit user (two levels of management) (if applicable) and the local security specialist.

2.13.8.12  (05-31-2013)
Voice Mail

  1. The majority of voice-mail services for the IRS are provided by the Voice Messaging System (VMS). The Enterprise Voice Messaging Office has already established security procedures for managing and administering the VMS system. Refer to IRM 2.13.4, Voice Messaging System for more information.

  2. Generic voice-mail systems and services on local key systems are subject to the following additional guidelines:

    1. Acquisition of new voice-mail systems must be coordinated with the VMS Office.

    2. Call transfers through voice mail are to be restricted to only in-house numbers.

    3. All voice-mail lines with out-calling capabilities shall be restricted to local and toll-free dialing. Access to long-distance trunks shall be blocked.

    4. Any collect call options on the automated attendant are to be blocked.

    5. Login retries should be restricted to no more than four attempts before automatic system disconnect.

    6. New user accounts shall force change of password on first login attempt.

    7. Password-aging features are activated to ensure passwords are changed at a minimum of every 90 days.

2.13.8.13  (05-31-2013)
Training

  1. Offices supporting voice operations must follow a training curriculum appropriate to the voice telecommunications environment, developed in collaboration with the operational staff and IRS employees as stipulated by UNS management. Enterprise Voice Messaging System training is available within the IRS; advanced vendor training is available as external training.

2.13.8.13.1  (05-31-2013)
Operational Staff Training

  1. Formal operational staff training plans must be related and tailored to staff areas of responsibility and skill levels.

  2. Additional individual training may include the following telecommunication topics, depending on the voice system and level of staff operation:

    • Voice Switch Architecture

    • Voice Switch Systems Management and Administration

    • Universal Wiring Implementation

    • Integrating Voice Mail

    • Video Conferencing

    • Telephony Integration Issues (e.g., Voice over Internet Protocol (VoIP))

    • Voice Switch Security Oversight

    • Privacy and Disclosure Considerations

    • Maintaining Voice Switch Hardware

    • Security Awareness

    • Social Engineering

    • Carrier Tariff and Legal Issues

    • Technological and Industry Trends

    • Switch Performance Management

    • Automatic Call Distribution

    • Mobile Communications and Wireless.

  3. Local management must ensure that adequate training of staff is provided before responsibilities are assigned, that there is follow-up training for IRS employees, and that as new staffing is hired they receive adequate training for their jobs. Local Management must also ensure that there is a program of continuing training for all operational staff.

  4. All telecommunications training must maximize the use of IRS core curriculums.

    Note:

    Specialized equipment may require additional training from equipment vendors or other outside sources.

2.13.8.13.2  (05-31-2013)
IRS Staff Awareness Training

  1. Telecommunications security must be part of the annual security awareness briefing to all IRS employees as well as new employee orientation, as stipulated in IRM 10.8.1, Information Technology (IT) Security Policy and Guidance.

  2. Security awareness topics to be covered for all IRS employees and contractors include:

    • Effective password construction and protection.

    • IRS’ prohibition on accepting collect telephone calls, unless an approved exception is in place.

    • Prohibited access to outside lines via transfer to unknown parties.

    • User awareness of voice-mail or pager messages that could result in special toll charge calls (e.g., to 809 and 491 area codes).

    • User awareness to not return calls when a return call is requested by an automated system.

    • User awareness to not provide information to callers regarding the organization’s telephone systems.

    • Proper disposal of media (paper, disks, tapes, etc.) containing IRS employee names and telephone numbers or other Sensitive But Unclassified information, as stipulated in IRM 1.15.2, Types of Records and their Life Cycles.

    • User awareness to ensure that only phone numbers used for public contact are published in directory services, on web sites, or posted in buildings.

    • User awareness on safeguarding telephone contact information placed on intranet and Internet web sites.

    • User awareness on how to report any unusual line behavior, such as frequent clicking, high-pitched noises, and frequent hang-ups on received calls to the local operational staff.

  3. On an annual basis the ACIO of UNS will issue written reminders to all IRS employees on these practices, as well as the proper and authorized use of telecommunications services throughout the Enterprise.

2.13.8.14  (05-31-2013)
Theft of Telephone Service

  1. Government agencies, such as the IRS, that accept high call volumes from the public at large are often targeted for theft of telephone services by second or third parties. Perpetrators may ask to verify calls illegally charged; ask to have a call placed for them; request transfer to an operator; request an outside line after hours; or solicit personal or proprietary information. They may also represent themselves as technicians or management personnel. Actions to prevent this form of fraud include:

    • Training employees on potential risks and construction of effective passwords. Voice risk criteria shall be included in new hire orientations and annual security awareness training must be provided.

    • Utilizing strategies such as not accepting collect or third-party calls and not placing blind transfers outside of a local calling area. Exceptions require appropriate authorization from the ACIO of UNS.

    • Not providing information to a caller regarding the organization’s telephone systems or organizational locations.

      Note:

      If an IRS employee is suspicious that a caller is attempting to commit a fraudulent use on the IRS Telecommunications System, record caller’s number and name, if possible, and report the caller to management.

    • Not publishing sensitive phone numbers in directory services, on web sites, or on data or voice services banners. Sensitive phone numbers must not be posted in buildings or verbally communicated to unknown entities.

    Note:

    Refer to the systems vendor manuals for additional information on blocking area codes and 411 calls.

2.13.8.15  (05-31-2013)
Contingency Planning

  1. The Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, Appendix III mandates that "Agencies shall establish policies and assign responsibilities to assure that appropriate contingency plans are developed and maintained by end users of information technology applications."

  2. All operational staff must provide input and identify issues related to the site Disaster Recovery Plan and coordinate activities as required during planned tests and actual emergencies, using a general checklist for contingency planning. UNS has sample forms of general checklists used at the IRS available on their web site at: http://en.web.irs.gov/default.aspx. These forms include:

    1. Recovery Checklist

    2. IT Manager's Checklist

    3. Sample On-Site Log

    4. Sample Off-Site Log.

2.13.8.15.1  (05-31-2013)
General Checklist for Contingency Planning

  1. Operational staff must use one of the four types of general checklists for contingency planning. The general checklist is a tool used for evaluating equipment and resources in the telecommunications switch room or MDF space. It clarifies the criteria that should be considered when evaluating equipment and resources in a particular area. It is a useful tool for planning, monitoring, and guiding operations and assessing outcomes.

  2. The General Checklist for Contingency Planning is used for:

    1. Maintaining a comprehensive and current inventory of voice telecommunications equipment, as described in Section 2.13.8.4, Telecommunications Record Keeping of this IRM, to include switching equipment, multiplexers and concentrators, diagnostic devices, modems, telecommunications controllers, telecommunications lines, and software configurations.

    2. Maintaining descriptions of bandwidth and circuit identification of telecommunications channels.

    3. Maintaining applicable vendor contracts on site. On-site manufacturer operations manuals must reflect current editions.

    4. Maintaining voice system backup provisions consisting of contracts with the telephone company provider to automatically reroute lines on the basis of proper IRS notification; location of company switching devices outside of the main facility; and procedures for switching facilities to one or more alternate sites.

      Note:

      All plans must include IRS technical personnel and vendor availability.

    5. Evaluating whether an alternate contingency site has sufficient voice trunking, and testing it annually. Media, hardware, and software serialization compatibility must be considered during the planning stage.

    6. Off-site storage locations must meet the guidelines specified in the local Security and Disaster Recovery procedures, as stipulated in IRM 10.8.1, Information Technology (IT) Security Policy and Guidance. The voice system backup media shall be made readily available to the local operational staff, as required.

    7. Specifying vendor technician response time minimums in all maintenance and other support agreements.

    8. Reviewing and updating the Disaster Recovery Plan on an annual basis and making updates to the plan as required.

    9. Testing Uninterruptible Power Supply (UPS) capability on a semi-annual basis.

    10. Maintaining current emergency telephone numbers for local exchange carriers, inter-exchange carriers, and vendor help lines.

    11. Storing network documentation and backup data files off-site.

    12. Maintaining emergency procedures for protection of hardware, system software, messaging software, distribution, mailbox information, and audit trails.

2.13.8.15.2  (05-31-2013)
Security Incident Reporting

  1. A security incident at the IRS is an adverse event associated with an information system that results in a failure to comply with security regulations or directives; attempted, suspected, or actual compromise of information; or waste, fraud, abuse, loss, or damage of government property or information. The report form is available at: https://www.csirc.web.irs.gov/incident/. Include the following information in the report:

    • Describe the incident, its impact, current status, any notifications, and follow-up actions.

    • Maintain information concerning past security incidents.

    • Evaluate the effectiveness of incident response procedures on an annual basis.

    • Provide incident reporting information to the local data security office when an incident may affect multiple sites.

      Note:

      Employees should contact their manager or an Information Services (IS) security specialist for assistance. The incident report routing and follow-up actions depend on the reported situation.
