2.13.11  Day-to-Day IT Security Procedures for Enterprise Networks

2.13.11.1  (08-05-2009)
Purpose

  1. This IRM establishes the Information Technology (IT) security duties and day-to-day procedures and processes within Internal Revenue Service's (IRS) Enterprise Networks (EN).

  2. This IRM applies to all EN personnel, IRS contractors, and other IRS organizations and personnel that perform or support any telecommunication and networking information technology security activities. These activities include work with IRS sensitive but unclassified (SBU) systems and information as well as national security systems and information.

  3. As part of satisfying Congressionally mandated requirements, EN has established and implemented a comprehensive EN IT Security Program that works in concert with, supplements, and enhances the security requirements provided in IRM 10.8.2, Information Technology Security Roles and Responsibilities.

  4. All EN personnel and contractors who perform administrator duties within the EN IT Security Program shall have a thorough working knowledge of the following IT Security IRMs:

    • IRM 1.16.1, Physical Security Program

    • All of IRM Part 2, Information Technology

    • IRM 10.8.1, Information Technology Security Policy and Standards

    • IRM 10.8.2, Information Technology Security Roles and Responsibilities.

2.13.11.2  (04-01-2007)
Deviations

  1. Deviations from the IRM 10.8.x series shall be processed according to IRM 10.8.1, Information Technology (IT) Security Policy and Standards.

  2. The deviation process and related information on deviations are located on the Cybersecurity web site. Refer to http://mits.web.irs.gov/Cybersecurity/Policy_Compliance/deviation_process.htm for information on deviations.

  3. Deviations must be signed and approved by the technical point of contact's manager.

  4. Requests are then to be sent to the EN IT Security Team for processing at *MITS EN SECURITY MAILBOX. The EN IT Security Team will distribute the request through the Cybersecurity deviation process, as the team functions as the Designated Accrediting Authority's (DAA) support staff.

    Note:

    If there is a need to deviate from the IRM 10.8.x series, use the same form provided on the Cybersecurity web site, forward the request to the EN IT Security Team, and follow the Cybersecurity concepts.

2.13.11.3  (04-01-2007)
Enterprise Networks Organization

  1. The Enterprise Networks organization is responsible for managing the design and engineering of the telecommunications environment. This responsibility includes the development of long-range enterprise networks strategies and infrastructures supporting the modernization projects, and the management of telecommunications projects for the current production environment and future business initiatives.

  2. EN consists of an Executive Management Team and six divisions, organized as follows:

    • Executive Management Team

    • Enterprise Networks Operations

    • Networks Architecture & Engineering

    • Treasury Net (TNet) Program

    • Enterprise Voice Networks

    • Program Management & Finance

    • Contact Center Support Division

  3. Refer to IRM 2.13.1, Enterprise Networks Roles and Responsibilities, for more information about EN.

2.13.11.4  (04-01-2007)
Enterprise Networks IT Security Duties

  1. EN management and staff are assigned roles defined in IRM 10.8.2, Information Technology Security Roles and Responsibilities, in addition to performing their EN duties.

  2. For information regarding the EN specific roles and responsibilities, refer to IRM 2.13.1, Enterprise Networks Roles and Responsibilities.

2.13.11.4.1  (04-01-2007)
EN Security Team

  1. The EN Security Team will support EN Designated Accrediting Authorities (DAA) in performing their security roles and responsibilities as defined in IRM 10.8.2, Information Technology Security Roles and Responsibilities.

  2. The EN Security Team will provide support to the Modernized Information Technology Services (MITS) Program Management Office (PMO) in performing the security roles and responsibilities as defined in IRM 10.8.2, Information Technology Security Roles and Responsibilities.

  3. The EN Security Team will provide support to EN and non-EN management and technical personnel maintaining EN-owned IT systems in performing their security roles and responsibilities as defined in IRM 10.8.2, Information Technology Security Roles and Responsibilities.

  4. The EN Security Team will consist of EN employees and IRS contractors serving as the Federal Information Security Management Act (FISMA) Liaisons, DAA Points of Contact (POC), and MITS POCs. Other EN employees and contractors can be assigned to the EN Security Team on an as needed basis.

  5. The EN Security team shall:

    1. Provide Designated Accrediting Authority (DAA) day-to-day support in order to meet FISMA requirements

    2. Act as liaisons among EN, the MITS PMO, and Cybersecurity in order to meet FISMA requirements

    3. Coordinate with other MITS organizations to ensure a consistent security posture

    4. Provide guidance to EN personnel on security related topics

    5. Provide support to EN personnel in order to meet FISMA requirements

    6. Coordinate support for Government Accountability Office (GAO) and Treasury Inspector General for Tax Administration (TIGTA) when conducting security audits and for providing status updates on findings and material weaknesses.

  6. The IT Security duties of the EN Security team include but are not limited to:

    • Coordinating Certification and Accreditation activities

    • Coordinating Continuous Monitoring activities

    • Tracking the mitigation of the weaknesses in the Plan of Action and Milestones (POA&M) through status updates, changes to milestones, and additional comments

    • Increasing the understanding of FISMA and other security policy requirements within EN

    • Enhancing FISMA coordination within EN and between EN and other organizations.

2.13.11.4.2  (04-01-2007)
Associate Chief Information Officer for Enterprise Networks

  1. Within MITS, the Associate Chief Information Officer (ACIO) for Enterprise Networks (EN) is the executive leader responsible for the MITS major service-delivery functions. The ACIO for EN reports directly to the IRS Chief Information Officer (CIO). The MITS organizational structure can be viewed on the MITS web site at http://mits.web.irs.gov/Organization/OrgChartRev1.htm.

  2. The ACIO for Enterprise Networks shall:

    • Assume the role of DAA

    • Assume the role of Information System Owner and Information Owner

    • Ensure the program manager(s) define the system security requirements for acquisitions

    • Manage the EN major service-delivery function

    • Support the CIO.

2.13.11.4.3  (04-01-2007)
Management

  1. EN possesses information systems and therefore shall designate one or more program managers for each system.

  2. See IRM 10.8.2, Information Technology Security Roles and Responsibilities, for program manager security responsibilities.

2.13.11.4.4  (04-01-2007)
Operational Staff

  1. Persons assigned the role of Database Administrator assume the security responsibilities defined in IRM 10.8.2, Information Technology Security Roles and Responsibilities.

  2. Persons assigned the role of System Administrator assume the security responsibilities defined in IRM 10.8.2, Information Technology Security Roles and Responsibilities.

  3. Persons assigned the role of Network Administrator assume the security responsibilities defined in IRM 10.8.2, Information Technology Security Roles and Responsibilities.

2.13.11.4.4.1  (04-01-2007)
Web Administrator

  1. EN does perform Web Administration duties and follows security procedures as designated by Enterprise Operations. EN-managed web sites are used exclusively for network administration and cannot be accessed by the general IRS user.

2.13.11.4.4.2  (04-01-2007)
Network Engineer

  1. The EN Network Engineer designs the network architecture and provides technical direction and engineering design as well as the development of configurations and capacity management standards for the IRS.

    Note:

    Within Enterprise Networks, "Network Engineer" is synonymous with the "engineer" or "developer" as defined in IRM 10.8.2, Information Technology Security Roles and Responsibilities.

    Note:

    Enterprise Networks has been designated as the primary telecommunications and networking service provider for the IRS.

  2. Persons assigned the role of Network Engineer assume the security responsibilities defined in IRM 10.8.2, Information Technology Security Roles and Responsibilities, for a developer.

  3. The IT Security duties of the Network Engineer include:

    • Developing, implementing, and monitoring standards and controls to ensure data accuracy, security, and legal and regulatory compliance throughout the system life cycle

    • Coding and documenting scripts and stored procedures

      Note:

      EN codes and documents scripts for network devices and their supporting systems. EN does not code or document scripts for non-telecommunications systems or their support systems at the IRS.

    • Preparing and implementing data verification and testing methods

    • Holding review and approval authority for ensuring that developed products incorporate security and meet user requirements

    • Ensuring that for each information system or application, security is planned for, documented, and integrated into the system development life cycle from the information system or application’s initiation phase to its disposal phase

    • Identifying IT assets and determining the value of those IT assets to implement necessary safeguards.

2.13.11.4.4.3  (04-01-2007)
EN GAO/TIGTA Liaison

  1. The EN Government Accountability Office (GAO)/Treasury Inspector General for Tax Administration (TIGTA) Liaison is not a security role/responsibility specifically, but relates to FISMA activities.

  2. The EN GAO/TIGTA Liaison is responsible for:

    1. Providing DAA support to GAO and TIGTA audits

    2. Acting as the primary Point of Contact within EN for GAO and TIGTA auditors

    3. Coordinating with EN management and technical personnel in support of GAO and TIGTA audits

    4. Coordinating and consolidating all EN responses to GAO- and TIGTA-identified material weaknesses, remediations, and corrective actions

    5. Providing support to EN personnel in GAO and TIGTA audit processes and procedures.

  3. The IT Security duties of the EN GAO/TIGTA Liaison include:

    • Analyzing the information system or application to ensure compliance with the applicable regulations

    • Providing assistance to fully document and update the information system or application in the Risk Assessment Report

    • Reviewing the accreditation documentation for all IRS information systems or applications to confirm that the residual risk is within acceptable limits, as specified by NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems.

2.13.11.5  (04-01-2007)
Enterprise Networks IT Security Procedures and Processes

  1. The remainder of this IRM describes how EN personnel, IRS contractors, and other IRS organizations and personnel that perform or support any telecommunication and networking information technology security activities perform and support their IT Security functions and duties at the IRS. The function is first described, then the process and procedure of the duties are listed, and then a high-level description of each duty is provided.

2.13.11.5.1  (04-01-2007)
Security Inventory Function

  1. The Security Inventory Function within EN is the process of managing and controlling the supply, storage, and accessibility of systems’ items and resources in order to ensure an adequate supply is available at the IRS without excessive oversupply. EN builds and maintains a detailed, itemized list and regularly generates IRS systems inventory reports for management.

  2. A FISMA-compliant inventory is maintained in the Information Technology Contingency Plan (ITCP) documentation. The ITCP contains documents for all EN-owned General Support Systems (GSS) and applications.

2.13.11.5.2  (04-01-2007)
Certification and Accreditation Function

  1. Cybersecurity is the certification authority at the IRS. EN follows and supports the Cybersecurity certification process. The Cybersecurity certification process and related information are located on the Cybersecurity web site. Refer to http://mits.web.irs.gov/Cybersecurity/Certification/default.htm for information on the certification process.

2.13.11.5.3  (04-01-2007)
Continuous Monitoring Function

  1. For continuous monitoring, EN follows and supports the MITS-wide direction, which in turn supports the Cybersecurity continuous monitoring process.

2.13.11.5.4  (04-01-2007)
Account Administration Function

  1. The Account Administration Function within EN is the process of setting up and managing individual or group access to IRS information systems or application resources on an IRS network to ensure proper security access capabilities. Account administration includes granting IRS users the ability to access (read, write, execute, or traverse) files and directories on an information system or application and is consistent with IRS practices across the enterprise.

  2. EN follows the Account Administration functions stipulated in IRM 10.8.2, Information Technology Security Roles and Responsibilities.

2.13.11.5.4.1  (04-01-2007)
Assign and Manage End User Roles and System Privileges

  1. As part of the Account Administration Function, EN must assign and manage IRS end user roles and system privileges on information systems or applications to ensure proper security access capabilities. The procedures and processes that EN uses to assign and manage IRS end user roles and system privileges and how EN personnel perform these duties are identified as follows:

    • Determine or verify user needs for system access using the OL5081 system

    • Determine if user needs training for each system listed and provide assistance, as required

    • Ensure users’ access to an information system or application is restricted to the minimum (least privilege) necessary to perform their job

    • Coordinate with users and/or their manager to resolve any conflicts with level of access requests.

2.13.11.5.4.2  (04-01-2007)
Update and Delete User Accounts

  1. As part of the Account Administration Function, EN must update and delete IRS user accounts on information systems or applications to ensure proper security access capabilities. The procedures and processes that EN uses to update and delete IRS user accounts and how EN personnel perform these duties are identified as follows:

    • Determine or verify need for system access update or deletion using the OL5081 system

    • Update or delete users according to system rules based on IRM 10.8.1, Information Technology Security Policy and Standards (for example, disable after 90 days of inactivity; 120 days of inactivity, etc.).

      Note:

      In case of changes to user accounts due to inactivity, violations, or other suspicious activity, contact the user or manager for verification.
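The inactivity rule and the verification note above can be turned into a repeatable check. The following script is an added illustration, not part of this IRM or any IRS tool: it classifies account records by days since last logon, uses the 90-day disable threshold named above, and treats the 120-day threshold (whose action this IRM does not spell out) as an assumed "review for deletion" step. The account record layout and the sample accounts are constructed for the example. Every proposed change is emitted as a worklist item that still requires contacting the user or manager, as the Note requires, rather than being applied automatically.

```python
"""
Inactivity-based account lifecycle check (added illustration, not IRS code).

Assumptions not taken from the IRM text:
  * accounts are dicts with the fields shown in SAMPLE_ACCOUNTS (constructed data);
  * the action at the 120-day threshold is 'review-deletion';
  * an account that has never logged on is measured from its creation date.
"""
from datetime import date

DISABLE_AFTER_DAYS = 90          # threshold named in the IRM example: disable
DELETE_REVIEW_AFTER_DAYS = 120   # assumed action at the second threshold

# Constructed sample input; these are not real accounts.
SAMPLE_ACCOUNTS = [
    {"user": "jdoe",    "enabled": True,  "created": date(2009, 1, 5),  "last_logon": date(2009, 7, 30)},
    {"user": "asmith",  "enabled": True,  "created": date(2008, 11, 1), "last_logon": date(2009, 5, 1)},
    {"user": "svc-ops", "enabled": False, "created": date(2008, 6, 1),  "last_logon": date(2009, 3, 1)},
    {"user": "newhire", "enabled": True,  "created": date(2009, 4, 20), "last_logon": None},
]


def days_inactive(account, today):
    """Days since the last logon; for accounts that never logged on, since creation.

    Measuring never-used accounts from creation closes the gap where a
    provisioned-but-unused account would otherwise never age out.
    """
    reference = account["last_logon"] or account["created"]
    return (today - reference).days


def classify_account(account, today):
    """Return (action, days_inactive) for one account.

    Actions: 'none', 'disable', 'review-deletion', 'disable-and-review'.
    An account that is already disabled is only escalated, never re-disabled;
    an enabled account past the second threshold gets both actions at once.
    """
    idle = days_inactive(account, today)
    if idle >= DELETE_REVIEW_AFTER_DAYS:
        return ("disable-and-review" if account["enabled"] else "review-deletion"), idle
    if idle >= DISABLE_AFTER_DAYS and account["enabled"]:
        return "disable", idle
    return "none", idle


def review_accounts(accounts, today):
    """Build the administrator's worklist.

    Each item records the proposed change and the verification contact the
    IRM note requires before the change is made; nothing is applied here.
    """
    worklist = []
    for acct in accounts:
        action, idle = classify_account(acct, today)
        if action != "none":
            worklist.append({
                "user": acct["user"],
                "action": action,
                "days_inactive": idle,
                "verify_with": "user or manager",
            })
    return worklist


if __name__ == "__main__":
    for item in review_accounts(SAMPLE_ACCOUNTS, date(2009, 8, 5)):
        print(item)
```

Run against the sample data with a review date of 2009-08-05, the script flags asmith and newhire for disabling and svc-ops for deletion review, and leaves jdoe alone; the thresholds are constants so they can be set to whatever the governing system rules in IRM 10.8.1 specify.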

2.13.11.5.4.3  (04-01-2007)
Restrict User Access

  1. As part of the Account Administration Function, EN must ensure that user access to an IRS information system or application is restricted to the minimum (least privilege) necessary to perform the user’s job. The procedures and processes that EN uses to ensure user access is restricted and how EN personnel perform these duties are identified as follows:

    • Determine or verify need for system access restriction using the OL5081 system

    • Review user’s access to appropriate information systems and determine if privilege levels are adequate

    • Add, remove or change user’s system access, as required.

      Note:

      In case of changes to user accounts due to inactivity, violations, or other suspicious activity, contact the user or manager for verification.

2.13.11.5.4.4  (04-01-2007)
Assign Security Parameters to New Users

  1. As part of the Account Administration Function, EN must assign security parameters, such as initial identifications and passwords, security profiles, and other security characteristics to new users before they can access IRS information systems or applications. The procedures and processes that EN uses to assign security parameters and perform these duties are identified as follows:

    • Determine or verify need for system access using the OL5081 system

    • Review user’s access to appropriate systems and determine if privilege levels are adequate

    • Ensure that users’ access to an information system or application is restricted to the minimum (least privilege) necessary to perform their job

    • Create security profiles for new users as required and perform follow-up by contacting the user and/or manager

    • Logon to the appropriate information system and establish appropriate user access

    • Provide user with logon and password information.

2.13.11.5.4.5  (04-01-2007)
Change Security Profiles for Existing Users

  1. As part of the Account Administration Function, EN must change security profiles for existing users on IRS information systems or applications on an as needed basis. The procedures and processes that EN uses to assign security parameters and perform these duties are identified as follows:

    • Determine or verify need for system access update using the OL5081 system

    • Review user’s access to appropriate systems and determine if privilege levels are adequate

    • Ensure that users’ access to an information system or application is restricted to the minimum (least privilege) necessary to perform their job

    • Change security profiles for existing users, as required.

      Note:

      In case of changes to user accounts due to inactivity, violations, or other suspicious activity, contact the user or manager for verification.

2.13.11.5.5  (04-01-2007)
Database Administrator Function

  1. The Database Administrator (DBA) Function within EN is to administer and maintain a database on an IRS information system for proper use by authorized IRS personnel and contractors. The DBA is responsible for the design and management of the IRS database, the day-to-day system operations, and for the evaluation, selection, and implementation of any software that meets the requirements of the IRS’ enterprise architecture.

2.13.11.5.5.1  (04-01-2007)
Monitor and Maintain Database Security Software

  1. As part of the DBA Function, EN must monitor and maintain database security software, in cooperation with data security administration tasks as prescribed in IRM 10.8.2, Information Technology Security Roles and Responsibilities. The procedures and processes that EN uses to monitor and maintain database security and how EN personnel perform these duties are identified as follows:

    • Review database audit to verify database system security controls are adequate

    • Use Database Management Systems (DBMS) and/or utilities whenever possible to verify database integrity

    • Coordinate with system administrators to review platform system hardware or software security status, as required

    • Coordinate with vendor to obtain database software upgrades

    • Install new software or utilities, as required

    • Comply with established configuration management procedures for technical review and identify and document actions

    • Update all system documentation as required.

2.13.11.5.6  (04-01-2007)
Monitor and Manage Database Tasks

  1. As part of the DBA Function, EN must monitor and manage database tasks that include backups, access to logs and journals, and the restoring and/or recovering of data on IRS information systems, as required. EN must follow DBA IT Security procedures as prescribed in IRM 10.8.2, Information Technology Security Roles and Responsibilities. The procedures and processes that EN uses to monitor and manage database tasks and how EN personnel perform these duties are identified as follows:

    • Monitor and manage database events and background processes

    • Monitor and manage database performance of processors, memory, cache, threads, and processes

    • Monitor and manage key information, such as libraries, data, logs, and thread activity

    • Monitor and edit database registry.

2.13.11.5.7  (04-01-2007)
Install, Maintain, and Upgrade Database Software

  1. As part of the DBA Function, EN must install, maintain, and upgrade database software on IRS information systems, as required. EN must follow DBA IT Security procedures as prescribed in IRM 10.8.2, Information Technology Security Roles and Responsibilities. The procedures and processes that EN uses to install, maintain, and upgrade database software and how EN personnel perform these duties are identified as follows:

    • Coordinate with system administrator of platform system to verify platform system status, as required

    • Coordinate with vendor to obtain database software upgrades

    • Install new software or utilities, as required

    • Maintain database to ensure optimal system performance

    • Comply with established configuration management procedures for technical review and identify and document actions

    • Update all system documentation, as required

    • Retrieve database vendor updates and transmit to affected systems and organizations.
