Additional Requirements for Publication 1075
Safeguarding requirements may be supplemented or modified between editions of Publication 1075 by guidance issued by the Office of Safeguards.
Data Warehouse Notification Requirements
When an agency implements a data warehouse containing FTI, the agency must provide written notification to the IRS Office of Safeguards, identifying the security controls, including FTI identification and auditing within the data warehouse.
The IRS Office of Safeguards has recently observed an increase in the number of agencies using web portals to process and transmit federal tax information (FTI) to their external customers. Web portals give agencies a convenient way to let customers access account information that may include FTI. Providing FTI to customers this way opens a new avenue for accessing FTI over the Internet and potentially exposes the FTI to a compromise of confidentiality. For this reason, measures need to be taken to protect the FTI that is provided to customers through a web portal.
Access to FTI through an IVR system is generally prohibited. However, with proper approval from the IRS Office of Safeguards, access to FTI through an IVR may be granted in situations evaluated by the IRS. Follow the guidelines on the Safeguards Technical Assistance for Protecting Federal Tax Information (FTI) in Integrated Voice Response (IVR) Systems Web page.
Section 9.18.8 - Live Data Testing Notification Requirements
This section requires an agency wishing to use live federal tax information in testing environments to request prior approval, providing a detailed explanation of the safeguards in place to protect the data and the necessity for using live data during testing.
Section 9.18.12 - Protecting FTI in Virtual Environments
Exhibit 15, Virtualization Notification and Technical Requirements
Recent advances in CPU architectures have made full virtualization faster than it was just a few years ago, and similar advances are expected to continue to be made both by CPU vendors and virtualization software vendors. The current economic state may push agencies to adopt these new virtualization solutions and operating models earlier than anticipated. These new solutions and operating models offer operational benefits to agencies, but also come with unique challenges and potential pitfalls. Whether full virtualization is currently in use or planned for deployment, the IRS Office of Safeguards requires FTI safeguarding measures to be in place, given the security concerns associated with full virtualization technologies. This memo provides the policy requirements for ensuring that the confidentiality of FTI is maintained by agencies that provide access to customers and/or employees through a virtual machine.
Section 9.18.13 - Protecting FTI in Voice over IP Networks
Many state agencies have implemented or are considering Voice over IP (VoIP) networks as a way to leverage existing broadband networks for functions traditionally carried out over analog phone lines, such as call center operations. A VoIP solution offers agencies lower telecommunications costs and operational benefits for network management. Because of the integration of voice and data in a single network, establishing a secure VoIP and data network is a complex process that requires sound policy, technical controls and proactive risk management. VoIP systems include a variety of components such as call processors/call managers, gateways, routers, firewalls, and protocols. The guidance provided for protecting FTI in a VoIP network applies to the components managed by the agency and does not include components of the PSTN.
Section 9.18.14 - Protecting FTI in a Cloud Computing Environment
Exhibit 16, Cloud Computing Notification and Technical Requirements
Technical Assistance Memorandum
As agencies look to reduce costs and improve operations, cloud computing may offer promise as an alternative to traditional data center models. By utilizing software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS) cloud service models, agencies may be able to reduce hardware and personnel costs by eliminating redundant operations and consolidating resources. While cloud computing offers many potential benefits, it is not without risk. Limiting access to authorized individuals becomes a much greater challenge with the increased availability of data in the cloud, and agencies may have greater difficulties isolating federal tax information (FTI) from other information and preventing “commingling” of data.
- Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies and Entities
- Safeguards Program