IRS Logo
Print - Click this link to Print this page

Helpful Hints - Preparing A Safeguards Procedures Report (SPR)

April 12, 2013Helpful hints references specific sections in the SPR template (as of June 2008). While the entire SPR template must be completed, the areas highlighted below are the most common questions or errors.

Section 1 (Responsible Officers) – Ensure complete contact information is included as contact information is especially important when it comes to clarifying information.

Section 2 (Location of Data) – If federal tax information (FTI) is resident in a separate computing center in a separate IT agency, clearly document that organization and its relationship to the agency receiving FTI.

Section 3 (Flow of the Data)

  • Document the entire life cycle of the FTI, from receipt to destruction, including data center notations, disposal organizations, etc.
  • Reviewers are looking at two elements
    • Documented process, procedures and policies
    • Execution against them.

Section 4 (System of Records)

  • Ensure clearly document required controls in place or compensating controls utilized.
  • Ensure auditing in place from receipt to destruction.

Section 5 (Secure Storage of the Data) – Ensure always have two barriers between FTI and unauthorized users.

Section 6 (Restricting Access to the Data) – Clearly document all access controls.

Section 7 (Disposal)

  • If use a disposal contractor, need to perform internal inspections and exercise due diligence.  Be sure to document process for conducting internal inspections.
  • Agencies cannot redelegate their safeguarding responsibilities.

Section 8 (Computer Security)

  • 8.1 – For data centers, organizational configurations and data partition issues are critical.
  • 8.4 SA4 – Ensure all contracts include Publication 1075, Exhibit 7 language.
  • 8.5 CA2 – Specify methodology for conducting annual assessments of security controls.
  • 8.5 CA5 – Detail the Plan of Action of Milestones (POAM) processes used internally to monitor corrective actions.
  • 8.11 IR1 – Policy should include provisions for simultaneous notification to TIGTA and IRS immediately upon discovering a possible improper inspection or disclosure of FTI, including breaches and security incidents.
  • 8.15 AC14 – As more and more agencies look to use the Web to communicate with taxpayers, ensure that FTI is not accessible via the Web portal.
  • 8.15 AC18 – Highlight policies for use of Blackberries or similar devices.
  • 8.15 AC20 – Detail policies related to access to FTI from flexi-place locations, including two factor authentication practices.
  • 8.16 AU1 – Audit controls are key to tracking FTI. Need to account for FTI from the moment of receipt until the moment of destruction.
  • 8.16 AU5 – Ensure that not only the controls are in place but they have a processing failure notification built in.
  • 8.18 – Complete only if a data warehouse is implemented to receive, store, transmit or process FTI.

References/Related Topics

Page Last Reviewed or Updated: 12-May-2014