
Safeguards Technical Assistance – Managerial, Operational and Technical Policies

Request for Technical Assistance
Please provide samples of policies for the following that address the Managerial, Operational and Technical controls:

  1. Security Planning Policy (H-2)
  2. Security and Accreditation Policy (H-4)
  3. Configuration Control Policy (H-6)
  4. Systems and Information Integrity Policy (H-8)
  5. Systems and Communication Policy (H-14)

Response

The IRS Office of Safeguards does not maintain security policy templates or samples for state agencies. However, Internal Revenue Manual (IRM) 10.8.1, IRS Information Technology Security Policy and Guidance, provides examples of these policies as written by the IRS; note that they are not specific to the Safeguards program.

IRM 10.8.1 – Part 1 
IRM 10.8.1 – Part 2
IRM 10.8.1 – Part 3

This memo provides guidance on creating the policies noted above and integrating them with an organizational security policy and program.  Two aspects of security policy development ensure the policy will comply with IRS Safeguards and NIST 800-53 requirements:

1) Create an issue-specific policy that provides directives, establishes goals and assigns responsibilities.  The policy should address these key sections:

  • Purpose – define the purpose of the policy – what is the goal or desired outcome?  What are the drivers or triggers that make this policy a requirement?
  • Scope – define the scope of the policy – what will it cover, e.g., all agency IT systems that store, process, transmit or receive FTI?  All agency IT systems regardless of function?
  • Roles and Responsibilities – define the departments and people that are responsible for policy creation, policy implementation and monitoring policy compliance. Use titles instead of actual people’s names.
  • Management Commitment – to be effective the policy needs organizational visibility and management support.  Identify the management lead for the policy with a statement emphasizing their commitment to the policy.
  • Coordination Among Organizational Entities – What other internal/external organizations must be coordinated with to carry out the policy?  Define these relationships here.
  • Compliance – How will compliance with the policy be measured to ensure requirements are being met?
  • Policy Statements – This is the crux of the policy.  Since each policy is specific to a NIST 800-53 control family, the policy statements should align with each of the controls in that control family.  Use each security control statement to craft the corresponding policy statement, so that every objective of a control is made into policy.  Below are two examples, for the PL-2 and PL-3 security controls.

System Security Plan (PL-2)
The agency shall develop, document, periodically update, and implement system security plans for agency information systems that process, store, transmit or receive Federal Tax Information.  The security plan describes the security controls in place or planned for the information system.  NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems, shall be used as the guide for developing security plans.

System Security Plan Update (PL-3)
The agency shall review system security plans for agency information systems that process, store, transmit or receive Federal Tax Information annually and update system security plans a minimum of every three years or whenever there is a significant change to the system.

2) Create documented procedures that support the policy and detail how the policy will be implemented.  These procedures help the people responsible for implementing the policy comply with the applicable policy requirements.  They are detailed steps, i.e., standard operating procedures, to be followed by users, system operations personnel, or others to accomplish a particular task (e.g., developing a system security plan).


Page Last Reviewed or Updated: 08-Apr-2014