Safeguards Technical Assistance by Topic
The IRS has recommendations and discussions on various Safeguards Program topics available for agencies to help stay in compliance. These documents may assist with preparation of reports, protecting federal tax information, and knowing the legalities of the Safeguards Program.
Auditing Controls of Federal Tax Information
Auditing controls are critical to successfully protecting federal tax information. Guidance is provided relative to the details to be captured and necessary monitoring of the events and transactions of the auditing logs.
Data Storage/Tape Drive Replacement for Human Service Agencies
This is for Human Resources Agencies Only. If an agency is looking to change the manner in which they back up BEERS data, several options are discussed.
Encryption Requirements of IRS Publication 1075
Federal, State and local authorities who receive FTI from IRS must have adequate security controls in place to protect the information against unauthorized use, inspection, or disclosure. Data encryption is essential for safeguarding FTI. The encryption requirements of IRS Publication 1075 are defined and recommendations are provided for agencies to comply with the requirements in various scenarios.
Help for Completing the Required Safeguard Procedures Report
An agency requesting Federal Tax Information (FTI) must submit a Safeguard Procedures Report (SPR) at least 45 days before the scheduled or requested receipt of FTI according to Section 2.0 of Publication 1075. In addition, a new SPR must be submitted whenever significant changes occur in an agency’s safeguard program or every six years. Two documents, Top Five Problems Agencies Encounter With SPR Processing and Helpful Hints-Preparing a Safeguards Procedures Report (SPR), are available to help agencies submit SPRs that contain clear and sufficient information in order to receive the requested FTI. A sample SPR is also available.
Incident Response Test and Exercise Guidance
Incident response capabilities have become necessary components of information security programs due to constant and evolving threats. This memo provides recommendations for testing and exercising incident response capabilities in accordance with the requirements set forth in IRS Publication 1075, Tax Information Security Guidelines for Federal, State, and Local Agencies. Specifically, incident response exercises must simulate the response to a Federal Tax Information (FTI) breach scenario and address Safeguard-specific requirements for reporting breaches of FTI to the appropriate organizations.
Managerial, Operational and Technical Policies
IRS has guidance on creating Managerial, Operational and Technical Policies and integrating them with an organizational security policy and program.
Managerial, Operational and Technical (MOT) SCSEM Assistance
Agencies that have not gone through the revised Publication 1075 (Tax Information Security Guidelines for Federal, State and Local Agencies and Entities) based Safeguard review often have questions related to the Managerial, Operational and Technical (MOT) SCSEM (e.g. what is it based on, why is it needed, and how can we prep for it). By proactively addressing these types of questions in a technical assistance memo, the IRS Office of Safeguards aims to provide consistent and timely information to the agencies. It will also assist in preparation for the upcoming Safeguard review.
Media Sanitation Methods
When confidential taxpayer information is no longer needed, CDs, DVDs, magnetic tapes, and other media need to be sanitized. Several factors need consideration when deciding the method for media sanitation. The IRS and the National Institute of Standards & Technology have provided guidelines for choosing one of the four methods of sanitizing and for ensuring the disposal of the information succeeds.
Meeting IRS Safeguards Audit Requirements
Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies and Entities, provides very detailed audit requirements, but how these requirements cut across the various IT layers (e.g., Operating System, Database, and Application) to provide end-to-end auditing might not be as apparent and straightforward. The IRS Office of Safeguards hopes to assist agencies in better understanding and implementing audit-based requirements for Safeguards.
Meeting Safeguard Requirements with Agency Internal Audits
The IRS Office of Safeguards can provide guidance and clarification on how Agency Internal Audits can be helpful in meeting some of the Safeguarding requirements and also provide coverage for security evaluations on a continuous basis.
Memorandum and example for Self Attestation of Security Assessment
This section provides a sample for agencies to use to establish their authorization to operate and provide the required self-attestation of security assessment.
Operational Security Policies and Procedures
Several key operational security functions should be performed throughout the year to maintain confidentiality of FTI and compliance with Publication 1075. The IRS Office of Safeguards provides examples and resources to assist agencies in creating new operational security policies and procedures or to enhance their existing programs.
Planning to Contract Could Require an IRS Contact
Governmental agencies entrusted with FTI and holding the authority to re-disclose this information to contractors must follow the statutory/regulatory requirements with respect to safeguarding the FTI. The IRS must be properly notified at least 45 days prior to executing any agreement to disclose FTI to a contractor. If the specific procedures are not adhered to, an agency's continued access to FTI could be jeopardized.
Policy and Procedures Involving a Contractor
Clarification is provided on Publication 1075 Risk Assessment policy and procedures and the Safeguard Procedures Report (SPR): While a contractor can assist with implementing RA controls, it is important that the agency works closely with the contractor to ensure the policy being developed is aligned with the agency's overall mission and the requirements of Publication 1075. It is also important to address the five controls in the control family when creating Risk Assessment policy and procedures.
Possible Computer Virus Technical Assistance
It is extremely important that users be provided guidance on what to do if a virus infection occurs on their computer, because the users are the frontline, and improper handling of an infection could make a minor incident worse. Guidance is provided for handling potential computer virus incidents.
Preventing Data Leakage Safeguards Technical Assistance
Data leakage is becoming more common throughout industry and government, leading to the development of software and procedural techniques to detect and prevent such occurrences. Research and guidance on data leakage in the IRS Safeguards Program is available for agencies.
Protecting Federal Tax Information (FTI) in a Cloud Computing Environment
As defined by NIST, “Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.” As agencies look to reduce costs and improve reliability of business operations, cloud computing offers an alternative to traditional data center models. The IRS Office of Safeguards has developed this memo to assist agencies with protecting FTI in a cloud computing environment.
Protecting FTI in Databases through Labeling
It is recommended that FTI be kept separate from other information to the maximum extent possible to avoid inadvertent disclosures. However in situations where physical separation is impractical, IRS Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, requires records to be clearly labeled to indicate that FTI is included in the record. The Office of Safeguards has observed a wide range of database data element labeling practices while reviewing labeling and auditing procedures. Organized, consistently applied labeling can help the agency better enforce access control to the data elements, easily identify what needs to be audited and logged, and be able to identify those network components which are required to be in compliance with Publication 1075. This memo provides recommendations for labeling FTI in databases.
Protecting Federal Tax Information: A Pocket Guide for Government Employees (PDF)
Publication 4761, Protecting Federal Tax Information: A Pocket Guide for Government Employees, is for federal, state and local agency employees who receive and use federal tax information (FTI). It provides basic disclosure concepts and warns of civil and criminal sanctions for misuse of FTI. It can be ordered by government agencies.
Protecting FTI by Proactive Auditing
Audit logs are a primary tool used by administrators to detect and investigate attempted and successful unauthorized activity. However, policies and procedures often do not specify the regular review of audit logs, reviews are too infrequent or not conducted on a routine basis, and/or the audit review is conducted after a security incident has occurred. The benefit of passive log analysis, while important, fails to realize the proactive benefit of knowing when a security violation is occurring in real-time. The purpose of this memo is to introduce agencies to some of the concepts for proactive auditing, and to start the dialog between the IRS Office of Safeguards and agencies for discussing proactive auditing techniques and methods.
Protecting FTI in Electronic Case Records
The IRS Office of Safeguards has recently received several inquiries from various tax agencies about the use of Federal Tax Information (FTI) in electronic case records. As these agencies move towards paperless models, a challenge has arisen for protecting FTI and complying with IRS Publication 1075, Tax Information Security Guidelines for Federal State and Local Agencies, when FTI is maintained as part of electronic case records. This memo will provide the minimum requirements for protecting FTI in electronic case records. While this memorandum addresses electronic case records, it is important to understand the requirements for protecting FTI in electronic case records are identical to the requirements for protecting FTI in paper case files. It is the implementation of those requirements that will differ in an electronic environment.
Protecting FTI From Social Media Sites and Collaboration Tools
Social media sites such as Facebook, LinkedIn and Twitter have increasingly become popular networking and communication tools. In addition to Web 2.0 applications like IM, web conferencing, VoIP, and blogs, a large number of social networking sites are available to anyone with a browser. Considering the rapid growth and popularity of these sites, organizations question whether they have the security tools and policies needed to deal with the accelerating number of users, since these social networking sites have become a hot target for hackers. Considering the security risks, the IRS Office of Safeguards prohibits sharing FTI using any social media application and also prohibits FTI from being transferred using these communication tools. This memo provides recommended security controls that agencies should have in place to ensure FTI is properly protected and not transferred via social media or instant messaging collaboration tools.
Protecting FTI Through Network Defense-in-Depth
IRS Publication 1075 section 9.16 outlines the requirements for boundary protection in the System and Communications (SC) family of controls under SC-7, Boundary Protection. In accordance with Publication 1075, it is the responsibility of the organization to build effective security controls into their own Information Technology (IT) infrastructure to ensure that this information is protected at all points where FTI is received, transmitted, stored, and processed. This includes the need for the agency to adequately protect their network boundaries wherever FTI is received, processed, transmitted or stored. This memo provides guidance for boundary protection at both external (agency perimeter) and internal (internal sub-network) boundaries.
Protecting FTI within a Mobile Device Environment
Today’s working environment has become increasingly distributed, with increased telework and distributed employees, leading to a highly remote workforce. This has driven the need for distributed employees to stay connected to corporate computing resources and perform work remotely. This has in turn created the need for government agencies and corporations to provide accessibility to proprietary or sensitive data (i.e., FTI) on mobile devices such as tablets and smartphones. Additionally, with the introduction of “BYOD” (Bring Your Own Device), allowing employees to use personally owned mobile devices to access data in the environment, the risk of introducing an untrustworthy and insecure device to the internal network increases substantially. The scope of this memo is focused on agency-owned and BYOD devices such as smartphones or tablets that rely heavily on network connectivity for many of their applications and functions.
Remote Access for Data Centers
Clarification is provided on the multi-factor authentication for remote access requirement when agencies are accessing servers located at their consolidated data center.
Remote Access Requirement
The IRS Internal Revenue Manual defines Remote Access as access by users (or information systems) communicating external to an information system security perimeter. Guidance is provided regarding the multi-factor authentication for remote access requirement when tax offices are accessing servers located at their consolidated data center.
STAX Audit Logs
IRS Publication 1075 outlines the requirements and guidelines to ensure that FTI is properly audited. Guidance is provided on the handling and storage of STAX audit logs.
Use of Collaborative Tools
Agencies and businesses increasingly rely on digital forms of communication for computer-based real-time collaboration. These software applications provide virtual space, which enables participants to communicate via voice, video, chat, whiteboard, and can share user desktops, applications and documents. However, these types of collaborative tools are not suitable for transmitting FTI across encrypted tunnels.
Use of FTI in Open Source Software
Open source software, while it can be useful in many instances and appear to be cost effective, may present a security risk because open source developers don’t typically follow security best practices when developing their software. Additionally, support for the open source software is not always provided by the vendor, and open source vendors can be slow to respond to identified flaws in their applications with a security fix. This memo provides recommendations for agencies considering using FTI in open source software.
Use of Live FTI in System Testing
The use of live FTI in test environments should generally be avoided and is not approved unless specifically authorized by the IRS Office of Safeguards. Dummy data should be used in place of live FTI wherever possible. This memo provides guidance to federal, state and local agencies that receive, store, process or transmit FTI on the requirements for the approval, acquisition, handling, protection, and disposition of live FTI used in system testing activities. This guidance further expands upon the Live Data Testing requirements provided in IRS Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, Section 9.18.8 – Live Data Testing.
Virus Scanning Tools
IRS Publication 1075, Section 5.6.16, requires any information system that stores, processes, or transmits FTI be protected against malicious code transported by electronic mail, electronic mail attachments, Internet accesses, removable media, or other common means. Guidance is provided for anti-virus prevention.
Warning Banner Must be Used When Housing Federal Tax Information
In accordance with Section 6.2 of Publication 1075, warning banners must be used during initial logon on computers housing federal tax information. The Office of Safeguards recommends text to fulfill this requirement.
- Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies and Entities
- Safeguards Program