Agency Type: Department of Human Services
Request for Technical Assistance: Data Storage/Tape Drive Replacement
The agency has decided to discontinue maintenance of their 3490 tape drive currently used to create the Beneficiary Earning Exchange Record (BEER) tape cartridges that contain FTI. Due to this discontinuation, the agency wants to change the media on which BEERs files are stored. The agency wants to know if it would be possible for the person/people/group that receives the 3490 tape cartridge to accept this data on some other media or in another format.
The agency is considering the following options:
- Secure FTP file transfer straight from the z/OS New Heights mainframe.
- CD Media
- DVD Media
This memo provides a discussion of the IRS Safeguards requirements for each of the three options identified by the agency to replace tape cartridges. All of the three options, Secure FTP, CD media, DVD media are acceptable methods of transferring data per Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies.
For each of these options, the Publication 1075 requires certain security controls be in place. The agency is required to have security policies and procedures that cover the Publication 1075 requirements for the selected option. If not these procedures should be developed, documented, disseminated, and updated as necessary.
Once the 3490 tape cartridges with FTI are no longer needed, the IRS policy requires agencies either return the tapes to the IRS or destroy the tapes using an acceptable method of destruction in accordance with Publication 1075.
Option 1 - SFTP
Unlike standard FTP, SFTP is a program that uses SSH to transfer files. It encrypts both commands and data, preventing passwords and sensitive information from being transmitted in the clear over the network. If the agency chooses to utilize SFTP, these best practices should be followed when transferring FTI files via SFTP:
- Account Permission – Assign SFTP users who are authorized to handle the FTI file transfers. Disable anonymous access to the SFTP service. Limit access to the FTP directory to authorized accounts.
- Password Policies – Require a password for SFTP transmissions, and implement a strong password policy compliant with IRS Publication 1075 password requirements.
- Trusted Access Lists - Restrict access to your SFTP port to only trusted networks.
- Activity Logging – Enable logging to capture SFTP connection details.
Options 2&3 – CD/DVD Media
CD and DVD media are combined for this memo because the Publication 1075 security requirements for both media types are the same. If the agency chooses to utilize the use of removable media such as DVDs or CDs, then the agency is required to implement these controls per Publication 1075.
Media Protection Policy and Procedures
The agency has media access policies and procedures that are documented, disseminated, and updated as necessary to facilitate the media protection policy. These policies should address the purpose, scope, responsibilities, and management’s commitment to implementing associated controls.
The agency restricts access to the CDs/DVDs with BEER data to authorized individuals only. Authorized employees of the recipient agency must be responsible for electronic media from receipt through destruction. Inventory records must be maintained for purposes of control and accountability, and semi-annual inventories must be conducted. Any media containing FTI or any file resulting from the processing will be recorded in a log that will permit all media containing FTI to be readily identified and controlled and identifies:
- Date received
- Control number and/or file name & contents
- Number of records, if available
- If disposed of, the date and method of disposition.
The agency should account for any missing electronic media, document search efforts taken, and notify the appropriate authorities as directed in Section 10.0 of Publication 1075 of the loss.
The agency labels each BEERs CDs/DVDs with the notation “Federal Tax Information”. IRS Notice 129-A or Notice 129-B can be used for this purpose or the agency can create their own labels. The agency can order these Notices which are adhesive labels directly from the IRS distribution center, following the instructions found on the Safeguards Program page or send a request for assistance to the IRS Office of Safeguards at firstname.lastname@example.org.
The agency physically controls and securely stores the CDs/DVDs with BEERs data within controlled areas that meet the Secure Storage requirements of Publication 1075 Section 4. Responsible officials should ensure that electronic media containing FTI that is removed from the storage area, is properly recorded on charge-out records.
Media Transport and Encryption
The agency protects and controls information system media during transport outside of controlled areas (e.g., to off-site storage) and restrict the activities associated with transport of such media to authorized personnel. All shipments of FTI should be monitored to ensure that each shipment is properly and timely received and acknowledged. The agency should use transmittals or an equivalent tracking method to ensure FTI reaches its intended destination. All removable media (e.g., CDs/DVDs/flash drives or other removable media) containing FTI must be encrypted to prevent unauthorized access, whether in storage or in transport, in accordance with the encryption standards of IRS Publication 1075, Exhibit 10.
Media Sanitization and Disposal
The agency sanitizes CD/DVD media with FTI prior to disposal or release for reuse. NIST SP 800-88, Guidelines for Media Sanitization, provides additional information for media disposal. The NIST guidance outlines the following recommendations for destruction of DVD/CD media:
- Removing the information bearing layers of DVD/CD media using a commercial optical disk grinding device.
- Incinerate optical disk media (reduce to ash) using a licensed facility.
- Use optical disk media shredders or disintegrator devices to reduce to particles that have a nominal edge dimensions of five millimeters (5 mm) and surface area of twenty-five square millimeters (25 mm2).
State human services agencies obtaining BEERs data from SSA under the authority of IRC section 6103(l)(7) may not contract for services that involve the disclosure of FTI, including media destruction.
References and Related Topics
- IRS Publication 1075, Tax Information Security guidelines for Federal, State and Local Agencies, (Rev. 08-2010) (PDF)
- NIST Special Publication 800-88, Guidelines for Media Sanitization