
Tax Information Security Guidelines - Internal Revenue Service

Publication 1075, Tax Information Security Guidelines For Federal, State and Local Agencies: Safeguards for Protecting Federal Tax Returns and Return Information

IRS Mission Statement: Provide America's taxpayers top-quality service by helping them understand and meet their tax responsibilities and enforce the law with integrity and fairness to all.

Office of Safeguards Mission Statement: The mission of the Office of Safeguards is to promote taxpayer confidence in the integrity of the tax system by ensuring the confidentiality of IRS information provided to federal, state, and local agencies. Safeguards verifies compliance with IRC 6103(p)(4) safeguard requirements through the identification and mitigation of any risk of loss, breach, or misuse of Federal Tax Information held by external government agencies.

Publication 1075 (September 2016) i

Changes for September 2016 Revision

This publication revises and supersedes Publication 1075 (October 2014) and is effective September 30, 2016.



Feedback for Publication 1075 is highly encouraged. Please send any comments to

Following are the highlighted changes:

1) Editorial changes have been made throughout this document to update website references and links, as well as to renumber sections and to clarify guidance
2) Table of Contents updated. Please find tables listed under respective sections rather than at the end of the Table of Contents
3) Section Access Safeguards Resources Online changed to Access Safeguard Resources
4) Section Added Website Resources
5) Section Added Mailbox
6) Section Federal Tax Information (FTI) Added reference to include the Centers for Medicare and Medicaid and IRC 6103(p)(2)(B) Agreements
7) Section Created Section On-Site Review Process and Computer Security Review to elaborate on the Safeguard Review Process
8) Section Added Voluntary Termination of Receipt of FTI
9) Section Added Archiving FTI
10) Section Added Termination Documentation
11) Section Updated Electronic and Non-Electronic Logs requirements and deleted duplicate log sample
12) Section Deleted duplicate paragraph for FTI in transit
13) Section Offsite Storage Requirements Updated to show agency-type specific requirements
14) Section Equipment - Added exception for use of VDI and updated to include personally-owned devices
15) Section Added Background Investigation Minimum Requirements
16) Section Added guidance for use of Consolidated Data Centers
17) Section Added all contractor and shared sites to be included in Safeguard reviews
18) Section Added Review Availability of Contractor Facilities
19) Section Updated Disclosure Awareness Training
20) Section Renamed from SSR Update Submission and Instructions to Initial SSR Submission Instructions - New Agency Responsibility
21) Section Renamed from SSR Update Submission Dates to Instructions for Agencies Requesting New FTI Data Streams and includes the mandatory requirement for providing evidence of security testing and ATO before the system is operational
22) Section Renamed from SSR Update Submission Instruction to Annual SSR Update Submission Instructions
23) Section Renumbered SSR Update Submission Dates to Section
24) Section Added table for 45 Day Notification Reporting Requirements
25) Section Removed requirement to notify Safeguards prior to implementing a data warehouse
26) Section Non-Agency Owned Systems updated
27) Section Removed requirement to notify Safeguards prior to locating FTI in a virtual environment
28) Section Destruction and Disposal Updated section to include new requirements regarding shredding and updated regarding whenever physical media leaves the physical or systemic control of the agency
29) Section Updated Table 8 for Automated Compliance and Vulnerability Assessment Testing to include profiles used with these tools can be downloaded from the Office of Safeguards website
30) Section (b) Unsuccessful Log On Attempts (AC-7) - Updated automatic lock period to 15 minutes
31) Section Session Termination (AC-12) Updated to show information system must automatically terminate a user session after 30 minutes of inactivity
32) Section Use of External Information Systems (AC-20) Updated to reflect personally-owned device requirements
33) Section Added definition of personnel with security roles and responsibilities and added distinction from Section , Disclosure Awareness, and , Security Awareness Training (AT-2)
34) Section (c) Time Stamps (AU-8) Updated regarding synchronization of internal information system clocks
35) Section Audit Record Retention (AU-11) Added clarification on retention
36) Section Device Identification and Authentication (IA-3) Added clarification
37) Section Updated Incident Response Testing to remove the word "systems" as testing requirements apply to both paper and electronic FTI
38) Section Updated to reflect 5-year retention period requirement
39) Section (c) Added to Rules of Behavior (PL-4), review and update at a minimum annually
40) Section Security Engineering Principles (SA-8) - Added clarification of what security engineering principles include
41) Section Mobile Devices - Updated to reflect current restrictions with BYOD
42) Section Updated Multi-Functional Devices to include High-Volume Printers
43) Section (g) Storage Area Networks - changed audit review to weekly
44) Section Virtual Desktop Infrastructure updated to include agency and non-agency owned requirements
45) Section Virtual Environment Removed requirement to notify Safeguards prior to locating FTI in a virtual environment
46) Section Web Browser Removed requirement a) Private browsing must be enabled on the Web browser and configured to delete temporary files and cookies upon exiting the session
47) Section Updated Reporting Improper Inspections or Disclosures including Table 9: TIGTA Field Division Contact Information
48) Section Updated Guidelines for agencies authorized to produce statistical reports in Return Information in Statistical Reports General
49) Exhibit 7 Safeguarding Contract Language - added additional requirements in Section I Performance and Section III Inspection
50) Exhibit 10 Changed to reflect updated SSR Requirements
51) Exhibit 12 Glossary and Terms is no longer labeled, but is still found in the back of the publication

Table of Contents

Introduction .. 1
General .. 1
Overview of Publication 1075 .. 2
Access Safeguards Resources .. 3
Website Resources .. 3
Mailbox .. 3
Key Definitions .. 4
Federal Tax Information (FTI) .. 4
Return and Return Information .. 4
Personally Identifiable Information .. 5
Information Received From Taxpayers or Third Parties .. 5
Unauthorized Access .. 6
Unauthorized Disclosure .. 6
Need to Know .. 6
Federal Tax Information and Reviews .. 7
General .. 7
Authorized Use of FTI .. 8
Secure Data Transfer .. 8
State Tax Agency Limitations .. 8
Coordinating Safeguards within an Agency .. 10
Safeguard Reviews .. 10
Conducting the Review .. 10
Table 1 Safeguard Review Cycle .. 11
Computer Security Review Process .. 12
Table 2 IT Testing Techniques .. 13
Corrective Action Plan .. 13
Voluntary Termination of Receipt of FTI .. 14
Termination Documentation .. 14
Archiving FTI Procedure (for agencies terminating receipt of FTI but required by statute to retain FTI for designated periods) .. 14
Recordkeeping Requirement IRC 6103(p)(4)(A) .. 15
General .. 15
Electronic and Non-Electronic FTI Logs .. 15
Figure 1 Sample FTI Log .. 16
Converted Media .. 16
Recordkeeping of Disclosures to State Auditors .. 16
Secure Storage IRC 6103(p)(4)(B) .. 17
General .. 17
Minimum Protection Standards .. 17
Table 3 Minimum Protection Standards .. 18
Restricted Area Access .. 19
Figure 2 Sample Visitor Access Log .. 20
Use of Authorized Access List .. 20
Controlling Access to Areas Containing FTI .. 21
Control and Safeguarding Keys and Combinations .. 21
Locking Systems for Secured Areas .. 22
FTI in .. 22
Physical Security of Computers, Electronic, and Removable Media .. 23
Media Off-Site Storage Requirements .. 23
Telework Locations .. 24
Equipment .. 24
Storing Data .. 25
Other Safeguards .. 25
Restricting Access IRC 6103(p)(4)(C) .. 26
General .. 26
Background Investigation Minimum Requirements .. 26
Implementing the Background Investigation Requirement .. 28
Commingling of FTI .. 29
Commingling of Electronic Media .. 29
Access to FTI via State Tax Files or Through Other Agencies .. 30
Controls over Processing .. 31
Agency Owned and Operated .. 31
Contractor or Agency Shared Facility - Consolidated Data Centers .. 31
Agency Shared Facilities .. 31
Consolidated Data Centers .. 32
Review Availability of Contractor Facilities .. 33
Child Support Agencies IRC 6103(l)(6), (l)(8), and (l)(10) .. 34
Human Services Agencies IRC 6103(l)(7) .. 34
Deficit Reduction Agencies IRC 6103(l)(10) .. 34
Centers for Medicare and Medicaid Services IRC 6103(l)(12)(C) .. 35
Disclosures under IRC 6103(l)(20) .. 35
Disclosures under IRC 6103(l)(21) .. 35
Disclosures under IRC 6103(i) .. 35
Disclosures under IRC 6103(m)(2) .. 36
Other Safeguards IRC 6103(p)(4)(D) .. 37
General .. 37
Training Requirements .. 37
Table 4 Training Requirements .. 37
Disclosure Awareness Training .. 38
Disclosure Awareness Training Products .. 39
Internal Inspections .. 40
Recordkeeping .. 40
Secure Storage .. 40
Limited Access .. 41
Disposal .. 41
Computer Systems Security .. 41
Plan of Action and Milestones .. 41
Reporting Requirements 6103(p)(4)(E) .. 42
General .. 42
Report Submission Instructions .. 42
Encryption Requirements .. 43
Safeguard Security Reports .. 43
Initial SSR Submission Instructions - New Agency Responsibilities .. 43
Table 5 Evidentiary Requirements for SSR approval before release of FTI .. 44
Agencies Requesting New FTI Data Streams .. 46
Annual SSR Update Submission Instructions .. 46
SSR Update Submission Dates .. 47
Table 6 SSR Due Dates .. 47
Corrective Action Plan .. 48
CAP Submission Instructions and Submission Dates .. 48
Table 7 CAP Due Dates .. 48
45-Day Notification Reporting Requirements .. 50
Table 8 45-Day Notification Reporting Requirements .. 50
Cloud Computing .. 51
Consolidated Data Center .. 51
Contractor or Subcontractor Access .. 51
Data Warehouse Processing .. 51
Non-Agency-Owned Information Systems .. 51
Tax Modeling .. 52
Live Data Testing .. 52
Virtualization of Information Technology Systems .. 52
Disposing of FTI IRC 6103(p)(4)(F) .. 53
General .. 53
Returning IRS Information to the Source .. 53
Destruction and Disposal .. 53
Table 9 FTI Destruction Methods .. 53
Other Precautions .. 54
Computer System Security .. 55
General .. 55
Assessment Process .. 55
NIST SP 800-53 Control Requirements .. 56
Access Control .. 56
Awareness and .. 62
Audit and Accountability .. 63
Table 10 Proactive Auditing Methods to Detect Unauthorized Access to FTI .. 66
Security Assessment and Authorization .. 68
Configuration Management .. 70
Contingency Planning .. 74
Identification and Authentication .. 76
Incident Response
