Tax Information Security Guidelines For Federal, State and ...
Publication 1075
Tax Information Security Guidelines
For Federal, State
and Local Agencies
Safeguards for Protecting Federal Tax Returns and Return Information
IRS Mission Statement Provide America's taxpayers top-quality service by helping them understand and meet
their tax responsibilities and enforce the law with integrity and fairness to all.
Office of Safeguards Mission Statement The Mission of Safeguards is to promote taxpayer confidence in the integrity of the tax system by ensuring the confidentiality of IRS information provided to federal, state, and
local agencies. Safeguards verifies compliance with Internal Revenue Code (IRC) ? 6103(p)(4) safeguard requirements through the identification and mitigation of any risk of
loss, breach or misuse of Federal Tax Information (FTI) held by external government agencies.
Office of Safeguards Vision Statement To serve as a trusted advisor to our Partners, ensuring they have full understanding and insight into FTI requirements and their risk profile, obtain consistent and timely guidance from a "single voice" and receive service and support that is aligned to their risk profile.
We will drive the customer experience and FTI compliance via a collaborative and empowered culture and a cross-trained workforce that is built around a risk-based operating model that integrates infrastructure and processes to enable efficient and
effective operations.
2
Contents
IRS Mission Statement_________________________________________________ 2 Office of Safeguards Mission Statement __________________________________ 2 Office of Safeguards Vision Statement ___________________________________ 2 Highlights for November 2021 Revision__________________________________ 12 Security and Privacy Control Table _____________________________________ 17 INTRODUCTION _____________________________________________________ 23
General__________________________________________________________________ 23 Overview of Publication 1075_________________________________________________ 24 SAFEGUARD RESOURCES____________________________________________ 24 Safeguards Website ________________________________________________________ 24 Safeguards Mailbox ________________________________________________________ 25 KEY DEFINITIONS ___________________________________________________ 25 Federal Tax Information _____________________________________________________ 25 Return and Return Information________________________________________________ 26 Personally Identifiable Information (PII) _________________________________________26 Information Received from Taxpayers or Third Parties _____________________________27 Access __________________________________________________________________ 27 Cloud Computing __________________________________________________________ 27 Inadvertent Access_________________________________________________________ 27 Inadvertent Disclosure ______________________________________________________ 27 Incidental Access __________________________________________________________ 27 Unauthorized Access _______________________________________________________ 27 Unauthorized Disclosure ____________________________________________________ 28 Need-to-Know ____________________________________________________________ 28 Adverse Action ____________________________________________________________ 28 Disciplinary Action _________________________________________________________ 28 Personnel Sanction ________________________________________________________ 28 1.0 FEDERAL TAX INFORMATION, REVIEWS and OTHER REQUIREMENTS ____ 29 1.1 General _________________________________________________________ 29 1.2 Authorized Use of FTI _____________________________________________ 29 1.3 Secure Data Transfer ______________________________________________ 30 1.4 State Tax Agency Limitations _______________________________________ 30
3
1.5 Coordinating Safeguards within an Agency ___________________________ 31
1.6 Safeguard Reviews _______________________________________________ 31
1.6.1 Before the Review _____________________________________________________ 31
1.6.2 During the Review _____________________________________________________ 32
1.6.3 After the Review ______________________________________________________ 32
1.7 Termination of FTI ________________________________________________ 33
1.7.1 Agency Request ______________________________________________________ 33
1.7.1.1 Termination Documentation _______________________________________________ 33
1.7.1.2 Archiving FTI Procedure __________________________________________________ 34
1.7.2 FTI Suspension, Termination and Administrative Review_______________________34
1.8 Reporting Improper Inspections or Disclosures ________________________ 34
1.8.1 Terms ______________________________________________________________ 34
1.8.1.1 Data Incident ____________________________________________________________ 34
1.8.1.2 Data Breach _____________________________________________________________ 35
1.8.2 General _____________________________________________________________ 35
1.8.3 Office of Safeguards Notification Process___________________________________36
1.8.4 Incident Response Procedures ___________________________________________ 37
1.8.5 Incident Response Notification to Impacted Individuals ________________________37
1.9 Disclosure to Other Persons ________________________________________ 38
1.9.1 General _____________________________________________________________ 38
1.9.2 Authorized Disclosure Precautions ________________________________________38
1.9.3 External Personnel Security _____________________________________________ 38
1.9.4 Disclosing FTI to Contractors or Sub-Contractors_____________________________38
1.9.5 Re-Disclosure Agreements ______________________________________________ 40
1.10 Return Information in Statistical Reports ____________________________ 40
1.10.1 General ____________________________________________________________ 40
1.10.2 Making a Request under IRC ? 6103(j)____________________________________41
1.10.3 State Tax Agency Statistical Analysis _____________________________________41
2.0 PHYSICAL SECURITY REQUIREMENTS ______________________________ 42
2.A Recordkeeping Requirement ? IRC ? 6103(p)(4)(A) _____________________ 42 2.A.1 General _____________________________________________________________ 42 2.A.2 Logs of FTI (Electronic and Non-Electronic Receipts) _________________________42 Figure 1 ? Sample FTI Logs__________________________________________________ 43 2.A.3 Converted Media______________________________________________________ 43 2.A.4 Recordkeeping of Disclosures to State Auditors______________________________43 2.B Secure Storage ? IRC ? 6103(p)(4)(B) ________________________________ 43
4
2.B.1 General _____________________________________________________________ 43
2.B.2 Minimum Protection Standards___________________________________________ 44
Table 1 ? Minimum Protection Standards _______________________________________44
2.B.3 Restricted Area Access_________________________________________________ 45
2.B.3.1 Visitor Access Logs ______________________________________________________ 45
Figure 2 ? Visitor Access Log ____________________________________________________ 46
2.B.3.2 Authorized Access List ___________________________________________________ 46
2.B.3.3 Controlling Access to Areas Containing FTI __________________________________ 47
2.B.3.4 Control and Safeguarding Keys and Combinations ____________________________ 47
2.B.3.5 Locking Systems for Secured Areas ________________________________________ 48
2.B.4 FTI in Transit_________________________________________________________ 48
2.B.4.1 Security During Office Moves ______________________________________________ 48
2.B.5 Physical Security of Computers, Electronic and Removable Media _______________48
2.B.6 Media Off-Site Storage Requirements _____________________________________49
2.B.7 Alternate Work Site ____________________________________________________ 49
2.B.7.1 Equipment ______________________________________________________________ 49
2.B.7.2 Storing Data ____________________________________________________________ 50
2.B.7.3 Other Safeguards ________________________________________________________ 50
2.C Restricting Access ? IRC ? 6103(p)(4)(C) _____________________________ 50
2.C.1 General _____________________________________________________________ 50
2.C.2 Policies and Procedures ________________________________________________ 51
2.C.3 Background Investigation Minimum Requirements ___________________________53
2.C.3.1 Background Investigation Requirement Implementation _______________________ 54
2.C.4 Personnel Actions_____________________________________________________ 54
2.C.4.1 Personnel Transfer_______________________________________________________ 54
2.C.4.2 Personnel Sanctions _____________________________________________________ 55
2.C.4.3 Personnel Termination____________________________________________________ 55
2.C.5 Commingling of FTI ___________________________________________________ 55
2.C.5.1 Commingling of Electronic Media __________________________________________ 56
2.C.6 Access to FTI via State Tax Files or Through Other Agencies___________________56
2.C.7 Offshore Operations ___________________________________________________ 57
2.C.8 Controls Over Processing_______________________________________________ 57
2.C.8.1 Agency-owned and Operated Facility _______________________________________ 57
2.C.8.2 Agency, Contractor or Sub-Contractor Shared Facilities _______________________ 57
2.C.9 Service Level Agreements (SLA) _________________________________________58
2.C.10 Review Availability of Contractor and Sub-Contractor Facilities_________________59
2.C.11 Restricting Access ? Other Disclosures ___________________________________59
2.C.11.1 Child Support Agencies--IRC ?? 6103(l)(6), (l)(8) and (l)(10)____________________ 59
2.C.11.2 Human Services Agencies--IRC ? 6103(l)(7)_________________________________ 60
2.C.11.3 Deficit Reduction Agencies--IRC ? 6103(l)(10) _______________________________ 60
2.C.11.4 Centers for Medicare and Medicaid Services--IRC ? 6103(l)(12)(C) ______________ 60
2.C.11.5 Disclosures under IRC ? 6103(l)(20) ________________________________________ 60
2.C.11.6 Disclosures under IRC ? 6103(l)(21) ________________________________________ 60
2.C.11.7 Disclosures under IRC ? 6103(i) ___________________________________________ 61
5
2.C.11.8 Disclosures under IRC ? 6103(m)(2)________________________________________ 61
2.D Other Safeguards - IRC ? 6103(p)(4)(D) _______________________________ 61
2.D.1 General _____________________________________________________________ 61
2.D.2 Training Requirements _________________________________________________ 61
Table 2 ? Training Requirements _________________________________________________ 62
2.D.2.1 Disclosure Awareness Training ____________________________________________ 62
2.D.2.2 Disclosure Awareness Training Products ____________________________________ 64
2.D.3 Internal Inspections and On-Site Reviews __________________________________64
2.D.4 Recordkeeping____________________________________________________________ 65
2.D.5 Secure Storage ___________________________________________________________ 65
2.D.6 Limited Access ___________________________________________________________ 65
2.D.7 Disposal _________________________________________________________________ 66
2.D.8 Computer Systems Security ________________________________________________ 66
2.D.9 Plan of Action and Milestones (POA&M) ______________________________________ 66
2.E Reporting Requirements ? IRC ? 6103(p)(4)(E) _________________________ 66
2.E.1 General _____________________________________________________________ 66
2.E.2 Report Submission Instructions __________________________________________ 66
2.E.3 Encryption Requirements _______________________________________________ 67
2.E.4 Safeguards Security Reports (SSR) _______________________________________67
2.E.4.1 Initial SSR Submission Instructions ? New Agency Responsibilities _____________ 68
Table 3 ? SSR Evidentiary Documentation ______________________________________69
2.E.4.2 Agencies Requesting New FTI Data Streams _________________________________ 71
2.E.4.3 Annual SSR Update Submission Instructions_________________________________ 72
2.E.4.4 SSR Submission Dates ___________________________________________________ 72
Table 4 - SSR Submission Dates __________________________________________________ 73
2.E.5 Corrective Action Plan _________________________________________________ 73
2.E.5.1 CAP Submission Instructions ______________________________________________ 74
2.E.5.2 CAP Submission Dates ___________________________________________________ 75
Table 5 ? CAP Submission Dates _________________________________________________ 75
2.E.6 Notification Reporting Requirements ______________________________________76
Table 6 ? Notification Reporting __________________________________________________ 76
2.E.6.1 Cloud Computing ________________________________________________________ 76
2.E.6.2 Contractor or Sub-Contractor Access _______________________________________ 77
2.E.6.3 Tax Modeling ____________________________________________________________ 77
2.E.6.4 Live Data Testing ________________________________________________________ 77
2.F Disposing of FTI ? IRC ? 6103(p)(4)(F) ________________________________ 77
2.F.1 General _____________________________________________________________ 77
2.F.2 Returning IRS Information to the Source ___________________________________78
2.F.3 Destruction and Disposal _______________________________________________ 78
Table 7 - FTI Destruction Methods ________________________________________________ 78
2.F.3.1 Media Sanitization________________________________________________________ 79
2.F.4 Other Precautions _____________________________________________________ 79
3.1 General_______________________________________________________________ 81
3.2 Assessment Process ____________________________________________________ 81
6
Table 8 ? Assessment Methodologies _____________________________________________ 82
3.3 Technology-Specific Requirements _________________________________________82
3.3.1 Cloud Computing __________________________________________________________ 82
3.3.2 Email Communications _____________________________________________________ 83
3.3.3 Facsimile and Facsimile Devices _____________________________________________ 84
3.3.4 Mobile Devices ____________________________________________________________ 85
3.3.5 Multifunction Devices (MFDs) and High-Volume Printers (HVPs) __________________ 85
3.3.6 Network Boundary and Infrastructure _________________________________________ 85
3.3.7 Virtual Desktop Infrastructure _______________________________________________ 86
3.3.8 Public-Facing Systems _____________________________________________________ 86
4.0 NIST 800-53 SECURITY AND PRIVACY CONTROLS _____________________ 88
4.1 ACCESS CONTROL ____________________________________________________ 88
AC-1 Access Control Policy and Procedures _______________________________________ 88
AC-2 Account Management ______________________________________________________ 88
AC-3 Access Enforcement _______________________________________________________ 90
AC-4 Information Flow Enforcement_______________________________________________ 91
AC-5 Separation of Duties _______________________________________________________ 91
AC-6 Least Privilege ____________________________________________________________ 91
AC-7: Unsuccessful Logon Attempts ______________________________________________ 92
AC-8: System Use Notification ___________________________________________________ 93
AC-11: Device Lock_____________________________________________________________ 93
AC-12: Session Termination _____________________________________________________ 94
AC-14: Permitted Actions Without Identification or Authentication _____________________ 94
AC-17: Remote Access__________________________________________________________ 94
AC-18: Wireless Access _________________________________________________________ 95
AC-19: Access Control for Mobile Devices _________________________________________ 96
AC-20: Use of External Systems __________________________________________________ 96
AC-21: Information Sharing ______________________________________________________ 97
AC-22: Publicly Accessible Content _______________________________________________ 97
AC-23: Data Mining Protection ___________________________________________________ 98
4.2 AWARENESS AND TRAINING ____________________________________________ 99
AT-1: Awareness and Training Policy and Procedures _______________________________ 99
AT-2: Awareness Training _______________________________________________________ 99
AT-3: Role-Based Training ______________________________________________________ 100
AT-4: Training Records ________________________________________________________ 101
AT-6: Training Feedback _______________________________________________________ 101
4.3 AUDIT AND ACCOUNTABILITY __________________________________________ 102
AU-1: Audit and Accountability Policy and Procedures ______________________________ 102
AU-2: Audit Events ____________________________________________________________ 102
AU-3: Content of Audit Records _________________________________________________ 103
AU-4: Audit Storage Capacity ___________________________________________________ 103
AU-5: Response to Audit Processing Failures _____________________________________ 103
AU-6: Audit Review, Analysis and Reporting_______________________________________ 104
AU-7: Audit Reduction and Report Generation _____________________________________ 104
AU-8: Time Stamps ____________________________________________________________ 105
AU-9: Protection of Audit _______________________________________________________ 105
AU-11: Audit Record Retention __________________________________________________ 105
AU-12: Audit Generation _______________________________________________________ 105
AU-16: Cross-Organizational Auditing Logging ____________________________________ 106
4.4 ASSESSMENT, AUTHORIZATION AND MONITORING________________________107
CA-1: Assessment, Authorization and Monitoring Policy and Procedures ______________ 107
CA-2: Control Assessments_____________________________________________________ 107
7
CA-3: Information Exchange ____________________________________________________ 108
CA-5: Plan of Action and Milestones _____________________________________________ 108
CA-6: Authorization ___________________________________________________________ 109
CA-7: Continuous Monitoring ___________________________________________________ 109
CA-8: Penetration Testing ______________________________________________________ 110
CA-9: Internal System Connections ______________________________________________ 110
4.5 CONFIGURATION MANAGEMENT _______________________________________112
CM-1: Configuration Management Policy and Procedures ___________________________ 112
CM-2: Baseline Configuration ___________________________________________________ 112
CM-3: Configuration Change Control _____________________________________________ 113
CM-4: Security and Privacy Impact Analyses ______________________________________ 114
CM-5: Access Restrictions for Change____________________________________________ 114
CM-6: Configuration Settings ___________________________________________________ 115
CM-7: Least Functionality ______________________________________________________ 115
CM-8: System Component Inventory _____________________________________________ 116
CM-9: Configuration Management Plan ___________________________________________ 117
CM-10: Software Usage Restrictions _____________________________________________ 117
CM-11: User-Installed Software __________________________________________________ 118
CM-12: Information Location ____________________________________________________ 118
CM-13: Data Action Mapping ____________________________________________________ 118
CM-14: Signed Components ____________________________________________________ 118
4.6 CONTINGENCY PLANNING _____________________________________________ 119
CP-1: Contingency Planning Policy and Procedures ________________________________ 119
CP-2: Contingency Plan ________________________________________________________ 119
CP-3: Contingency Training_____________________________________________________ 120
CP-4: Contingency Plan Testing _________________________________________________ 121
CP-9: System Backup __________________________________________________________ 121
CP-10: System Recovery and Reconstitution ______________________________________ 122
4.7 IDENTIFICATION AND AUTHENTICATION _________________________________123
IA-1: Identification and Authentication Policy and Procedures ________________________ 123
IA-2: Identification and Authentication (Organizational Users) ________________________ 123
IA-3: Device Identification and Authentication _____________________________________ 124
IA-4: Identifier Management _____________________________________________________ 125
IA-5: Authenticator Management_________________________________________________ 125
IA-6: Authenticator Feedback ___________________________________________________ 127
IA-7: Cryptographic Module Authentication________________________________________ 128
IA-8: Identification and Authentication (Non-Organizational Users) ____________________ 128
IA-9: Service Identification and Authentication _____________________________________ 128
IA-11: Re-Authentication _______________________________________________________ 129
IA-12: Identity Proofing_________________________________________________________ 129
4.8 INCIDENT RESPONSE _________________________________________________ 131
IR-1: Incident Response Policy and Procedures ____________________________________ 131
IR-2: Incident Response Training ________________________________________________ 131
IR-3: Incident Response Testing _________________________________________________ 132
IR-4: Incident Handling _________________________________________________________ 132
IR-5: Incident Monitoring _______________________________________________________ 133
IR-6: Incident Reporting ________________________________________________________ 133
IR-7: Incident Response Assistance ______________________________________________ 134
IR-8: Incident Response Plan____________________________________________________ 134
IR-9: Information Spillage Response _____________________________________________ 135
4.9 MAINTENANCE _______________________________________________________ 136
MA-1: System Maintenance Policy and Procedures _________________________________ 136
MA-2: Controlled Maintenance __________________________________________________ 136
8
................
................
In order to avoid copyright disputes, this page is only a partial summary.
To fulfill the demand for quickly locating and searching documents.
It is intelligent file search solution for home and business.
Related download
- leave request form authorization united states navy
- after action report sample office of the under secretary
- modifications guide
- tax information security guidelines for federal state and
- aid codes master chart aid codes medi cal
- sample schedule a letter veterans benefits administration
- scoring rubric for oral presentations example 1
Related searches
- federal guidelines for salaried employees
- vanguard state tax information 2018
- combined state and federal tax calculator
- federal taxes and social security income
- state and federal tax calculator
- state and federal income tax calculator
- federal sentencing guidelines for drugs
- federal income guidelines for housing
- federal guidelines for workers compensation
- information security roles and responsibilities
- federal income tax social security worksheet
- information security education and awareness