IRS Publication 1075, Tax Information Security

IRS Publication 1075, Tax Information Security

Publication 1075 Tax Information Security Guidelines For Federal, State and Local Agencies Safeguards for Protecting Federal Tax Returns and Return Information IRS Mission Statement Provide America’s taxpayers top-quality service by helping them understand and meet their tax responsibilities and enforce the law with integrity and fairness to all. Office of Safeguards Mission Statement The Mission of the Office of Safeguards is to promote taxpayer confidence in the integrity of the tax system by ensuring the confidentiality of IRS information provided to federal, state, and local agencies. Safeguards verifies compliance with IRC 6103(p)(4) safeguard requirements through the identification and mitigation of any risk of loss, breach, or misuse of Federal Tax Information held by external government agencies. Changes for September 2016 Revision This publication revises and supersedes Publication 1075 (October 2014) and is effective September 30, 2016. Feedback for Publication 1075 is highly encouraged. Please send any comments to [email protected]. Following are the highlighted changes: 1) Editorial changes have been made throughout this document to update website references and links, as well as to renumber sections and to clarify guidance 2) Table of Contents updated. Please find “tables” listed under respective sections rather than at the end of the Table of Contents 3) Section 1.3 – “Access Safeguards Resources Online” changed to “Access Safeguard Resources” 4) Section 1.3.1 – Added “Website Resources” 5) Section 1.3.2 – Added “Mailbox” 6) Section 1.4.1 – “Federal Tax Information (FTI)” – Added reference to include the Centers for Medicare and Medicaid and IRC 6103(p)(2)(B) Agreements 7) Section 2.7 – Created Section 2.7.1 “On-Site Review Process” and 2.7.2 “Computer Security Review” to elaborate on the Safeguard Review Process 8) Section 2.9 – Added “Voluntary Termination of Receipt of FTI” 9) Section 2.9.1 – Added “Archiving FTI” 10) Section 2.9.2 – Added “Termination Documentation” 11) Section 3.2 – Updated “Electronic and Non-Electronic Logs” requirements and deleted duplicate log sample 12) Section 4.4 – Deleted duplicate paragraph for FTI in transit 13) Section 4.6 – “Offsite Storage Requirements” – Updated to show agency-type specific requirements 14) Section 4.7.1 – “Equipment” - Added exception for use of VDI and updated to include personally-owned devices 15) Section 5.1.1 – Added “Background Investigation Minimum Requirements” 16) Section 5.4.2 – Added guidance for use of Consolidated Data Centers 17) Section 5.4.2.1 – Added all contractor and shared sites to be included in Safeguard reviews Publication 1075 (September 2016) i 18) Section 5.4.3 – Added “Review Availability of Contractor Facilities” 19) Section 6.3 – Updated “Disclosure Awareness Training” 20) Section 7.2.1 – Renamed from “SSR Update Submission and Instructions” to “Initial SSR Submission Instructions-New Agency Responsibility” 21) Section 7.2.2 – Renamed from “SSR Update Submission Dates” to “Instructions for Agencies Requesting New FTI Data Streams” and includes the mandatory requirement for providing evidence of security testing and ATO before the system is operational 22) Section 7.2.3 – Renamed from “SSR Update Submission Instruction” to “Annual SSR Update Submission Instructions” 23) Section 7.2.2 – Renumbered “SSR Update Submission Dates” to Section 7.2.4 24) Section 7.4 – Added table for 45 Day Notification Reporting Requirements 25) Section 7.4.4 – Removed requirement to notify Safeguards prior to implementing a data warehouse 26) Section 7.4.5 – “Non-Agency Owned Systems” updated 27) Section 7.4.8 – Removed requirement to notify Safeguards prior to locating FTI in a virtual environment 28) Section 8.3 – “Destruction and Disposal” – Updated section to include new requirements regarding shredding and updated regarding whenever physical media leaves the physical or systemic control of the agency 29) Section 9.2 – Updated Table 8 for Automated Compliance and Vulnerability Assessment Testing to include profiles used with these tools can be downloaded from the Office of Safeguards’ website 30) Section 9.3.1.7(b) – “Unsuccessful Log On Attempts (AC-7) - Updated automatic lock period to 15 minutes 31) Section 9.3.1.10 – “Session Termination (AC-12)” – Updated to show information system must automatically terminate a user session after 30 minutes of inactivity 32) Section 9.3.1.15 – “Use of External Information Systems (AC-20) – Updated to reflect personally-owned device requirements. 33) Section 9.3.2.3 – Added definition of personnel with security roles and responsibilities and added distinction from Section 6.3, Disclosure Awareness and 9.3.2.2, Security Awareness Training (AT-2) 34) Section 9.3.3.8(c) – “Time Stamps (AU-8)” – Updated regarding synchronization of internal information system clocks Publication 1075 (September 2016) i 35) Section 9.3.3.10 – “Audit Record Retention (AU-11)” – Added clarification on retention 36) Section 9.3.7.3 – “Device Identification and Authentication (IA-3)” – Added clarification 37) Section 9.3.8.3 – Updated Incident Response Testing to remove the word, “systems” as testing requirements apply to both paper and electronic FTI 38) Section 9.3.11.7 – Updated to reflect 5 year retention period requirement 39) Section 9.3.12.3(c) – Added to Rules of Behavior (PL-4), “review and update at a minimum annually” 40) Section 9.3.15.6 – “Security Engineering Principles” (SA-8) - Added clarification of what security engineering principles include 41) Section 9.4.8 – “Mobile Devices ” - Updated to reflect current restrictions with BYOD 42) Section 9.4.9 – Updated Multi-Functional Devices to include High-Volume Printers 43) Section 9.4.11(g) – “Storage Area Networks” - changed audit review to weekly 44) Section 9.4.13 – “Virtual Desktop Infrastructure” – updated to include agency and non-agency owned requirements 45) Section 9.4.14 – “Virtual Environment” Removed requirement to notify Safeguards prior to locating FTI in a virtual environment 46) Section 9.4.17 – “Web Browser” – Removed requirement a) Private browsing must be enabled on the Web browser and configured to delete temporary files and cookies upon exiting the session 47) Section 10.0 – Updated Reporting Improper Inspections or Disclosures including Table 9: TIGTA Field Division Contact Information 48) Section 12.1 – Updated guidelines for agencies authorized to produce statistical reports in “Return Information in Statistical Reports – General” 49) Exhibit 7 – “Safeguarding Contract Language” - added additional requirements in Section I Performance and Section III Inspection 50) Exhibit 10 – Changed to reflect updated SSR Requirements 51) Exhibit 12 – Glossary and Terms is no longer labeled, but is still found in the back of the publication Publication 1075 (September 2016) i Table of Contents 1.0 Introduction .................................................................................................................................................... 1 1.1 General ..................................................................................................................................... 1 1.2 Overview of Publication 1075 ................................................................................................... 2 1.3 Access Safeguards Resources ................................................................................................. 3 1.3.1 Website Resources .......................................................................................................................... 3 1.3.2 Mailbox ............................................................................................................................................... 3 1.4 Key Definitions .......................................................................................................................... 4 1.4.1 Federal Tax Information (FTI) .......................................................................................................... 4 1.4.2 Return and Return Information ........................................................................................................ 4 1.4.3 Personally Identifiable Information ................................................................................................. 5 1.4.4 Information Received From Taxpayers or Third Parties ............................................................. 5 1.4.5 Unauthorized Access ........................................................................................................................ 6 1.4.6 Unauthorized Disclosure .................................................................................................................. 6 1.4.7 Need to Know .................................................................................................................................... 6 2.0 Federal Tax Information and Reviews ...................................................................................................... 7 2.1 General ..................................................................................................................................... 7 2.2 Authorized Use of FTI ............................................................................................................... 8 2.3 Secure Data Transfer ............................................................................................................... 8 2.4 State Tax Agency Limitations ...................................................................................................

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    180 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us