Safeguards 2 Building New Processes or Procedures

To view this page ensure that Adobe Flash Player version 11.1.0 or greater is installed.

JANET MINER: Hello.

I'm Janet Miner, director of the IRS Office of Safeguards.

We are responsible for ensuring the protection of federal tax information, or FTI as you'll hear it referred to, which the IRS provides to local, state, and federal agencies.

While the IRS has an oversight role in protecting FTI, our agency partners receiving the data play the most important role.

Each of the more than 300 agencies who receive FTI from the IRS must build effective security controls into their processes, procedures, and systems to ensure that the confidentiality of tax information is continuously protected from the time of planning for the receipt of FTI throughout its life cycle until the FTI is destroyed or returned to the IRS.

You and I, your agency and the IRS, are in this together.

We must be successful in our efforts to guard the security of FTI.

Neither of us can afford the fallout that comes from the unauthorized disclosure of federal tax information.

The American public expects two things from both of us - first, that we protect the right to privacy and confidentiality of their tax information and, secondly, that we work together proactively to be as efficient as possible.

When we are exchanging their sensitive financial information, we must ensure that their personal data is not inappropriately shared with others.

As part of working in tandem to protect FTI, we routinely discuss with agencies the security requirements to include in new processes, procedures, or policies which they may be building.

Many times the new processes or procedures are needed due to changes in the data an agency may be receiving or because system improvements have afforded an agency with the opportunity to change the way they do business.

Anything Safeguards can do on the front end to partner with an agency building or implementing new processes or procedures involving FTI is in all of our best interests.

This information is designed to assist local, state, and federal agencies to be fully compliant with Publication 1075 requirements.

It will cover key elements an agency should include for data protection.

Before we move into the substance of our discussion, let me just say thank you for everything you do to protect the confidentiality of federal tax information.

I truly appreciate it.

SHAWN BUCKNER: Hi.

I'm Shawn Buckner, and I will be the moderator for today's discussion.

I'm the Acting Chief, Program Operations, in the IRS Office of Safeguards.

Joining me on the panel today are Sammi Shultz, the project manager for our office, and Jonathan Isner, the project lead from Booz Allen Hamilton, our contractor for computer security support.

Today, we want to talk about building safeguarding requirements into the new processes, procedures, or policies which involve the use of federal tax information.

Okay.

Let's get started.

Before we get too far, Sammi, can you talk about what federal tax information is?

SAMMI SHULTZ: Sure.

Federal tax information is return and return information where the IRS is the source of the information that's provided to the state or federal agencies.

It always comes back to who was the source of the data.

Now, for some different types of agencies, the IRS isn't directly who provides the information to the agency.

For instance, there's the Financial Management Service, or FMS, which is the sister agency for Treasury, or Social Security.

They process on our behalf, and so the agencies may actually receive it from those agencies instead of us.

But it's still our data.

The source is really what makes up federal tax information.

Federal tax information never loses its integrity as federal tax information.

So, once an agency receives it, it always is federal tax information as long as we are the source of that data.

SHAWN BUCKNER: What are the circumstances when an agency will most likely be establishing a new process or procedure for FTI?

SAMMI SHULTZ: Generally there's two.

One would be if an agency is already an existing data-sharing partner with the IRS but they're receiving a new data set.

So, for some reason they're getting new data that they previously haven't had.

So, as they start using that data, they're going to have to come up with the process and procedure around that new data.

The other is if they're a new trading partner - they're someone that's never received federal tax information from the IRS before.

So, for those agencies, they're starting from scratch.

They don't have existing processes to build off of.

They have to build them completely from scratch.

SHAWN BUCKNER: Jonathan, on that note, any advice you'd give to agencies starting down that path?

JONATHAN ISNER: Yeah, absolutely.

I mean, a great first step is to really get the I.T.

support collaborating with the business side and have them come together.

It's a great opportunity to talk through what the data flow is going to be through your environment once you receive that data and really map it out.

A simple way to approach it could just be looking at the who, what, when, where, why, and how.

You know, just ask yourself those questions.

Who's going to need access, you know, from what departments within the organization?

How are they going to get access, whether it's systemically or on paper?

Those simple questions are a great first start.

SHAWN BUCKNER: Sammi, where should an agency begin with starting their process?

SAMMI SHULTZ: First they need to begin with getting themselves familiar with the Publication 1075 since that puts all the requirements in place, and they need to be real familiar with this.

And then my second recommendation is to build off what Jonathan said - start with the process that you have set down with the I.T.

and the program side and figure out what the data flow is going to be.

And the next step on the requirements is then the logging requirements.

Federal tax information has to be logged from the time it's received to the time it's destroyed.

And since you already know what the data flow is, determining where your logging opportunities are as the federal tax information goes from one person to the next, that's probably the easiest thing to do first.

And it also builds off the work you've already been doing to come up with what the data flow is.

SHAWN BUCKNER: Jonathan, how would an employee know what data needs to be logged and what is FTI?

JONATHAN ISNER: What we're going to talk about here is labeling.

You can't really know if you have FTI unless there's a label on it that says such, so you can't really restrict access to something if the outside of it is not labeled properly for the recipient to understand what it is they have in their possession.

So, we're talking labeling for paper media, as well as digital media.

So, any scanned copy or printed file, it needs to have some sort of label identifying it as federal tax information.

Now, you know, with over 300 agencies that Safeguards provides oversight for, we can't tell you how to do that for everybody.

So we leave that part up to the agency to really figure that out.

But it's just that identifying label that's going to let someone know that they're handling federal tax information and that they need to take care when handling it.

SAMMI SHULTZ: Building on what he's saying, for a piece of paper that has federal tax information - a screen print, if you will - there's a myriad of different ways that an agency can go about marking it or labeling it.

Literally they can take a pen and write across the top of it "federal tax information."  They can use stamps.

And we know of several agencies that have a stamp that every time they print something, it gets stamped.

There are labels that we provide to the agencies - that's Notice 129 - which are like an address label that says that this document contains federal tax information.

Folders that contain federal tax information - you can put those 129 labels on the front of them.

Backup tapes - You were talking about electronic media.

There are little, tiny - they're really tiny - Notice 129-Bs that are for the outside of backup tapes that says, "This contains federal tax information."  So, regardless of whether it's an electronic media, which could be a backup tape, a server, whatever it may be...

JONATHAN ISNER: A hard drive.

SAMMI SHULTZ: ...a hard drive, right, or it's a piece of paper or a file folder, it just needs to be marked as federal tax information.

The other thing that needs to be marked as federal tax information is actually the federal tax information on the screen that someone may see.

By having that marked and then you do a screen print, you'll be able to identify exactly that that's federal tax information.

So, labeling is a really key concept.

SHAWN BUCKNER: Does the IRS provide any tools for labeling that agencies can get their hands on?

SAMMI SHULTZ: As I said, we have the 129-A and B, which are basically to put on either backup tapes or paper.

What we normally suggest as far as a systems backup is that they use a naming convention.

So, they may use "FTI," for instance, somewhere in their naming convention, or they may use something that makes sense to them.

And it doesn't matter to us.

We don't really care what they do use.

They just need to somehow name it in such a way that they know that that's federal tax information.

SHAWN BUCKNER: So, there's no wrong way to do it, per se, as long as you're in the constraints of what the rules require.

SAMMI SHULTZ: Right.

As long as you label it, there's really no wrong way to do it.

SHAWN BUCKNER: So, Sammi, can agencies use federal tax information for anything they'd like to use it for?

SAMMI SHULTZ: No.

Agencies are provided federal tax information in accordance with Title 26, Section 6103, which is basically the disclosure law in the tax code.

In the disclosure law, it specifically says what they can use the data for.

So, the data that's provided to them - they have to use it only for that purpose that is provided to them.

For instance, the data that's provided to the tax administration agencies around the country - they can only use that data for tax administration.

They can't use it for anything else.

SHAWN BUCKNER: Even if there is an efficiency that a state agency might feel they have a legitimate use that they could use that information for but it's not stated in 6103(p)(4), can they still use it?

SAMMI SHULTZ: No.

If the authority under which they get the data doesn't cover whatever it is that they're wanting to use it for, then they're not allowed to use it.

The data's given to them for a very specific purpose, and they have to use it for that purpose.

That's basically the way Congress wrote the law.

SHAWN BUCKNER: And that purpose only?

SAMMI SHULTZ: And that purpose only.

SHAWN BUCKNER: Are there other components that agencies need to consider when restricting access?

SAMMI SHULTZ: There's a couple, actually.

One has to do with "need to know."  "Need to know" is an underlying concept for disclosure, which is if you don't have a need to know federal tax information, then you shouldn't have access to it.

So, it comes down to - Think if you have two or three different groups of employees that do different tasks.

So, they use different federal tax information.

Each of those groups should have access to only the data elements that they actually need to be able to do their job, but they shouldn't have access to everything because they don't need everything.

So, "need to know" is a key concept when trying to decide who should have access to what pieces of federal tax information.

The whole "need to know" provision really needs to be looked at and followed.

And that's a place - back to the comment you made several minutes ago - about working together with the I.T.

shop and the program side will help you determine who really does need to know.

The program side's going to be able to provide the information that this group of people need this group of information, and a different group may need a different group.

But if they don't talk to the I.T.

side and be able to tell them exactly how they need those roles set up within their systems, then, again, you're having people that don't necessarily have access to the right federal tax information.

When you're developing your process, you need to make sure that the right information is provided to the right people for the purpose for which the data is given to them.

Now, of course, the other complication that comes in on the access side has to do with contractor access.

Some of the authorities by which an agency can receive federal tax information allows for contractor access, and some of them don't.

So, depending on the type of agency and whether they are allowed to have contractors or not, then access to contractors is another piece that would have to be figured out.

JONATHAN ISNER: And that's particularly important in an outsourced data-center environment, when your I.T.

support may not be embedded within your agency, but it may be either run by the state I.T.

department or, you know, outsourced to a commercial vendor.

SAMMI SHULTZ: Right.

Absolutely.

SHAWN BUCKNER: So, it sounds like there are several wrinkles.

I mean, just because an agency has access - is allowed access by the statute to federal tax information, everyone in that agency is not necessarily allowed to have access to everything.

SAMMI SHULTZ: Absolutely.

SHAWN BUCKNER: Individuals get that access on a need-to-know basis, and then there are even additional wrinkles within that, whether you're a contractor or you're a person who works for the agency itself.

Everyone is on that need-to-know, which is dictated by the statute.

SAMMI SHULTZ: You know, Shawn, an example of maybe what an agency needs to follow is what your and my access here at the IRS is.

We don't work in positions that need to have access to federal tax information.

So, we don't have access to federal tax information.

So, if an agency receiving federal tax information has folks like you and I, who, based on what we do every day all day, don't need to have access to federal tax information, then they shouldn't allow those employees to have access, as well.

SHAWN BUCKNER: So, Sammi, if an agency contracts with a vendor, are there additional requirements that that agency must abide by since the vendor has access or potentially has access to federal tax information?

SAMMI SHULTZ: There's two things that the agency needs to do.

The first is a 45-day notification to us.

It's a requirement out of the 1075.

They can follow the Exhibit 12 bullets and fill out their document and send it in to the mailbox.

What the 45-day notice does is it tells the IRS that the agency has contracted with a vendor that is going to have access.

What they tell us in their notification is basically what data they'll have access to and how they're going to protect it.

The other piece that the agency needs to do is ensure that the Exhibit 7 language, which is language that basically puts the contractor on notice, again, that they're going to have access to federal tax information and that there are sanctions associated with the misuse of federal tax information - that language needs to be part of the contract.

If they do those two pieces, then they should be fine.

The one thing to remember, though, as we talked about a few minutes ago, is some agency types are not allowed to have contractor access.

So, if you're one of those types of agencies and you put in a 45-day notice, we're going to deny it because you can't have contractor access to begin with.

SHAWN BUCKNER: So, this isn't a loophole?

This is just clarifying that you would like to add your contractor on to have access to do work that's consistent with the statute.

SAMMI SHULTZ: Right, and that they're supporting your mission.

For instance, if you were a tax agency, that they're supporting your mission for tax administration.

Obviously there has to be support of what the agency's doing.

It puts us on notice that there are additional folks within that agency - their contractors - that have access to federal tax information.

JONATHAN ISNER: It also gives us an opportunity to talk to those agencies and understand what it is they're going to be doing in the outsource environment.

And, you know, maybe we can provide some insight on other questions or issues that that agency might have at that point.

SHAWN BUCKNER: Are there instances where agencies aren't exactly clear on how to navigate writing this letter or what they need to do?

And if those instances arise, what do agencies do?

SAMMI SHULTZ: The Exhibit 12 in the 1075 gives them bullet points to speak to.

The place we actually get the most questions is if an agency is hiring expert witnesses for the next year and they know they're going to use expert witnesses, but they don't know exactly who they're going to hire and when they're going to hire them.

Then what we do is we have them go ahead and put the notification together and just in the notification don't say who they're hiring and the dates and instead give us some information - add a paragraph, if you will - that talks about this is sort of a blanket for a particular - what we usually do is for a year.

And so it's almost like a blanket 45-day.

And then later when they do hire someone who's an expert witness, they just send the notification in to the mailbox to say, "We hired Shawn Buckner for these dates."  And we just associate it with the approved 45-day.

But that is coming up more and more as we have folks that hire people like expert witnesses or even the computer end, where you know you're going to have somebody in because you know you're going to break a server somewhere during the year, but you don't know exactly what vendor it's going to be.

And so we do these blanket 45-days that are usually for a particular year for a particular type of task.

And then they just notify us who they hired under that contract to come in.

SHAWN BUCKNER: Sammi, what physical security controls should an agency be mindful of when it comes to storing federal tax information?

SAMMI SHULTZ: The basic rule is "two barrier."  There always needs to be two barriers between federal tax information and someone who's not authorized to see it.

In most instances, the easiest way would be putting the - you know, say this is federal tax information - locking it in a filing cabinet and then it's in a locked office.

In some instances, your space is such that you really don't have where you have multiple offices, so during the day, if the federal tax information is locked in the filing cabinet and the staff have a badge above their waist, then they could actually serve as a second barrier.

But generally you just have to always have two barriers between the federal tax information and someone who's not authorized to see it.

And so it counts for paper, but it also counts on the I.T.

end.

If you have servers in a computer room, then you have to lock up your servers in such a way that you also have two barriers for those servers.

So, it's federal tax information regardless of whether it's electronic or whether it is paper.

That federal tax information always has to have two barriers.

JONATHAN ISNER: So, Sammi, in the instance where there's an outsource data center and you have multiple agencies being hosted in one data center and it's not necessarily that everyone in that room is authorized for federal tax information but they need to be there to do their job, does that second barrier instance where the badge can serve as a second barrier - does that still ring true there?

SAMMI SHULTZ: No.

Good question.

No, it doesn't.

In those kinds of instances, then you need to come up with a different way to have your two barriers, especially if you have folks from different agencies that need to be in that computer room.

What we see most often is that an agency will lock their servers into the server rack and then they'll lock the server rack and they keep control of the keys.

And they make sure that someone who's not authorized for federal tax information doesn't have those keys.

A lot of times, a secure storage isn't high-tech kind of answers.

Most of the time it's going to the low-tech answers to be able to make sure that whatever you're doing, you're building two barriers between someone who's not authorized to have federal tax information and the federal tax information.

The thing to remember is you always start at the federal tax information and work out.

Don't start at the outside door and work in.

Start at the federal tax information, whether it's a piece of paper or whether it's a server, and then work out to make sure that you have your two barriers in place.

SHAWN BUCKNER: Let's build on that.

Say, for example, you have a agency that has the authority to have federal tax information - let's say it's the headquarters - and they want to send their information to a field office.

What do they do?

SAMMI SHULTZ: They still have to keep two barriers in play.

So, they can double-envelope if it's a small package if it's just paper.

They can put it in double-boxed - so, you put one cardboard box inside of another cardboard box.

You can use a locked container, so you put it in an envelope and then put it in some type of locked container.

You have to continue to have two barriers in place.

The other piece that has to be in place is that there needs to be a transmittal.

Generally the transmittal needs to say, "We're sending this information from this place to that place."  And there's actually three copies of the transmittal made.

One is retained by the person who is sending it.

The other two are sent - Say I'm sending it to you.

I would send you the double-wrapped information and two transmittals.

You would sign both transmittals, send me one back, and you would keep one.

So, both you and I would have a signed transmittal with both sets of signatures saying when it went and when it came back.

If for some reason you knew something was coming and you hadn't received it, then you could call me and I could trace through what I have on the transmittal.

And if I haven't received back the signed transmittal where you've signed for receipt, then I know it may not have received - Excuse me.

I know you may not have received it.

And then I have to go check and find out where it is.

So, by having the transmittal form where it goes with the data and then it comes back, both of us, the recipient and the person sending, can make sure that there is no federal tax information that's lost in transit.

SHAWN BUCKNER: And does that double wrapping also require double labeling?

SAMMI SHULTZ: Yes.

It should be double-labeled, as well.

SHAWN BUCKNER: And why is the double labeling important?

SAMMI SHULTZ: Because if the first box fails, the first envelope fails, you still have something there saying where it needs to go so that hopefully the federal tax information doesn't get lost in the mail or lost in transit.

That second address then ensures that hopefully, if the outside box or outside envelope gets torn, it's still going to get where it needs to be.

SHAWN BUCKNER: So, Jonathan, once an agency is done with the FTI they have, how do they dispose of it?

JONATHAN ISNER: Right, so, this really depends on, first of all, what type of media it is and then what do they plan to do with that media, whether it's, you know, final destruction or if they plan to repurpose it.

So, for paper media, it needs to be shredded at 5/16 of an inch, crosscut shredding.

So, that really prevents you from reading it or really even reconstructing that paper.

For electronic media such as backup tapes or hard drives, discs, things like that, if the agency intends to reuse that media for another purpose, the data needs to be cleared electronically, which means it needs to be - the tracks on that disc need to be overwritten at a minimum of three times in order to electronically clear that data before it's transitioned on to its next use.

Now, if they don't plan to use that media anymore, they first need to clear it in that same manner, but then they need to go through another step of destroying the media, either electronically degaussing or using other methods to destroy.

SAMMI SHULTZ: Now, one of the things they also need to do is they need to test every third one to make sure that it really is clear.

It's sort of a random - You know, every third piece that they are going to go ahead and either degauss or just clear so that they can reuse they need to test to make sure that they really are clear.

SHAWN BUCKNER: So, Sammi, once an agency builds its new procedure, documents it in writing, what's next?

SAMMI SHULTZ: The real next part is training.

They need to make sure their employees understand that they have federal tax information and what they're going to do with it.

Obviously training is a huge piece of protecting federal tax information because an employee can't be expected to protect federal tax information when they don't know what they have really is federal tax information.

And so once an agency has developed their procedures, they've put them into writing, they've distributed them to their employees, our recommendation is they go ahead and have some type of training with their employees, as well, especially over what is different from what they may have done previously now that they're using federal tax information to make sure that all of the protocols for protecting the federal tax information really have been told to the employee, the employee understands them, and they're ready to roll.

SHAWN BUCKNER: So, we covered a lot of things.

In the event that an agency needs some additional help, how do they get assistance?

SAMMI SHULTZ: There's actually two different ways that I would recommend an agency get assistance.

One, they can go out to the IRS.gov Website that is Safeguards.

And if they'll go into IRS.gov and then put "safeguard reports" in the search box, we should come up the second order down.

They click on that, and they'll be at our main landing page.

Off that landing page, there is a "technical topics" link that they can go into.

As agencies around the country have asked us questions over the last five years, we've created answers for them based on what their questions were.

And anytime we really thought that the answer was something that other agencies may need to see, we've gone ahead and put a lot of those technical topics up on IRS.gov.

So, that would be my first place to go look to see if there's something up there already.

If not, the agency needs to send an e-mail to us - to safeguardreports@IRS.gov, the normal mailbox we use for everything - and ask their question.

Now, if it's something that they think is fairly simple and they're just asking for clarification, then they should just type it out, kind of lay out what they're asking, and send it in.

The other thing they can do is if they want a conference call - if what they're doing is complex and they really want to have a dialogue with us, again, they would send an e-mail in, but they need to say in their e-mail that, "We would like a conference call," and that, "This is basically our topic," so that we can staff it properly.

But we're more than happy to talk to the agencies.

Jonathan and I do dozens of these a month to sit down and help agencies as they're trying to figure out the how.

The 1075 says this is what you have to do.

The agencies have to figure out the how, and we're more than happy to help agencies figure that out.

JONATHAN ISNER: Yeah, I think that's a great tool for agencies because we do get a lot of the same questions all the time, believe it or not.

But, you know, the answers are highly subjective.

So, it's really nice to just be able to talk through what their issues are in specific.

And the conference call, I think, is a great tool to do that.

SAMMI SHULTZ: Well, and Jonathan makes a great point because while there's generally only, you know, five or six ways for any given question to pretty much implement it, it's so constrained by the context of that agency - what kind of I.T.

do they have, what kind of resources do they have, how are their offices laid out.

And all of those variables make an answer for one agency very different than an answer for another agency because it's all about context and circumstances.

So, we're more than happy to sit and talk with an agency, to be able to say, you know, "This is what you need to do," and then work it through with them if whether that really works in their environment or not.

SHAWN BUCKNER: Sammi, Jonathan, thank you.

We've gone through a lot of information today, and we hope that it's been helpful.

We look forward to working with you in the future.

Please don't hesitate to send your questions to our mailbox at safeguardreports@IRS.gov.

Thanks for joining us this afternoon.

JANET MINER: Good security protocols are founded on the idea of continued vigilance such as completing disclosure-awareness training, conducting routine reviews of the agency's policies and processes, and reviewing information-technology systems to ensure access and password protocols are up to the appropriate standards.

We hope that you've found the video informative.

We look forward to working with you as you develop new or revised requirements for working with FTI to accomplish your agency's key mission.

If you need to discuss the Publication 1075 requirements, please do not hesitate to send an e-mail to our mailbox at safeguardreports@IRS.gov to request a conference call.

Again, thank you for your attention and for your efforts to protect the confidentiality of federal tax information.

Goodbye.