11.3.36 Safeguard Review Program

Manual Transmittal
July 21, 2015

Purpose

(1) This transmits revised text for IRM 11.3.36, Disclosure of Official Information, Safeguards Review Program.

Material Changes

(1) Editorial changes have been made throughout this document to update web site references and links, as well as to renumber sections and to clarify guidance.
(2) IRM Section 11.3.36.5.1, Agency Reports, removed.
(3) IRM Section 11.3.36.6, Initial Safeguard Security Report, renamed Initial and Annual Safeguard Security Report, renumbered IRM Section 11.3.36.7, and rewritten to present related procedures.
(4) IRM Section 11.3.36.6.1, Safeguard Security Report Preparation Guidelines, renamed Annual SSR Guidelines and renumbered IRM Section 11.3.36.7.2.
(5) IRM Section 11.3.36.7.1, Initial Safeguard Security Report.
(6) IRM Section 11.3.36.7.2, Annual Safeguard Security Report Preparation Guidelines.
(7) IRM Section 11.3.36.7.3, Annual Safeguard Security Report Content.
(8) IRM Section 11.3.36.8 renamed Safeguard Security Report Analysis.
(9) IRM Section 11.3.36.8.1, Delinquent or Incomplete Reports or Reported Deficiencies, renamed Delinquent or Incomplete Annual SSRs and Deficiencies.
(10) IRM Section 11.3.36.8.2, Documentation, renumbered IRM 11.3.36.6.
(11) IRM Section 11.3.36.9, Need and Use, removed.
(12) IRM Section 11.3.36.9.1, Need and Use Determinations, removed.
(13) IRM Section 11.3.36.9.2, Need and Use Reviews, removed.
(14) IRM Section 11.3.36.10, On-site Safeguard Reviews, removed; section revised and titled Safeguard Review Report.
(15) IRM Section 11.3.36.10.1, Planning and Review, removed; section revised and titled Safeguard Review Report Format.
(16) IRM Section 11.3.36.10.2, Opening Conference, removed; section revised and titled Safeguard Review Report Content.
(17) IRM Section 11.3.36.10.3, Review Techniques, renumbered IRM 11.3.36.15.1.
(18) IRM Section 11.3.36.10.4, Team Coordination, renumbered IRM 11.3.36.15.2.
(19) IRM Section 11.3.36.10.5, Safeguard Review Work Papers, renumbered IRM 11.3.36.15.6.
(20) IRM Section 11.3.36.10.6, Limited Reviews, removed.
(21) IRM Section 11.3.36.11, Safeguard Review Reports, renumbered 11.3.36.10; IRM 11.3.36.11 revised and titled Corrective Action Plan (CAP) Reporting.
(22) IRM Section 11.3.36.12, Management Information Reports, renumbered IRM 11.3.36.19; IRM 11.3.36.12 revised and titled Technical Inquiries (TIs).
(23) New Section IRM 11.3.36.12.1, Timeliness of TI, added.
(24) New Section IRM 11.3.36.12.2, TI Assignment, added.
(25) New Section IRM 11.3.36.12.3, Initial TI Review, added.
(26) New Section IRM 11.3.36.12.4, Initial TI Processing Procedures.
(27) New Section IRM 11.3.36.12.5, Ways to Resolve the TI.
(28) New Section IRM 11.3.36.12.6, Format of E-mail for Closure and QR.
(29) New Section IRM 11.3.36.12.7, Closure of TI.
(30) IRM 11.3.36.13, Report to Congress, renumbered IRM 11.3.36.20; IRM 11.3.36.13 revamped and titled 45 Day Notifications.
(31) New Section IRM 11.3.36.13.1, Agency Submission of Reports and Correspondence, added.
(32) New Section IRM 11.3.36.13.2, Mailbox Staff Responsibilities, added.
(33) New Section IRM 11.3.36.13.3, Notification Assignments, added.
(34) New Section IRM 11.3.36.13.4, Analysis of Notification, added.
(35) New Section IRM 11.3.36.13.5, Report Timeliness, added.
(36) New Section IRM 11.3.36.13.6, DES 45 Day Notification Processing, added.
(37) New Section IRM 11.3.36.13.7, DES Processing to Complete 45 Day Notice Package.
(38) IRM Section 11.3.36.14, Enforcement, renumbered IRM 11.3.36.21; IRM 11.3.36.14 revamped and titled Quality Review.
(39) IRM Section 11.3.36.14.1, Reviewers Actions, renumbered IRM 11.3.36.2.21; IRM 11.3.36.14.1 revamped and titled Quality Review of Safeguard Security Report.
(40) IRM Section 11.3.36.14.2, Directors Action, renumbered IRM 11.3.36.21.2; IRM 11.3.36.14.2 revamped and titled Quality Review of Safeguard Security Report.
(41) IRM 11.3.36.14.3, Alternative Actions, renumbered IRM 11.3.36.21.5; IRM 11.3.36.14.3, Quality Review of Technical Reviews, added.
(42) IRM 11.3.36.14.4, Quality Review of Corrective Action Plan, added.
(43) New Section IRM 11.3.36.15, State and Local Agency Review.
(44) New Section IRM 11.3.36.15.1, Review Techniques.
(45) New Section IRM 11.3.36.15.2, Team Coordination.
(46) New Section IRM 11.3.36.15.3, Need and Use Reviews.
(47) New Section IRM 11.3.36.15.4, Preliminary Findings Report.
(48) New Section IRM 11.3.36.15.5, Closing Conference.
(49) New Section IRM 11.3.36.15.6, Work Papers.
(50) New Section IRM 11.3.36.16, Federal Agency Reviews.
(51) New Section IRM 11.3.36.16.1, Review Techniques.
(52) New Section IRM 11.3.36.16.2, Need and Use Reviews.
(53) New Section IRM 11.3.36.16.3, Preliminary Findings Report.
(54) New Section IRM 11.3.36.16.4, Closing Conference.
(55) New Section IRM 11.3.36.16.5, Work Papers.
(56) New Section IRM 11.3.36.17, Inventory and Management Reports.
(57) New Section IRM 11.3.36.17.1, Technical Inquiries and Notifications.
(58) New Section IRM 11.3.36.17.2, Safeguards Review Report.
(59) New Section IRM 11.3.36.17.3, Safeguards Security Review Report.
(60) New Section IRM 11.3.36.14.4, Corrective Action Plan.
(61) New Section IRM 11.3.36.18, Safeguards Mailbox and Secure Data Transfer, reserved to be published.
(62) Exhibit 11.3.36-3, Quality Review Safeguard Report Preparation Check Sheet, added.
(63) Exhibit 11.3.36-4, Quality Review of Technical Inquiries Preparation Check Sheet, added.
(64) Exhibit 11.3.36-5, Quality Review Safeguard Security Report Preparation Check Sheet, added.
(65) Exhibit 11.3.36-6, Quality Review Corrective Action Plan Preparation Check Sheet, added.
(66) Exhibit 11.3.36-7, Artifact for Review, added.
(67) Exhibit 11.3.36-8, Recommendation for FTI Suspension and/or Termination.

Effect on Other Documents

This material supersedes IRM 11.3.36, Safeguard Review Program, dated September 11, 2014.

Audience

All Operating Divisions and Functions.
Effective Date

(07-21-2015)

Edward Killen
Director, Governmental Liaison, Disclosure and Safeguards (GLDS)
Privacy, Governmental Liaison and Disclosure (PGLD)

11.3.36.1 (09-11-2014) Purpose

This section provides written guidance for all Office of Safeguards personnel when performing safeguard evaluations and reviews. The Safeguards staff is responsible for ensuring that agencies and their contractors who have access to Federal tax returns and return information, collectively termed Federal Tax Information (FTI), from the Internal Revenue Service (IRS) maintain adequate safeguards for the protection of such information. Written procedures and instructional guidelines are included to help the reviewer determine whether the agencies provide adequate protection for FTI that is consistent with Department of the Treasury and Internal Revenue Service guidelines, manuals and regulations.

Note: The term agency includes Federal, state, and local agencies, entities, and agency contractors. The term contractor will generally refer to an agency contractor, while IRS contractors will specifically be referred to as IRS contractors.

The safeguard program is a cooperative effort with the recipient agencies and their contractors to ensure the confidentiality of FTI. Outreach and communication are key elements in promoting protection of FTI. In order to fulfill legal requirements and IRS responsibilities, the program must also maintain viable, enforceable standards and full-time enforcement capabilities.

11.3.36.2 (09-11-2014) Legal Requirements

In accordance with the legal requirements of Internal Revenue Code (IRC) §6103 and written agreements, the IRS discloses FTI to various Federal, state, and local agencies, as well as contractors. IRC §6103(p)(4) requires that agencies receiving tax returns and return information provide adequate safeguards to protect the confidentiality of the tax returns and return information to the satisfaction of the Secretary (of the Treasury).

IRC §6103(p)(4)(E) requires the following recipients of Federal tax returns or return information to report to the Secretary their safeguard procedures for protecting those returns and return information:
- Federal agencies that receive FTI
- The Government Accountability Office (GAO)
- State tax agencies, bodies, or commissions
- State and local child support enforcement agencies
- State public assistance and law enforcement agencies
- State Affordable Care Act (ACA)
  Note: This pertains to any agency, lender, and institution disclosing mailing addresses received pursuant to IRC §6103(l)(6)(A), (l)(12)(B), (m)(2), (m)(4), (m)(6), or (m)(7) to its agent(s) and contractor(s).
- Department of Corrections (DOC) agencies, IRC §6103(k)(10)

The provisions of 26 CFR 301.6103(n)-1(d) authorize the IRS to determine compliance with any safeguards imposed on agency contractors.

IRC §6103(p)(8) requires that states provide safeguards to protect the confidentiality of the paper copy and electronic media copy of the Federal return (or portion thereof) that is attached to or reflected on any state tax returns as may be required of taxpayers by the state.

Note: When preparing for a Safeguard Review that includes IRC §6103(p)(8) data, refer to IRM 11.3.32.14.1, Disclosure to States and Local Governments, which "...authorizes the IRS to require the State agencies maintain adequate safeguard procedures for the returns and return information they receive pursuant to IRC §6103(d)."

IRC §6103(p)(5) requires the Commissioner to furnish annual reports to the House Committee on Ways and Means, the Senate Committee on Finance, and the Joint Committee on Taxation. The reports describe the procedures and safeguards established by the various agencies and their respective contractors who receive FTI, as well as indicating deficiencies on the part of the agencies and their contractors.

IRC §7213 provides criminal penalties for unauthorized disclosures of FTI.

IRC §7213A provides criminal penalties for unauthorized inspection of any return or return information by officers and employees of the United States, officers and employees of persons described in IRC §6103(n), state and other employees.

IRC §7431 provides civil remedies for violations of the disclosure and inspection statutes.

A complete listing of the applicable security laws, regulations, and other guidance is contained in Exhibit 2.1.10-1 and Exhibit 2.1.10-2 of IRM 2.1.10, Automated Information Systems Security.

11.3.36.3 (09-11-2014) Awareness

When an agency receives, or expresses an interest in receiving, FTI, ensure that the agency obtains a copy of IRS Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies. Copies of Publication 1075 can be obtained from http://www.irs.gov/uac/Safeguards-Program.

11.3.36.4 (09-11-2014) Implementing Requirements

Federal, state and local agencies listed in IRM 11.3.36.2 (3) and (4) must submit the following to the Office of Safeguards:
- Initial SSR
- Annual SSR

These reports are described in detail in IRM 11.3.36.7 and IRM 11.3.36.8. The IRS reviews reports received from agencies to determine the adequacy of agency safeguards. If an agency fails to submit the required report or to provide sufficient information to allow the IRS to determine the adequacy of its safeguards, the IRS reviewer may recommend withholding FTI from that agency. , provides additional guidance.

On-site Safeguard Reviews of agencies and their contractors are undertaken when the criteria in IRM 11.3.36.15.1 are met.

11.3.36.5 (09-11-2014) Responsibilities

The Office of Safeguards, located within the Governmental Liaison, Disclosure and Safeguards (GLDS) function, has oversight responsibility for the Safeguards Program.
The Office of Safeguards also has specific program responsibilities as listed in Exhibit 11.3.36-1. The Office of Safeguards has responsibility for the Safeguard Review program for state, federal and local agencies, and other entities.

11.3.36.6 (07-21-2015) Documentation

All steps taken in the review process must be documented within one business day unless extenuating circumstances require additional time. All notes, worksheets, communication contacts, memoranda, and other correspondence will be retained in the file and in notes on e-Trak to support decisions.

11.3.36.7 (07-21-2015) Initial and Annual Safeguard Security Report

IRC §6103(p)(4)(E) requires agencies receiving FTI to file a Safeguard Security Report (SSR) that describes the procedures established and used by the agency for ensuring the confidentiality of the information received from the IRS. The SSR is a record of how FTI is processed by the agency; it states how it is protected from unauthorized disclosure by that agency. The agency shall file an SSR in accordance with Publication 1075, Section 7.2.4, SSR Update Submission Dates.

The SSR should include:
- Future actions that will affect the agency's safeguard procedures
- A summary of the agency's current efforts to ensure the confidentiality of FTI
- Certification that the agency is protecting FTI pursuant to IRC §6103(p)(4) and the agency's own security requirements
- Modifications/changes to the procedures or safeguards described in a previous SSR

Note: SSRs must be approved prior to the initial release of FTI to agencies.

Disclosures Under Multiple Code Sections (Federal Agencies): Some Federal agencies receive FTI from the IRS under the authority of more than one section of the Internal Revenue Code. In these cases, the agency must distinguish between the IRC sections and provide safeguard procedures for each program or use. The agency must file a consolidated SSR for the various programs or uses.

Federal, state, and local agencies using Form 8300, Reports of Cash Payments Over $10,000 Used in a Trade or Business, information available pursuant to IRC §6103(l)(15) must file a separate SSR for this program. All agencies requesting data under IRC §6103(l)(15) are referred to the Office of Safeguards.

Note: Where IRS/CI and the U.S. Attorney's Office are among the participants of a multi-agency task force, and there is an investigative need to obtain Form 8300 information, the Assistant U.S. Attorney (AUSA) assigned to the task force is the requestor of the information. Safeguards FTI responsibility and authority will therefore be centralized with the AUSA's office.

11.3.36.7.1 (07-21-2015) Initial SSR

Agencies executing data exchange agreements involving access to FTI subject to safeguarding requirements must have an approved SSR prior to having access to FTI. See Publication 1075, Section 7.2.1, Initial SSR Submission Instructions. The SSR must be submitted for IRS Safeguards approval at least 90 days prior to the agency receiving FTI. The agency must address all elements in the SSR template at http://www.irs.gov/uac/Safeguards-Program. Additionally, the initial SSR must contain the evidentiary requirements (artifacts), which are focused on:
- Controls that in their absence would potentially leave FTI exposed to a threat
- IRS-specific controls that are critical for the protection of FTI

The Office of Safeguards will perform a comprehensive review of the agency's entire SSR and each control description for compliance with standards to understand the agency's overall security posture before approving the SSR, and may request additional artifacts as needed.

11.3.36.7.2 (07-21-2015) Content of Initial SSR

General:
- Responsible officers or employees
- Functional organizations using the data
- Computer facilities or equipment and system security
- Physical security
- Retention policy and disposal methods
Safeguard activities shall include, at a minimum, the following items:
- Disclosure Awareness Program: Describe the efforts to inform all employees and contractors having access to FTI of the confidentiality requirements of the Internal Revenue Code, the agency's security requirements, and the sanctions imposed for unauthorized inspection or disclosure of FTI.
- Functional organizations using the data
- Computer Facilities or Equipment and System Security: Changes or enhancements
- Physical Security: Changes or enhancements
- Agency Disclosure Awareness Program: The agency should describe the efforts to inform all employees having access to FTI of the confidentiality requirements of the IRC, the agency's security requirements, and the sanctions imposed for unauthorized inspection or disclosure of return information.
- Reports of Internal Inspections: The agency should provide copies of a representative sampling of the inspection reports, and a narrative of the corrective actions taken (or planned) to correct any deficiencies should be included with the annual SSR.
- Disposal of FTI: The agency should report the disposal or return of FTI to the IRS or source. The information should be adequate to identify the material destroyed and the date and manner of destruction, including copies of destruction logs.
  Note: Including taxpayer information in the disposal record is not necessary and should be avoided.
- Other information: The agency should provide other information to support the protection of FTI, in accordance with IRC §6103(p)(4) requirements.
- Planned Actions Affecting Safeguard Procedures: Any planned agency or contractor action which would create a major change to current agency procedures or safeguards will be reported. Such major changes would include, but are not limited to, new computer equipment, facilities or systems to perform programming, processing or administrative services requiring access to FTI.
- Agency Use of Contractors: Agencies must account for the use of all contractors, permitted by law or regulation, to perform programming, processing or administrative services requiring access to FTI.

11.3.36.7.3 (07-21-2015) Annual SSR Preparation Guidelines

Preparation of an annual SSR begins with a review of the previous SSR submission:
- Cover the outstanding actions list
- Identify areas where there is no change (NC)
- Identify areas that are not applicable (NA)
- Address content changes

When an agency requests an extension to file its annual SSR, refer them to Publication 1075, Section 7.2.2, SSR Update Submission Dates.

11.3.36.7.4 (07-21-2015) Annual SSR Content

Agencies are required to submit an annual SSR encompassing any changes that impact the protection of FTI:
- New data exchange agreements
- New computer equipment, systems, or applications (hardware or software)
- New facilities
- Organization changes, such as moving IT operations to a consolidated data center from an embedded IT operation

The following information must be updated in the SSR to reflect updates or changes regarding the agency or safeguarding procedures within the reporting period:
- Changes to information or procedures previously reported
- Current annual period safeguard activities
- Planned actions affecting safeguard procedures
- Agency use of contractors (non-agency employees)

Location of the Data: Include an organization chart or narrative description of the receiving agency organization which includes all functions where tax data must be processed or maintained. If the information is to be used or processed by more than one function, then the pertinent information must be included for each function.
Flow of the Data: The report must contain a flow chart or narrative description of:
- The agency flow of the FTI from its receipt through its return to the IRS or its final destruction
- How FTI is to be used or processed
- How FTI is tracked and protected as it passes through the organizational levels within the agency
- How FTI is commingled with agency data or separated
- The paper or electronic products created from FTI
- Where contractors are involved in the flow of FTI, including
  Note: It will be indicated and noted how FTI is commingled or transcribed into non-tax data that is being used and kept by the agency.

System of Records: A description of the permanent record(s) used to document requests for, receipt of, dissemination of (if applicable), and final disposition (return to the IRS or destruction) of the FTI (including all electronic media). Agencies and their contractors are expected to be able to provide an "audit trail" for all information requested and received; the trail is also to include copies or distribution beyond the original document/media.

Secure Storage of the Data: The agency will provide a description of the security measures employed to provide secure storage for the FTI when it is not in current use. Secure storage encompasses such diverse considerations as locked files or containers, secured facilities, key or combination control, off-site data storage facilities, and restricted areas.

Restricting Access to the Data: A description of the procedures or safeguards to ensure access to FTI is limited to those individuals who have authorized access and a need to know. Describe any physical barriers to how the information will be protected from unauthorized access when in use by the authorized recipient. Describe any physical barriers to unauthorized disclosure (including all security features where FTI is accessed, used or processed) as well as systemic and/or procedural barriers.

Disposal: For all FTI provided by the IRS, and/or produced by the agency and/or contractor (e.g., print-outs, back-up tapes and the like), and not returned to the IRS, provide a written agency report that documents the method of destruction by which records were destroyed (see paragraph (5), System of Records, above).

Information Technology (IT) Security: The written report must describe all automated information systems and networks that receive, process, store, or transmit FTI. Note that all such systems are required to have safeguard measures in place that address all key components of IT security to restrict access to sensitive data. See Publication 1075, Section 9.0. The written report should:
- Describe the systemic controls employed to ensure all IRS data is safeguarded from unauthorized access or disclosure
- Include the procedures to be employed to ensure secure storage of the disks and the data, limit access to the disk(s) or computer screens, and ensure the destruction of the data
- Include additional comments regarding the safeguards employed to ensure the protection of the computer
- Describe in detail the security precautions undertaken if the agency's computer systems are connected or planned to be connected to other systems

The SSR must include procedures for ensuring that all data is safeguarded from unauthorized access or disclosure.

Disclosure Awareness Program: Each agency and contractor that receives returns and return information must have an awareness program wherein employees having access to FTI certify annually to the training received and to receipt of the confidentiality provisions of the Internal Revenue Code, as well as the civil and criminal sanctions for unauthorized inspection or disclosure of FTI. A description of the formal program should be included in the SSR.
11.3.36.8 (07-21-2015) Safeguard Security Report Analysis

In order to make supportable recommendations on the SSR, reviewers need to have a thorough understanding of the applicable statutes, Treasury regulations, agency agreements and contracts, and the agency's and their contractors' system of processing FTI. The SSR team lead assigns the case to an analyst in e-Trak and provides the reviewer 35 business days to complete an analysis.

The reviewer will not accept SSR sections missing evidentiary documents. The reviewer will work directly with the agency to submit the required evidentiary documents. The reviewer will work with the agency to revise any incomplete documents or incomplete sections of the SSR. The reviewer will provide comments in blue font for sections which require additional information.

11.3.36.8.1 (07-21-2015) Delinquent or Incomplete Annual SSRs and Deficiencies

Delinquent Safeguard Security Reports (SSRs) with incomplete information should initially be resolved through informal telephone contact between the reviewer and the agency. If an SSR is missing critical information needed to determine whether FTI is adequately protected, reasonable attempts, including at least one written request, must be made to obtain the missing information.

Formal procedures to withhold FTI will be initiated if an agency fails to:
- Send in an acceptable report, or
- Send in the requested material, or
- Take action to correct a deficiency

Reasonable attempts, including at least one written request, must be made to obtain the missing information or to have the corrective action implemented.

If an SSR deficiency is minor and will not cause unauthorized disclosures, and the deficiency cannot be immediately corrected, then the report will be accepted with the deficiencies noted in a comment in the SSR.

Example: An agency may not have adequate disclosure awareness training for its employees. The agency agrees, but it may take a couple of months to develop a program and complete initial training. The report may be accepted if this condition is documented, including planned follow-up action.

If a control has not been fully implemented, document the current state of the control and the anticipated implementation date.

Completing the Review Process: The reviewer will complete the transmittal letter that is sent to the agency, the SSR Analysis, the SSR Acceptance Checklist and the Deliverable Acceptance Form. Load the documents to the Documents file on e-Trak, make a case note on e-Trak with the actions taken, update the Comments field on the case with the status, update the Email Notification Comments field on the case, and submit the package to quality review. Upon completion of the review, the SSR will be submitted to the head of the agency via U.S. mail and via softcopy to the agency POC.

Note: There are 60 calendar days from receipt of an SSR to deliver the approval back to the agency. Of these 60 days, the DES/CSR has 35 days to conduct the analysis and submit to quality review.

11.3.36.9 (07-21-2015) Safeguard Review Preliminary Findings Report (PFR)

The Preliminary Findings Report (PFR) identifies the items requiring correction to improve the safeguarding of Federal tax information in accordance with Publication 1075 and must be completed during the on-site safeguard review. The PFR is the only document the agency will receive during the on-site review.

For each finding, the evaluated risk of potential loss, breach or misuse of FTI establishes the recommended timeframe for resolution. The risk category is noted next to each finding, in risk category order, in the report to assist the agency in establishing priorities for corrective action.

Note: The findings are reflective of the offices visited during the review but must be implemented at all agency locations.
Risk Category | Associated Timeframe for Resolution
Critical | 3 months from the date of the review closing conference
Significant | 6 months from the date of the review closing conference
Moderate | 9 months from the date of the review closing conference
Limited | 12 months from the date of the review closing conference

A preliminary closing is conducted when the review is still in progress, that is, when additional locations will be visited or outstanding issues need to be resolved; in that case the review closing conference scheduled by the reviewer will generally be held via teleconference. The DES must inform the Chief, SRT prior to the closing if there is a need for a preliminary closing and be granted approval to proceed with a preliminary close out. See section 8 below.

Pre-Review Preliminary Findings Report
- Obtain the latest PFR template from the SharePoint site.
- Complete the cover page of the report to include the state, department name (if applicable), agency name, agency code, month/day/year of the closing conference and "Preliminary Closing", if applicable.
  Example: State of (State Name) - State of Wyoming
  Example: Department Name, if applicable - Department of Social Services
  Example: Agency Name (STACN-TYPE) - Child Support Enforcement (WY82X-CS)
  Example: Month DD, YYYY - October 26, 2014 (Preliminary Closing), if applicable
  Note: The DES should complete the PFR to the extent possible prior to the on-site Safeguard Review.
- Add the names of all on-site safeguard review reviewers to the template.

On-site Review PFR Completion of Findings - Computer Security Reviewer

Completing the PFR with off-site support:
- Complete SCSEMs with a finding statement for each failed test.
- Encrypt and attach the completed SCSEMs to the email, with the information in the following table:

Information | Explanation
Primary Agency | Include the agency code and type (e.g. MO43X-CS)
Shared Agencies | Include agency codes/types for any applicable shared agencies
Risk Level | Critical, Significant, Moderate, or Limited
SCSEM Type | Technology type (e.g., Windows 2003, Network Assessment, etc.)
PFR Title & Hostname | Document how the system title should appear on the PFR, e.g., Windows 7 Tumbleweed Server (WINTWX01)

Completing the PFR without off-site support:
- Complete the PFR template with technology type, hostname and risk level using a high water mark, e.g. Cisco Firewall-(FWSM01) - (Significant).
- Include numbers and percentage rates for each finding header: Passed, Failed, Additional information requested, N/A; Total Number of Tests Performed; and Current Pass Rate.
- Include the following information for each finding: SCSEM Test ID#, NIST Control, and a brief and concise finding statement.
- Compile technologies and use the following order when applicable: MOT and Network Assessment.

On-Site Review PFR Completion of Findings - Disclosure Specialist

The on-site safeguard reviewer must keep track of all findings during the on-site safeguard review. The reviewer has discretion to determine the process for tracking the findings throughout the on-site review. During the on-site safeguard review, as findings arise, the DES and Computer Security Reviewer should apprise the agency points of contact (physical and IT) and provide recommendations for mitigation. The DES should go over the findings with the POC again prior to the closing conference, if at all possible. This will help to eliminate any unexpected issues or concerns during the closing conference. The Standard Findings for PFR document should be used to prepare the PFR while on-site.

Note: The Standard Findings for the PFR document is different from the Standardized Language, which is used in completing the Safeguard Review Report.

The PFR should be updated daily to include all the review findings.

Step | PFR Update Procedures
1 | Input the findings in the appropriate section in risk category order, beginning with the highest level of risk. Example: all critical findings, then all significant findings, all moderate findings, and all limited findings within each section.
2 | Critical findings must be reported to the Chief, SRT immediately. The agency will have one week to report its mitigation strategy for those findings to the Chief.
3 | The risk category is listed immediately following the finding, in parentheses. Example: The agency fails to maintain a system of records (logs) identifying the date information was received, its exact location, who has access to data and, if disposed, the date and method of disposition. See Publication 1075 Section 3.2 and Exhibit 9. (Significant)
4 | Include a comment in parentheses after each finding that briefly describes the issue. Example: The FTI reports electronically sent to the field offices are not logged.

- Add the mandatory comments as required on the PFR for your agency type. Example: The agency does not allow state auditors access to FTI.
- Section H will be provided to the DES as soon as possible in accordance with directions from the on-site SRT Chief. The DES should combine Section H with the A-G portion of the PFR to provide a complete document to the agency. The lead CSR should be available to assist and/or combine the documents if the DES encounters difficulties.
- Remove the "Outstanding Items at the Time of Closing Conference" page. Note: If a Preliminary Closing is held, follow the guidelines outlined in 8 below.
- Use the Safeguard Naming Convention to save the electronic document. Example: WY82X-CS-PFR-102614 (the date is the date of closing).
- Review the PFR for technical accuracy and for grammatical and formatting errors. A quality product must be provided to the agency.
- The DES portion of the PFR must be emailed to the Chief, SRT as soon as possible in accordance with directions from the on-site SRT Chief.
- Provide the completed PFR to the agency Point of Contact prior to the closing conference. The lead CSR should be available to assist in this process should the DES encounter difficulties, to ensure that the closing goes forward as scheduled.
- The document should be provided in enough time to allow the agency POC to make enough copies prior to the closing conference. The DES will need to tell the agency the number of copies needed for IRS staff, including contractors, if applicable.

Post Review (Closing Conference held) PFR Submission
- Load a copy of the PFR to the Documents file in e-Trak. This should be done no later than the Monday following the review.
- Notify the designated support person that the document is loaded. (Check with the SRT Analyst for the designated support person.)
- Input a case note in Note(s) in e-Trak of the actions taken on the case.

Preliminary Closing Conferences - if you were unable to complete the review and a preliminary closing has been approved, the following procedures must be taken:
- On the title page of the PFR, leave the wording "Preliminary Closing".
- Complete the Outstanding Items at the Time of Closing Conference page (last page of the report).
- Establish with the agency POC a date/time for the closing teleconference and apprise the Chief, SRT. The official closing conference should be scheduled, if possible, within one week of the on-site review.
- Once the outstanding issues have been resolved, the PFR must be updated. For further guidance see the procedures outlined in Sections 4 and 5 above.

11.3.36.10 (07-21-2015) Safeguard Review Reports

The Safeguard Review Report serves as a record of the IRS's evaluation of an agency's compliance with the safeguard requirements for the protection of tax returns or return information as prescribed in IRC §6103(p)(4).
The requirements in the Internal Revenue Code have been augmented by other Treasury Department or Internal Revenue Service requirements, as well as National Institute of Standards & Technology (NIST) Special Publication (SP) 800-53, Recommended Security Controls; these requirements must be addressed as well.

Example: NIST SP 800-53 mandates that all automated information systems and networks which process, store, or transmit sensitive but unclassified (SBU) information meet the requirements for Management Security Controls, Operational Security Controls and Technical Security Controls.

Treasury's and NIST SP 800-53 requirements have been incorporated as IRS requirements, and have been included in IRS Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, as requirements for recipient agencies. It is important that an SRR addresses all of the specified requirements, and clarifies the actions agencies and/or authorized contractors must take to achieve compliance with the requirements. The report should be a complete document that provides a description of all findings and recommended actions. Reports should adhere to the Office of Safeguards reporting guidelines (see Exhibit 11.3.36-2).

The letter transmitting the report to the agency will serve as the transmittal document. The letter must be completed using the most current template. The letter must be addressed to the head of the agency. The current primary POC must be named in the body of the letter.
Note: Both the head of the agency and the POC must be correctly listed on the Agency screen in e-Trak.
The next agency CAP due date must be listed correctly in accordance with Publication 1075 Table 5.

All safeguard reviews must address the adequacy of computer security. The report must contain a review of the agency's and contractors' compliance with the computer security requirements contained in the current IRS Publication 1075 (as revised).

The Corrective Action Plan (CAP) accompanies the report. This is the document used by the agency to respond to the report and by Safeguards to track the agency's progress. The agency will report, in its semi-annual CAP, the actions taken on safeguard review recommendations and the deficiencies that remain outstanding. Refer to Publication 1075 Section 7.3.1, CAP Instruction and Submission Dates, for further guidance.

All actions taken and pertinent information regarding the entire review process and the report should be clearly outlined in e-Trak case notes. Safeguards standard report and letter templates, in addition to standardized findings language, should be used to prepare quality reports in a standard format that improves the consistency, accuracy, and quality of reports issued to the agency partners. The reviewer should reference specific sections of Publication 1075 for all findings.

Timeliness of Reports - The SRR should be issued to the agency within 45 days of the final closing conference to convey our commitment to ensuring the confidentiality of FTI and return information. Management should be apprised of circumstances involving reports that have not been forwarded timely.
Note: A review is completed when the SRR is issued to the agency.

Designated support staff will create a case on e-Trak and hold it in intake status until it is ready for Analysis/Prep. When the official closing of the review has occurred, the DES will load the PFR to the documents file on e-Trak. The DES will send the Management Assistant an email indicating that the PFR has been loaded. The Management Assistant will move the case from intake status to analysis/prep status based on DES assignment. The case will show in the DES's tracking inbox on e-Trak. The DES will create assignments for the Computer Security Reviewers (CSRs) for completion of Section H and/or for any other team members that need to work aspects of the case.
Note: The case should have a Case Sub Type of "interim" while it is in the DES status. After the report has been generated, and prior to moving the case to Quality Review, the Case Sub Type must be changed from "interim" to "final".

An SRR is issued even if there is no agreement with the agency on all findings and/or recommendations. The IRS and the agency will continue in a cooperative effort to ensure that the FTI is adequately protected from unauthorized access or disclosure.

11.3.36.10.1 (07-21-2015) Safeguard Review Report Format

In order to promote uniformity in the format of SRRs and to ensure that all reviews and reports address the key areas of the IRS's safeguard requirements, all SRRs will be prepared according to this standard format.

Title Page or Cover Sheet - Each report will have a cover sheet, which must be updated with the agency-specific information:
- The State, Municipality or Federal Agency.
- Agency name and, in parentheses, the specific agency state/fed abbreviation, agency code and agency type. Example: MAXX-DOR or FDXX-FED-XXX
- Month/Year of Report (based on the month the report is issued).

Table of Contents (TOC) - After completing the full report, the TOC must be updated to ensure the page numbers are correct. The F9 key will update the TOC for Sections A-H. A manual update must be done for the Introduction, Background and Scope sections.

Acronyms Listing - Update the Acronyms Listing with the acronyms used throughout the report. Spell out each acronym the first time it is used; subsequently, use the acronym only.

11.3.36.10.2 (07-21-2015) Safeguard Review Report Content

INTRODUCTION - Verify that the Introduction used matches the code authority under which the agency is receiving information. The DES must choose the correct template to use. If no template exists for the agency, such as for federal agencies, briefly outline the statutory provisions, in general, which permit the disclosure of returns or return information, and the intended purpose or benefit(s) of the disclosures. Any limitations or restrictions imposed by the IRC or regulation can be included in the introduction portion of the report, especially if germane to a finding or recommendation elsewhere in the report.
Note: For federal agencies the (d) template may be used, but the introduction must be changed to correspond with the agency and the code authority under which the agency receives FTI.

BACKGROUND - Verify that the Background used matches the code authority under which the agency is receiving information. If using the e-Trak generated template, you must choose the correct template. This section, which is agency and contractor specific, should contain the name of the agency reviewed and, if applicable, the specific organization(s) or function(s) within that agency. If several separate programs are being reviewed, the background section should give a brief description of each program.
Note: For federal agencies the (d) template may be used, but the Background must be changed to correspond with the agency and the code authority under which the agency receives FTI.
- Insert the information highlighted in red on the template in the SRR.
- Develop the information highlighted in blue on the template in the SRR.
- For HS and CS agencies you must identify the relationship between the field office/county offices and the state, i.e. state run/county administered or state run/state administered.
- In the contractor portion you must develop a comprehensive list of all contractors the agency uses that have access to FTI or are listed in the Findings of the report. Contract language must be addressed for each contractor, unless all contracts either contain or do not contain the language, in which case a blanket statement can be used for all.
- In the IT portion you must develop a description of how the agency's IT services are provided. If the agency uses embedded IT as well as a consolidated data center, the services that each provides to the agency should be clear. The Service Level Agreement (SLA) or contract with the agency providing the IT services must be addressed. The last sentence of the IT paragraph should state who at the agency will be required to address the Section H findings.

Example of the contractor and IT portion of the SRR:

12XCS utilizes the following contractors for services that involve the disclosure of FTI. ABC processes FTI for the 12XCS application XLECS and manages the data center operation in Albuquerque, NM. [Contract language included or not for each contractor, or a statement that all or none of the contracts have the language.] District Attorney Offices are employed under cooperative agreements with 12XCS to provide child support services. 123, Inc. provides off-site storage of backup tapes containing FTI for ABC.

The XXXX Department of Human Resources, Information Services Division (XDHR ISD) provides hardware and software maintenance, application support, end user support, workstation management, and systems development for all of the divisions within the Department of Human Resources. In addition, information technology services are provided by the XXXX Department of Finance, Information Services Division (XDOF ISD). The XDOF ISD operates the consolidated state data center that provides information technology infrastructure to directly serve a number of government entities. The XDOF ISD provides infrastructure monitoring and support services, including mainframe support, server management, network services, and development services. XDOF is a separate agency from XDHR. FTI is received at the XDOF ISD Data Center through a CyberFusion connection to a RACF mainframe. The FTI is transmitted to a mainframe hosted at ABC located in City, State. The XXXX Location, Enforcement, and Collection System (XLECS) application resides on the mainframe. End users access the XLECS application from their workstations. In addition, reports containing FTI are generated on the mainframe at the XDOF ISD Data Center and are sent electronically to a server maintained by XDOF ISD residing at the State House Data Center. The Service Level Agreement (SLA) with the agency contains the required Safeguards language. The computer security findings in Section H will require corrective action by XXX and XXX (agency IT Divisions used to process FTI). See Section C of this report for further discussion of the required actions to ensure safeguarding language is in all contracts and agreements with entities with access to FTI, to ensure the continuous protection of taxpayer privacy and confidentiality of FTI.

SCOPE - This section contains descriptive reviewer information regarding the conduct of the review. This section of the report should give the reader a sense of how the review was conducted and what programs and procedures were included in or excluded from the review. In addition, the scope and objectives section should also indicate:
- The highlighted information in red from the template.
- Correct spelling of reviewers' names.
- Correct dates of the review.
- GL should be shown if they participated in the review.
- Agency POC listed as coordinating the review, and their title.
- In the locations section, list every location that was visited for your agency. If someone else visited a location for you, it must be listed and annotated with who visited the site.
- In the personnel section, list everyone interviewed and their title, including personnel reviewed for Section H.

Note: When an SRR is generated from e-Trak, the Title Page or Cover Sheet, Table of Contents, Acronym Listing, Introduction, Background and Scope must be completed accordingly.
FINDINGS AND RECOMMENDATIONS - All safeguard review reports will address each requirement enumerated in IRC §6103(p)(4), and other requirements determined to be necessary to ensure the confidentiality of FTI and return information. To ensure that all the requirements of the IRC, Publication 1075, and the IRM have been addressed, each subsection of this section will contain a statement of the requirement, followed by a description and discussion of the findings and recommendations for each item under that subsection.

Begin creating the SRR. Create "Parent" Findings for Sections A-G by clicking SRR Findings > New SRR Findings:
- Input a finding number: A.1, A.2, G.1, etc., as with the current process.
- Select Open or Held In Abeyance for status.
- Select the appropriate Pub 1075 Section.
- Select the Risk Category, as determined during the on-site review. Risk categories in the report need to be in order by severity.
- Input the Targeted Implementation Date in mm/dd/yyyy based on the risk category. Remember, when calculating the date, use days, not months (90, 180, 270, 365).
- Select No for "Repeat Finding"; if No is not selected, change it. We no longer capture repeat findings, therefore No should always be selected.
- Select No for "Components Exist" (default) for A-G findings. H findings will have components and therefore Yes will need to be checked.
- The Initialization Date will be populated by Operations staff but should be validated by the DES.
- Finding Box: Input standardized language (be sure to use the current version) for the finding and amend as necessary. You must include the risk category after the finding in parentheses. Findings in the PFR should be shown in the report; however, the wording in parentheses in the PFR is not in the SRR. That information is used to develop the narrative. Use complete sentences when writing.
- Add the finding narrative. In most cases the narrative should be as short as possible and describe the issue in the finding. Brackets in the narrative should be removed. Names of offices, locations, etc. used in the findings should be consistent. Example: If the finding shows the Central Office, then the discussion should refer to the Central Office, not headquarters, and it should be spelled the same.

Finding Example: The agency does not maintain an adequate system of records (logs) for tracking the receipt, movement, and disposal of FTI received in paper in Central Registry at the Headquarters Office. (Significant)

The agency must maintain a system of records to track FTI [Form 8796, specific requests, TDS prints, etc., as appropriate] from request to destruction. The log must contain all FTI received or photocopied in accordance with Publication 1075 Section 3.3, Converted Media. The log must include the following elements and be maintained for a minimum of 5 years or the applicable records control schedule, whichever is longer: taxpayer name; tax year(s); type of information (e.g. revenue agent reports, Form 1040, work papers); reason for the request; date requested; date received; exact location of the FTI; who accessed the data; and, if disposed, the date and method of disposition.

- Recommendation Box: Input standardized language and amend as necessary. Your recommendation should resolve your finding. Verify that the targeted implementation dates used in the recommendation match the date in the Targeted Implementation Date box and are calculated accordingly. The dates for each risk category must match the dates in Section H.

Recommendation Example: The agency must establish a system of records (log) for recording requests and receipts of interstate cases and payment updates containing FTI. The targeted implementation date for this recommendation is [DATE], which is 6 months from the date of the closing conference. To close this finding, please provide a copy of the system of records (logs) template used to track the receipt, movement, and disposal of paper FTI with the agency's CAP.
Note: Once the information for numbering, dates, findings/description, recommendation, and the issue codes is filled in, click Save. If you do not save your data, you will lose it and have to re-enter it.

The DES will input all Section H Parent Findings and component findings from the document loaded to e-Trak by the CSR. Parent findings and component findings will be created for every Section H finding, even if only one component exists.
- Input a finding number: H.1, H.2, H.3, etc., as with the current process.
- Select Open for status.
- Select the appropriate Pub 1075 Section.
- Select the Risk Category, as determined during the on-site review. Risk categories in the report need to be in order by severity.
- Input the Targeted Implementation Date in mm/dd/yyyy based on the risk category. Remember, when calculating the date, use days, not months (90, 180, 270, 365).
- Select No for "Repeat Finding"; if No is not selected, change it. We no longer capture repeat findings, therefore No should always be selected.
- Select Yes for "Components Exist" (default) for H findings. H findings will have components and therefore Yes will need to be checked.
- Finding Box: Cut and paste the language from the Section H document. You must include the risk category after the finding in parentheses. If information is missing from the document or is incorrect, the DES must work with the CSR as necessary to resolve it.

The DES needs to input the issue codes for all Findings.
Issue Codes: Use the 1-to-1 mapping to select the correct issue code.
- Select Issue Code Group A-G. Select the appropriate Issue Code in the drop-down.
- Select Issue Code Group H. Select the appropriate Issue Code in the drop-down.
- If there is no direct mapping, choose Other.

Note: Once the information for numbering, dates, findings/description, recommendation, and the issue codes is filled in, click Save. If you do not save your data, you will lose it and have to re-enter it.

Note: Once all findings have been input, the DES will generate the SRR.

The DES must validate the information in the report; ensure the correct information is included in the Title Page or Cover Sheet, Table of Contents, Acronym Listing, Introduction, Background and Scope; and ensure that the report includes all findings and matches the data in e-Trak. The DES uploads the report back to the case using the proper naming convention. The file should be uploaded with a .doc extension. Example: MA104-DOR-SRR-111414.doc

Prepare SRR Letter - If the template is not available on e-Trak, you must obtain the latest version from SharePoint.
- Verify the appropriate code authorities are listed.
- Verify the current head of agency name and address are listed in the Agency Contacts on the Agency screen in e-Trak and are current. If they are not, you must add them.
- Verify whether the agency has Secure Data Transfer (SDT) on the Agency screen in e-Trak.
- Verify the correct CAP dates are shown.
- Verify the signature authority (name and title) on the letter.
- The letter should follow the naming convention format and be dated accordingly. Example: ME01X-CS-SRR-L-091014.doc

Upload the completed SRR and letter by clicking Documents > New Document and inputting the appropriate information:
- Click Document > New Document.
- Select Yes for "Ready for Management Approval".
- Input a comment that the document is ready for QR.
- Click Browse, then select the document from your file system.
- Click Save.

Upload other pertinent documents and create case notes as appropriate. The CSR should upload the documents associated with Section H. If they are not loaded, you must check with the CSR. In addition to uploading the letter and the report, the following documents are reviewed in QR and need to be complete and uploaded prior to moving the case to QR status:
- SCSEM - These are considered your review work papers and should be completed with all failures and include a description of each failure. They should cover the sites visited. The cover sheet should be completed with the required information.
- Deliverable Acceptance Form (DAF) - Ensure that the DAF has been loaded to e-Trak if the computer security portion of the review was conducted by BAH.
- State Agency Contact Information
- PFR
Note: Use the correct naming convention for all documents loaded, in accordance with the naming convention document.

Verify that the findings from the previous review are closed out. This includes all Section H component findings. Make a case note in the previous review case as well as the current case stating the reason for closing the findings (due to a new review).

Prior to moving to QR, make sure all notes on the case are updated. Make a note in the Comments section on the Case screen. Example: 11/14/14 - Forwarded SRR to QR - CB

Add the following to the Email Notification Comments on the Case screen:
- PRIORITY (if the report is under 45 days)
- Report Name: ST/CODE-AGENCY-SRR-DATE
- Number of days open
- Movement = To QR
Example: Priority CO84X-CS-SRR-091014, 30 days, to QR

If the package is returned for edits, a new document must be loaded. The new submission must be updated with the date it is submitted, with all edits completed and all track changes and comments removed.

DES (Case Responsible) moves the case to the Quality Review step:
- Select "Submit for Quality Review" from the Workflow Step drop-down.
- Select the appropriate Quality Reviewer from the drop-down, if not already populated.
- Click Save.

Time Frames to complete the SRR:
- The Computer Security Reviewer has 20 days from the official closing to provide Section H.
- The DES has 35 days from the official closing to submit the SRR to QR.
- Safeguards has 45 days from the official closing to issue the SRR.

11.3.36.11 (07-21-2015) Corrective Action Plan (CAP) Reporting

Corrective Action Plans, or CAPs, are the mechanism by which an agency responds to open findings from the SRR. When the SRR is issued to the agency, they also receive a CAP document. Each open finding on the SRR has a corresponding item on the CAP. Each CAP item is part of the overall Safeguards POAM.
The agency must submit the CAP semi-annually, as an attachment to the SSR. The next CAP due date is six months from the scheduled SSR due date. For a schedule of when the report is due, refer to Publication 1075, Section 7.3.1, CAP Submission Instructions and Submission Dates. If the SRR was issued within 60 calendar days of the upcoming CAP due date in Publication 1075, Section 7.3.1, CAP Submission Instructions and Submission Dates, the agency's first CAP will be due on the next subsequent reporting date, to allow the agency adequate time to document all corrective actions proposed and taken.

11.3.36.12 (07-21-2015) Technical Inquiries (TI)

Technical Inquiries (TI) are communications routed through the Mailbox (safeguards@irs.gov) requesting assistance with interpretations of Publication 1075 and routine Safeguards matters. If a qualified inquiry is received by Safeguards verbally or via direct email, forward the inquiry to safeguardreports@irs.gov for processing. See the section below for instances that do not qualify as a Technical Inquiry.

A TI requires a prompt and accurate response for assistance on properly safeguarding FTI in accordance with Publication 1075. TI responses should be brief and direct, specifically addressing the agency's inquiry. TI responses should clearly state current IRS Safeguards policy and close the matter, to avoid ongoing discussions on the same issue. The objective of the TI process is to provide timely and appropriate answers to agency inquiries by applying existing guidance.

11.3.36.12.1 (07-21-2015) Timeliness for TI

TIs are considered timely if the case in e-Trak is released within 30 calendar days. All TIs in inventory should be worked timely, considering the time-sensitive nature of the agency's inquiry. TIs must be forwarded to Quality Review within 20 calendar days after case creation. See IRM 11.3.36.14.3, Quality Review of Technical Inquiries, for more information regarding the TI Quality Review process.

If additional information is needed from the inquirer in order to process the TI, the case responsible party will attempt contact by phone or email to obtain the needed information as soon as possible after case assignment. If a timely response is not received, the case responsible party will close the TI with an e-mail advising the agency of closure and advising of:
- The information required in order to answer the question
- That the inquiry can be resubmitted with the required information

11.3.36.12.2 (07-21-2015) TI Assignment

Generally, the DES will be assigned the following types of Technical Inquiries:
- FOIA
- Physical Security
- Publication 1075 clarification
- CAP questions relative to SRR Sections A to G findings
- Report

Generally, Computer Security Reviewers will be assigned the following types of Technical Inquiries:
- VOIP
- SCSEM
- Vulnerability scanning
- Computer Security Publication 1075 clarification questions
- CAP questions relative to SRR Section H findings
- SSR Physical Security

Inquiries from agencies under an open review will generally be handled by the DES assigned to conduct the review. The DES is the agency's primary POC for all SSR, CAP, and inquiries from their agency POC. An Open Review is easily identified on e-Trak by the calendar year the review is scheduled to occur, and can also be identified by referencing the Review Schedule.

11.3.36.12.3 (07-21-2015) Initial TI Review

If the case responsible party determines the TI concerns an issue that is not covered in Publication 1075 or is not generally a Safeguards issue, do not delay; discuss with the Chief, SRT for reassignment and resolution. If the scope of the inquiry is beyond your expertise, is not from an agency subject to safeguards oversight, or does not pertain to the safeguard program, do not delay; discuss with the Chief, SRT for reassignment and resolution.

11.3.36.12.4 (07-21-2015) TI Processing Procedures
- The assigned individual will acknowledge receipt of the TI by updating notes in the e-Trak case, summarizing the inquiry.
- Research and contact other Safeguards personnel as needed.
- Contact the requester, resolve the question(s) at hand, and close the TI over the phone whenever possible. Confirm whether a written response is needed.
- Add appropriate e-Trak notes describing:
  - Discussion with the requester
  - Research
  - Contact type(s) made, i.e., phone, email, etc.
  - Contact with other Safeguards or IRS personnel

11.3.36.12.5 (07-21-2015) Ways to Resolve the TI

Resolve the inquiry during the initial phone discussion:
- Document the discussion and the answer provided in e-Trak case notes, as described in the section above.
- Load the original e-mail with your response to the Document file in e-Trak and forward to QR.

Complete required research and prepare a written response:
- Complete the research and document it in e-Trak case notes.
- Load the original e-mail with your response to the Document file in e-Trak and forward to QR.

Facilitate a discussion with the inquirer, in coordination with the computer security reviewer/DES if necessary (coordinate with the Chief or Chief-designated party to determine the appropriate CSR assignment):
- Arrange the telephone discussion.
- Document the discussion in e-Trak case notes.
- If a written response is required, load the original e-mail with your response to the Document file in e-Trak and forward to QR.

11.3.36.12.6 (07-21-2015) Format of E-mail for Closure and QR

Prepare the written response on the original incoming inquiry loaded to e-Trak, and load it to Outgoing Documents in e-Trak. Always use the original incoming TI message. If there were intervening e-mail threads, they may be included in the response loaded to the e-Trak Document file for QR to provide amplifying information. A separate attachment providing the response is not appropriate. Include all attachments to be sent to the agency as part of the response. As written, the response should be appropriate for forwarding to the agency personnel in response to the original incoming message.

An example format is shown below:
- Subject: OH531-SWA-TI, 30-2013-00915 for QR, 20 days
- Opening: Hello (Agency POC), this is in response to your inquiry dated (Month DD, YYYY), concerning (state the subject).
- Body: Type a narrative paragraph restating the agency's question, with the specific answer.
- Closing sentence: I hope this fully responds to your inquiry.

Cite Publication 1075 references as appropriate. The answer should provide guidance that is complete but does not just restate Publication 1075 text. Ensure that the agency will fully meet Publication 1075 standards on the issue if they follow the guidance provided. Do not provide telephone number or e-mail contact information.

11.3.36.12.7 (07-21-2015) Closure of TI

Not all Technical Inquiries require an email/written response (see Ways to Resolve the TI above). Use the most appropriate method, depending on the type and extent of the issues/inquiries raised. When an e-mail response is required, the DES will create an email to the agency requester, copying all individuals on the original incoming message, using the email dropped into Documents in e-Trak. The DES will upload a copy of the e-mail response in Documents.

Technical Inquiries are closed on e-Trak by support staff, who will:
- Locate the e-mail to send in Outgoing Correspondence (if a written response is required).
- Ensure the To line is addressed to the initial party that sent the inquiry, and copy all appropriate personnel from the original e-mail.
- Upload a copy of the sent email in Outgoing Correspondence.
- Add a note to the e-Trak case: "TI closed; response sent to POC".
- Change the Workflow Step to Approve for Release Final.
- Save.

To meet the timeliness metric for Technical Inquiries, the case must be Released in e-Trak within the 30-day prescribed timeframe.

11.3.36.13 (07-21-2015) 45 Day Notifications

Publication 1075 requires agencies to notify the Office of Safeguards prior to executing any agreement to disclose FTI to a contractor, no less than 45 days prior to the disclosure of FTI.
In addition to the initial receipt of FTI (Publication 1075 Section 2.1), the following circumstances or technology implementations also require the agency to submit notification to the Office of Safeguards via the Safeguards mailbox, a minimum of 45 days ahead of the planned implementation, for the following activities that involve FTI:

Activities that involve FTI | Response: FTI is subject to advance approval required to proceed
Cloud computing | Yes, by Safeguards
Consolidated data center | No
Disclosure to a contractor | No, and only applicable for agencies specifically authorized pursuant to 6103 statute or regulation
Re-disclosure by contractor to sub-contractor | Yes, by Safeguards, and only applicable to agencies specifically authorized pursuant to 6103 statute or regulation
Data Warehouse Processing | Yes, by Safeguards
Non-agency owned information systems | Yes, by Safeguards
Test modeling for tax administration | Yes, by Disclosure
Test Environment | Yes, by Safeguards
Virtualization of IT systems | Yes, by Safeguards

The agency is required to provide notification which includes all of the information requested in Exhibit 6.

Note: The Live Data Testing form is not needed in a production environment, only pre-production.

11.3.36.13.1 (07-21-2015) Agency Submission of Reports and Correspondence

All correspondence should be sent electronically by Secure Data Transfer, or encrypted using SecureZip, to the Safeguardsreports@irs.gov mailbox and include a cover letter signed by the head of the agency or authorized delegate. Use of a template will enhance the agency's ability to provide all of the information needed to process the notification. The template suggested for the agency to use is embedded below. The use of this template will minimize processing errors as well as eliminate the contractor check sheet, as the comments will confirm notification compliance.
11.3.36.13.2 (07-21-2015) Mailbox Staff Responsibilities

- Retrieve the 45-Day Notification Letter from the mailbox.
- Assign an e-Trak case to DES and/or for Computer Security Reviewer (CSR) (assignment rules are subject to occasional change and the most current version is located on the Data Services SharePoint site).
- Upload notification from agency into the created e-Trak case.
- Acknowledge receipt of 45 Day Notification via email response.
- Upload acknowledgement email into created e-Trak case.
- Update the e-Trak Case Notes.
- Notify case assignment to SRT Chief, Mailbox Staff, IRS contractor, CSR and DES via email and update e-Trak.

11.3.36.13.3 (07-21-2015) Notification Assignments

45 Day Notification Letters for contractor and/or sub-contractor access to FTI are assigned to DES (see Data Services SharePoint site for the most current version of the assignment rules).

Generally, 45 Day Notification Letters for Live Data Testing, Non-Agency-Owned-Information-Systems, Data Warehouse, Cloud Computing, VoIP, IVR, Web Portals, and Virtual Environment which require Information Technology (IT) review are assigned:
- Computer Security Reviewer (IRS contractor) as e-Trak Case Responsible
- Disclosure Enforcement Specialist (DES) as e-Trak Analyst
- Copy to Supervisor of Mailbox Staff

Note: Agencies seeking to implement VoIP and IVR should seek advice from the Office of Safeguards. The use of contractors for these services will require a 45 Day Notice.

11.3.36.13.4 (07-21-2015) Analysis of Notification

DES Process
- Retrieve the agency's notification letter from e-Trak.
- Contact agency for additional information as needed.
- Reach out to Chief or Senior Technical Advisor as needed.
- Work to completion according to DES 45 Day Notification Processing, IRM 11.3.36.13.6.
- For IT related contractor notifications, complete the contractor portion, upload the documents to e-Trak, and notify IRS contractor of completion.
- Document any delays in e-Trak and notify Chief of any delays.
- Complete and upload the acknowledgement letter to be issued to the Agency to eTrak Documents (template located in Safeguards SharePoint site).
- Upload case cover sheet.
- Submit to Chief or Associate Director for signature (approval authority rules located in Safeguards SharePoint site).

Computer Security Reviewers Process
- Retrieve the agency's notification letter from e-Trak.
- Contact agency for additional information as needed.
- Work to completion within prescribed timeframe.
- Contact DES to inform them of status of account.
- Upload the acknowledgement letter of Agency to e-Trak Documents (template located in Safeguards SharePoint site).
- DES will perform a quality review of above noted letter prior to sending for approval.

Note: If the agency needs a 45 day letter issued on an emergency basis, they should send the notification to the Safeguards mailbox. If necessary, the DES will notify the Chief and/or Senior Technical Advisor if additional guidance is needed.

11.3.36.13.5 (07-21-2015) Report Timeliness

45 Day Notices are timely if processed to completion (Release status in eTrak) within 30 days of case creation in eTrak. DES will notify their Chief if there is a delay in processing beyond 30 days and update eTrak notes. Processing Tax Modeling and IT notification letters often requires additional time; DES will work with Statistics of Income (SOI), CSR, IRS contractor, and Senior Technical Advisor as applicable to complete this process in a timely manner. Notify Chief of the expected extended time frame if it is expected to exceed the 30 day due date.
Note: Non-processible letters are appropriate for use if the agency fails to meet the sufficient requirements in Publication 1075, Exhibit 6, within a reasonable time period after submission of a 45 Day Notice. The Case Responsible party should attempt to perfect the Notices as soon as possible after assignment, but within the 30 day timeframe for processing, using the appropriate method of communication (email, telephone contact) and by issuing appropriate deadlines for response. If the agency fails to meet the deadline, a non-processible letter will be issued. (insert letter in exhibit)

11.3.36.13.6 (07-21-2015) DES 45 Day Notification Processing

- After receipt of assignment notice, retrieve the notification from the eTrak document folder and save to your hard drive.
- Acknowledge receipt in eTrak by entering an eTrak Note.
- Review the information provided to ensure it is within the standards in Publication 1075 and all Exhibit 6 information was provided.
- If additional information is needed from the agency to process the notification, call and/or email the agency POC listed in the notification as soon as possible after case assignment. The agency should respond directly to you and/or may respond to SafeguardsReports@irs.gov and cc you. Provide the agency with a specific due date for the response that is reasonable and within the 30 days allowed for processing 45 Day Notices.
- Document any delays in eTrak along with the cause for such delays and notify Chief if delays are expected to exceed the 30 day metric for resolution.
- If the agency fails to appropriately respond by the due date issued, prepare the non-processible letter.
- Document all information received from the agency in the eTrak case created for the Notice and load documents and emails as appropriate.
- Prepare Safeguards response letter for approved/confirmed Notices. Always address the letter to the Head of Agency, Director, Deputy Director, etc., if the letter has been signed by them.
Do not send the letter addressed to the POC unless this is the only name identified on the letter.

11.3.36.13.7 (07-21-2015) Notifications Involving Tax Modeling, Revenue Forecasting, or Statistical Analysis

DES must coordinate with SOI. Specific current email contacts for coordination with SOI can be found in the desk guide for processing 45 Day Notices. Provide the following in this coordination:
- Copy of the agency's notification
- Copy of the agency's current Need and Use document. If no current Need and Use document is on file, obtain a signed copy from the agency and email to the Disclosure Manager for approval.
- Copy of the agency's separate statement detailing the methodology and data to be used by the contractor.

Notate eTrak with actions taken throughout the process.

Resume processing of the request: Once approved, incorporate SOI's approval statement in the closing letter template. Upload the response letter to outgoing correspondence and the checklist to documents (each of which are templates found in Safeguards SharePoint site). Submit to Associate Director for signature.

11.3.36.13.8 (07-21-2015) Notifications Involving Live Data Testing, Non-Agency-Owned-Information-Systems, Data Warehouse, Cloud Computing, VoIP, IVR, Web Portals and Virtual Environment

If the letter includes contractor notification for Live Data Testing, Non-Agency-Owned-Information-Systems, Data Warehouse, or Cloud Computing, the process is the same as that for any 45 Day Notification letter (IRM 11.3.36.13.3). Complete the combination 45 day letter and/or Live Data Testing, Non-Agency-Owned-Information-Systems, Data Warehouse, Cloud Computing letter when the notification includes contractor notice, using the template found in Safeguards SharePoint site; upload to eTrak under documents, enter an eTrak case note and notify the CSR assigned to the case.
If the Live Data Testing, Non-Agency-Owned-Information-Systems, Data Warehouse, Cloud Computing notification does not include contractor notification, complete the response letter using the template located at Safeguards SharePoint site, upload to e-Trak under documents, enter e-Trak case notes and notify CSR.

The letters/agency responses are signed by the Associate Director (AD). Once CSR has determined that the letter is ready for approval, they are to notify the DES assigned as analyst in e-Trak. The DES will then conduct a quality review of the response and the case and submit to AD for signature if the response is appropriate and the case is complete.

Note: Currently Live Data Testing, Tax Modeling, Outsourcing Mainframes and sub-contractors require Safeguards approval.

Contractor Notice must be made by the Agency, not by their contractor. If Safeguards is in receipt of a 45 Day Notice from a contractor, request that the Agency resubmit as the requesting official. All 45 day letters must be on agency letterhead and signed by the Head of the Agency. Close the 45 Day Notification e-Trak case using the non-processible template. A new eTrak case will be opened upon receipt of an appropriate Notice.
11.3.36.13.9 (07-21-2015) DES Processing to Complete 45 Day Notice Package

Enter a new note in eTrak reflecting:
- 45 Day Notice Processing Check sheet completed and uploaded in documents
- Letter to agency completed and uploaded to eTrak documents
- Forwarded to approving official (Chief/Associate Director) for signature

Documents to be uploaded into eTrak case:
- The original agency notification (this should already be uploaded by Mailbox staff when case was created)
- Additional information provided by agency, if applicable
- Closing letter (to eTrak outgoing correspondence)
- Checklist (notification template)

Letter to agency should be uploaded under outgoing correspondence in eTrak and input should include these instructions:
- Select type "Notification"
- Input date received/created
- Complete title
- Upload file
- Write description (letter)

Instructions for submission for approval within eTrak include:
- Subject line of email comment: "Naming convention, eTrak case #, To (Chief's initials) for signature mm/dd/yy, # of days"
  Note: Priority 35X-IN-CS-45D-ITTrans-050913, N-2013-00748, To GR for signature 06/05/13, 28 days
- Enter "Priority" at the beginning of the email notification comment if the case is 30 days old or less
- Update case screen: select "workflow step" and submit for management approval

11.3.36.14 (07-21-2015) Quality Review

The Quality Review (QR) process provides a method to monitor, measure, and improve the quality of work. QR data may be used to identify trends, problem areas, training needs, and opportunities for process improvement. The QR process builds commitment and capability among Safeguard employees to continually improve customer service, employee satisfaction and business results.
The QR process should provide for the following:
- Finding/Recommendation Accuracy: providing the correct finding that describes the agency issue with the correct recommendation/resolution.
- Statutory/Regulatory/Publication 1075 Accuracy: adhering to statutory/regulatory and Publication 1075 requirements when preparing reports/responses to partnering agencies.
- Process/Procedural Accuracy: adhering to non-statutory/non-regulatory internal process/procedure requirements when preparing reports/responses to partnering agencies.
- Professionalism: promoting a positive image of the Service by using effective communication techniques.
- Timeliness: submitting reports/responses in a timely manner through the use of proper workload management and time utilization techniques.
- Documentation: All steps taken in the review process must be documented within one business day unless extenuating circumstances require additional time. All notes, worksheets, communication contacts, memoranda, and other correspondence will be retained in the file and in notes on e-Trak to support decisions.

Quality Reviews are conducted for the following case types:
- Safeguard Review Report
- Technical Inquiry
- SSR
- Corrective Action Plan

11.3.36.14.1 (07-21-2015) Quality Review of SSR

The following documents should be loaded in the Documents file in e-Trak when the Quality Reviewer receives the case file. Each of these documents should be reviewed by the Quality Reviewer.
- Deliverable Acceptance Form (DAF)
- Safeguard Security Review Acceptance Checklist
- Safeguard Security Review Cover Letter
- Safeguard Security Review Analysis

Written responses should be appropriate for forwarding to the agency personnel in response to additional information needed. If any documentation is missing, the Quality Reviewer should contact the DES/CSR to load the documentation. Verify that the SSR has provided guidance that is complete. There should be a response for every field within the SSR.
The Quality Reviewer should review the SSR for grammar, punctuation, spelling and formatting throughout the report. Minor corrections (grammar, punctuation, formatting, etc.) can be made by the Quality Reviewer without returning/notifying the DES/CSR.

The following items should be reviewed in the SSR:
- SSR responses should clearly state current IRS Safeguards policies.
- Publication 1075 and NIST references should be cited as appropriate.
- Ensure that the agency will fully meet Publication 1075 and NIST standards on the issue if they follow the guidance provided.
- Ensure the title page references the correct agency.
- Outstanding Actions: compare and verify that every item listed is covered in each individual section.

Quality Review of SSR Transmittal Letter: The Quality Reviewer should review the transmittal letter that is sent to the agency. The Quality Reviewer should make minor corrections to the letter. If there are major changes to the letter, the Quality Reviewer should wait until the report is reviewed to load and return the case to the DES/CSR for re-work. Review the transmittal letter for the following:
- Verify that the correct letter template is used.
- Check spelling, grammar, punctuation throughout letter.
- Verify that the official is named correctly.
- Verify proper title is used in the salutation.
- Verify agency name is correct.
- Verify the acceptance (or non-acceptance) statement's validity.
- Verify correct due dates are referenced.

Note: Safeguards has 60 calendar days from receipt of an SSR to deliver the approval back to the agency. Of these 60 calendar days, DES/CSR has 35 days to conduct the analysis and submit to QR.

When corrections are made that must be addressed by DES/CSR, the SSR will need to be returned using the following procedures:
- Rename the documents using the proper naming convention and the current date. If returning the documents on the same date as received, place that comment after the date, so that it can be distinguished from the original file.
- Load the documents to the Documents file on e-Trak.
- Make a case note on e-Trak with actions taken and the necessary corrective actions to be taken by DES/CSR.
- Update the Comments field on the case with the status. Example: 11/04/14 - Ret'd to DES/CSR for edits - SS
- Update the Email Notification Comments field on the case. "Priority" should be used for cases less than 60 calendar days. Example: Priority MAXXX-DOR-SSR-102614, 35 days, ret'd for edits

Completion of SSR Quality Review: Upon completion of quality review (SSR ready for approval/signature) the following procedures should be taken:
- Add any final notes to the case.
- The Comments field should be updated to reflect the status.
- The letter and the report should be loaded to the Outgoing Correspondence file.
  Example Comments Field: QR Complete. Agree with acceptance and sending for signature 11/24/14 - CL
- The Email Notification Comments field should be updated to reflect the current date and number of days open and status.
  Example Email Notification Comments Field: MAXXX-DOR-SSR-102614, 30 calendar days, for approval/signature
- Choose from the Workflow Step: Submit for Management Approval.
- Choose the Associate Director as the Management Approver.

Example: SSR responses do not get forwarded to the Chiefs for approval. SSR responses are forwarded to the Associate Director for approval.

11.3.36.14.2 (07-21-2015) Quality Review of Safeguard Review Reports (SRRs)

SRRs must be forwarded to QR within 35 days for review. The following documents should be loaded in the Documents file in e-Trak when the Quality Reviewer receives the case file. Each of these documents should be reviewed by the Quality Reviewer. If any file is missing, the Quality Reviewer should contact the DES to load the file.
- Deliverable Acceptance Form (DAF)
- State Agency Contact Information sheet
- Safeguards Disclosure Security Evaluation Matrix (SDSEM)
- Safeguard Review Report Letter
- Safeguard Review Report

Prior to the Safeguard Review, the DES should have received the State Agency Contact Information sheet and the Safeguards Disclosure Security Evaluation Matrix (SDSEM) from the agency. At the end of the review, the DES should complete the SDSEM, listing all failures. Comments should be associated with every failure.

Note: If the computer security portion of the review was conducted by the contractor, the DES should complete a Deliverable Acceptance Form.

Previous Review Open Findings: The Quality Reviewer must ensure previous open review findings are closed on e-Trak. Previous review findings and all components should be closed by the DES, or someone otherwise directed by the Chief, upon conducting the on-site review. The DES should have input a note on the current review case and the previous review case indicating that the findings have been closed.

Note: If the previous review finding has not been closed by the DES, the report can still move forward; however, the DES should be notified to correct.

Open CAP Case: If there is an open CAP case associated with the previous review, the DES should forward it along with the SRR to QR. If an open CAP was not received with the report, the Quality Reviewer should conduct a search to determine if one is open. In most instances, an open CAP case would be in analysis/prep status. If there is an open case with the DES that has not been moved to QR, the Quality Reviewer must notify the DES to forward the case. A note must be placed in the Comments field on the case indicating the status, that a new review has been conducted and that nothing is to be sent to the agency with this case. This is to avoid unnecessary confusion in the issuance of CAPs. The Email Notification Comments field should also be updated accordingly.
See examples:
Example Comments Field: To Chief, SRT 2 for approval/closure. A new review has been conducted. Nothing is to be sent to the agency. - CB
Example Email Notification Comments Field: MAXXX-DOR-CAP, 39 days, for approval/closure. Nothing to be sent to the agency.

Verify the DAF that is loaded matches the agency; if not, notify DES to obtain and reload.

Verify that the SDSEM has been completed with failures notated. There should be a comment for every failure. In most cases the failures should match the findings in the PFR and the SRR. If the SDSEM is not complete, notify the DES to correct and reload. A missing or incomplete SDSEM should not hold up the timeliness of an SRR.

The SRR and transmittal letter should be moved to the Quality Reviewer's desktop to work. The SRR and letter should be saved by the DES in .doc format.

Note: e-Trak saves documents in .rtf. Therefore, if the DES does not change the document format, it must be changed by the Quality Reviewer.

The Quality Reviewer should correct the report and letter using the auto correct tool. The Quality Reviewer should review the report for grammar, punctuation, spelling and formatting throughout the report. Minor corrections (grammar, punctuation, formatting, etc.) to Introduction, Background and Scope, and spacing issues between findings can be made by the Quality Reviewer without returning the report and/or letter to the DES or notifying the DES.

The following items should be reviewed in the SRR:
- COVERSHEET: verify coversheet month, agency name, agency code (the agency code for e-Trak should be used), correct format.
- TABLE OF CONTENTS: make sure all pages are updated. Note: A manual change of the pages for the Introduction, Background and Scope is required. To update the Table of Contents for Sections A - H press the F9 key. If these are not correct in the report, the Quality Reviewer should update them.
- ACRONYM LISTING: verify acronyms used in the report are included in the listing.
Acronyms used in the report for the first time should be spelled out, with the acronym in parentheses.
- INTRODUCTION: verify that the correct report template is used for the type of agency: (d), (l)(6), (l)(7), (l)(21). Use the (d) template for federal agencies; however, the DES must change the Introduction, Background and Scope as well as Section G to be specific to the agency.
- BACKGROUND: verify that the information required in the templates based on agency type is reflected in the report. Ensure the paragraph in Background describes who provides the information technology services to the agency and what services they provide. Verify the sentence "The computer security findings in Section H will require corrective action by XXX and XXX." (may just be one) is included.
- SCOPE: The Quality Reviewer should review the following:
  - Make sure reviewers' names are spelled correctly.
  - Governmental Liaison should be shown if participating in the review.
  - Responsible agency employees listed should include the person's title.
  - Locations visited should be named consistently throughout the report. If there is a finding for a location that is not listed, you may need to verify with DES.
  - Verify dates of last Safeguard Review and report (check SP or e-Trak).
- FINDING/NARRATIVE AND RECOMMENDATION: The Quality Reviewer should review the following:
  - Findings in the PFR should be those shown in the report.
  - Verify that the risk category is shown at the end of the finding in parentheses.
  - Findings/Narrative and Recommendation must work together. The recommendation should resolve the issue described in the finding/narrative.
  - Review findings for consistency. Names of offices and locations should be shown the same throughout the report.
  - Verify that correct standardized language is used throughout the report (findings and recommendations match).
  - Verify the narrative provides a description of the issue, if appropriate. It must make sense.
For example: "Doors unlocked." This is not enough of a description. The DES must tell what doors are unlocked and where.
Note: Brackets in the narrative used in standardized language should be removed and not shown in the report.
  - Dates: verify that the DES has used the correct number of days (not months). Dates should be consistent throughout all sections of the report.
- Section H Quality Review:
  - Verify Section H Introduction and MOT and Technology Specific Findings headers are included (DES has to copy and paste).
  - Verify findings listed in the Section H Introduction are shown in the report number for number.
  - Verify risk categories are shown in parentheses in the parent finding.
  - Verify all findings and components are included.
  Note: Additional spacing or incorrect numbers in finding/component numbers input in e-Trak may cause findings/components not to print.

QUALITY REVIEW - SRR TRANSMITTAL LETTER: The Quality Reviewer should review the transmittal letter that is sent to the agency. The Quality Reviewer should make minor corrections to the letter. If there are major changes to the letter, the Quality Reviewer should wait until the report is reviewed to load and return the case to the DES for re-work. Review the transmittal letter for the following:
- Verify that the correct letter template is used.
- Check spelling, grammar, punctuation throughout the letter.
- Verify that the official is named correctly.
- Verify proper title is used in the salutation.
- Verify agency name is correct.
- Verify correct code authorities are cited.
- Agencies that received Beneficiary Earning Exchange Record (BEER) data. Note: For (l)(7) agencies, verify (from report) if receiving BEER data that SSA is included in the letter; if not, it should not be listed. For agencies receiving IRC § 6103(l)(10), verify (from report) both are listed.
- Verify correct CAP dates are shown in the letter.
- Verify that the agency POC in the letter is listed on the Agency Contacts in e-Trak. If not, notify DES to validate/update.
- Verify the signature authority (name and title) is correct.

RETURNING REPORT TO DES FOR CORRECTIONS: When corrections are made that must be addressed by the DES, the report and/or letter will need to be discussed and/or returned to the DES for revision. When possible, discuss with the DES and make corrections. Return the SRR to DES when major corrections are needed or a correction affects another part of the SRR. The Quality Reviewer will notify the SRT Chief by email from e-Trak.
- Rename the documents using the proper naming convention and the current date. If returning the documents on the same date as received, indicate this after the date, so that it can be distinguished from the original file.
- Load the documents to the Documents file on e-Trak.
- Make a case note on e-Trak with the actions taken and the necessary corrective actions to be taken by the DES.
- Update the Comments field on the case with the status. Example: Priority MAXXX-DOR-102614, 30 calendar days, ret'd for edits

COMPLETION OF QUALITY REVIEW: Upon completion of quality review (report ready for approval/signature) the following procedures should be taken:
- The letter and the report should be loaded to the Outgoing Correspondence file.
- Add any final notes to the case.
- The Comments field should be updated to reflect the status. Example: 10/26/14 - To Associate Director for approval/signature - CB
- The Email Notification Comments field should be updated to reflect the current date and number of days open and status. Example: Priority MAXXX-DOR-SRR-102614, 34 days, for approval/signature
- Choose from the Workflow Step: Submit to Management Approval.
- Choose the Associate Director as the Management Approver.

11.3.36.14.3 (07-21-2015) Quality Review of Technical Inquiries (TI)

TIs must be forwarded to QR within 20 days for review. The following documents should be loaded in the Documents file in e-Trak when the Quality Reviewer receives the case file.
Each of these documents should be reviewed by the Quality Reviewer:
- Written response, in informal e-mail format. Always use the original incoming TI message. If there were intervening e-mail threads, they may be included in the response forwarded for QR to provide amplifying information. A separate attachment providing the response is generally not appropriate. Do not include attachments that should be sent to the agency as part of the response.
- Telephonic responses: the documented discussion and answer provided in e-Trak case notes.

As written, the response should be appropriate for forwarding to the agency. If any documentation is missing, the Quality Reviewer should contact the DES to load the documentation. Verify that the TI has provided guidance that is complete. There should be a response for every question within the TI. If the TI is not complete, notify the DES to correct and reload.

The Quality Reviewer should correct the TI using the autocorrect tool. The Quality Reviewer should review the TI for grammar, punctuation, spelling and formatting throughout the report. Minor corrections (grammar, punctuation, formatting, etc.) can be made by the Quality Reviewer without returning/notifying the DES.

The following items should be reviewed in the TI:
- TI responses should clearly state current IRS Safeguards policy and close the matter to avoid on-going discussions on the same issue.
- The narrative paragraph should restate the agency question with a specific answer.
- Publication 1075 references should be cited as appropriate.
- The answer should provide guidance that is complete but does not just restate Publication 1075 text.
- Ensure that the agency will fully meet Publication 1075 standards on the issue if they follow the guidance provided.

If the discussion was held by phone and the TI response is inaccurate, it will be returned to DES and Chief, SRT to clarify our position with the agency POC, preferably with a follow up phone call.
Subsequent action must be documented in the e-Trak case notes and forwarded to the Technical Advisor for approval and closure.

When corrections are made that must be addressed by the DES, the TI will need to be returned using the following procedures:
- Rename the documents using the proper naming convention and the current date. If returning the documents on the same date as received, indicate this after the date, so that it can be distinguished from the original file.
- Load the documents to the Documents file on e-Trak.
- Make a case note on e-Trak with the actions taken and the necessary corrective actions to be taken by the DES.
- Update the Comments field on the case with the status. Example: 11/04/14 - Ret'd to DES for edits - BG
- Update the Email Notification Comments field on the case. "Priority" should be used for cases less than 30 days. Example: Priority MAXXX-DOR-TI-102614, 20 days, ret'd for edits.

Note: When returning TIs to the DES for correction, or making corrections (other than minor corrections), when possible, discuss with the DES. Ensure that the SRT Chief is copied on all TIs returned for correction.

Completion of Quality Review: Upon completion of quality review (TI ready for approval/signature) the following procedures should be taken:
- The written response, in e-mail format, should be loaded to the Outgoing Correspondence file.
- The telephonic response should be documented in the Note file.
- Add any final notes to the case.
- The Comments field should be updated to reflect the status. Example Comments Field: Approved for Closure. Reviewed written TI response regarding. No additional Safeguards action required. Written response required to agency or No written response required to agency.
- The Email Notification Comments field should be updated to reflect the current date and number of days open and status. Example Email Notification Comments Field: MAXXX-DOR-TI-102614, for QR, 30 days, To Technical Advisor for approval/closure. BG.
- Choose from the Workflow Step: Submit for Management Approval.
- Choose the Technical Advisor as the Management Approver, unless otherwise directed by the SRT Chief or other management official.

Example: TI responses do not get forwarded to the Chiefs for approval. TI responses are forwarded to the Technical Advisor for approval.

The Technical Advisor will review the response for clarity, accuracy, and consistency with current policy. The Advisor will either:
- Return to the originator with a request for edits, or
- Approve and forward to the mailbox for release to the agency.

11.3.36.14.4 (07-21-2015) Quality Review of Agency Corrective Action Plan (CAP)

A-CAP cases must be forwarded to QR within 30 days for review. The following documents should be loaded in the Documents file in e-Trak when the Quality Reviewer receives the case file. The Quality Reviewer should contact DES for missing letters:
- If Section H of the CAP has been worked by the contractor, a DAF should be uploaded to the documents file of the CAP case.
- Complete letter to IRS Point of Contact (POC)
- Complete letter to Head of Agency
- CAP loaded by CPU

Note: For older cases there may be more than one CAP. In those instances, the Agency CAP responses must be worked in the order received, which is determined by the date in the naming convention.

The Quality Reviewer should correct the transmittal letters using the autocorrect tool. The Quality Reviewer should review the letters, and the Agency Response and IRS Comments in the SRR case, for grammar, punctuation, spelling, formatting and spacing issues. Minor corrections (grammar, punctuation, formatting, spacing, etc.) can be made by the Quality Reviewer without returning the case for re-work and/or notifying the DES.

Quality Review Sections A-G
- Verify the Agency Responses for each finding have been migrated correctly.
- Verify the Technical Response in the IRS Comment is appropriate.
- Verify the Status Box shows the appropriate status: Open or Closed.
Open Status: Verify the Planned Implementation Date is appropriate.
Closed Status: Verify the Actual Closed Date is correct.

Quality Review Section H
Verify the Agency Responses have migrated correctly.
Verify the IRS Comment is appropriate.
Verify the Status Box shows the appropriate status: Open or Closed.
Open Status: Verify the Planned Implementation Date is appropriate.
Closed Status: Verify the Actual Closed Date is correct.
Verify the Next CAP Due Date is documented correctly in the Comments field.
Note: If all Component Findings have been closed, remember to verify the Parent Finding is closed.

Quality Review of CAP Responses
The DES/CSR should have addressed all open findings. Deficiencies within the SRR findings must be clearly noted in the Notes on the CAP case to allow the DES/CSR to correct them.
Finding Accepted:
Agency response is accepted and the finding is closed. IRS Comments: Agency response is accepted. No further reporting is required.
Agency response is accepted and the finding is open. IRS Comments: Agency response is accepted. Please (Critical or Significant Findings - provide information listed in recommendation and) report the finding status and actual implementation date on the next CAP update.
Finding Not Accepted:
Agency response is not accepted for a Critical or Significant Finding. IRS Comments: Agency response is not accepted. The agency must [Action given in Recommendation]. To close this finding, please provide [Documentation requested in Recommendation] and report the finding status and actual implementation date on the next CAP update.
Agency response is not accepted for a Moderate or Limited Finding. IRS Comments: Agency response is not accepted. The agency must [Action given in Recommendation]. Please report the finding status and actual implementation date on the next CAP update.
Parent Finding: All Components Closed. IRS Comments: All component findings have been addressed. No further reporting is required.
Note: Verify if the Finding has Components; if it does, review all Components. When all Component Findings are closed, the Parent Finding should be closed.
Finding Not Accepted:
Agency response was not received for a Critical or Significant Finding. IRS Comments: Agency response has not been received. The agency must (Action given in Recommendation). Please report the finding status and actual implementation date on the next CAP update.
Agency response was not received for a Moderate or Limited Finding. IRS Comments: Agency response has not been received. The agency must (Action given in Recommendation). Please report the finding status and actual implementation date on the next CAP update.
Agency has a planned implementation date long after the targeted implementation date IRS has requested. IRS Comments: Corrective action is overdue. Please report the finding status and actual implementation date on the next CAP update.

Quality Review of IRS Point of Contact and Head of Agency Letters
Verify the correct letter templates are used.
Check spelling, grammar and punctuation throughout the letter.
Verify that the official is named correctly.
Verify the proper title is used in the salutation.
Verify the agency name is correct.
Verify the Agency Head and POC named in the letters are listed on the Agency Screen in e-Trak.
Verify the next CAP due date is correct.
Note: If there are major changes to the letters, the Quality Reviewer may contact the DES to reload them while working through the CAP.

Returning CAP to DES for Corrections - When corrections are made that must be addressed by the DES/CSR, the CAP case and/or letters will need to be returned to the DES for revision using the following procedures:
Name the documents using the proper naming convention and the current date. If returning the documents on the same date as received, indicate after the date so that it can be distinguished from the original file.
Load the letters to the Documents file on e-Trak.
Make a Case note on e-Trak with the actions taken and the necessary corrective actions to be taken by the DES.
Update the Comments field on the case with the status. Example: 10/26/14 - Ret’d to DES for edits - BG
Update the Email Notification Comments field on the case. “Priority” should be used for cases less than 45 days. Example: Priority MAXXX-DOR-A-CAP-102614, 30 days, ret’d for edits.
Note: When returning the CAP or letters to the DES for correction, or if making corrections (other than minor corrections), send an email notification to the DES, cc: SRT Chief, and discuss with the DES.

Completion of Quality Review: Upon completion of quality review (CAP and letters ready for approval/signature) the following procedures should be taken:
The letters should be loaded to the Outgoing Correspondence file.
Add any final notes to the case.
The Comments field should be updated to reflect the status. Example: 10/26/14 - To Chief SRT for approval/signature - BG.
Choose the appropriate Chief SRT as the Management Approver.
The Email Notification Comments field should be updated to reflect the current date, number of days open and status. Example: Priority MAXXX-DOR-A-CAP-102614, 30 days, for approval/signature
Choose from the Workflow Step - Submit for Management Approval.

11.3.36.15 (07-21-2015)
State and Local Agency Review
Preparation - 90-120 calendar days before review
Telephone or email the agency point of contact (POC) to introduce yourself and confirm the current POC and review dates.
Email the review contact questionnaire to the POC and set an appropriate deadline (approx. 7 days).
Note: If you are unable to determine the primary IRS POC or receive a request for different review dates, please contact the Chief, Safeguards Review Team (SRT) for assistance.
Once the review contact questionnaire is received, upload it to the Documents file in e-Trak using the proper naming convention.
Example: MAXXX-DOR-SACI-102614
Input new contact information into e-Trak.
Document the date received in e-Trak note(s).
Send the review contact questionnaire to the IRS contractor representative to schedule the Preliminary Security Evaluation (PSE) call with the agency.
Prepare the Safeguard Review Report (SRR) Notification Letter. Address the SRR notification letter to the Agency Director. Use the address provided by the agency on the Review Contact Questionnaire. In the event the agency does not respond to attempts at contact or complete the Review Contact Questionnaire, the DES will complete the SRR Notification Letter to the Agency Head using information located via internet research, the SRR, and e-Trak contact information. The DES will notate this in e-Trak notes.
The Official Notification Letter will be issued to the agency no later than 60 calendar days from the scheduled on-site review. Chief concurrence must be obtained to refrain from issuing the Official Notification under 60 calendar days from the scheduled on-site review. Notation by the Chief in e-Trak Notes is the acceptable method for acknowledging a delay in issuing the Official Notification Letter.
Upload the SRR notification letter to Documents in e-Trak using the proper naming convention. E-mail the appropriate team Chief advising that the notification letter is ready for review and approval. Carbon copy (cc) the Management Assistant. Example: MAXXX-DOR-SRR-N-L-111314
Update the e-Trak agency contact screen if there is a change in the Head of Agency, information technology (IT) POC or IRS primary POC on the contact questionnaire.
Contact the appropriate Governmental Liaison and Disclosure Manager. Inform them of the upcoming agency review and scheduled dates. Determine if there are any issues or concerns with the agency. Document the contact and/or any issues or concerns with the agency in e-Trak.
State Agencies:
Revenue
Child Support
Health and Human Services
Labor
Affordable Care Act
Correctional Facilities
Attorneys General
Tribal
Comptroller
Department of Transportation
Research and review agency documents to determine the physical and logical locations of federal tax information. Determine state or county administration use of FTI. Determine contractor access to FTI. Request copies of the access list to FTI. Using the information below, attempt to determine who uses the tax information and how it is used. Review and analyze the following documents and any other sources that may provide information for the review:

Step - Information for the Review
1 The SSR should always be reviewed against the subsequent and prior SSRs. The SSRs provide useful information regarding current Responsible Officer(s), the number of offices inspected, latest FTI destroyed, enhancements to computer systems, and locations of federal tax information.
2 Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies
3 Studies and audits - GAO and other studies conducted of an agency’s general and data processing operation may give pertinent information.
4 Safeguard Review Report - If previous reviews were conducted, the reports are examined for previous findings, recommendations, and follow-up actions.
5 Treasury Inspector General for Tax Administration (TIGTA) - TIGTA may have information about the agency that could have an impact on the sharing of FTI.
6 Data Services Report - Review the report to determine the type and volume of disclosures made to the agency and to the contractor. Review their Transcript Delivery System (TDS) report to determine what transcripts were requested and printed by state agencies.
7 Corrective Action Plan (CAP)
8 Safeguard Disclosure Security Evaluation Matrix (SDSEM)
9 Technical Inquiries
10 45 day notification
Note: Document research results in e-Trak.

Preparation - 60-90 calendar days before the review
Ensure the agency has the latest copy of Publication 1075; if not, refer them to irs.gov/safeguards.
Provide the SDSEM, Sample Data Request specific to each agency type, sample agenda, background data list and Policy & Procedures checklist. Include Internal Inspection templates, Visitor Access Log sample, Data Tracking Log sample and Disclosure awareness products list.
Schedule conference call(s); discuss documents needed for the review, particularly the SDSEM, data flow example, sample agenda, and the expectations for the agency before and during the review. Set a deadline for receipt of the above listed documents.

Preparation - 30-60 calendar days before the review
Schedule a call with the POC to discuss the SDSEM in depth. Explain the different tabs and the importance of the information.
Prior to the PSE call, explain the purpose of the Preliminary Security Evaluation (PSE) call and the importance of getting the correct IT staff involved. Discuss data flow documents and stress that the PSE call cannot be conducted without the Preliminary Security Evaluation Form being received prior to the call.
Remind the agency of the final deadline for documents, data flow and SDSEM (if necessary).
The Safeguard DES/CSR must conduct the PSE call and address any open questions to assist with determining the scope. The PSE call will focus on:
Number and type of computer platforms operational within the agency.
Data requests for controls, requirements and verification of evidence.
Note: Advise the PSE scheduler that a county run office needs a separate PSE call scheduled.
Attend PSE calls for county run field offices, contracted collection agencies and contractor/subcontractor sites that have non-agency-owned technologies that contain FTI.

Preparation - 0-30 calendar days before the review
Follow up with the agency for remaining documentation 3 weeks prior to the on-site review; this should just be a reminder. The DES should be communicating with their assigned CSR.
Review the agenda with the POC (dates, times and addresses for site locations) and provide a copy to the IRS contractor/CSR and Chief SRT1/SRT2.
Review policies, procedures and SDSEMs and document in e-Trak note(s) that the documentation was reviewed; note any issues or concerns that will need to be cleared while on site.
Prepare the Safeguard On-site Review Preparation Check List and upload the document to e-Trak not later than the working day prior to the call, using the proper naming convention. The DES must work with the CSR on completion of the Computer Security section of the Review Prep Doc. Example: MAXXX-DOR-SRR-N-111314
One week prior to the review, print the Review Opening Presentation and sign-in sheets for the opening and closing conference, and coordinate with the CSR assigned to your agency regarding logistics. Provide the Governmental Liaison with the opening conference date and time.
Prior to the on-site review, a preparation call will be conducted and will include the responsible SRT Chief, DES, CSR and the appropriate GL representative.
Hold a final discussion with the agency POC, make changes to the agenda if needed, and ensure the agency will have appropriate IT, policy or business related employees at the opening conference. Make sure the opening conference room will have a white board or easel for use and that Safeguards and IRS Contractor reviewers will have a room to work from.
Additional documentation by Agency type may be required as listed below:
Department of Revenue or 6103(d) may also review: Computer Matching Agreement (CMA), Governmental Liaison Data Exchange Program (GLDEP) enrollments, GLDEP Need and Use Justification, Memoranda of Understanding (MOUs), agency (p)(2) agreements and TDS records.
Department of Human Services or 6103(l)(7) may review: Computer matching agreement with SSA for review of Beneficiary Earning and Exchange Record (BEER); IRS Computer Matching Agreement (CMA) from Data Services and the agency; Income and Eligibility Verification Systems (IEVS) counts from Data Services for the previous 3 years.
Child Support Services 6103(l)(8) and (l)(10): Review Service Level Agreements (SLAs), 45 day contractor notification letters and agency contracts.

Travel Coordination
No more than 30 calendar days prior to the review, the DES should have the travel authorization complete, signed and ready for management approval. This needs to include the airline reservation and car rental. If the DES will be traveling by private vehicle, ensure a cost comparison worksheet is included in the authorization. Verify the cost accounting string on the authorization. Each traveler will fill out the travel itinerary by the required deadline. The returned travel information must be compiled into one document and then shared with all parties on the review.

On-site Safeguard Review Management Processes
The Chief SRT is responsible for all actions occurring during the course of the on-site review.
If the Associate Director is not present on the review, the SRT Chief should provide a daily summary of key issues.
Provides oversight for travel coordination issues while on-site.
Manage the review process on-site by maintaining good communications with team members, and by being available to the agencies if necessary.
Conduct daily post-review meetings to review that day’s events.
Topics should include review of critical findings, commonalities between agencies, future items for review the following day, and any other concerns deemed necessary.
Chiefs are responsible for time tracking adherence by all personnel.
Provide guidance and oversight to any applicable contractor personnel on-site.
Attend at least one opening and all closings, and be on-site with as many agencies as possible based on logistical constraints.
Prior to closings, review and recommend edits for all Preliminary Findings Report (PFR) documents.
Be the final arbiter for any on-site mitigation proposed by the agency.
Note: The Chief is responsible for determining if a review is held as a preliminary closing and will provide oversight for coordinating follow-up activities for preliminary closings.

On-site Safeguards Reviews
Communicate with the CSR regarding travel times and locations for the review.
The purpose of the opening conference is to acquaint agency officials with plans for the on-site review and to make any adjustments to the necessary arrangements and accommodations for this review.
On-site Review Opening Conferences are generally held at 9:00 am the first day of the review, but this is subject to adjustment based on the scope of the review and travel logistics. This decision will be made by and between the DES leading the review, the Chief and the State CSR Lead.
Have sign-in sheets and confidentiality statements prepared.
The opening conference PowerPoint, available on SharePoint, is used to facilitate this meeting. Following the PowerPoint, the CSR will lead the Data Flow discussion.
Note: The DES needs to understand the movement of the data sets they are responsible for reviewing.
Work with the CSR, the State IT POC and the IRS POC to ensure they have the correct personnel available for testing technologies that are identified as in scope.
In general, the walk-through of the data center is scheduled for immediately following the opening conference and is attended by all DESs who have verified data at the data center. Exceptions will be made on a case by case basis and approved by the Chief.
A set time will be scheduled for all team members to conduct one review of a State consolidated data center.
The Lead DES and Chief will work with members of the team to ensure alternate sites are covered during the review (example: the DES assigned to DOR might cover an offsite storage facility for the DESs assigned to child support and human services).
Continue with the pre-scheduled review of (2) field offices and other facilities.
Advise the Chief SRT or management of any additional devices that need to be added to the IT scope.
The DES/CSR should update findings for their PFR as they conduct the review.

11.3.36.15.1 (07-21-2015)
Review Techniques
Interviews - During the on-site review, agency employees, contractors and subcontractors will be interviewed. Interviews are valuable in that they provide information based on personal experience. This information can help determine the extent of disclosure, safeguards and security awareness, as well as awareness of the penalty provisions of IRC §7213, IRC §7213A and IRC §7431. Additionally, interviews can provide answers to questions regarding operations and procedures. Interviews do not have to be restricted to employees; they may also be conducted with third parties (e.g., custodians, security guards, other tenants) to gather information on the measures used to restrict access to areas housing tax data.
Observation - Observing actual agency on-site operations is a required step in the review process.
The DES must tour the areas or departments which handle or store FTI, including the data processing center, regardless of whether it is agency-operated, a shared facility or a contractor facility that receives, processes, transmits or stores FTI. The DES should note actual written policy and procedures, actual operational execution of these policies and procedures, as well as work flow. The inspection should also provide information about the following security measures:
Perimeter security
Containerization
Keys and combination controls
Intrusion alarms
Presence of fire detection and annunciation equipment
Physical access controls
Storage and handling
Emergency procedures, including data breaches and incident management
Destruction and disposal
Computer system security (including alternate work sites)
Call and payment centers
Collection agencies
Additional contractor and sub-contractor physical and logical access when reviewing additional locations
Note: Address contractor and subcontractor physical and logical access when reviewing additional locations.
Background Check - During an on-site Safeguard Review, the DES will inspect and evaluate agency policy and procedure related to background investigations of employees and contractors with access to and use of FTI, as well as a sample of completed employee and contractor background investigations. The DES will document on the SRR and CAP a finding, and require corrective action by the agency, for any failure to comply with IRS published standards for agency background investigation requirements. The DES will note on the SDSEM any compliance failures associated with the specific test cases established with regard to IRS published standards for agency background investigation requirements. SDSEM test cases to be evaluated for compliance include:
Does the agency have a policy requiring a background investigation of each employee and contractor with access to and use of FTI?
Does the policy require the initiation of a background investigation prior to permitting newly hired employees or contractors access to or use of FTI?
Does the policy establish an unfavorable background investigation result criterion for each required element which, if found, would result in preventing or removing an employee’s or contractor’s access to and use of FTI?
Does the policy require that reinvestigations are initiated for each existing employee and contractor with access to or using FTI not less than 10 years from the date of their previous background investigation?
Does the policy specify that, at minimum, background investigations must include:
Step - Background Investigations
1. Fingerprinting or review of Federal Bureau of Investigation (FBI) fingerprint results?
2. Checks at local law enforcement agencies where the subject has lived, worked, and/or attended school within the last 5 years, and if applicable, of the appropriate agency for any identified arrests?
3. Citizenship/residency checks conducted to verify an employee’s or contractor’s eligibility to legally work in the United States?
4. Credit checks to verify an employee’s or contractor’s financial status through a search of all three major credit bureaus covering all locations where the employee or contractor has resided, been employed, or attended school for six months or more for the past seven years?
Does the agency have a procedure that describes the roles, responsibilities and actions required to ensure background investigation policy requirements are timely initiated and completed, and unfavorable results are adjudicated?
Did the agency's provided sample of completed employee and contractor background investigations include documentation of:
Background Investigation Documentation - Example
Citizenship/Residency Check - For example, a dated screen print from the E-Verify website or a green card?
Fingerprint Check - For example, FBI fingerprint results or dated certification by a management official that favorable FBI fingerprint results were received?
Local Criminal Check - For example, a dated certification from local law enforcement agencies regarding the existence or non-existence of any record of criminal activity, or dated certification by a management official that a favorable local law enforcement criminal check was completed?
Review Guide - Exhibit 11.3.36-1 contains a security outline that can be used as a tool in evaluating reports and planning Safeguard Reviews. This exhibit is not all inclusive and is used only as a guide to be modified or expanded to meet the requirements of a specific review. Not all questions and review topics may arise as a result of information gathered during the evaluation.
Case file reviews - These consist of spot checks of agency files and the examination of records that contain FTI.

11.3.36.15.2 (07-21-2015)
Team Coordination
Communication between team members as the review is progressing is vital and beneficial, as it can identify problems and provide information that may alter or expedite the review plan.
The DES should communicate shared findings with other DESs reviewing other agencies. Ensure shared findings match on all agencies' PFRs.
Set aside time at the closing conference to discuss the findings with the POC. This allows the agency the opportunity to hear the findings and start remediation.
The PFR and recommendations should be discussed at the closing conference. This allows the agency the opportunity to better understand what the reviewer/team has found and provide additional information, should the agency see the need to do so.
Critical findings must be reported to the Chief immediately, who will then communicate them to the Associate Director.
The CSR and DES must maintain regular communication during the review.
Example: Potential increases in scope are discovered, IT contacts are identified, and any other information that may affect the review.
Set a deadline with the agency POCs for needed policies and procedures, generally not later than 2:00 p.m. the day before the closing.

11.3.36.15.3 (07-21-2015)
Need and Use Reviews
An on-site Need and Use Review of each agency receiving FTI will be conducted as part of the Safeguard Review. A Need and Use Review is considered verification or confirmation of the Need and Use Justification made prior to the release of the requested tax information to the state agency.
Compare FTI the agency is using versus FTI received. Determine if the agency should continue to receive all the FTI. If not, advise the GL and the Disclosure Manager as appropriate. Document the PFR with appropriate findings.
Ensure the agency is compliant with IRS statutes, Federal regulations, existing agency agreements (basic and implementing), service policies and MOUs.
The scope of the review should be broad enough to provide the reviewer with sufficient information to document a conclusion as to the agency’s need for and use of FTI. Other key areas to be reviewed would include (but are not limited to):
Routine exchanges
Joint projects or other specific exchanges
SLAs and MOUs
Verify the Need and Use Justification Statement for Use of Federal Tax Information for Tax Modeling, Revenue Estimation or other Statistical Purposes.
Note: Non-use of tax data does not necessarily constitute FTI misuse. However, the objective is to reduce or eliminate unnecessary disclosures of FTI. If the original Need and Use Justification was valid, but the actual utilization has been postponed, the reviewer's responsibility is to evaluate whether there is a reasonable expectation that continued retention of the data will be of value to the state for tax administration within a reasonable and logical timeframe.
11.3.36.15.4 (07-21-2015)
Preliminary Findings Report
The PFR identifies the items requiring correction as a result of an IRS Office of Safeguards on-site review. For each finding, the evaluated risk for potential loss, breach or misuse of FTI establishes the recommended timeframe for resolution. The risk category is noted next to each finding in this report to assist the agency in establishing priorities for corrective action. See also IRM 11.3.36.9.
The DES must complete the PFR during the on-site review. The title page, footer and Section E should be complete prior to the review. The document must be completed, including the computer security review findings in Section H, and printed before the closing conference. The standardized findings with associated risk category are available on the PFR Standardized Findings Document.
Note: The DES is responsible for the PFR in its entirety, to include Section H. If any corrections need to be made or are identified during the Closing Conference, the DES is responsible for incorporating the corrections and uploading the accurate PFR to e-Trak post closing. This includes any Section H corrections.
SRT required actions to initiate an IRC 6103(p)(7) recommendation:
Ensure that all actions regarding attempts to secure successive instances of reporting non-compliance are well documented in e-Trak.
Complete the IRC 6103(p)(7) Recommendation for FTI Suspension and/or Termination of FTI Disclosures form.
Prepare the GLDS Director letter to the Head of Agency advising of the 6103(p)(7) determination and intent to terminate FTI disclosures and appeal rights.
Submit the IRC 6103(p)(7) Recommendation for FTI Suspension and/or Termination of FTI Disclosures form to the AD for approval, along with the Action Routing Sheet and the STAT-prepared GLDS Director letter to the Head of Agency advising of the 6103(p)(7) determination and intent to terminate FTI disclosures and the agency’s appeal rights.
Note: See Exhibit 11.3.36-8, Recommendation for FTI Suspension and/or Termination.

11.3.36.15.5 (07-21-2015)
Closing Conference
In general, the closing conference time will be discussed during the first evening meeting with the Chief and finalized as soon as possible thereafter. Closings should be scheduled according to scope, resources, agency availability and Safeguards availability, with the final time and date signed off by the Chief.
E-mail the agency POC the time of the closing conference.
Review the risk categories, emphasizing the critical and significant risks. The DES will review findings in Sections A-G and the CSR will review Section H.
Remind agency personnel that changes in procedures made to comply with recommendations should be documented in the CAP.
Remind the agency when the next SSR and CAP are due.
Always ask the agencies if they have any questions before the close of the conference.
Note: During the closing conference, inform the agency that the DES is the point of contact until the final report, SRR and CAP, are issued.

11.3.36.15.6 (07-21-2015)
Work Papers
SDSEM, Policy and Procedures Checklist, Agenda with physical locations and contact numbers, Review Contact Questionnaire.

11.3.36.16 (07-21-2015)
Federal Agency Reviews
Federal Agencies receive data per various statutory code authorizations from various sections of the IRS and Social Security. The level of detail on how the agencies use the data received must be determined to conduct a quality review. The size and diversity of the agency operations make the determination of the flow of the FTI challenging. Data received is generally different than for state agencies, and it is more challenging to identify exact data sets and data elements. The level of detail on both what data they receive and what they do with it is generally much less. Size and diversity of agency operations make identifying the flow of FTI challenging.
The following Federal agencies receive FTI under statutory authority:
Department of Defense
Department of State
Department of Treasury
Federal Bureau of Investigation (FBI)
Department of Justice
United States Postal Service
Secret Service
General Accounting Office (GAO)
Department of Homeland Security
Department of Health and Human Services
CMS
Federal Tax Administration
Child Support Enforcement (OCSE)

Pre-review planning (link to State Agency Review)
Identify the agency point of contact (POC) and solicit the agency POC's assistance to identify the current use, flow and locations of FTI.
Research and analyze internal documents: SSR, SRR, CAP, Technical Inquiries (TI) and 45 Day Contractor Notifications. Conduct an analysis and include pertinent information for the appropriate sections of the Federal scope document, to include the highlights of issues and challenges.
Verify reporting status (e.g., SSR, CAP, etc.).
For Federal agencies, identify the data provided, its flow and how the Federal agency uses the FTI data it has received.
Seek input from Data Services regarding any Computer Matching Agreement (CMA) in effect.
Seek input from Government Liaison if the agency is part of the Federal Intergovernmental Partnering Program or has an IRS point of contact.
Identify agency structure and other general agency information by researching their internet website. If an organizational chart is available, load this into e-Trak documents.
Work with the agency point of contact to determine where the FTI is flowing and the organizational segments/locations currently in possession of FTI. Identify and work with the agency POC to determine the current use and the flow (including specific organizational units and their locations) of all FTI.
Complete the agreed upon agenda.
Identify computer security needs and consult with the Federal Governmental Liaison and Chief, Safeguards Review Team (SRT) if additional resources are required.
Identify locations, organizational segments and points of contact covered in the review and the proposed timing of those on-site visits.
If the agency is using Federal Tax Information (FTI) for tax modeling, publishing on the internet or disclosing for congressional inquiries, invite the Office of Statistics of Income (SOI) to conference calls and ask if they would like to be included in emails to the agency.
Include the organizational component and name of the program manager alongside the data being reviewed when developing the FSR document. This will help to identify who the Disclosure Enforcement Specialist (DES) is speaking with in each responsible office relative to the different data pieces. Example: USDA – National Agriculture Statistical Service, point of contact (POC) Name (Title)
Once the Review Contact Questionnaire is received, prepare the Safeguard Review Report (SRR) Notification Letter. Obtain the current template from the SharePoint site. Address the SRR notification letter to the Agency Director that is documented on the Review Contact Questionnaire. Load the SRR notification letter to Documents in e-Trak using the proper naming convention. Example: FDXXX-FED-AGENCY-SRR-N-111814
Note: If the scope of the review is large (e.g. US Census), schedule an initial conference call to discuss the steps to the upcoming Safeguard Review. The call should include agency contacts, the Federal Liaison or Chief SRT, the Computer Security Reviewer (CSR) and the DES.
Complete the Federal Scope Document with the suggested topics; each agency will require different topics: Code Authority, all locations where FTI resides, IT Data Flow, Computer Security Scope, Previous SRR-F Notes, Previous SRR Notes, Previous CAP notes showing open findings, Organizational Chart, list of FTI received in the past year, list of FTI re-disclosed in the past year, and list of contractors with access to FTI and the type of FTI accessible.
Federal Review Scope (FSR) Document - The FSR document is divided into tabs that should be completed by the DES and CSR. Additional tabs may be added depending on the scope of the agency. Each tab should contain the following:
Scope - Agency name (e.g., FDXXX: Agency name), review prep meeting to be held (list dates), dates of review, worksheets (list a summary of each tab).
Authority - List each IRC code for all FTI received by the agency, the appropriate definitions for each, and any potential use of the FTI.
Example: IRC § 6103(l)(21) provides for disclosure of specific FTI to officers, employees and contractors of the Department of Health and Human Services (HHS). HHS may, in turn, disclose such information to an Exchange (established under the Patient Protection and Affordable Care Act (ACA)), contractors of an Exchange, or to a state agency administering a state program establishing eligibility determinations for Medicaid, Children's Health Insurance Programs or a basic health program under section 1331 of the ACA. Such FTI may be used only for the purposes of establishing eligibility for participation in the state program or Exchange and verifying the appropriate amount of any credit or reduction. These disclosures to HHS, Exchanges, their contractors and state agencies are subject to the safeguard requirements.
Locations of each physical site - Sites, address, services the site provides, and notes.
CSR IT Scope - Technology Management, Operational and Technical (MOT) (e.g., SUSE Linux), Platform Function - agency/IT Policy and Procedures, Safeguards Computer Security Evaluation Matrix (SCSEM) Filename, Estimated Time for Testing (each piece of IT equipment), List of IT equipment per agency SSR, List of IT location and equipment, IT flow chart (provided in the PSE call).
Safeguard Review Report Final and/or Safeguard Review Report - Brief overview of the final report including physical sites, employees and A-G findings.
Opening findings - List open findings from the last review.
Organizational Chart
Contractors and subcontractors - List names, company name and duties performed.
Re-disclosures - List of Federal agencies that receive FTI through re-disclosure.
FTI received - List of tax data received electronically or on paper.
Example: Treasury Offset Program: Federal agency sends a consolidated Weekly Collection File from TOP to Federal agencies and the States. The agencies and the States use this information to update their debt collection and accounts receivable systems. (This would be sensitive information and not published in the IRM for public viewing.)
FTI data flow - To be provided by the Agency. Description of how FTI flows once released to the receiving agency.
Memorandum of Understanding (MOU) and Agreements - List of MOUs and Agreements.
List of agency contacts - Name, email, phone number (include office and cell phone if available) and job title.
Note: As part of the post review process, the DES should prepare a summary with agency specific information regarding the type of extracts received and any nuances specific to the agency being reviewed. The post review summary should include the reviewer's recommendations on potential areas of focus during the next review and any known changes that may occur in the next several years. The summary should include FTI extracts, agency components, sub-agencies, data types and recommendations on potential areas of focus during the next review.
Identify and research any Computer Matching Agreements/Intergovernmental Partnering Program/Memorandums of Understanding/Agreements.
Managerial Prep Meeting
Before the opening conference is scheduled, the DES and CSR should meet (conference call acceptable) with the Associate Director, Governmental Liaison for Federal agencies and Manager or Management Official to discuss the plan for conducting the review. The review plan should be outlined in the FSR document, which must be submitted to the Associate Director, Governmental Liaison for Federal agencies and Manager or Management Official with the calendar invite. The FSR document should cover all items shown in the tabs.
Note: Not all tabs will be complete; some may be added later depending on the timeline and scope of the agency.
Once the FSR document has been approved by the Associate Director, Governmental Liaison for Federal agencies and Manager or Management Official, the DES may schedule the opening conference. If documents are not readily available, the DES may schedule the opening conference with the approval of the Manager or Management Official. The Associate Director, Governmental Liaison for Federal agencies and Manager or Management Official will be invited to the opening conference. The DES is required to send a calendar invite detailing the time, date, location and logistics to the Associate Director, Governmental Liaison for Federal agencies as part of their preparation activities. In addition, the calendar invite should specify the agency officials (names, titles) that are expected to participate in the opening conference.
Status Updates before the review (recommended timeline 30-120 calendar days)
Since Federal reviews tend to last longer than state reviews, the DES is required to schedule bi-weekly conference calls (unless the Associate Director, Governmental Liaison for Federal agencies and Manager and Management Official agree to a different frequency) to discuss the developments of the review and any issues identified to date. It is the DES's responsibility to schedule the calls and send calendar invites to the Associate Director, Governmental Liaison for Federal agencies and Manager and Management Official.
Attend PSE calls (several will be added if the scope is large).
Review the final agenda from the POC; review dates, times and addresses for site locations to be reviewed and provide a copy to the CSR, contractor, Associate Director, Governmental Liaison for Federal agencies and Manager and Management Official.
If changes are made or added to the FSR document, send it to the Associate Director no more than 1 month before the review (timeframe may vary).
On-Site Safeguard Review Management Processes - See IRM 11.3.36.15, On-Site Safeguards Reviews.
11.3.36.16.1 (07-21-2015)
Review Techniques
See IRM 11.3.36.15.1.
11.3.36.16.2 (07-21-2015)
Need and Use Reviews
See IRM 11.3.36.15.3.
11.3.36.16.3 (07-21-2015)
Preliminary Findings Report
See IRM 11.3.36.15.4.
11.3.36.16.4 (07-21-2015)
Closing Conference
The Associate Director, Federal Liaison and Chief SRT will be invited to the closing conference. Since the closings are generally held in Washington, DC, the Associate Director will generally attend the closing conference. The DES is required to send a calendar invite detailing the time, date, location and logistics to the Associate Director, Federal Liaison and Review Team.
11.3.36.16.5 (07-21-2015)
Work Papers
Work papers include the FSR documents, SCSEM, Policy and Procedures Checklist, Agenda with physical locations and contact phone numbers, Review Contact Questionnaire and Summary of the agency after the closing conference.
The SCSEM will be used to document the findings for the agency. After the review, complete Pass/Fail in column H on each tab of the SCSEM. If the agency has failed a test, complete the IRS Comments and Supporting Evidence in column J.
11.3.36.17 (07-21-2015)
Inventory and Management Reports
Overview - Inventory management is critical to effective safeguarding of FTI. Inventory management occurs on a daily basis and is to be reported out to the Associate Director at a minimum of once per week. Team Chiefs, Analysts, Technical Advisers and contractor support are required to work in concert to give the AD the most accurate snapshot of inventory status possible. This will include reporting out on the current status of the following items: Technical Inquiries and Notifications, SRRs, SSRs and CAPs.
11.3.36.17.1 (07-21-2015)
Technical Inquiries and Notifications
The Technical Inquiry & Notification weekly inventory report is based on an e-Trak query that focuses on the case types of Technical Inquiries and Notifications. All states EXCEPT release are included in the query. TIs and Notifications have a due date of 30 days from receipt of the inquiry.
11.3.36.17.2 (07-21-2015)
Safeguards Review Report
The Safeguards Review Report (SRR) weekly reporting is based on an e-Trak query that focuses on "DES assignment" and "due date". All states EXCEPT "Release" are included in the query. SRRs have a 45 day completion date with a start time based on the closing conference date of the review. Each Safeguards Review Team analyst will be responsible for producing a weekly SRR inventory report. The SRR report will be shared with each SRT Chief on a weekly basis (or as required by the SRT Chief) to maintain workload accountability and inventory control.
The query will be produced in Excel format unless otherwise determined by the SRT Chief.
11.3.36.17.3 (07-21-2015)
Safeguards Security Review Report
The Safeguards Security Review Report (SSR) weekly reporting is based on an e-Trak query that focuses on "IRS contractor assignment" and "due date". All processing statuses EXCEPT "Release" are included in the query. SSRs have a 60 day completion date with a start time based on the date the SSR was received in the Safeguards mailbox. Each Safeguards Review Team analyst will be responsible for producing a weekly SSR inventory report. The SSR report will be shared with senior management and each SRT Chief on a weekly basis (or as required by the SRT Chief) to identify any areas of concern and to ensure timely processing of reports in compliance with contractual guidance, and to maintain workload accountability and inventory control. The IRS Contractor will be assigned as "Case Responsible" for all SSR cases. The IRS Contractor will be responsible for reporting the status of active SSRs during the weekly inventory call (see note below). The query will be produced in Excel format unless otherwise determined by senior management and/or the SRT Chief.
11.3.36.17.4 (07-21-2015)
Corrective Action Plan
The Safeguards Corrective Action Plan (CAP) weekly reporting is based on an e-Trak query that focuses on agencies where open findings exist on the POAM. This indicates that the findings need to be addressed in a CAP. The report focuses on DES assignment, contractor assignment and due date. All processing statuses EXCEPT "Release" are included in the query. CAPs have a 45 day completion date with a start time based on the date the CAP was received in the Safeguards mailbox. Each Safeguards Review Team analyst will be responsible for producing a weekly CAP inventory report. This report will be shared with senior management and each SRT Chief on a weekly basis (or as required by the SRT Chief) to identify any areas of concern and to ensure timely processing of reports in compliance with contractual guidance, and to maintain workload accountability and inventory control. SRT Analysts will be assigned on an alternating basis as "Case Responsible", with subordinate assignments to DES staff (for sections A-G) and to the IRS contractor (for section H) for all CAP cases. IRS Computer Security Reviewers, commonly referred to as 2210, will be responsible for assisting with working Section H of the CAPs on an as needed basis as determined by the SRT Chief. The IRS Contractor will be responsible for reporting the status of active CAPs during the weekly inventory call (see note below). The query will be produced in Excel format unless otherwise determined by senior management and/or the SRT Chief.
11.3.36.18 (07-21-2015)
Safeguards Mailbox and Secure Data Transfer
Reserved.
11.3.36.19 (09-11-2014)
Management Information Reports
In order to assist in monitoring and assessing the success of the Safeguard Review Program, and to provide input for Reports to Congress (see also IRM 11.3.36.20), the Disclosure Enforcement Specialists (DES) will submit statistical reports to the Director, Office of Safeguards, as may be required, for tracking purposes. In addition, all DES actions will be reflected in the e-Trak history. Accurate program tracking requires that all data maintained reflect all agencies subject to safeguards, and accurate recording of reviews scheduled, in process, and completed.
Reminder: This data will be cross-checked with the data reflected in the e-Trak database.
SSR submission and acceptance, and Need-and-Use Reviews are also tracked in an effort to ensure agency and contractor compliance with program requirements.
Occasionally, empirical reports are requested in conjunction with narrative reports describing program accomplishments and shortcomings to establish program goals or guidance for subsequent program emphasis.
11.3.36.20 (09-11-2014)
Report to Congress
An annual report to Congress regarding the procedures and safeguards of recipients listed in IRM 11.3.36.2 (3) is prepared by the Office of Safeguards. The responsible analyst/specialist in the Office of Safeguards will submit the report on or before March 31st to the Associate Director, Office of Safeguards. The report is channeled through appropriate management levels for the Commissioner's signature. The report will be based on information entered into the e-Trak database and other safeguards activity throughout the calendar year, e.g., workshops such as FTA, speaking engagements at external agencies, serving on IRS implementation teams for new legislation, review/commenting on agreements (e.g., CMAs, IAGs, MOUs), etc. All information for Safeguard Review is to be entered by December 31. The information on safeguard review findings is based on the final Safeguard Review Reports.
11.3.36.21 (09-11-2014)
Enforcement
IRC §6103(p)(4) provides that IRS may take such actions as are necessary to ensure that the safeguard requirements are being met. Such actions may include refusing to disclose returns or return information until it is determined that the requirements have been or will be met.
11.3.36.21.1 (07-21-2015)
Guidelines for Safeguards Task Alliance Team (STAT) Enforcement of Safeguard Reporting Requirements
Follow the required actions below when Safeguard Security Reports (SSRs) have not been filed for two consecutive reporting years:
No filing for first reporting year after:
a. STAT team has received no response within 2 business days after calling POC regarding late SSR
b. STAT team has received no response within 2 business days to follow-up email advising POC of late SSR
c. Associate Director has sent STAT prepared letter to advise Head of Agency of efforts to secure late SSR and advised of next SSR deadline
d. Automatic/granted extensions may not exceed a total of 60 days; deadlines have passed
e. Associate Director has sent STAT prepared letter to advise Head of Agency of efforts to secure late SSR and advised of next SSR deadline
No filing for successive reporting year when:
a. Filing deadline has passed; no extension permitted
b. AD has sent STAT prepared letter to remind Head of Agency of the previous year's non-filing and warning that guidelines have been met to initiate 6103(p)(7) recommendation
c. No filing is received within six months of filing deadline
Follow the required actions below when CAPs have not been filed for two consecutive reporting periods:
No filing for first reporting period after:
a. STAT team has attempted call to POC regarding late CAP
b. STAT team has sent follow-up email to advise POC of late CAP
c. Associate Director has sent STAT prepared letter to advise Head of Agency of efforts to secure late CAP and advised of next CAP deadline
d. Automatic extension may not exceed a total of 30 days; deadline has passed
No filing for successive reporting period when:
a. Filing deadline has passed; no extension permitted
b. Associate Director has sent STAT prepared letter to remind Head of Agency of previous period's non-filing and warning that guidelines have been met to initiate IRC 6103(p)(7) recommendation
c. No filing received within two months of filing deadline
STAT required actions to initiate IRC §6103(p)(7) recommendation:
a. Ensure that all actions regarding attempts to secure successive instances of reporting non-compliance are well documented in e-Trak
b. Complete IRC §6103(p)(7) Recommendation for FTI Suspension and/or Termination of FTI Disclosures form
c. Prepare GLDS Director letter to Head of Agency advising of IRC §6103(p)(7) determination and intent to terminate FTI disclosures and appeal rights
d. Submit IRC §6103(p)(7) Recommendation for FTI Suspension and/or Termination of FTI Disclosures form to AD for approval along with Action Routing Sheet and STAT prepared GLDS Director letter to Head of Agency advising of IRC §6103(p)(7) determination and intent to terminate FTI disclosures and agency's appeal rights
11.3.36.21.2 (07-21-2015)
Guidelines for Safeguard Review Team (SRT) Enforcement of Safeguard Requirements Other Than Reporting
Initiate the enforcement recommendation below if the agency continues to make unauthorized FTI accesses/disclosures after the following has occurred:
DES has issued Preliminary Findings Report (PFR) notifying agency of unauthorized FTI accesses/disclosures.
DES has received no response in the week following PFR issuance regarding actions taken to cease unauthorized FTI accesses/disclosures.
Associate Director has sent SRT prepared letter to advise Head of Agency of efforts to secure confirmation of agency actions to cease unauthorized FTI accesses/disclosures and warning that guidelines have been met to initiate 6103(p)(7) recommendation.
No confirmation of agency actions to cease unauthorized FTI accesses/disclosures is received within 90 days of PFR issuance.
Initiate the enforcement recommendation below if the agency does not mitigate or provide a plan to mitigate critical and significant review findings after the following has occurred:
SRT has issued Preliminary Findings Report notifying agency of critical and significant review findings.
SRT has issued SRR and CAP soliciting agency's response to mitigate or provide an approved plan to mitigate critical and significant review findings.
SRT documents that the agency, in its first CAP submission subsequent to SRR issuance, has not mitigated or provided an approved plan to mitigate critical and significant review findings.
Associate Director has sent SRT prepared letter to advise Head of Agency of next CAP deadline and warning that the next agency CAP submission without mitigation of, or an approved plan to mitigate, critical and significant review findings will meet our guideline for initiation of IRC 6103(p)(7) recommendation.
SRT documents that the agency, in its second CAP submission subsequent to SRR issuance, has not mitigated or provided an approved plan to mitigate critical and significant review findings.
Initiate the enforcement recommendation below if the agency will not allow Safeguards to conduct on-site reviews without additional non-IRS background investigations/confidentiality statements, or will not allow the use of automated tools to evaluate security configurations of IT devices, after the following has occurred:
SRT has conducted phone and/or email contact with agency POC to notify of impending on-site review, and agency indicates that additional non-IRS background investigations/confidentiality statements will be required to conduct on-site reviews, or will not allow the use of automated tools to evaluate security configurations of IT devices.
SRT has received a response from agency, after sending on-site review engagement letter to Head of Agency regarding impending on-site review and advising of use of automated tools to evaluate security configurations of IT devices, indicating that additional non-IRS background investigations/confidentiality statements will be required to conduct on-site reviews, or will not allow the use of automated tools to evaluate security configurations of IT devices.
SRT Chief has contacted agency POC and Head of Agency by phone and/or e-mail but has been unable to secure agency cooperation with conduct of the on-site review based on the sufficiency of the IRS background check/confidentiality statement and on the use of automated tools to evaluate security configurations of IT devices for the on-site review.
Associate Director has sent SRT prepared letter warning Head of Agency that not allowing Safeguards to conduct an on-site review without requiring non-IRS background investigations/confidentiality statements, and/or not allowing the use of automated tools to evaluate security configurations of IT devices, will meet our guideline for initiation of IRC 6103(p)(7) recommendation.
SRT required actions to initiate IRC 6103(p)(7) recommendation:
Ensure that all actions regarding attempts to secure successive instances of reporting non-compliance are well documented in e-Trak.
Complete IRC 6103(p)(7) Recommendation for FTI Suspension and/or Termination of FTI Disclosures form.
Prepare GLDS Director letter to Head of Agency advising of IRC 6103(p)(7) determination and intent to terminate FTI disclosures and appeal rights.
Submit IRC 6103(p)(7) Recommendation for FTI Suspension and/or Termination of FTI Disclosures form to AD for approval along with Action Routing Sheet and STAT prepared GLDS Director letter to Head of Agency advising of IRC 6103(p)(7) determination and intent to terminate FTI disclosures and agency's appeal rights.
11.3.36.21.3 (07-21-2015)
Reviewer's Actions
In all cases where serious deficiencies are found or where required reports are not submitted, the responsible reviewer will attempt to obtain voluntary compliance through discussion and negotiation. (Delegation Order)
When an impasse occurs involving recipients subject to IRC §6103(p)(4), the matter should be elevated to the appropriate GLDS management level.
The reviewer should initiate the enforcement recommendation if the agency will not allow Safeguards to conduct on-site reviews without additional non-IRS background investigations/confidentiality statements, or will not allow the use of automated tools to evaluate security configurations of IT devices, after the following has occurred:
Reviewer has conducted phone and/or email contact with the agency POC to notify of impending on-site review, and agency indicates that additional non-IRS background investigations/confidentiality statements will be required to conduct on-site reviews, or will not allow the use of automated tools to evaluate security configurations of IT devices, or
Reviewer has received a response from the agency, after sending on-site review engagement letter to the Head of Agency (HOA) regarding impending on-site review and advising of use of automated tools to evaluate security configurations of IT devices, indicating that additional non-IRS background investigations/confidentiality statements will be required to conduct on-site reviews, or will not allow the use of automated tools to evaluate security configurations of IT devices, and
The SRT Chief has contacted the agency POC and HOA by phone and/or e-mail but has been unable to secure agency cooperation with the conduct of the on-site review based on the sufficiency of the IRS background check/confidentiality statement and on the use of automated tools to evaluate security configurations of IT devices for the on-site review; and
The Associate Director, Safeguards has sent a letter warning HOA that not allowing Safeguards to conduct an on-site review without requiring non-IRS background investigations/confidentiality statements, and/or not allowing the use of automated tools to evaluate security configurations of IT devices, will meet our guidelines for initiation of IRC 6103(p)(7) recommendation.
Required actions to initiate IRC 6103(p)(7) recommendation include:
Ensure that all actions regarding attempts to secure successive instances of reporting non-compliance are well documented in e-Trak.
Complete IRC 6103(p)(7) Recommendation for FTI Suspension and/or Termination of FTI Disclosures form; see Exhibit 11.3.36-8.
Prepare letter for GLDS Director's signature and issuance to HOA advising of IRC 6103(p)(7) determination and intent to terminate FTI disclosures and appeal rights.
Submit IRC 6103(p)(7) Recommendation for FTI Suspension and/or Termination of FTI Disclosures form to AD for approval along with Action Routing Sheet and GLDS Director letter to HOA advising of IRC 6103(p)(7) determination and intent to terminate FTI disclosures and agency's appeal rights.
11.3.36.21.4 (09-11-2014)
Director's Actions
If the appropriate management is unable to break the impasse, the recipient agency will be notified in writing of the IRS's preliminary determination and intention to recommend discontinuance of disclosures. Such notices will allow 30 calendar days for response. Notices will indicate:
That a report is being submitted to the Office of Governmental Liaison, Disclosure and Safeguards (GLDS) detailing the uncorrected deficiencies and the agency's reasons, if any, for noncompliance;
That the Director, Governmental Liaison, Disclosure and Safeguards will take appropriate action.
Reminder: The notification should include the appeal and administrative review procedures provided for in 26 CFR 301.6103(p)(7)-1.
At this time, a written report should be prepared and submitted by the Director, Office of Safeguards to the Director, Governmental Liaison and Disclosure.
If it is determined that Federal tax administration would be impaired because of a safeguards deficiency, a duly delegated IRS official (see Delegation Order 11-2) may immediately suspend disclosures to the agency pursuant to IRC §6103(p)(4) and Treasury Regulation 301.6103(p)(7)-1.
This would be the case where unauthorized accesses/disclosures would be made absent the suspension. See IRM 11.3.36.21.
If the 30 day time frame expires without the agency taking satisfactory action, a letter will be drafted to the head of the agency from the Delegation Order 11-2 official notifying the agency that disclosures are being discontinued until such time as the deficiency is corrected. Copies of the letter should be sent to the Director, Office of Safeguards and to the Director, Office of Governmental Liaison, Disclosure and Safeguards. Documentation detailing the uncorrected deficiencies and the agency's reasons, if any, for noncompliance will be organized and maintained.
Note: There must be appropriate coordination with the Deputy Commissioner's and/or Commissioner's offices from this point forward.
The actions of the Director, Office of Governmental Liaison, Disclosure and Safeguards (GLDS) will be similar to those stated in section 5 above. If the Director is unable to break the impasse, the agency head will be notified in writing of the IRS's preliminary determination and the Director's intention to recommend discontinuance of disclosure. The notice will allow 30 calendar days for response.
If the 30 day time frame expires without the agency taking satisfactory action, two copies of the proposed letter to discontinue disclosures will be drafted to the head of the agency from the Director, Office of Governmental Liaison, Disclosure and Safeguards, notifying the agency that disclosures are being discontinued until such time as the deficiency is corrected. Following the Director's signature, one signed copy will be retained in the Headquarters Office, and the other will be forwarded to the Director, Office of Safeguards and to the Director, Governmental Liaison, Disclosure and Safeguards.
11.3.36.21.5 (09-11-2014)
Alternative Actions
The discontinuance of disclosures may take several forms. The appropriate form is dependent upon all of the facts in the case.
All disclosures to an agency may be suspended or permanently cut off in situations where the deficiency pervades the entire agency or where the agency refuses to submit the required reports. Suspensions or cutoffs of selected information may be used in cases where the deficiency can be isolated in a certain segment of the agency.
Example: If the deficiency relates to computer processing, electronic disclosures may be suspended while disclosures of paper documents continue.
Exhibit 11.3.36-1
Safeguard Evaluation Guide
DISCLOSURE AND SECURITY - The following outline can be used as a tool in evaluating reports and planning safeguard reviews. Not all questions and topics pertain to a given report or review. Conversely, additional questions and topics may arise as a result of information gathered during an evaluation or review. Publication 1075 should always be used as the definitive authority on conducting a safeguard review.
I. IRC 6103
  A. Need and Use (State tax agencies)
    1. Is data used as agreed upon?
    2. Amount of revenues generated by tax data?
    3. Should new areas of information-sharing be explored?
  B. Permanent System of Standardized Records
    1. What kind of system is used?
    2. How are requests for tax information recorded?
    3. Date and reasons stated?
    4. How are disclosures identified? By name, SSN?
  C. Segregation of Records
    1. How is Federal tax data filed?
    2. Can data be retrieved by individual name?
    3. What identifying information is used for retrieval?
    4. Is tax data kept separate or commingled with other records?
    5. Is commingled tax data identifiable? Can Federal tax data within agency records be located and segregated?
  D. Access
    1. How is access limited to authorized employees?
    2. Who designates authorized employees?
    3. Do authorized employees have a need-to-know?
    4. Are employees with "substantial access" (other than purely clerical) identified?
    5. Are work assignments involving Federal tax data controlled?
    6. Do contractors have access to data?
    7. Review of third party inquiries - any evidence of unauthorized or involuntary disclosure?
    8. Are there written procedures to restrict access to data by state or GAO auditors?
    9. Are procedures in effect for disclosures to other agencies? If fraud is involved, does another agency have access? (Note: contractors and other agencies authorized access to FTI must also meet federal safeguards requirements.)
II. Security Awareness
  A. Employee Awareness
    1. Have written instructions been issued to employees concerning the handling, controlling and securing of FTI?
    2. Have employees received formal or informal training?
    3. Are employees aware of the disclosure and penalty provisions of the law?
    4. Are employees aware of emergency procedures, particularly those regarding the securing of tax information?
    5. Are employees advised annually of the provisions of IRC §7213, IRC §7213A and IRC §7431?
    6. Have the requirements for unauthorized access (UNAX) detection and training been met per the Taxpayer Browsing Protection Act?
    7. Are the initial certification and annual recertification documented and placed in agency and/or contractor files?
  B. Agency Awareness
    1. How often are inspections conducted?
    2. Who conducts the inspections?
    3. Are field offices inspected?
    4. Who acts on the reports?
    5. Have problems been resolved?
    6. Does the agency maintain internal inspection files? (Determine the quality of inspections)
  Review tips:
    1) Sample inspection sheets (5-10) for the sites inspected.
    2) Sampling needs to include the sites within the scope of your current safeguard review.
    3) Compare your findings for the sites reviewed to the internal inspection sheets.
PHYSICAL SECURITY (for FTI) - The following outline can be used as a tool to assess physical security measures specifically used to safeguard tax information.
I. Access Controls
  A. Sensitive/Restricted Areas
    1. What physical barriers are used to restrict access?
    2. How are restricted or limited areas marked?
    3. How is the area controlled?
      a. Is the desk of the supervisor or other responsible employee located at the entrance?
      b. Are areas cleaned during duty hours or after hours in the presence of regularly assigned employees of the guard/service?
      c. Are areas locked by adequate security devices after office hours?
      d. Are locks keyed off-master?
      e. Do wall partitions rise above any false ceiling to the actual ceiling (slab to slab)?
  B. Entry procedures
    1. Is access limited to employees who have official need?
    2. Is a list of authorized employees posted at the entrance?
    3. What ID are employees required to show?
    4. Are visitors permitted?
    5. What procedures are followed to admit customer service personnel into the restricted areas (are they always escorted, by whom)?
    6. Are sign-in/sign-out registers used?
    7. How often and by whom are registers reviewed?
    8. How is access restricted during non-duty hours?
II. Storage
  A. Containers
    1. How is data physically stored?
    2. Are containers locked when not under supervision?
    3. Locking bars
      a. Can material be removed when bars are in place and locked?
      b. Can the locking hasp at top or fastener at bottom be easily removed with hand tools?
      c. Are steel locking bars affixed to cabinets to preclude surreptitious removal of contents?
    4. Types of locks on cabinets with bars?
  B. Key and combination control
    1. Who maintains controls (keys, locks, etc.)?
    2. How often are combinations changed?
    3. How often are keys inventoried (last inventory and results)?
    4. What is the policy on reproducing keys?
    5. Is it required that keys be removed from locks and placed in a secure location while containers are unlocked?
    6. Is the number of keys distributed held to a minimum?
    7. Does the key control system ensure that keys are returned when an employee terminates or transfers?
    8. What records are maintained of all keys issued and returned?
    9. Are the correct padlocks being used?
    10. After a cabinet has been opened, are the padlocks stored in the cabinet itself or locked through the staple until the cabinet is secured?
    11. Who has keys or combinations to the buildings, rooms, safes, cabinets, or files where Federal tax data is stored?
III. Disposal
  A. Paper Documents
    1. Burning - is there complete combustion?
    2. Shredding - are strips rendered unreadable?
      a. Size of strips
      b. Print perpendicular to cutting line
    3. Pulping - what size is material reduced to?
    4. Disintegration - how fine a screen is used?
  B. Magnetic Media
    1. Shredding - size of strip?
    2. Electronic/electromagnetic erase or multiple write over?
IV. Facility Access Controls
  A. Entry procedures
    1. Who monitors the doors?
    2. How is entry controlled for:
      a. Employees?
      b. Visitors?
      c. Vendors, maintenance personnel?
    3. Are property passes required and checked?
    4. Are packages searched; what is the policy?
    5. After duty hours:
      a. What identification is required?
      b. Is a sign-in register used?
      c. Who reviews the register?
  B. ID Card/System
    1. What type of personnel identification system is utilized?
    2. Who issues the ID cards?
    3. Are employees required to wear ID cards?
    4. What are the procedures if an employee reports to work without the ID card?
    5. In the event of evacuation, are IDs checked on re-entry?
    6. Are inventories complete and all cards accounted for?
    7. Are ID supplies secured, and is stock controlled?
  C. Sign-in/sign-out registers
    1. Content?
    2. Who monitors?
    3. Is ID required?
    4. By whom and how often is the register reviewed?
    5. What action is taken if a problem is detected?
  D. Alarms
    1. Type
      a. Intrusion (photoelectric, magnetic contact, foil, capacitance, electromagnetic, ultrasonic, infrared, etc.)?
      b. Duress?
      c. Fire/Smoke?
      d. Humidity?
COMPUTER SECURITY (for FTI) - The following outline can be used as a tool to assess the security of only those systems involved in processing FTI.
I. Electronic Media Controls
  A. Electronic Media Library
    1. Librarian
      a. Full-time or part-time?
      b.
Other responsibilities? c. All shifts? d. Duties performed? 2. Procedures a. Documented or informal? b. Electronic Media Access (charge out) logs? 1. In house? 2. Outside of agency? c. Electronic Media Inventories 1. Periodic? 2. Results of prior inventories? d. External labeling procedures for Federal tax data 1. Type? 2. Procedures in actual use? B. Automated Electronic Media System 1. Is Federal media part of a system? 2. How do employees access the system? 3. What system documentation is there? 4. What are system outputs? C. File Retention Cycles 1. Are cycles documented? 2. Are cycles monitored to ensure destruction? D. Data Backup 1. How are data files backed up? a. Who performs actual backup? b. On what type of media are backup files contained? 1. Removable storage media 2. Internal storage 2. Storage a. Where is data stored? b. How are files protected? c. Who has access to these files? 3. Retention a. What is retention period? b. How many generations of backup files exist at the same time? c. Are backup files stored off-site? E. Destruction of Sensitive Information: What is the method for clearance of magnetic media (removable and non-removable) before reallocation or destruction? II. Recommend that computer Security analysts conduct or review computer systems, telecommunications environment, agency or contractor facility A. Security Policy 1. Written policy document exists? 2. Addresses FTI, how it will be restricted, level of protection it will be given? An example: a. Privileges that can/cannot be granted b. Users restrictions, e.g. contractors c. Data transmissions d. Products created (what's allowable) e. Commingling (if so, where and how will be identifiable) f. Final disposition B. Systemic Access Controls 1. Type of Controls used: a. Account codes b. Unique authorization codes for access and update c. Passwords (who assigns, frequency of change, how many cycles before the same password can be reused, length of cycle) d. User profiles e. 
User Identifications (User ID) f. Other 2. Type of Restriction a. User ID b. File of command codes 3. Administration of Controls a. Periodic changes of systemic controls? b. Who manages and monitors controls (security officer, etc.)? C. Operating System 1. How is access to the operating system restricted? 2. How is access to the files/applications that contain Federal data restricted? 3. How can security routines be bypassed? Are they recorded? 4. How many users have "privileged" authority? 5. Are all accesses to the operating system recorded? 6. Are all accesses to files that contain Federal tax data recorded? 7. When an application is completed, is all data used by the application removed from memory? D. System Reports 1. What information is available on the reports? 2. Are reports monitored to detect unauthorized access to files containing Federal tax data? 3. What actions are taken when unauthorized events are detected? 4. How long are reports retained? E. Terminal Capabilities 1. Remote job entry? 2. Data base inquiry? 3. Data base update? 4. Interactive programming? F. Retrieval and Output Controls 1. Are audit trails maintained of accesses or updates to magnetic data (terminal to disk inquiry, etc.)? 2. Are audit records of listings or extracts made? 3. Do these audit trails or records include: a. Reasons for access? b. Current location of data? c. Final disposition? G. Networked Systems 1. What protection is there for IRS information? 2. Are procedures documented? H. Personnel Access to Computer Areas 1. Authorized personnel only (all shifts)? 2. Who authorizes non-computer personnel? I. Data Transmissions 1. Is Federal tax data transmitted from one point to another? From where to where? 2. What type(s) of communications devices are used for data transmissions (e.g., fiber optics, twisted pair lines, etc.)? 3. Are the transmissions encrypted ? 
Exhibit 11.3.36-2 Safeguard Review Report Format — Findings and Recommendations

The format for the Safeguard Review Report is described in subsections 36.11.1 and 36.11.2 as uniformly consisting of:
A. Title Page or Cover Sheet
B. Introduction
C. Background
D. Scope and Objectives of the Review
E. Summary (Optional)
F. Findings and Recommendations
G. Need and Use
H. Computer Security

The section of the Safeguard Review Report entitled Findings and Recommendations should be further divided into sub-sections to address all of the safeguard requirements as follows:

FINDINGS AND RECOMMENDATIONS

A. MAINTAINING A SYSTEM OF STANDARDIZED RECORDS
Requirement: 26 USC 6103(p)(4)(A) requires that a permanent system of standardized records be kept which documents requests for, and disclosures of, returns or return information.

A.1 FINDING: Briefly describe the first finding under this requirement. Include a listing of all types of media in which Federal tax data exists, e.g., printouts, backup tapes, case files, computer files.
DISCUSSION: This should be a brief narrative describing the condition, process or practice listed as a "finding" in A.1 above. The narrative should be in sufficient detail so that the reader will understand the system, process or practice that led to the "finding."
RECOMMENDATION: If the finding is such that a change should be initiated by the agency, the recommended corrective action should be described.

A.2 FINDING: The second finding pertaining to the agency's system of records. Findings should be related to the requirements, which is the reason for clearly describing each of the requirements imposed on an agency receiving tax returns or return information.
DISCUSSION: Each of the findings will be followed by a discussion of the procedures or practices that led to that second finding.
RECOMMENDATION: Since the finding and the discussion can be describing a positive as well as a negative situation, it is possible that there will be no recommendation for change, and thus Recommendation A.2 may be "None. All requirements have been met."

A.3 FINDING: Each subsequent finding will be successively numbered and the Recommendation will bear the same number as the Finding.
DISCUSSION: All Findings and Recommendations pertaining to the standardized records requirement will bear the prefix A, and in that way the agency can respond to each Recommendation by number.
RECOMMENDATION: The reviewer can use the concept of the "audit trail" when reviewing the agency's records. Can they document the request for, the receipt, processing, distribution and destruction/disposition of the tax information? See Exhibit 11.3.36–2 for additional record keeping considerations.

B. MAINTAINING A SECURE PLACE FOR STORAGE OF TAX RETURNS AND RETURN INFORMATION
Requirement: 26 USC 6103(p)(4)(B) requires that a secure place or area be maintained where FTI is stored.

B.1 FINDING: A "finding" is a statement of condition, and may describe either a positive or adverse condition.
NOTE: Computer operations, e.g., rooms with servers, at field offices should be evaluated for this requirement. Appropriate findings should be included in the report.
DISCUSSION: Secure storage requirements apply to computer tapes, disks, or cartridges as well as paper documents. Who processes the tape, and how is it secured before and after processing at the computer facility?
RECOMMENDATION: Recommended corrective action as required. Include implementation dates or schedules if applicable.

B.2 FINDING: Second finding pertaining to the secure storage requirement.
DISCUSSION: The secure storage requirements encompass such diverse security considerations as locking cabinets or rooms, key control, and off-site storage of back-up tapes.
RECOMMENDATION: None

C. LIMITING ACCESS TO TAX DATA TO EMPLOYEES OF THE AGENCY WHO HAVE A NEED-TO-KNOW AND WHO ARE AUTHORIZED TO HAVE ACCESS
Requirement: IRC §6103(p)(4)(C) requires that access to FTI be restricted to those persons whose duties require access and to whom disclosures may be made under provisions of law.
NOTE: It is especially important that both tests be applied to persons with access to returns or return information; that is, they have a need-to-know and are authorized by statute. (An agency's contract programmer may have a need-to-know, but the disclosure to contractors may not be authorized by statute.)

C.1 FINDING: Agency should be limiting access to those employees having a need and federal statutory right to know.
DISCUSSION: Access by employees should be limited to those portions of FTI that are actually required in the performance of their assigned duties.
NOTE: The same restrictions to access shall apply to any contractor or subcontractor.
RECOMMENDATION: The reviewer may need to advise the agency to implement changes or develop a system to restrict access to information consistent with employees' duties and responsibilities.
NOTE: It is especially important that both tests be applied to persons with access to returns or return information; that is, they have a need-to-know and are authorized by statute. (An agency's contract programmer may have a need-to-know, but the disclosure to contractors may not be authorized by statute.)

Unauthorized access may be in the form of unauthorized viewing (inspection) of tax data, and the reviewer should ascertain what, if any, procedures have been (or are being) initiated by the agency to prevent or detect casual viewing of returns or return information. All Safeguard Review Reports will include documentation to reflect discussions with the agency regarding their procedures to prevent and detect unauthorized access to, or inspection of, tax returns or return information. Penalties are applicable to unauthorized inspection of returns or return information as well as unauthorized disclosures (see Taxpayer Browsing Protection Act).

Limiting access to computer systems or computer screens should be discussed in the sub-section devoted to computer security issues. Limiting access also applies to the controls used to protect the agency's facilities. Physical access controls for the computer facilities may, at the reviewer's discretion, be discussed either in this sub-section or under computer security.

D. PROVIDING OTHER SAFEGUARDS DETERMINED TO BE NECESSARY
Requirement: IRC §6103(p)(4)(D) requires that other safeguard measures be provided that the Secretary of the Treasury determines to be appropriate to protect the confidentiality of FTI. IRS Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, specifies that recipient agencies are to conduct periodic internal inspections to ensure that safeguards are adequate. The publication also provides employee awareness guidelines to ensure that all appropriate agency employees are aware of the disclosure provisions of the Internal Revenue Code and the penalties provided for the unauthorized disclosure of return information.

D.1 FINDING: Agencies should, at a minimum, advise their employees of the provisions of IRC 7213, 7213A, and 7431. Also include comments regarding orientation programs and the actual training provided, e.g. the topics covered relevant to Federal tax data. Comment on your review of, or the practices for, employee and contractor employee certification and annual recertification.
DISCUSSION: Publication 1075 and Exhibit 11.3.36–1 contain some examples of awareness efforts or initiatives.
RECOMMENDATION: The reviewer may have to take an active role in the agency's awareness efforts by providing definitions or explanations of what constitutes "return information" and the confidentiality requirements imposed by the code.

D.2 FINDING: Agencies may not be conducting, and documenting, internal inspections to ensure the security of the return information.
DISCUSSION: Properly conducted and documented security inspections by the agency can be a valuable adjunct to our safeguard reviews.
RECOMMENDATION: The inspections should be conducted by a function that does not use the return information, and the inspection results and follow-up actions should be included in the agency's annual Safeguard Activity Report.

E. SUBMISSION OF REQUIRED SAFEGUARD REPORTS
Requirement: In accordance with IRC §6103(p)(4)(E), the IRS has prescribed that, at least 45 days prior to the scheduled receipt of the tax information, recipient agencies submit a Safeguard Security Report describing the procedures established to ensure the confidentiality of the returns or return information received. Subsequent to submission of the Safeguard Security Report, a Safeguard Activity Report must be submitted annually to give current information regarding their safeguard program.
NOTE: If the Safeguard Security Report is several years old, the reviewer should ensure that current agency procedures are accurately reflected in the SSR. The reviewer should request a new SSR if the original one is more than five years old, or safeguard procedures have substantially changed. Also include comments regarding whether actual agency practices observed during the on-site review comply with the SSR on file and with the SSRs submitted since the last review.

F. DISPOSAL OF RETURNS AND RETURN INFORMATION UPON COMPLETION OF USE
Requirement: IRC §6103(4)(F) requires agencies to return tax information to the IRS, make the information "a non-disclosure", or, in some cases, retain the information and safeguard it.

G. NEED AND USE
Requirement: Policy Statement P–1–35 states that "Tax Information provided by the IRS to State tax authorities will be restricted to the authorities' justified needs and uses of such information."
Other agencies must use the information only for the purpose(s) authorized by statute.
State Tax Agencies: If a "need and use" review of a state tax agency has been conducted recently, this should be noted and a summary of that report may be included in this portion of the Safeguard Review Report. (IRM 11.3.36.10 I
Federal and Other State Agencies: During reviews of Federal or non-tax state agencies that may receive return information specified by statute, the reviewer should note how the agency actually uses the data, and whether these uses are in accordance with the enabling legislation. This would include sharing the data with agencies not specified by statute, or using the data for, or in, programs not included in the statute, as well as unauthorized disclosure to agents or contractors. A Safeguard Review Report should always include observations about the agency's actual use of the data.

H. COMPUTER SECURITY
Requirement: All automated information systems and networks which process, store, or transmit sensitive but unclassified information (tax return information, information covered by the Privacy Act, etc.) must meet the requirements for Controlled Access Protection as evaluated by the National Security Agency or National Institute of Standards and Technology.*
NOTE: The reviewer should also verify that all security features are operational, because the user has the option of selecting which operational features of the security software are enabled. In data processing environments, certain specified personnel may require access to the hardware and software used to store or process Federal tax information, but not all information processing personnel require access to the FTI. Agencies should ensure that only those employees with a need-to-know are allowed access to Federal tax information.

Exhibit 11.3.36-3 Quality Review Safeguard Review Report Preparation Check Sheet

Item Description
1. DAF matches agency reviewed and is loaded in Documents file.
2. SDSEM is complete with failures and comments, and is loaded to Documents file.
3. Previous review findings A-H, and all component findings, are closed. Forward open CAP case (if applicable) associated with previous review to appropriate Chief.
4. Review Contact Questionnaire is complete and loaded to Documents file.
5. The agency head and point of contact named in SRR-L are correct and updated on Agency screen.
6. Findings and component findings in the SRR and in e-Trak match.
7. Correct report template has been used.
8. Cover sheet has correct agency/month/year.
9. Table of Contents page numbers are correct.
10. Targeted Implementation Dates in SRR are calculated correctly (days not months).
11. Verify SRR-L and SRR are in .doc format and have proper naming convention. Note: The SRR and SRR-L should be dated the date forwarded. Example: MAXXX-DOR-SRR-102614, MAXXX-DOR-SRR-L-102614
12. Load letter and report to Outgoing correspondence file.
13. Documented all case notes on e-Trak for any actions taken.
14. Update Comments field on case to reflect status. Example: 10/26/14 - To Associate Director for approval/signature - CB
15. Update Email Notification Comments field on case to reflect case status and number of days open. Priority should be used for cases less than 45 days.
16. Forwarded case to Associate Director by day 40-42 in order to meet 45 day timeliness measure.
17. Move case to Associate Director through Workflow Step - Submit to Mgmt Approval.

Exhibit 11.3.36-4 Quality Review of Technical Inquiries Preparation Check Sheet

Item Description
1. TI response clearly states current IRS Safeguards policy. Cite Publication 1075 references as appropriate.
2. Discussion and answer provided in e-Trak case notes.
3. Attachments to be sent to the agency as part of the response are loaded into e-Trak Documents folder.
4. Verify TI is loaded in e-mail format, has proper naming convention, and is appropriate for forwarding to the agency.
5. Documented all case notes on e-Trak for any actions taken.
6. Update Comments field on case to reflect status. Example: 10/26/14 - To Technical Advisor for approval and closure - BG
7. Update the Email Notification Comments field on the case. "Priority" should be used for cases less than 30 days. Example: Priority MAXXX-DOR-TI-102614, 20 days for approval/closure
8. Forward case to Technical Advisor by day 25 in order to meet the 30 day timeliness measure.
9. Move case to Management Approver status.

Exhibit 11.3.36-5 Quality Review Safeguard Security Report Preparation Check Sheet

Item Description
1. DAF matches SSR reviewed and is loaded to Documents file.
2. SSR Acceptance Check List is complete with failures and comments, and is loaded to Documents file.
3. SSR Analysis is complete with comments, and loaded to Document file.
4. The agency head and point of contact named in SSR are updated on Agency screen.
5. Correct report template has been used.
6. Verify SSR-L and SSR have proper naming convention. Note: The SSR and SSR-L should be dated the date forwarded to QR. Example: MAXX-DOR-SSR-102614, MAXX-DOR-SSR-L-102614
7. Load letter and report to Outgoing correspondence file.
8. Documented all case notes on e-Trak for any actions taken.
9. Update Comments field on case to reflect status. Example: QR Complete. Agree with acceptance and sending for signature 11/24/14-CL
10. Update Email Notification Comments field on case to reflect case status and number of days open. Priority should be used for cases less than 60 days. Example: Priority MAXX-DOR-SSR-102614, 39 days, for approval/signature.
11. Forwarded case to Associate Director by day in order to meet the 60 day timeliness measure.
Exhibit 11.3.36-6 Quality Review Corrective Action Plan Preparation Check Sheet

Item Description
1. Status matches IRS Comments: Closed or Open.
2. Open Findings: Agency Planned Implementation date has been updated.
3. Closed Findings: Actual Closure Date has been updated.
4. Explanation has been included in IRS Comments if agency said the finding was closed but it was determined to be open by the DES/CSR.
5. Verify the Parent Finding is closed if all Component Findings are closed.
6. Load POC and Head of Agency letters in e-Trak Outgoing Correspondence Folder with proper naming convention. Note: The letters should be dated the date forwarded to QR. Example: MAXXX-DOR-POC-L-102614, MAXXX-DOR-AGENCY-L-102614
7. Documented all case notes on e-Trak for any actions taken.
8. Comments field on case reflects case status and next CAP due date. Example: 10/26/14 - To Chief, SRT 2 for approval, Next CAP Due Date is MM/DD/YY
9. Update Email Notification Comments field on case to reflect case status and number of days open. Priority should be used for cases less than 45 days. Example: Priority MAXXX-DOR-A-CAP-102614, 39 days, for approval/signature
10. Submit for Mgmt Approval to appropriate SRT Chief by day 40 in order to meet the 45 day timeliness measure.

Exhibit 11.3.36-7 Artifact for Review

800-53 Control | Control Name | Artifact for Review
Section 5.2 | Commingling and Labeling | Screenshots of database schemas that show electronic FTI labeling; sample output (report/notice) that shows how FTI is labeled
AC-6 | Least Privilege | FTI data flow diagram (physical and logical) to include all devices and inputs/outputs; Access Control Policy & Procedures
AC-17 | Remote Access | Screenshot of authentication screens; document how multi-factor authentication is deployed for all remote network access to systems containing FTI and the tokens used for authentication
AC-20 | Use of External Information Systems | Remote Access Policy & Procedures; Notice of Use for any non-agency-owned information systems, components, or devices to process, store, or transmit FTI, seeking IRS approval to meet 45-Day Notification Reporting Requirement
AU-2 | Audit Events | Audit and accountability policy and procedure for operating systems, databases and applications with FTI; Log Monitoring Policy (recordkeeping)
AU-3 | Content of Audit Records | Sample audit logs for all technologies/components associated with FTI
AT-4 | Security Training Records | Training material (for users and system security personnel); sample certification statement
CA-2 | Security Assessments | Independent Security Assessment Report (SAR) or other report reflecting the results of security testing and mitigation for any high findings within the last year
CA-6 | Security Authorization | Signed Authority to Operate (ATO) for new systems (or draft if ATO not yet granted); documentation appointing the system Authorization Official
CM-8 | Information System Component Inventory | Complete listing of FTI inventory (includes networking devices) identifying: platform, operating system, and applicable software
IA-5 | Authenticator Management | Password & Authenticator Management Policy & Procedures; screenshots of local security policy for password management
IR-6 | Incident Reporting | Incident Response Plan and Procedures
MP-6 | Media Sanitization | Media Sanitization Policy & Procedures; destruction log template
PE-3 | Physical Access Control | Physical Access Policy & Procedures; Alternative Worksite Policy & Procedures
PE-8 | Visitor Access Records | Sample visitor access log
SA-9 | External Information System Services | System & Services Acquisition Policy and/or Access Control Policy
SC-4 | Information in Shared Resources | System & Communication Policy & Procedure
SC-7 | Boundary Protection | Network architecture and design documents and/or diagrams depicting FTI network segments or logical location of FTI system
SC-8 | Transmission Confidentiality and Integrity | System & Communication Policy & Procedures; network design diagram and documentation with all FTI transmission protocols and encryption mechanisms identified
SI-2 | Flaw Remediation | Patch Management Policy & Procedure
SI-3 | Malicious Code Protection | Malicious Code Protection Policy & Procedure

Exhibit 11.3.36-8 Recommendation for FTI Suspension and/or Termination

FTI Suspension and/or Termination Memo Format

Agency Name:
Agency Code:
Agency Type:
Head of Agency Name:
Head of Agency Phone:
Head of Agency E-mail:
Head of Agency Address (applicable for federal and tax administration agencies):
Governmental Liaison Name:
Governmental Liaison Phone:
Governmental Liaison E-Mail (applicable for federal and tax administration agencies):
Disclosure Manager Name:
Disclosure Manager Phone:
Disclosure Manager E-mail:
Statutory FTI Disclosure Authority:

Type of FTI Received
Electronic? (Yes/No) From what federal or state agency? Known volume? Using what connection?
Paper? (Yes/No) From what federal or state agency? Known volume?

Identified 6103(p)(7) Violation(s)?
Unauthorized inspection or disclosure of returns or return information and no adequate corrective action taken to prevent recurrence of an unauthorized inspection or disclosure (Yes/No)? If Yes, provide details. (What is the violation? How was agency put on notice of the violation? How was agency advised to take corrective action? How did agency respond?)
and/or
Section 6103(p)(4) safeguards are not being satisfactorily maintained and agency has demonstrated no adequate plan to improve its system to maintain the safeguards satisfactorily? (Yes/No) If Yes, provide details. (What is the violation? How was agency put on notice of the violation? How was agency advised to take corrective action? How did agency respond?)

Recommend Suspension of FTI Disclosure Pending Final Determination By Commissioner? (Yes/No) If Yes, provide details. (Describe how tax administration would be seriously impaired if FTI disclosures were not suspended pending final determination by Commissioner.)

AD Approval of IRC 6103(p)(7) Recommendation? (Yes/No)
Signature: ______________________________ Date: ______________
Date Assistant Director sent STAT/SRT prepared letter to Head of Agency warning guidelines have been met to initiate recommendation: ______________

GLDS Director Approval of IRC 6103(p)(7) Recommendation? (YES/NO)
Signature: ______________________________ Date: ______________
Date GLDS Director sent STAT/SRT prepared letter to HOA advising of IRC 6103(p)(7) determination of intent to terminate FTI disclosures and providing agency appeal rights: ______________
Date Commissioner's Office Notified of Agency IRC 6103(p)(7) Determination Notification: ______________
30 Day Deadline Date for Agency Appeal of IRC 6103(p)(7) Determination: ______________

Agency Appealed IRC 6103(p)(7) Determination (Yes/No)
If No, Date of Termination of FTI Disclosures to Agency: ______________
If Yes, 45 Day Deadline to Commissioner Appeal Conference: ______________

Commissioner Sustains IRC 6103(p)(7) Determination (Yes/No)
Signature: ______________________________ Date: ______________
If Yes, Date of Termination of FTI Disclosures to Agency: ______________