This section discusses ERCS security and procedures for controlling access.

4.7.2.2 (07-31-2000)
Basic Principles of Security

The basic principles of security in the Internal Revenue Service are:

All information processed by the Service is considered sensitive,
Access to sensitive information is granted only on a "need-to-know" basis,
Employees are provided the least privileges necessary to accomplish their normal and recurring work assignments,
Privacy protection is a personal and fundamental right of all taxpayers and employees. The Service collects, maintains, uses and disseminates identifiable personal information and data only as required under the law, and
Security is the responsibility of all Internal Revenue Service personnel, including contractors.

4.7.2.2.1 (07-31-2000)
Security Assurance

In addition to numerous system consistency/security checks, ERCS security is primarily assured by:

Limited system access to assure data is provided on a need-to-know basis,
Audit trail generation of users' activities, and
Electronic managerial approval of certain actions. See text 1.8.3 of this section.

4.7.2.3 (07-31-2000)
Taxpayer Browsing Protection Act of 1997 (UNAX)

On August 5, 1997, President Clinton signed the Taxpayer Browsing Protection Act into law. Under the law:

Willful unauthorized access or inspection of non-computerized taxpayer records, including hard copies of returns — as well as computerized information — is a misdemeanor, punishable, upon conviction, by fines, prison terms and termination of employment,
Taxpayers have the right to take legal action when they are victims of unlawful access or inspection — even if a taxpayer's information is never revealed to a third-party, and
When managers of employees are criminally charged, the Service is required to notify taxpayers that their records have been accessed without authorization.

The Law provides a criminal misdemeanor penalty for the willful, unauthorized inspection of tax returns or return information. The penalty is a fine up to $1,000 and/or imprisonment up to one year. It applies to all federal employees, state employees and contractors who receive federal tax information. Upon conviction, a federal employee is dismissed from employment.

4.7.2.4 (07-31-2000)
C2 Security

C2 security is a government-wide requirement for all computer systems which process, store, or transmit sensitive but unclassified information. C2 requirements include identification of users, controlling access between system resources and users, and creation of an audit trail.

4.7.2.4.1 (10-01-2003)
C2 Certification

The Department of Treasury Directive TD 71-10 establishes policy by requiring formal review (certification) and issuance of official declarations (accreditation) that all Sensitive But Unclassified (SBU) systems or networks are approved to operate.

C2 is the minimum level of protection required for information systems and networks accessed by more than one user group or group of users when those users or groups do not have the same authorization to use sensitive but unclassified information.

Guidance on the requirements of certification is provided, in part, by: IRM 25.10.1, Section 1, Information Technology (IT) Security Policy and Guidance.

ERCS obtained its original C2 certification in June 1999. The following documents were submitted as part of the certification process:

ERCS Risk Assessment Report — identifies existing and potential threats, vulnerabilities and effectiveness of the current and proposed safeguards. A formal review of the minimum baseline security requirements for SBU systems is part of the Risk Assessment,
ERCS Computer Security Plan — identifies the security requirements of a system and whether controls are in place to meet the requirements,
ERCS Privacy Impact Assessment (PIA) — a process used to evaluate the privacy issues of a system. Approval by the Privacy Advocate must be obtained before a system is C2 certified,
System of Records Notice (SOR) — defines the who, what, when and why a file exists in a government agency. ERCS is covered by SOR 42.008, Audit Information Management System (AIMS),
ERCS Technical Contingency Planning Document (TCPD) — identifies the priorities, resources and procedures necessary to ensure that essential operational tasks can be continued after disruption to a system. Approval of the TCPD by the Disaster Recovery Planning Section (DRPS) must be obtained before a system is C2 certified,
ERCS Trusted Facility Manual — describes how a system is to be configured and operated to maintain its accepted level of risk,
ERCS Security Features Users Guide — describes how a user is to interact with the system, ensuring security controls are understood and used correctly, and