AccessibilitySkip to Top NavigationSkip to Main ContentHome  |  Contact IRS  |  About IRS  |  Site Map  |  Español  |  Help  

Part 10. Security, Privacy and Assurance

Chapter 2. Physical Security Program

Section 11. Basic Security Concepts

10.2.11  Basic Security Concepts

10.2.11.1  (09-30-2008)
Overview

  1. The Internal Revenue Service has a legal obligation to protect the confidentiality of tax returns and related information. The Service also has responsibility for protecting the entire Federal Tax Administration System, not just the individual components of the system, which includes employees, computer equipment, tax returns, monies, property, facilities and records.

  2. The Service has taken the position of providing reasonable protection commensurate with the character and value of the information or property involved. For example, processing center operations require a high degree of physical protection to meet minimum security needs, while a small post-of-duty may require fewer protective measures.

  3. The Office of Management and Budget (OMB) Circular A-130 requires that government information be protected commensurate with the magnitude of harm that could result from the loss, misuse, unauthorized access to or modification of such information. This responsibility includes establishing physical, administrative and technical safeguards to protect personal, proprietary or other sensitive data whether it is national defense information or not.

10.2.11.2  (09-30-2008)
Scope

  1. This IRM includes the physical security requirements for the entire Federal Tax Administration System as administered within the IRS. This includes all Service facilities (National Office, posts of duty, processing centers, computing centers and other Service offices or space).

  2. This IRM establishes security guidelines for the reasonable protection of tax information, property, and facilities against disclosure, loss, damage, or destruction without unnecessarily restricting or interfering with operations. It also provides instructions on the Service's Minimum Security Standards (MSS) and serves as a procedural and technical guide for security personnel. It includes optional methods for providing security under varying local conditions, provides for specific items requiring protection and identifies the various methods for protection.

10.2.11.3  (09-30-2008)
Responsibilities

  1. The Chief, Agency Wide Shared Services, is authorized to prescribe the Basic Security Concepts Program for use within the IRS. The Director, Physical Security and Emergency Preparedness, is responsible for oversight of this IRS Program. The Associate Director, Security and Emergency Programs Division, is responsible for planning, developing, implementing, evaluating, and controlling this IRS Program.

  2. Area Directors of the Physical Security and Emergency Preparedness (PSEP) Operations offices, are responsible for assuring that offices are in compliance with Service policy and for providing guidance, oversight and assistance to their Territory offices on the physical security program. The Territory Offices are responsible for implementing, evaluating and managing the local physical security program and for providing guidance, oversight and assistance to client sites.

  3. Submission Processing Center Directors, Computing Center and Customer Service Center Directors are responsible for implementing an effective physical security program and for ensuring that security measures taken are reasonable, adequate and effective.

  4. The Business Units are responsible for implementing an effective physical security program within their functional areas; for ensuring that security measures taken are reasonable, adequate and effective; and, for notifying the Security and Emergency Programs (SEP) Division of any proposed protective changes.

  5. To meet the obligation to provide necessary security protection to the Tax Administration System, the Service has determined that Service officials and managers are responsible for ensuring the continued operation of the Federal Tax Administration System by taking all responsible actions to prevent the loss of life and property, the disruption of services and functions and the unauthorized disclosure of documents and information. Managers are responsible for providing reasonable security for all information, documents, and property with which they are entrusted, for complying with all minimum security standards contained in 10.4.1, Managers Security Handbook, all local security requirements, and for reporting any violations to the local physical security office or other individuals who have security responsibilities. Managers must ensure that the physical security measures required for protecting information, property, and life are applied within their area of supervision and that those measures meet the established minimum security standards.

  6. All employees are responsible for providing reasonable security for all information, documents and property with which they are entrusted, for complying with established security procedures, all local security requirements, and for reporting any violations to their manager or to their local physical security office or other individuals who have security responsibilities.

  7. A security representative and alternate (if available) shall be appointed to and participate in the Building Security Committee (BSC) established for each building by the Federal Protective Service (FPS). The FPS Policy Directive FPS-05-002, Building Security Committees, dated February 16, 2005, will apply. Members of the BSC shall at a minimum focus their efforts on:

    • Functions identified in the Department of Justice (DOJ) Vulnerability Assessment of Federal Facilities or FPS-05-002

    • A means of communicating threat or security-related notices to the facility population

    • Serve as liaison to local law enforcement, fire, and other emergency response authorities, and to establish roles and responsibilities in responding to incidents and emergencies at each facility

    • Determine appropriate security measures to be implemented during increased threat conditions

    • Review and adjust security measures as needed.

10.2.11.4  (09-30-2008)
Basic Security Concepts

  1. Basic security concepts have been adopted by the Service and applied to the various activities within the Service. These concepts provide management with the flexibility to provide the degree of security or protection commensurate with the degree of sensitivity of each particular activity.

  2. Minimum security levels shall be established for each facility based first on the factors of occupancy, multi-agency tenancy, square footage, and amount of public contact. Security levels must then be adjusted and additional security measures implemented commensurate with the operation, personnel, resources, information systems, and/or mission of the facility. Each facility will be designated Level I, II, III, or IV, in accordance with the DOJ Vulnerability Assessment of Federal Facilities Report, and appropriate security measures shall be implemented. A designation of Level V is reserved for and assigned only to those facilities identified and prioritized as national security critical infrastructure assets in accordance with the Treasury Critical Infrastructure Protection Program. A Level V designation necessitates implementation of extensive security measures and such designation requires concurrence of Treasury’s Office of Security Programs and coordination with the Critical Infrastructure Physical Security Program Manager. IRS facilities identified as critical infrastructure and those housing critical infrastructure and key resources shall be designated and protected as Level IV, at a minimum.

10.2.11.5  (09-30-2008)
Photography Prohibited

  1. Taking photographs within or recording images of the inside of Treasury bureau facilities shall be prohibited except when specifically authorized by the Internal Revenue Service Agency Wide Share Services Physical Security Emergency Preparedness Territory Managers, Area Director (AD), or National office (N.O.) PSEP SEP. Taking photographs of external features of a facility or other property which provides information not accessible to the public shall also be prohibited and must be reported to local Physical Security Office, and the Contracting Officer Technical Representative (COTR) who will then notify FPS and/or local law enforcement. Photography means any physical or electronically recorded image, including still photographs, x-ray images, video tapes or recordings, and motion pictures.

10.2.11.6  (09-30-2008)
Facility Security Plan

  1. The Facility Security Plan (FSP) is an Operations Office level document that provides summary information used to describe all significant Safeguards and Security programs at applicable sites and facilities for PSEP Systems, Resources and Designs (SRD) review, track corrective actions and/or funding. The FSP will be completed for each IRS facility, including computing centers, campuses and critical post of duty (POD). This FSP documents the implementation of Physical Security and Environmental (PSE) and Media Protection (MP) Controls prescribed within the National Institute Standards and Technology (NIST SP 800-53), Treasury Department Publication (TDP 15-71), and Interagency Security Committee Design Criteria (ISCDC). Development and maintenance of the FSP is directed in Treasury Department Publication (TDP 15-71) Security Manual.

  2. The purpose of the FSP template is to provide an overview of the appropriate physical security measures and requirements taken to minimize the threat to our facilities, employees, loss of assets, equipment, and material through terrorism, criminal activities and natural disasters.

  3. The intent of the FSP template is to describe those programs used to form the basis for the site and facility protection and the basis for future changes and improvements. The description of how those programs are implemented should be contained in site and facility procedures, directives, supplemental orders or other authoritative documentation. While these documents may change, the FSP template should remain relatively constant describing the long term protection plan in place and envisioned for the site or facility.

  4. At a minimum, the Facility Security Plan shall identify the following:

    • Site/Facility Identification

    • Threat Information

    • Roles and Responsibilities of Security Staff

    • Personnel Security (PERSEC)

    • Physical Security Environmental Protection Policy and Procedures

    • Information Security (INFOSEC)

    • Computer Security (COMPUSEC)

    • Communication Security

    • Physical Security (PHYSSEC)

    • Physical Access Authorizations

    • Physical Access Control

    • Access Control for Transmission Media

    • Access Control for Display Medium

    • Monitoring Physical Access

    • Visitor Control

    • Access Logs

    • Vehicle Control

    • Delivery and Removal

    • Emergency Power

    • Emergency Shutoff

    • Emergency Lighting

    • Fire Protection

    • Temperature and Humidity Controls

    • Water Damage Protection

    • Intrusion Detection System

    • Communications

    • Security Guard Force

    • Contingency Plans

    • Business Resumption Plan (BRP)

    • Alternate Work Site

    • Location of Information System Components

    • Coordinating instructions

    • Protect Act, Code Adam and Amber Alerts

    • Media Protection (MP)

    • Media Access

    • Media Labeling

    • Media Storage

    • Media Transport

    • Media Sanitization and Disposal

    • Occupant Safety and Health

    • Emergency Planning

    • Security Education and Awareness

    (5) At a minimum the plan will be reviewed on an annual basis, current and plan security controls shall address those security concerns that impact the physical security of the site/facility and the protection of media contained therein. PSEP Area Directors and PSEP Territory Managers will certify FSP annually and submit to PSEP SRD for accuracy, or identify changes and resolution strategy where applicable.

10.2.11.7  (09-30-2008)
Risk Management

  1. The Service has established minimum physical security standards and requirements for the protection of Service facilities, personnel and information. These standards are based on possible threats and identified countermeasures that could minimize the impact of an occurrence. Periodic risk management assessments provide security personnel and management officials with information on the effectiveness and appropriateness of existing standards and countermeasures, identifies risks, recommends additional upgrades, as needed, and provides guidance on how best to implement approved recommendations.

  2. Evaluation of the risk is the first step in determining the degree of security required for a particular facility. Security measures should be relative to the type of risks to which the facility and its contents are exposed, the probability that these risks will occur, and the impact that an occurrence would have on the organization. The Service recognizes the value of this approach and has developed and implemented an automated risk assessment process, known as the FSR-Manager (Facility Security Risk-Manager). This risk assessment process, FSR-Manager, is to be used by the physical security personnel to develop a tailored physical protective system for the facility and associated annexes. The process provides an objective tool to assist in identifying and justifying security requirements for IRS assets and systems that can be substantiated as minimum requirements to support IRS security policy. It allows the security analyst to independently assess the security posture at a specific facility, annex, or group of facilities and, based on this assessment; determine security criteria to protect the facility(s).

  3. At a minimum, risk/vulnerability assessments will be conducted at the following intervals, at a minimum: Level IV and V, every two (2) years; Level III, every three (3) years; and Level I and II, every four (4) years. Existing Risk Assessments that are less than 5 years old with no significant changes in the overall security posture at a security level I, II, or III facility may be re-validated. If the security posture has been enhanced by the addition of security countermeasures, those enhancements should be noted in the re-validation report. (see Exhibit 10.2.11-1). Security Level IV and V facilities must continue to be re-assessed at intervals of every 2 years or more frequently, if circumstances warrant and/or when the following condition occurred;

    • a change in location

    • major building renovation

    • increase in significant incidents, and/or

    • change in the mission of the businesses located at the facility

  4. The risk assessment process will include the following steps:

    1. Evaluation of the risk – determining the degree of security required at the facility based on the likelihood of an occurrence happening.

    2. Vulnerability assessment – potential impact of an occurrence and vulnerability (attractiveness of target and level of deterrence provided by established countermeasures) of the facility to an occurrence (see Exhibit 10.2.11-1)

    3. Risk analysis – evaluation of potential risk to a facility from a given threat based on the impact of loss and vulnerability ratings (see Exhibit 10.2.11-2).

    4. Recommendations – recommended countermeasures and cost (installation, operating cost, etc.)

  5. Risk/vulnerability assessments will be conducted using the FSR-Manager automated tool and all completed risk assessment reports will carry the legend "For Official Use Only-Restricted Distribution" . Copies of the report will be forwarded to the National Office Security and Emergency Programs Division via secure E-mail or by a traceable means if sent through the postal system.

  6. The SEP will perform a Risk Assessment Authority Review. The Risk Authority Review is conducted to confirm the recommended upgrades based on impact of loss and the risk of an occurrence happening. The Risk Authority Review will be objective and fiscally responsible and will assist in prioritizing the recommended upgrades that become authorized

10.2.11.8  (09-30-2008)
Limiting Access

  1. The basic principle of security within IRS, or anywhere, is "limit access to assets based upon need." When protecting information, for example, access to documents should be limited to those persons with a need to know the information. When the asset to be protected is a room, an area, a building, a computer, or other such property, access to that property should be restricted to those persons who, due to their official duties and/or responsibilities, have a need for such access.

  2. Whether a person needs to access an asset will depend upon whether that access is necessary to enable the person to perform his/her assigned duties and responsibilities. Management is responsible for determining such a need and for subsequently deciding to grant or deny access. Once this determination has been made, management should consult Security personnel for assistance in selecting the appropriate method of achieving the desired control.

10.2.11.9  (09-30-2008)
Safeguard Functions

  1. Most of the methods of protection are designed for protection after normal duty hours or at any time the assets to be protected are not under the personal custody of authorized Service employees.

  2. Because any single safeguard is often insufficient protection for any asset, the concept of layering of safeguards was developed to provide security-in-depth. To facilitate understanding of security-in-depth, the following functions of safeguards are presented.

    1. Deter -- The psychological effect which a safeguard or a system of safeguards has upon the potential perpetrator or human originated threat is difficult to measure. One can determine the effectiveness of an alarm by the number of bona fide "catches" it makes, but we can only guess the effectiveness of a safeguard which is designed only or primarily to deter a human being. The best example of a pure deterrent is a sign which identifies a restricted area. While it would be ideal to have effective security simply by the use of such inexpensive means as signs or lights, it is not practical. A good security program will not rely solely upon safeguards which are only deterrents.

    2. Delay -- Ideally, the Service should be able to deny access to its assets to separate them from human originated threats. But this is not practical since to perform its mission the Service must allow access to its assets. The objective then is to limit access to authorized personnel at approved times for official reasons. At times when the assets are not in the personal custody of an authorized IRS employee, they should be protected by means which delay as long as practical access by unauthorized persons. Safeguards such as locks, containers and walls will withstand (depending on the type of lock, container, etc.) forced entry and surreptitious entry attempts for a given period of time. This time is, hopefully, enough to discourage most would-be thieves, saboteurs, etc. However, given enough determination and resources (i.e., time, tools, and money) all such safeguards can be breached. If the asset being protected merits more than a deterring and delaying effort, the next function we would add is detection.

    3. Detect -- Many safeguards will automatically provide detection of an unauthorized act. For example, a door may show signs of a forced entry. However, an alarm might give evidence of an attempted surreptitious or forced entry. Depending once again upon the value of the asset, the timing of detection is crucial. For example, the goal for a threat such as sabotage of a computer in a processing center would be to detect the attempted execution of the threat soon enough to intervene before it can be completed. Perimeter alarms and alarm activated cameras will help achieve this goal. Such a goal will also require a response force (internal IRS security personnel, contract guard personnel, Federal Protective Services, or the local police department) which will monitor detection devices and respond to them as appropriate. The functions of assessing, identifying, and tracking can be accomplished by closed circuit television (CCTV) systems, alarm systems and entry control systems. The most important of these functions is assessment, since the nature of the unauthorized act (e.g. unauthorized access, theft, robbery, assault, etc.) will influence the nature of the response to that act. Identifying a person committing an unauthorized act or a crime may be before, during or after the act has been committed. In some cases, we may only be able to respond to a threat as it is occurring. While the act has not been prevented, identification of the perpetrator enables the Service to take appropriate action. The tracking function is most useful for the response force to focus on the current location of the problem or perpetrator.

    4. Respond (Intervene/Apprehend) – Ideally, response to a threat in progress is to detect it and to take appropriate action soon enough to prevent it from causing any harm or loss. To achieve this ideal, the delaying safeguard, the detection devices, and the response force must be designed to ensure that the safeguard delays the perpetrator long enough for a detection device to alert the response force and long enough to allow the response force to arrive in time to intervene to prevent access or to prevent a perpetrator from leaving the area with stolen government property or information. Realistically, we should expect a contract security force to respond to a threat at a processing center within 5 minutes and at other buildings (protected with central station alarm systems) within 15 minutes. If this is not possible, then compensating measures must be included in the protective system design to delay an adversary until an effective response can be executed.

    5. Deny -- The only real way to accomplish this function is to destroy an asset to prevent unauthorized personnel from obtaining it. Clearly, for the Service, this only pertains to information on paper, microfilm, or magnetic media, etc. which is no longer needed or which is a waste by-product of a tax administration function.

  3. Exhibit 10.2.11-3 shows the functions generally performed by certain physical security devices/techniques. No attempt is made to address the effectiveness of each, as this depends on the quality of the device selected monitoring activities and timely reactionary measures. Also most of the techniques/devices shown are primarily for use against any potential perpetrator (employee or outsider) during unoccupied times. Conversely, ID media, electronic access control systems, sign in and other audit trail procedures and task separation techniques are generally for use during occupied times to protect against "insiders. "

10.2.11.9.1  (09-30-2008)
Security Awareness

  1. A security program is enhanced when all managers and all employees are aware of security requirements including the reasons for each of the security requirements they are expected to follow or enforce. Each manager must know the general security requirements as well as the specific security measures which apply to his/her particular area of responsibility. The key to an effective awareness program is to show how the requirements relate to the work in which an employee is involved. For example, awareness efforts directed toward computer room employees should relate to security requirements in a computer room, while those efforts directed toward a tax auditor should relate to protecting the privacy of the taxpayer and the sensitivity to the tax return and return information.

  2. To ensure that all employees and managers are made aware of security requirements each security program will include an awareness program. See 10.2.11.9.2.

10.2.11.9.2  (09-30-2008)
Methods of Dissemination

  1. There are numerous ways which security information can be disseminated to employees and managers. In addition to the security briefing (see below), the following methods will be considered as tools of the security awareness program:

    1. In-house newsletters -- may be used to present articles that will appeal to the target audience and will maintain a continuing interest.

    2. Memoranda -- may be used to stress a particular requirement which may be new or not being followed.

    3. Stuffers -- graphic presentation that can be disseminated with other all employee items (i.e. earning statements).

    4. Posters -- graphic presentations that may be posted in heavy traffic areas or in areas where a particular requirement applies.

    5. Flyers -- may be used to make a particular point or to stress a new requirement or one which is not being followed.

    6. Managers meetings -- may be used to discuss security items of common interest to the managers.

    7. Employee meetings -- may be used by managers to present current issues to employees or for discussion.

    8. E-mail and voice mail-may be used to disseminate information on new procedures, identify areas of concern or simply provide reminders.

10.2.11.9.3  (09-30-2008)
Security Briefings

  1. The Security Awareness Program will, at a minimum, include briefings as specified below:

    1. The Director and/or Senior Commissioner Representative (SCR) at each campus and computing center will be given a security briefing by security personnel, shortly after being appointed. The briefing will include current information on threats to the Service, and a review of the director's responsibilities in maintaining properly protected facilities.

    2. National office executives will be given a security briefing by the security staff. The briefing will include current information on threats to the Service and a review of the official's responsibilities.

    3. All managerial personnel will be given annual security briefings on their responsibilities by security personnel. The information presented during these sessions must then be passed on by the managers to all their employees. Security items will also be made a regular topic at periodic group/staff meetings.

    4. All new employees will receive a security orientation within the first week following employment. The orientation will be given separately or as part of the existing new employee orientation.

    5. All assigned employees will be given a refresher security orientation within the first week if they have been in a non-work status for nine months or longer. Local management will determine who will provide the orientation.

    6. Periodic security briefing sessions will be conducted for all processing center managers throughout the year and at the beginning of each filing season. All the first-line managers will attend a security briefing session before the start of each filing period. The individual sessions should be conducted by each facility's security personnel and Disclosure Officer with introductory remarks by the director or designated representative (if scheduling permits). Special scheduling considerations will be necessary to accommodate managers who work on shifts or off-site locations.

    7. Management will inform each employee of special security requirements pertaining to their particular work area or facility within the first 30 days the employee reports to the manager for duty.

Exhibit 10.2.11-1  (09-30-2008)
Categories of Vulnerability Levels

Vulnerability Categories
The Vulnerability Assessment considers the potential impact from a successful attack, as well as the vulnerability of the facility/location to attack. A key component of the Vulnerability Assessment is properly defining the ratings for impact of loss.
Devastating The facility is damaged beyond habitation. Most items/assets are lost, destroyed, or damaged beyond repair restoration.
Severe The facility is partially damaged or contaminated. Some items/assets are damaged beyond repair/restoration, but the facility remains mostly intact.
Noticeable The facility is temporarily closed or unable to operate without an interruption of more than one day. A limited number of items/assets may be damaged, but the majority of the facility is not affected.
Minor The facility experiences no significant impact on operation (disruption to operation is less than four hours) and there is no loss of major assets.

Exhibit 10.2.11-2  (09-30-2008)
Vulnerability Ratings

Vulnerability Ratings
Vulnerability is defined to be a combination of the attractiveness of the target and the level of deterrence and/or defense provided by established countermeasures. Target attractiveness is a measure of the asset or facility in the eyes of an aggressor and is influenced by the function and/or symbolic
Very High This is a high profile facility that provides a very attractive target for potential adversaries. The level of deterrence and/or defense provided by the existing countermeasures is inadequate.
High This is a high profile regional facility that provides an attractive target. The level of deterrence and/or defense provided by the existing countermeasure is inadequate.
Moderate This is a moderate profile facility (not well known outside the local area) that provides a potential target. The levels of deterrence and/or defense provided by the existing countermeasures are marginally adequate.
Low This is not a high profile facility and provides a possible target. The level of deterrence and/or defense provided by the existing countermeasures is adequate.

Exhibit 10.2.11-3  (09-30-2008)
SAFEGUARDS and Their Related Protection Functions

Safeguards Deter Delay Detect Assess Identify Track Respond Deny
   Intervene Apprehend Access
 
Alarms x   x x* x x x** x**  
 
Areas x x x   x        
 
Building x x x            
 
CCTV x   x x x x      
 
Containers x x x            
 
Degaussers                 x
                                     
Document Destructors and Shredders                                
 
 
 
   
Entry Control Systems x     x x x x         x  
 
 
   
Fences x x                
   
Guards x x x x x x x x x  
   
ID Media Systems x     x     x                  
 
 
   
Locks x x x              
   
Procedures (e.g., Audit Trail) x     x     x x              
 
 
   
Secured Areas/ Security Rooms x x x                          
 
 
 
   
Signs x                  
   
Task Separation Compart- mentation x                                  
 
 
 
Note: The functions of each safeguard may vary according to the quality of the safeguard and the nature of the threat. The following chart represents generally the functions each safeguard provides. Not included here are other functions such as promoting awareness of security to meet responsibilities to prevent violations or crimes, and investigation and appropriate remedial actions for violations. These are not within the scope of the manual.  
*Alarms can be arranged to determine the extent of a fire (by zoning) or the nature of unauthorized entry (by duress to an authorized entrant).  
** Alarm systems can be designed to provide for a response force; by themselves of course, they merely annunciate an unauthorized access. Programmed into an integrated system can be instructions to automatically shut doors, operate cameras, start/stop sprinklers, or perform other actions which go beyond detection and assessment of a threat to intervening or, as in the case of some entry controls, rejecting personnel who attempt an unauthorized access.  

More Internal Revenue Manual