Accessibility Skip to Top Navigation Skip to Main Content Home  |  Change Text Size  |  Contact IRS  |  About IRS  |  Site Map  |  Español  |  Help  

Part 10. Security, Privacy and Assurance

Chapter 2. Physical Security Program

Section 16. Laptop Random Security Screening Concepts

10.2.16  Laptop Random Security Screening Concepts

10.2.16.1  (10-06-2008)
Overview

  1. The Internal Revenue Service has a legal obligation to protect the confidentiality of tax returns and related information. The Service also has responsibility for protecting the entire Federal Tax Administration System, not just the individual components of the system -- employees, computer equipment, tax returns, monies, property, facilities and records.

  2. The Service has taken the position of providing reasonable protection commensurate with the character and value of the information or property involved. For example, processing center operations require a high degree of physical protection to meet minimum security needs, while a small post-of-duty may require fewer protective measures.

  3. The Office of Management and Budget (OMB) Circular A-130 requires that government information be protected commensurate with the magnitude of harm that could result from the loss, misuse, unauthorized access to or modification of such information. This responsibility includes establishing physical, administrative and technical safeguards to protect personal, proprietary or other sensitive data, whether it is national defense information or not.

10.2.16.2  (10-06-2008)
Scope

  1. This IRM includes Government Issue laptop random security screening requirements for the entire Federal Tax Administration System as administered within the IRS. This includes all Service facilities (National Office, posts of duty, processing centers, computing centers and other Service offices or space).

  2. This IRM, along with IRM 10.8.26 Laptop Computer Security Policy, establishes laptop security guidelines for the reasonable protection of tax information, personal identifiable information (PII), and sensitive information against disclosure, loss, or damage without unnecessarily restricting or interfering with operations. It also provides instructions on key security preventive measures and serves as a procedural and technical guide for security personnel.

10.2.16.3  (10-06-2008)
Responsibilities

  1. The Chief, Agency-Wide Shared Services, is authorized to prescribe the Laptop Random Security Screening Program for use within the IRS. The Director, Physical Security and Emergency Preparedness (PSEP), is responsible for oversight of this IRS Program. The Associate Director, Security and Emergency Programs Division, is responsible for planning, developing, implementing, evaluating, and controlling this IRS Program.

  2. Area Directors of the Physical Security Emergency Preparedness (PSEP) Operations offices, Operational Assurance Areas, are responsible for assuring that offices are in compliance with Service policy and for providing guidance, oversight and assistance to their Territory offices on the laptop security program. The Territory Offices are responsible for implementing, evaluating and managing the local physical security program and for providing guidance, oversight and assistance to IRS sites.

  3. PSEP staff on site is responsible for the program with input from or in coordination with the Campus Directors, Submission Processing Center Directors, Computing Center and Customer Service Center Directors, for implementing an effective laptop random screening program and for ensuring that security measures taken are reasonable, adequate and effective.

  4. Business Unit managers are responsible for implementing an effective laptop security program within their functional areas; for ensuring that laptop security measures taken are reasonable, adequate and effective; and, for notifying the PSEP Security and Emergency Programs division of any proposed changes to items listed in this IRM.

  5. To meet the obligation to provide necessary security protection to Taxpayer data, PII and Tax Administration System, the Service has determined that Service officials and managers are responsible for ensuring that employees and contractors protect government issue laptops and sensitive information of the Federal Tax Administration System by taking all responsible actions to prevent the loss of laptop, blackberry, thumb drive and property, the disruption of services and functions and the unauthorized disclosure of documents and information. Managers are responsible for enforcing laptop security procedures, and ensuring that employees and contractors are complying with the policy and procedures outlined in this IRM.

  6. All employees are responsible for protecting Government Issue equipment such as but not limited to, laptop, blackberry, thumb drive and external hard drive property with which they are entrusted, for complying with established laptop security procedures, all local security requirements, and for reporting any loss, theft and violations to their manager, local physical security office, Computer Security Incident Response Center (CSIRC) and Treasury Inspector General for Tax Administration (TIGTA).

10.2.16.4  (10-06-2008)
Laptop Security Concepts

  1. The theft or loss of laptop is a threat to our information and Taxpayer systems; therefore IRS employees and contractors who are issued government furnished equipment such as laptops, blackberry, thumb drive, external hard drives, satellite phone, and other electronic devices are responsible for securing this equipment at all times and for safeguarding such articles from loss, theft and/or damage. The accountability and security of IT resources, extends to your workplace, residence and/or other areas in which you use, travel and/or store the equipment.

  2. Proper precautions must be consistently exercised to ensure that government equipment is not vulnerable to any negligence or potential criminal activity. If you are assigned an IRS laptop, you are responsible for its physical safety as well as the data stored on it. Below are some actions you can take to safeguard and secure the government equipment issued to you.

    • Secure your laptop and other electronic devices when they are not in your possession.

    • Use cable locks to secure your laptop even within IRS controlled facilities Only MITS approved cables should be used. Cable locks should be tested to make sure they will not release.

    • Keep your electronic devices under your direct control in and outside IRS controlled facilities.

    • Challenge any unescorted visitor you may observe in IRS controlled workspace

    • Be aware of your surroundings.

    • Ensure Government issued laptop is properly marked with IRS Property Barcode.

    • Store laptop in a locked container or physically secure it to immovable furniture with a cable lock when not in use.

    • When using a laptop for meetings or conferences, always keep it in your sight. Do not leave the room without taking the laptop with you.

    • Keep a copy of relevant information (i.e., form 1930 with model, serial number, and other unique identifiers) about your laptop in a safe place.

    • Be aware and careful about the information that is showing on the screen and who has a need to know the displayed information. IRS employees all have an obligation to protect Sensitive but Unclassified (SBU) information from unauthorized disclosure.

    • Place your laptop under the seat in front of you when traveling by plane, bus, or train, rather than in an overhead bin where it is out of your sight.

    • Secure your laptop in the trunk, when you must keep it in your vehicle (be mindful of exposing your laptop to high/low temperatures for an extended period of time). If there is no trunk in your vehicle, it must be stored out of sight.

  3. Employees and/or Contractors must never:

    • Leave your government issued equipment unsecured and/or unattended.

    • Check laptop with your luggage at airports unless directed to do so by the Department of Homeland Security (DHS), Transportation Security Administration (DHS/TSA). Keep it with you at all times.

    • Leave laptop unattended in public places.

    • Leave laptop unattended in plain view in your car.

    • Leave laptop in your work area unsecured.

    • Store passwords/smart cards on or with your laptop.

    • Put your laptop through the x-ray machine until you are ready to walk through the metal detector at security checkpoints, like those at airports. This is a major area of laptop theft.

    • Ask anyone to watch your possessions while you go to the bathroom or newsstand. Take your laptop (and other valuables) with you. Keep it in your possession at all times.

    • Check your laptop with the bellhop or baggage storage at your hotel. You should check with the hotel front desk to see if the laptop can be stored in their locked safe if your room is not ready. (Be sure to always get a receipt/ticket for the laptop if it is stored in a locked safe).

    • Leave your laptop in plain view (on top of the night stand, dresser, bed, etc.) when you leave your hotel room. Put it out of sight in a dresser drawer, your luggage, etc., and be sure to use your cable lock.

    • Leave laptop at home where sensitive information can be easily seen.

    • Connect your IRS laptop to anything personally owned (printers, scanners, wireless devices, flash drives, etc.).

10.2.16.5  (10-06-2008)
Property (Laptop) Removal from IRS Facility and Security Guard Random Screening Procedures

  1. All employees and contractors issued IRS laptops are required to have a valid property pass to remove the item from the facility. IRS laptops will have a bar code with the following annotation Property of IRS and laptop Information Technology Asset Management System (ITAMS) number. Upon exiting the facility, IRS issued equipment must be accompanied by a Property pass/custody receipt Authorization (Form 1930) to record the removal from the facility, for the temporary removal of IRS property for authorized purposes. Form 1930 is available from Real Estate and Facilities Management.

  2. Random Laptop screening will be determined by local PSEP staff and conducted in facilities where security guard force is under IRS control. All employees/contractors are subject to random screening and must:

    • Present Property pass/custody receipt Authorization (Form 1930) signed by employee’s manager to the Guard along with picture Identification and equipment to Guard for inspection.

    • Guard(s) will review:
      – The ID card and property pass to ensure the documents were issued to the same employee.
      – The information on the property pass and laptop; comparing serial number, make and model. If the information matches, employee may remove the laptop from the facility.

    • Employee should complete an application for an annual property pass to expedite the inspection process on future visits.

  3. If information on form 1930 does not match, the laptop may not be removed from the facility. Employees will be directed to return the equipment to the workstation and record their name on the event log. If employee refuses to comply:

    • Guard will ask employee and/or contractor to remain on site; contact security operations center (SOC), project manager (PM), contracting officer technical representative (COTR) and/or physical security staff on site for further guidance/assistance.

    • PM, COTR and/or physical security staff will reiterate policy directly to the employee, either in person or via phone.

    • Employee will be advised that continued non-compliance may result in the reporting of the action to TIGTA.

    • Guard will complete an incident report

    • COTR and/or physical security staff will contact TIGTA to report employee’s failure to comply with established policy and procedures.

    • Removal of IRS issued laptops, without a valid property pass will not be permitted.

    • Use of Force, officer will not detain/apprehend non-compliant employees/contractors. Officer will record employee/contractor name and if at all possible badge ID number and submit an incident report to Supervisor, PM and COTR.

  4. All non-IRS issued laptops must be registered upon entry into the facility.

    • Facilities where security guard force is under IRS control, guard will ask employee/contractor if they are carrying a laptop. The laptop shall be presented to the guard and identifying information (make, model, and serial number) shall be recorded on the visitor or Record of Personal Property form.

    • Upon exit from the facility, the uniformed guard will locate the employee/contractor individual in the Record of Personal Property.

    • Compare the serial number, make and model. If the information matches, employee may remove the laptop from the facility.

    • Only laptops recorded on the Record of Personal Property form will be permitted to leave the facility.

  5. Custodial and property officers should obtain custody receipts for laptops.

  6. Procedures for IRS Employees/Contractors are as follow; You’ll need to use the updated Form 1930, Property Pass/Custody Receipt for Government and Individually Owned Property, after July 23, 2007 if you are issued new equipment that you can remove from your workplace (for example, a laptop, Blackberry or cell phone). See IRM 1.14.4 for this requirement. Here’s what you have to do:

    • Employees/contractors: Download Form 1930. Fill it in online, print the form, sign it and get manager approval and signature (or if you’re a contractor, have your COTR or IRS manager sign it) and give a copy to your manager. Carry it with you when you remove the associated property from your workplace.

    • Managers: Keep copies of all forms from your employees and contractors.

  7. You won’t need to replace any Forms 1930 or other property passes that you have completed before July 23, 2007 with the new form. If you have questions, contact your local Real Estate office.

  8. The custodial or property officer prepares an original only of Form 1930, secures the employee's signature, and files the signed form, by name, in a file maintained for this purpose on property removed from the premises.

  9. Employees should not remove property from the premises except for conducting official business. As soon as practical, they should return the property.

  10. The employee (recipient) is responsible for the property while it is in his/her possession. When the property is returned, the employee should obtain the custody receipt the custodial or property officer has been holding.

  11. Supervisors must notify the custodial or property officer when an employee transfers or terminates employment. Such notification will enable the officer to check custody receipts to make sure that any property loaned to the employee has been returned.

  12. The condition, status, etc. of loaned property must be verified during inventories by issuing authority.

10.2.16.6  (10-06-2008)
Protection of Sensitive Information Stored on Laptop

  1. Employees and contractors are responsible for safeguarding sensitive information stored on the government laptop. All sensitive information will be encrypted and password protected. Ensure that all sensitive information stored on laptops has been encrypted in accordance with cyber security IRM directives. Please follow these preventive measures to protect sensitive information stored on your laptop:

    • Protect information stored on the laptop with a secure password. It should consist of a combination of numbers and upper and lower-case letters.

    • Install Enterprise Disk Encryption (EDE) on your laptop. In the event the laptop is lost or stolen, unauthorized users will not be able to access any data stored on the hard drive.

    • Implement advanced security measures such as Remote Laptop Security (RLS) and laptop encryption is a security measure that allows a user to control files on a computer even if it has been lost or stolen that prevents access to all protected files.

    • Make use of such security measures as locks and cables. These security devices make theft more difficult and thereby discourage thieves from taking your machine.

    • When leaving a laptop in the office, make sure it is hidden and secured e.g., combination cable lock, (Only a MITS approved cable lock should be used), lockable file cabinet and or GSA approved safe.

    • Be sure that all important data contained on the laptop is backed up.

  2. Sensitive information stored on any laptop computer that is outside of IRS facilities, or on travel, shall be encrypted using Federal Information Processing Standards (FIPS) 140-2 or later approved encryption. Contact the MITS Enterprise Service Desk at 1-866-7HELP4U (743-5748) or TDD/TTY at 1-866-HELP4U6 (1-866-435-7486) to ensure you have the latest encryption software installed.

10.2.16.7  (10-06-2008)
Reporting Procedures for Lost or Stolen Laptop

  1. Employees and Contractors are responsible for reporting the loss or theft of their government issued laptop or electronic device within 24 hours to their manager, and managers must ensure that employee/contractor submit an incident report to the local Physical Security Office, the Computer Security Incident Response Center (CSIRC) and TIGTA.

  2. Reports must be submitted using the computer incident report form on the CSIRC website, https://www.csirc.web.irs.gov/incident/ Additionally, employees and contractors must file a complaint and/or incident report with TIGTA and provide complaint number to CSIRC for tracking and reporting purposes.

Exhibit 10.2.16-1  (10-06-2008)
Property Pass/Custody Receipt for Government and Individual Owned Property Form 1930 (Rev. 6-2007)

IRS issued equipment must be accompanied by form 1930.

This image is too large to be displayed in the current screen. Please click the link to view the image.

More Internal Revenue Manual