
10.8.34  IDRS Security Controls

Manual Transmittal

October 14, 2011

Purpose

(1) This transmits revised IRM 10.8.34, Information Technology (IT) Security, IDRS Security Controls.

Background

TD P 85-01, "Department of Treasury Information Technology Security Program," and Federal regulations require that senior agency officials establish an Information Technology (IT) security program that includes security controls for audit and accountability, and ensure that appropriate identification and authentication controls, audit logging, and integrity controls are implemented on all information systems.

This IRM provides policy for the administration of the security program for the Integrated Data Retrieval System (IDRS).

Material Changes

(1) IRM section titles renamed and IRM sections rearranged to more closely align this IRM with IRM 10.8.1, "Information Technology (IT) Security, Policy and Guidance"; IRM 10.8.2, "Information Technology (IT) Security, IT Security Roles and Responsibilities"; and NIST SP 800-53, "Recommended Security Controls for Federal Information Systems and Organizations".

(2) IRM updated to include references to IRM 10.8.1 security controls where applicable.

(3) IRM updated to restrict Official Use Only information.

(4) IRM updated to correct outdated IRS intranet web site links.

(5) IRM updated to reflect migration of IDRS user account administration to EOPS, Operational Security Program Management Office (EOPS-OSPMO).

(6) IRM updated to reflect that the IDRS Security Program Management Office has been charged with developing, reviewing, and updating IDRS USR training material, and with monitoring compliance with USR training requirements.

(7) IRM updated to allow use of authorized pseudonyms that have been approved in accordance with IRM 10.5.7, Use of Pseudonyms by IRS Employees.

(8) IDRS security command code policy moved to IRM 2.3.9, Security Command for IDRS Users, or IRM 2.4.2, Security Command Codes for IDRS Security Personnel.

(9) IRM updated to reflect that the user's Standard Employee Identifier (SEID) has replaced their Social Security Number as login identifier.

(10) USR initial and annual refresher training policy and USR training compliance review policy revised to reflect GAO recommended changes.

(11) Content of IRM 10.8.34 has been cleared by Stakeholders as IRM 2.9.50.

Effect on Other Documents

This IRM supersedes all prior versions of IRM 10.8.34.

Audience

IRM 10.8.34 shall be distributed to all personnel responsible for ensuring that adequate security is provided for IDRS. This policy applies to all employees, contractors and vendors of the Service.

Effective Date

(10-14-2011)

Terence V. Milholland
Chief Technology Officer

10.8.34.1  (10-14-2011)
Purpose

  1. This manual provides policies and guidance to be used by IRS organizations to carry out their respective responsibilities related to the security of the Integrated Data Retrieval System (IDRS).

  2. The term "IDRS," in the context of this policy, is inclusive of Corporate Files On-Line (CFOL) and the Security and Communications System (SACS).

10.8.34.1.1  (10-14-2011)
Overview

  1. It is the policy of the IRS to establish and manage an Information Security Program within all its offices. This manual provides uniform policies and guidance to be used by each office.

  2. It is the policy of the IRS to protect its information resources and allow the use, access, and disclosure of information in accordance with applicable laws, policies, federal regulations, Office of Management and Budget (OMB) Circulars, Treasury Directives, National Institute of Standards and Technology (NIST) Publications, and other regulatory guidance. All IT resources belonging to, or used by the IRS, shall be protected at a level commensurate with the risk and magnitude of harm that could result from loss, misuse, or unauthorized access to that IT resource.

  3. This policy delineates the security management structure, assigns responsibilities, and lays the foundation necessary to measure progress and compliance. Requirements in this policy are subdivided under three major security control areas: management, operational, and technical.

  4. This IRM establishes the IT security requirements framework for subordinate IRMs, and subordinate Standard Operating Procedures (SOPs), Desk Procedures, Job Aids, etc., which shall be used to provide the detailed guidance for implementing the requirements of this IRM. If there is a conflict with or variance from this IRM within the subordinate documents, this IRM has precedence.

10.8.34.1.2  (10-14-2011)
Scope

  1. The provisions of this issuance are applicable to all individuals who use, manage users of, or support the security of the IDRS.

  2. The provisions in this manual apply to all offices, business, operating, and functional units within the IRS. This manual also applies to individuals and organizations having contractual arrangements with the IRS, including employees, contractors, vendors, and outsourcing providers.

  3. Internal Revenue Manual 10.8 Chapter 34, IDRS Security Controls, shall be available to:

    1. individuals with responsibilities related to the security of IDRS;

    2. individuals who manage employees accessing IDRS;

    3. individuals responsible for development, testing, and maintenance of IDRS features; and

    4. individuals with a need to know in Treasury Inspector General for Tax Administration (TIGTA).

10.8.34.1.3  (10-14-2011)
IRM Section Topics

  1. This manual contains information on the following subjects:

    • Purpose

    • General Policy

    • Management Controls

    • Operational Controls

    • Technical Controls

    • Deviations

10.8.34.1.4  (10-14-2011)
Authority

  1. This IRM further defines the requirements found in IRM 10.8.1, "Information Technology (IT) Security, Policy and Guidance", as they pertain to IDRS security. In the event there is a discrepancy between this manual and IRM 10.8.1, IRM 10.8.1 has precedence.

  2. This IRM further defines the requirements found in IRM 10.8.2, "Information Technology (IT) Security, IT Security Roles and Responsibilities", as they pertain to IDRS security roles and responsibilities.

10.8.34.2  (10-14-2011)
General Policy

  1. In accordance with Title III of the E-Government Act of 2002, known as the Federal Information Security Management Act (FISMA) of 2002, the IRS shall develop, document, and implement a service-wide information security program supporting the operations and assets of this agency. This manual provides policies and guidance related to the security of the IDRS.

    1. There shall be no grandfathering of requirements contained in this IRM.

    2. There shall be no exceptions to the requirements of this IRM based on past practices.

  2. The IRS IDRS Security Program shall assure that the objectives of applicable laws, policies, federal regulations, OMB Circulars, Treasury Directives, NIST Publications, and other regulatory guidance are met by establishing, and ensuring compliance with, security requirements, procedures, and guidelines that properly implement management, operational, and technical controls.

    Note: In situations where regulatory guidance has been released and IRS requirement documents are not at the same point in their lifecycle, the intent of the requirements within the regulatory guidance shall be ensured.

  3. This IRM and all IDRS security IRMs shall be evaluated a minimum of annually to ensure consistency with the IRS mission, functions, and associated laws, directives, regulations, and standards. They shall be updated when organizational reviews indicate updates are necessary.

10.8.34.2.1  (10-14-2011)
Integrated Data Retrieval System (IDRS)

  1. The Integrated Data Retrieval System is designed primarily to accomplish the following:

    1. Provide employees with instantaneous access to taxpayer accounts.

    2. Provide better, faster, more responsive, and more personal service to the taxpayer.

    3. Facilitate and speed the work of employees in campuses and area offices by providing the most current information on tax accounts and by furnishing the most up-to-date data processing tools available today.

  2. Capabilities the Integrated Data Retrieval System provides include:

    • the ability to research taxpayer account information;

    • the ability to request tax returns and account transcripts;

    • the ability to input transactions, such as adjustments, entity changes, etc.;

    • the ability to input collection information for storage and processing in the system; and

    • the ability to generate notices, collection documents, and other outputs.

  3. IDRS was established in 1972 and currently has about 50,000 users.

  4. Each user account is associated with an IDRS unit that is associated with a campus IDRS database.

  5. Each campus database is associated with one of two computing centers listed below:

    • Enterprise Computing Center - Martinsburg (MCC) (formerly the Martinsburg Computing Center); or the

    • Enterprise Computing Center - Memphis (TCC) (formerly the Tennessee Computing Center).

    1. Campus databases that are associated with MCC are: Andover, Austin, Brookhaven, Ogden, and Philadelphia.

    2. Campus databases that are associated with TCC are: Atlanta, Cincinnati, Fresno, Kansas City, and Memphis.

10.8.34.2.2  (10-14-2011)
IDRS Security System

  1. The Security and Communications System (SACS) provides security and auditing for IDRS. It is the IDRS Security System.

  2. SACS is designed to provide the protection defined in IRM 10.8.1, and it conforms to the various laws and regulations cited in that IRM.

  3. SACS provides identification and authorization for every input.

    1. The system's Employee Security File contains significant data required to recognize each employee authorized to use IDRS.

    2. The system's Terminal Security File includes terminal identification to recognize each workstation capable of accessing IDRS.

  4. All actions taken on IDRS, both authorized and unauthorized, are recorded in the IDRS audit trail.

  5. The IDRS Security System is designed to provide protection to both the taxpayer and IDRS user.

    • The taxpayer shall be protected from unauthorized disclosure of information concerning their account as well as unauthorized access, inspection, and changes.

    • The IDRS user employee shall be protected from other personnel using their identification to access or make changes to an account.

10.8.34.2.3  (10-14-2011)
Authorized Access

  1. IDRS users shall only access accounts necessary for accomplishing their official duties.

  2. IDRS users shall not access:

    • their own account;

    • the account of their spouse or former spouse;

    • the account of a friend or relative;

    • any account in which they have a personal or financial interest;

    • tax account information to satisfy personal curiosity or for fraudulent purposes.

  3. IDRS users shall not access the account of a celebrity or another IRS employee unless it is part of their official duties.

  4. The willful unauthorized access or inspection of taxpayer records is referred to as Unauthorized Access (UNAX).

  5. On August 5, 1997, President Clinton signed the Taxpayer Browsing Protection Act into law. Under the law,

    1. willful unauthorized access or inspection of non-computerized taxpayer records, including hard copies of returns - as well as computerized information - is a crime, punishable upon conviction, by fines, prison terms and termination of employment;

    2. taxpayers have the right to take legal action when they are victims of unlawful access or inspection - even if a taxpayer’s information is never revealed to a third party; and

    3. when managers or employees are criminally charged, the Service is required to notify taxpayers that their records have been accessed without authorization.

  6. The provisions and applicable criminal penalties under the Taxpayer Browsing Protection Act also apply to all contractors and contractor employees.

10.8.34.2.4  (10-14-2011)
Communications Protocol

  1. This section defines the communications protocol to be followed when addressing IDRS security issues.

  2. Unless otherwise stated, IDRS users shall direct IDRS security related concerns to their manager or Unit Security Representative (USR).

  3. Unless otherwise stated, managers and USRs shall elevate the following:

    1. any IDRS account administration related concern they are unable to resolve to the IDRS Security Account Administration staff;

    2. any IDRS security report related concern they are unable to resolve to their home campus Cybersecurity IDRS Security Analyst; and

    3. any IDRS security policy related concern they are unable to resolve to the IDRS Security Program Management Office.

  4. Unless otherwise stated, the IDRS Security Account Administration staff and Cybersecurity IDRS Security Analysts shall elevate any IDRS security related concern they are unable to resolve to the IDRS Security Program Management Office.

  5. IDRS Security Business Division Points-Of-Contact shall direct IDRS security related concerns to the IDRS Security Program Management Office or the Cybersecurity IDRS Security Analysts that support their business organization.

  6. IDRS security related concerns that involve multiple business divisions or campus domains shall be elevated to the IDRS Security Program Management Office.

  7. IDRS users, their managers, or USRs rarely have a need to contact a Computing Center IDRS Security staff. Unless otherwise stated, any communication with Computing Center IDRS Security staff shall be routed through the IDRS Security Program Management Office.

10.8.34.3  (10-14-2011)
Roles and Responsibilities

  1. In accordance with IRM 10.8.1, the IRS shall implement security roles and responsibilities in accordance with federal laws and IT security guidelines that are appropriate for specific operations and functions. This IRM establishes the IT security roles and responsibilities for IDRS. See IRM 10.8.2, "Information Technology (IT) Security, IT Security Roles and Responsibilities", for general policy related to IT security roles and responsibilities.

  2. This section provides functional roles and responsibilities for personnel who have security-related governance responsibility for the protection of the information systems they operate, manage, and support. These roles are defined in accordance with, and are based on, the Federal Information Security Management Act (FISMA), National Institute of Standards and Technology (NIST), and Department of Treasury and IRS policy and guidelines.

10.8.34.3.1  (10-14-2011)
Key Governance and Related Roles & Responsibilities

  1. This section provides functional roles and responsibilities for personnel who have security-related governance responsibility for the protection of the information systems they operate, manage, and support. These roles are defined in accordance with IRM 10.8.2.

10.8.34.3.1.1  (10-14-2011)
Senior Management/Executives

  1. Senior management/executives are officials subordinate to the Commissioner.

  2. Senior management/executives have responsibility for the implementation and administration of the IDRS Security in their jurisdiction.

  3. Senior management/executives shall perform the following as a part of their responsibilities:

    1. ensure IDRS Security policies and guidance are implemented in their jurisdiction;

    2. identify at least one individual as the point of contact and coordinator for their organization's IDRS security activities. The security role of these individuals is IDRS Security Business Division Point-Of-Contact. The point of contact's name, Standard Employee Identifier (SEID), and contact information shall be provided to the IDRS Security Program Management Office;

    3. ensure that Unit Security Representatives (USRs) and IDRS Online Reports Services (IORS) Primary Report Reviewers are appointed to cover all IDRS units and users;

    4. ensure that for each IDRS unit, IDRS Security Account Administrators are provided with the name, SEID, and contact information for all current USRs, alternate USRs, Terminal Security Administrators, and IORS Security Report Reviewers;

    5. ensure the IDRS Security Account Administrators or the IDRS Security Program Management Office are notified of any business division reorganizations that may require the realignment or renumbering of IDRS units;

    6. ensure that, at least annually, IDRS security issues are the topic of discussion at managerial meetings;

    7. ensure that IDRS security reports are reviewed, and certified timely; and that any required report actions are completed timely;

    8. ensure that corrective actions are taken when IDRS security report reviewers fail to meet their IDRS security report responsibilities;

    9. ensure that required responses related to IDRS security report compliance are submitted timely to the IDRS Security Program Management Office and/or Cybersecurity Operations staff;

    10. ensure that all reported accesses and violations for USRs and alternate USRs are independently reviewed at the next management level that is higher than the USR's or Alternate USR's level;

    11. ensure that any user who is being investigated for a UNAX violation is promptly removed from IDRS;

    12. ensure that all users who are re-added to IDRS after having a proven UNAX violation have satisfied all requirements of their disciplinary actions before being added to IDRS;

    13. ensure that USRs and Alternate USRs complete the required initial and annual refresher training;

    14. ensure that IDRS users complete the required initial and annual refresher awareness training;

    15. ensure that IDRS users recertify (re-acknowledge) the rules of behavior annually in order to maintain access privileges; and

    16. fulfill any additional IDRS security responsibilities of the Senior Management/Executive stated elsewhere in the IRM.

10.8.34.3.1.2  (10-14-2011)
IDRS Security Program Officer

  1. The IDRS Security Program Officer is the Senior Manager/Executive (or designee) responsible for ensuring that the appropriate IDRS security posture is maintained.

  2. The Director, Cybersecurity Architecture & Implementation (or designee) serves as the IDRS Security Program Officer.

10.8.34.3.1.3  (10-14-2011)
Front/First Line Manager

  1. The Front/First Line Manager of IDRS users shall be responsible for day-to-day implementation and administration of IDRS security in their unit/group.

  2. The Front/First Line Manager shall perform the following:

    1. ensure IDRS Security policies and guidance are implemented in their unit/group;

    2. reinforce employee awareness and compliance to the prohibition that employees shall not access any taxpayer or personnel data not required to accomplish official duties;

    3. conduct periodic re-orientation sessions to ensure that employees remain alert to and aware of IDRS security requirements;

    4. ensure that employees who are IDRS users complete the required initial and annual refresher training;

    5. ensure weekly and monthly IDRS Security reports are reviewed and certified timely and that any required report actions are completed timely;

    6. ensure the Maximum Profile Authorization File (MPAF), the Unit Command Code Profile (UCCP), and the Employee Security Record File (ESRF) for all employees and IDRS units are reviewed at least monthly and any necessary corrective actions are completed timely;

    7. ensure the command code usage of employees with sensitive command code combinations in their profiles is reviewed at least monthly;

    8. ensure new IDRS users review the rules of behavior and that each IDRS user recertifies the rules of behavior annually via the Online 5081 (OL5081) application;

    9. ensure questionable activity or potential UNAX violations are timely reported to TIGTA;

    10. report any IDRS user who refuses to certify or recertify the rules of behavior to employees' division management for appropriate disciplinary action. Users who refuse to certify or recertify the rules of behavior will not be allowed to access IDRS. Their IDRS user account shall be deleted;

    11. ensure that all requirements associated with a disciplinary action have been met prior to reinstating an IDRS user who has been deleted from IDRS because of an illegal or improper activity. If the employee's disciplinary action resulted from one or more unauthorized actions, the manager shall ensure that the employee has met the recertification requirements, which include having the employee review the UNAX briefing and sign the UNAX Recertification Certificate, before the employee may be added or re-added to IDRS or receive access to taxpayer information and return information. The manager's signature on the UNAX Recertification form indicates that the employee has met all disciplinary actions for Recertification; and

    12. fulfill any additional IDRS security responsibilities of the Front/First Line Manager stated elsewhere in the IRM.

  3. Front/First Line Managers who HAVE been officially designated as the USR for their unit/group (via an approved Form 13230, IDRS Security Personnel Designation) shall perform the IDRS security duties of a USR as described by the IRM as well as the Front/First Line Manager duties.

  4. Front/First Line Managers who HAVE NOT been designated as the USR for their unit/group perform the following:

    1. coordinate with the USR to help ensure that IDRS security is effectively implemented for the unit/group;

    2. ensure the USR is notified immediately, when an IDRS user no longer needs system access; and

    3. provide the USR with written or electronic documentation for all requests to update the unit's MPAF or UCCP or to update an employee's ESRF.

  5. See IRM 10.8.2, for general policy related to the IT security role and responsibilities of the Front/First Line Manager.

10.8.34.3.2  (10-14-2011)
Organization/Functional Roles and Responsibilities

  1. This section provides functional roles and responsibilities for personnel who have IDRS security related responsibilities. These roles are defined in accordance with IRM 10.8.2.

10.8.34.3.2.1  (10-14-2011)
IDRS Security Program Management Office

  1. The IDRS Security Program Management Office is a function in the Modernization & Information Technology Services (MITS), Cybersecurity organization that was established to manage the IDRS Security Program.

  2. The IDRS Security Program Management Office consists of the following:

    1. IDRS Security Program Officer - the senior manager/executive (or designee) responsible for ensuring that the appropriate IDRS security posture is maintained.

    2. IDRS Security Program Manager - the individual who coordinates day-to-day IDRS Security Program Management Office activity.

    3. IDRS Security Program Analyst(s) - individuals who support the day-to-day IDRS Security Program Management Office activity.

  3. The IDRS Security Program Management Office shall perform the following:

    1. establish policy and procedures for managing the IRS IDRS Security Program;

    2. identify security activities that will help improve IDRS security;

    3. perform activities that promote and maintain a continuing awareness of IDRS security;

    4. disseminate information to IRS management, IDRS Security personnel, and IDRS users regarding changes in policy, procedures, and practices;

    5. provide IDRS Security subject matter expert support to IRS management and staffs;

    6. define the minimum content required for IDRS user security awareness training;

    7. develop, review, and update the required initial and annual refresher training for Unit Security Representatives, and monitor compliance with the training requirement;

    8. review the implementation of IDRS security at IRS campuses, computing centers, field offices, and other locations;

    9. evaluate the implementation of IDRS security by IDRS Security Account Administrators, IDRS Security Analysts, Unit Security Representatives, and business unit management. Any oversight and evaluation activities performed by or for the IDRS Security Program Management Office will not substitute or replace any monitoring, training, or oversight activities required to be performed by IDRS Security Account Administrators, IDRS Security Analysts, Unit Security Representatives, or business unit management;

    10. support Cybersecurity staffs in the review of requests to deviate from IDRS security policy stated in IRM 10.8.34, IDRS Security Controls; and

    11. fulfill any additional IDRS security responsibilities of the IDRS Security Program Management Office stated elsewhere in the IRM.

10.8.34.3.2.2  (10-14-2011)
IDRS Security Business Division Point-Of-Contact

  1. The IDRS Security Business Division Point-Of-Contact helps ensure their business organization effectively performs IDRS security administration and monitoring.

  2. IRS business divisions are required to identify at least one individual as their IDRS Security Business Division Point-Of-Contact.

  3. They shall perform the following:

    1. serve as their business organization's point of contact with the IDRS Security Program Management Office;

    2. serve as a liaison between the IDRS Security Program Management Office and their business organization in addressing IDRS security issues;

    3. coordinate their business organization's response to IDRS security related issues;

    4. coordinate their business organization's response to IORS security report certification related issues;

    5. represent their business organization at IDRS Security related stakeholder meetings; and

    6. fulfill any additional IDRS security responsibilities of the IDRS Security Business Division Point-Of-Contact stated elsewhere in the IRM.

  4. Because the needs of each business division are different, additional duties may be assigned by the business division.

  5. The names of current IDRS Security Business Division Points-Of-Contact can be found on the IDRS Security web site: http://idrssecurity.web.irs.gov/IDRS/IDRSSecurityPOC.asp

10.8.34.3.2.3  (10-14-2011)
MITS Enterprise Operations, Operational Security Program Management Office (EOPS-OSPMO) Management

  1. MITS EOPS-OSPMO Management shall assign security specialist(s) and/or security assistants as IDRS Security Account Administrators.

  2. MITS EOPS-OSPMO Management shall assign security specialist(s) and/or security assistants as Computing Center IDRS Security Administrators.

  3. MITS EOPS-OSPMO Management shall perform the following:

    1. ensure that IDRS Security Account Administrators and Computing Center IDRS Security Administrators are properly trained to perform the necessary IDRS Security related tasks;

    2. monitor the activity of IDRS Security Account Administrators and Computing Center IDRS Security Administrators to ensure that activity is both effective and appropriate;

    3. ensure that IDRS Security Account Administrators and Computing Center IDRS Security Administrators are not assigned duties that conflict with their security responsibilities. Any security matters that arise shall be given priority consideration over non-security duties or assignments; and

    4. fulfill any additional IDRS security responsibilities of MITS EOPS-OSPMO Management stated elsewhere in the IRM.

10.8.34.3.2.4  (10-14-2011)
MITS Cybersecurity Operations Management

  1. MITS Cybersecurity Operations Management assigns security specialist(s) and/or security assistants as Campus IDRS Security Analysts.

  2. MITS Cybersecurity Operations Management assigns security specialist(s) and/or security assistants as Computing Center IDRS Security Analysts.

  3. MITS Cybersecurity Operations Management shall perform the following:

    1. ensure that Campus IDRS Security Analysts and Computing Center IDRS Security Analysts are properly trained to perform the necessary IDRS Security related tasks;

    2. monitor the activity of Campus IDRS Security Analysts and Computing Center IDRS Security Analysts to ensure that activity is both effective and appropriate;

    3. ensure that Campus IDRS Security Analysts and Computing Center IDRS Security Analysts are not assigned duties that conflict with their security responsibilities. Any security matters that arise shall be given priority consideration over non-security duties or assignments; and

    4. fulfill any additional IDRS security responsibilities of MITS Cybersecurity Operations Management stated elsewhere in the IRM.

10.8.34.3.2.5  (10-14-2011)
Campus IDRS Security Officer

  1. The Campus IDRS Security Officer role no longer exists.

  2. In 2009, to help ensure proper separation of duties, IDRS security user and unit account administration migrated from Cybersecurity Operations to the Enterprise Operations, Operational Security Program Management Office (EOPS-OSPMO). Cybersecurity Operations will continue to perform IDRS security policy support and oversight related tasks.

  3. The IDRS Security Officer role has been replaced with two new roles:

    1. The IDRS Security Account Administrator performs the user and unit account administration tasks previously performed by the IDRS Security Officer.

    2. The IDRS Security Analyst performs the policy support and oversight tasks previously performed by the IDRS Security Officer.

10.8.34.3.2.6  (10-14-2011)
IDRS Security Account Administrator

  1. The IDRS Security Account Administrator performs tasks relating to the administration of IDRS user and unit accounts.

  2. The IDRS Security Account Administrator shall be a non-bargaining unit employee who is a member of the EOPS-OSPMO staff.

  3. To help ensure proper separation of duties, the IDRS Security Account Administrator shall not simultaneously serve as Computing Center IDRS Security Administrator.

  4. IDRS Security Account Administrator shall perform the following unit and account administration related tasks:

    1. process, maintain (or be able to acquire), and explain how to complete and submit IDRS security related requests that are submitted via OL5081, Form 13230, and Form 9937;

    2. add, modify, or delete employee access to IDRS; ensuring that user accounts are established in the proper unit, Office Identifier (OI), and organization code range;

    3. review and update, at a minimum semi-annually, pertinent IDRS user information in the Master Register of Active IDRS Users report for completeness and accuracy. This includes Employee Name, SEID, Social Security Number (SSN), and background investigation status;

    4. assign temporary passwords when adding users to IDRS, or as requested per an OL5081 request;

    5. add or delete security command codes to user profiles;

    6. ensure that employees designated as USRs or Alternate USRs have completed the required training before adding security command codes to their profile;

    7. ensure, in coordination with the IDRS Security Program Management Office, that security command codes are removed from the profiles of USRs and Alternate USRs who have not completed the required training;

    8. ensure that employees designated as primary USRs are non-bargaining employees with a "completed" background investigation status before adding security command codes to their profile;

    9. coordinate with USRs and Front/First Line Managers to create new IDRS units that fall under the Front/First Line Managers' jurisdictions, ensuring the Office Identifier (OI) and Organization code for the new unit are consistent with the unit number ranges established in IRM 10.8.34. See IRM 10.8.34.6.2.1.6 for more information on IDRS Organization Code Management;

    10. develop or update the Maximum Profile Authorization File (MPAF) and the Unit Command Code Profile (UCCP) based on signed Form 9937 requests;

    11. lock any unit that has active IDRS users, but does not have a designated USR or IORS Primary Report Reviewer; and

    12. add or delete terminals to IDRS (in coordination with a Computing Center IDRS Security Administrator).

  5. IDRS Security Account Administrator shall perform the following IDRS Unit and USR Database (IUUD) related tasks:

    1. maintain a current record of Unit Security Representatives (USRs), Alternate USRs, Terminal Security Administrators (TSAs), managers, and the designated Primary Report Reviewers for all IDRS units in the IUUD;

    2. for all persons listed, ensure the IUUD includes their name, SEID, address, and phone number; indicate when command code ASNPW is in the individual’s profile;

    3. for all IDRS units listed, ensure the IUUD includes the USR, manager, IORS Primary Report Reviewers, and any Alternate USRs and TSAs; to the extent possible include a description of the unit and any alternate unit mailing address; and

    4. assist managers and business organization security personnel in getting access to, using, and requesting updates to information in the IUUD.

  6. IDRS Security Account Administrator shall perform the following IORS related tasks:

    1. review and certify IDRS security reports requiring IDRS Security Account Administrator action;

    2. assist managers and business organization security personnel in getting access to IORS;

    3. add or delete employee access to the IORS. Ensure employees designated as IORS Primary Report Reviewer are non-bargaining employees before adding command code REPTS to their profile (REPTS is added to a user's profile to allow IORS access); and

    4. lock any unit that has active IDRS users, but where no IORS Primary Report Reviewer has been designated to review/certify IDRS security reports. The IDRS Security Account Administrator will also designate the primary USR for the unit as the IORS Primary Report Reviewer until the IDRS Security Account Administration staff is notified to the contrary.

  7. IDRS Security Account Administrator shall also perform the following:

    1. assist USRs and Front/First Line Managers in addressing issues relating to the administration of IDRS user and unit accounts;

    2. support the IDRS Security Program Management Office as reviewers of policy and procedural documents, SACS and IORS system changes, job aids, and training material related to the administration of IDRS user and unit accounts;

    3. identify potential and actual IDRS security administration related problems, probable causes, and recommend corrective actions;

    4. have access to all necessary security command codes pertaining to IDRS security;

    5. have access to all security reports, forms, manuals, and handbooks pertaining to the administration of IDRS user and unit accounts; and

    6. fulfill any additional IDRS security responsibilities of the IDRS Security Account Administrator stated elsewhere in the IRM.

10.8.34.3.2.7  (10-14-2011)
Computing Center IDRS Security Administrator

  1. The Computing Center IDRS Security Administrator performs tasks relating to the administration of Computing Center IDRS security activity.

  2. The Computing Center IDRS Security Administrator shall be a non-bargaining unit employee who is a member of the EOPS-OSPMO staff.

  3. To help ensure proper separation of duties, the Computing Center IDRS Security Administrator shall not simultaneously serve as IDRS Security Account Administrator.

  4. The Computing Center IDRS Security Administrator shall perform the following tasks:

    1. add console operators, using command code TPFCN;

    2. add/change host-to-host passwords using command code UPHPW;

    3. change or display the list of command codes in a host profile using command code UPHST;

    4. add/delete command codes from the prohibited command code tables for various employee role restrictions, based on direction from the MITS International Business Machines (IBM) Support Services Branch and the IDRS Security Program Management Office;

    5. have access to all necessary security command codes pertaining to Computing Center IDRS Security Administration; and

    6. fulfill any additional IDRS security responsibilities of the Computing Center IDRS Security Administrator stated elsewhere in the IRM.

10.8.34.3.2.8  (10-14-2011)
IDRS Security Analyst

  1. The IDRS Security Analyst performs IDRS security policy support and oversight related tasks for IDRS campus domains and/or IDRS computing centers.

10.8.34.3.2.8.1  (10-14-2011)
Campus IDRS Security Analyst

  1. The Campus IDRS Security Analyst performs IDRS security policy support and oversight related tasks for the IDRS campus domains.

  2. The Campus IDRS Security Analyst shall be a non-bargaining unit employee who is a member of the Cybersecurity Operations staff.

  3. The Campus IDRS Security Analyst shall perform the following tasks:

    1. monitor and review the implementation and administration of the IDRS security program in their campus domain(s) to help ensure that the program is properly implemented and maintained;

    2. process, maintain (or be able to acquire), and explain how to complete Form 9936 requests for audit trail extracts;

    3. review and certify IDRS security reports requiring IDRS Security Analyst action;

    4. review IORS utility reports on a weekly basis to determine whether IORS Primary Report Reviewers in their campus domain(s) are reviewing and certifying IDRS Security reports in a timely manner, and provide business organizations in their campus domain(s) with a report of uncertified reports;

    5. work with business organizations in their campus domain(s) to address IORS security report certification related issues;

    6. notify business organizations in their campus domain(s) of any units where a Primary Report Reviewer has not been designated;

    7. ensure that IORS Primary Report Reviewers, Front/First Line Managers, and/or USRs have documented the appropriateness of all accesses to taxpayer accounts identified in the weekly IDRS security reports;

    8. review, in an oversight capacity, the various IDRS security reports for trends, for compliance with IDRS security policy, and for ensuring that reports are being reviewed in a timely and appropriate manner;

    9. assist managers and business organization security personnel in their campus domain(s) in using IORS;

    10. respond to inquiries from business organizations in their campus domain(s) regarding IDRS security policy, procedures and processes;

    11. perform activities that promote and maintain a continuing awareness of IDRS security;

    12. identify potential and actual IDRS security problems, probable causes, and recommend corrective actions;

    13. advise management on matters relating to IDRS security;

    14. support the IDRS Security Program Management Office as reviewers of policy and procedural documents, SACS and IORS system changes, job aids, and training material related to IDRS security;

    15. have access to all necessary security command codes pertaining to IDRS security;

    16. have access to, or be able to acquire, IDRS security related documentation requests, which include OL5081, Form 13230, and Form 9937 requests;

    17. have access to all security reports, forms, manuals, and handbooks pertaining to the implementation and administration of IDRS Security; and

    18. fulfill any additional IDRS security responsibilities of the IDRS Security Analyst stated elsewhere in the IRM.

10.8.34.3.2.8.2  (10-14-2011)
Computing Center IDRS Security Analyst

  1. The Computing Center IDRS Security Analyst, like the Campus IDRS Security Analyst, performs IDRS security policy support and oversight related tasks for the IDRS campus domains.

  2. The Computing Center IDRS Security Analyst also performs IDRS security policy support and oversight related tasks unique to IDRS Computing Centers.

  3. The Computing Center IDRS Security Analyst shall be a non-bargaining unit employee who is a member of the Cybersecurity Computing Center Operations staff.

  4. The Computing Center IDRS Security Analyst shall perform the duties of the Campus IDRS Security Analyst. See IRM 10.8.34.3.2.8.1 above for a list of these duties.

  5. The Computing Center IDRS Security Analyst shall also perform the following tasks unique to IDRS Computing Centers:

    1. process requests for IAP IDRS Audit Trail extracts;

    2. provide USR and IORS Primary Reviewer support for IDRS units containing IDRS Security Program Management Office staff or Computing Center IDRS Security Administrators; and

    3. fulfill any additional IDRS security responsibilities of the Computing Center IDRS Security Analyst stated elsewhere in the IRM.

10.8.34.3.2.9  (10-14-2011)
Unit Security Representative (USR)

  1. The USR is an individual assigned by their business organization to implement and administer IDRS security at the IDRS unit level.

  2. The USR is sometimes referred to as a unit's "Primary USR" , especially when other individuals have been designated to serve as Alternate USR for the unit.

  3. Each IDRS unit shall have a designated USR. Designations shall be approved by a second level or higher manager who is in the direct chain of command of the IDRS users being supported. The designation shall be submitted to an IDRS Security Account Administrator for approval on Form 13230.

  4. The USR may or may not be the IDRS user's immediate manager, but will have the requisite authority to perform USR duties.

  5. The USR shall be a non-bargaining unit employee.

  6. The USR shall have a "completed" background investigation status.

  7. The USR shall complete initial USR training prior to performing USR duties; and shall complete USR refresher training at least annually.

  8. USR shall perform the following unit and account administration related tasks:

    1. Approve OL5081 add user requests for all users to be added to IDRS units covered by the USR; or for any action that requires an OL5081 request be submitted to an IDRS Security Account Administrator with the exception of a request for a temporary password for an existing IDRS user;

    2. Update a current user's IDRS profile for the command codes that are available in the unit's MPAF as appropriate for the user to perform their assigned work; the USR shall add or delete command codes to and from user profiles, with the exception of security command codes, which shall be added or deleted by an IDRS Security Account Administrator;

    3. With the concurrence of the unit manager, prepare, approve, and submit requests to the IDRS Security Account Administrator to add or delete command codes to/from the MPAF and the UCCP. USRs are authorized to approve Form 9937 in IORS for the unit manager if the USR has written or electronic documentation that supports the manager's concurrence with the action taken. Documentation shall include the date, the action to be taken, the IDRS unit number, and validation of the manager's agreement, such as an e-mail or a signed or initialed memo from the manager;

    4. Ensure that user profiles are locked no later than the first day the employee is on leave if the employee is going to be on leave for 15 consecutive calendar days or more or goes into non-pay status with an expectation of returning to duty within 60 consecutive calendar days. Users going on leave are to be encouraged to lock their own profiles if the leave is not expected to exceed 45 days. For users who are going into non-pay status for less than 60 days, the USR shall lock the user's IDRS profile to prevent the user from being deleted from IDRS;

    5. Delete employees from IDRS who either do not need access to IDRS for a period of 60 consecutive calendar days or longer or who do not need future access to IDRS. The employee shall be removed from IDRS on the first day they no longer need access to IDRS;

    6. Unlock the profile of employees at the request of the employee or manager, if there is no cause to keep the profile locked;

    7. Unlock IDRS terminals when requested to do so by a manager or known user and notify the Front/First Line Manager of any questionable activity that caused the workstation to be locked;

    8. initiate the transfer of employee profiles into an IDRS unit under the USR's jurisdiction when requested to do so by a known manager. This task is the responsibility of the receiving unit's USR;

    9. coordinate the creation of new IDRS units and the deletion of deactivated IDRS units with the IDRS Security Account Administrators;

    10. ensure that IDRS users who meet the criteria for restricted roles have the appropriate restrictions added to their profiles; and

    11. modify IDRS terminal availability times to be consistent with the need to access IDRS. USRs shall set time off-the-air/on-the-air to coincide with access need, using command code UPTRM.

  9. The USR shall perform the following security monitoring and review related tasks:

    1. monitor each IDRS user's command code usage/non-usage, and coordinate with the Front/First Line Manager to delete command codes from the employee's profile that are not being used and are no longer needed;

    2. timely review various IDRS security reports for the unit/group and take appropriate action to correct security weaknesses and breaches;

    3. review the command code usage via the Monthly IDRS Security Profile Report, and in coordination with the Front/First Line Manager, submit requests to the IDRS Security Account Administrator to delete the command codes that were not used or no longer needed in the MPAF and UCCP;

    4. review the profile of each IDRS user at least monthly to identify any unauthorized command codes;

    5. ensure that command codes are not in the training mode unless the employee is in training, except for the specific case of User Support Specialists;

    6. ensure that managers are aware of and monitor command code usage of employees with sensitive command code combinations in their profiles;

    7. monitor compliance with sign-off requirements by reviewing the IDRS Security Profile Reports to determine if IDRS users have 15 or more automatic sign-offs for the month. IDRS users meeting this criterion shall be advised of the need to sign off IDRS when IDRS is not needed, and of how to refresh their IDRS activity clock if the user needs to have continuous access to IDRS;

    8. ensure, in coordination with the Front/First Line Manager, that any questionable activity or potential UNAX violations are timely reported to TIGTA;

    9. review the Master Register of Active IDRS Users at least monthly to ensure that only authorized users are in their IDRS units and all information included in this report is correct and complete; and

    10. review the IUUD at least monthly to ensure the accuracy of information for their IDRS unit(s); submit updates and corrections to the IDRS Security Account Administration staff.

  10. The USR shall perform the following training and awareness related tasks:

    1. ensure that management annually reviews the rules of behavior with IDRS users;

    2. ensure that security procedures and instructions that relate to IDRS security are explained to the users prior to adding the user to IDRS;

    3. perform periodic security awareness training (at least annually) for each IDRS user;

    4. ensure that Front/First Line Managers are aware of their IDRS security responsibilities; and

    5. train Terminal Security Administrators on when and how to unlock IDRS terminals and user profiles; and train Terminal Security Administrators to report any unusual circumstances to the USR.

  11. The USR shall perform the following password management related tasks:

    1. USRs are to encourage all users to activate their IDRS password management capability.

    2. USRs who are authorized to provide temporary passwords to IDRS users shall maintain documentation to support user requests.

    3. If a USR provides a temporary password, the issuance of the temporary password shall be supported by an OL5081 request, e-mail, or written notification from a manager. At a minimum, the documentation shall include the following:

    • the date the temporary password was requested for the employee;

    • the name of the employee who is to receive the temporary password;

    • the reason for requesting the temporary password; and

    • the name of the manager or USR who requested the temporary password for the employee.

  12. The USR shall also perform the following:

    1. identify potential and actual IDRS security related problems, probable causes, and recommend corrective actions;

    2. support the IDRS Security Program Management Office as reviewers of policy and procedural documents, SACS and IORS system changes, job aids, and training material related to IDRS security;

    3. have access to all manuals and handbooks pertaining to IDRS security; and

    4. fulfill any additional IDRS security responsibilities of the USR stated elsewhere in the IRM.
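The monthly USR review in items 9(1) through 9(9) above is a set of reconciliation checks between three records: each user's profile, the unit's MPAF, and the IUUD/Master Register entries for the unit. The following is an added example written for this page, not IRM text or an IRS tool, that expresses those checks over constructed records. The SEIDs, the unit number and the WORK* command codes are hypothetical; the set of security command codes is an illustrative subset drawn from codes this IRM names (SECOP, UNLEM, ASNPW, UPTRM, REPTS), not the authoritative list in IRM 2.4.2; and the assumption that security command codes are not carried in the MPAF is the example's own.

```python
"""Monthly USR profile review over constructed IDRS records (added example).

Checks, per IRM 10.8.34.3.2.9 item 9 and the unit-lock rule in 10.8.34.3.2.12.1:
  - a unit with active users must have a USR and an IORS Primary Report Reviewer;
  - only users on the unit's Master Register may hold profiles in the unit;
  - non-security command codes in a profile must come from the unit's MPAF;
  - security command codes appear only in profiles of designated USR/Alternate USR/TSA;
  - no command code sits in training mode unless the employee is in training;
  - 15 or more automatic sign-offs in a month are flagged for counselling.
All records in this file are constructed sample data, not real IDRS output.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Illustrative subset drawn from codes this IRM names. Assumption: the
# authoritative list of security command codes is in IRM 2.4.2, not here.
SECURITY_COMMAND_CODES = {"SECOP", "UNLEM", "ASNPW", "UPTRM", "REPTS"}
AUTO_SIGNOFF_THRESHOLD = 15  # IRM 10.8.34: 15 or more automatic sign-offs a month

Finding = Tuple[str, ...]


@dataclass
class UserProfile:
    """One line of the Security Profile Report / SFINQA output (constructed)."""
    seid: str
    unit: str
    command_codes: Set[str]
    auto_signoffs: int = 0
    training_mode: Set[str] = field(default_factory=set)  # codes in training mode
    in_training: bool = False


@dataclass
class UnitRecord:
    """Subset of the IUUD and Master Register fields for one IDRS unit."""
    unit: str
    mpaf: Set[str]                    # Maximum Profile Authorization File
    usr: Optional[str]
    alternate_usrs: Set[str] = field(default_factory=set)
    tsas: Set[str] = field(default_factory=set)
    primary_report_reviewer: Optional[str] = None
    master_register: Set[str] = field(default_factory=set)  # active SEIDs


def review_unit(unit: UnitRecord, profiles: List[UserProfile]) -> List[Finding]:
    """Return findings in a stable order: unit-level first, then per SEID."""
    findings: List[Finding] = []
    members = [p for p in profiles if p.unit == unit.unit]

    # Lock rule: active users but no USR or no Primary Report Reviewer.
    if members and (unit.usr is None or unit.primary_report_reviewer is None):
        findings.append(("LOCK_UNIT", unit.unit))

    designated = ({unit.usr} if unit.usr else set()) | unit.alternate_usrs | unit.tsas

    for p in sorted(members, key=lambda x: x.seid):
        if p.seid not in unit.master_register:
            findings.append(("NOT_ON_MASTER_REGISTER", p.seid))

        # Assumption: security codes are granted outside the MPAF, so exclude
        # them here and check them separately against the IUUD designations.
        outside = sorted(p.command_codes - unit.mpaf - SECURITY_COMMAND_CODES)
        if outside:
            findings.append(("OUTSIDE_MPAF", p.seid, ",".join(outside)))

        sec = sorted(p.command_codes & SECURITY_COMMAND_CODES)
        if sec and p.seid not in designated:
            findings.append(("SECURITY_CODE_UNDESIGNATED", p.seid, ",".join(sec)))

        if p.training_mode and not p.in_training:
            findings.append(("TRAINING_MODE", p.seid, ",".join(sorted(p.training_mode))))

        if p.auto_signoffs >= AUTO_SIGNOFF_THRESHOLD:
            findings.append(("AUTO_SIGNOFFS", p.seid, str(p.auto_signoffs)))
    return findings


# Constructed sample data: hypothetical SEIDs, unit number and WORK* codes.
SAMPLE_UNIT = UnitRecord(
    unit="01-999",
    mpaf={"WORKA", "WORKB", "WORKC"},
    usr="USR01",
    alternate_usrs={"ALT01"},
    tsas={"TSA01"},
    primary_report_reviewer="USR01",
    master_register={"USR01", "ALT01", "TSA01", "EMP01", "EMP02"},
)
SAMPLE_PROFILES = [
    UserProfile("USR01", "01-999", {"WORKA", "SECOP", "UNLEM", "ASNPW"}),
    UserProfile("TSA01", "01-999", {"WORKA", "SECOP", "UNLEM"}),
    UserProfile("EMP01", "01-999", {"WORKA", "WORKB"}, auto_signoffs=16),
    UserProfile("EMP02", "01-999", {"WORKA", "WORKD", "SECOP"}, training_mode={"WORKA"}),
    UserProfile("EMP03", "01-999", {"WORKA"}),  # holds a profile but is not on the register
]


def sample_review() -> List[Finding]:
    return review_unit(SAMPLE_UNIT, SAMPLE_PROFILES)


if __name__ == "__main__":
    for finding in sample_review():
        print(" ".join(finding))
```

Each finding maps to an action the IRM already assigns: OUTSIDE_MPAF and SECURITY_CODE_UNDESIGNATED go to the IDRS Security Account Administrator (only that role adds or removes security command codes), AUTO_SIGNOFFS is the counselling trigger in item 9(7), and LOCK_UNIT is the condition under which the IDRS Security Account Administration staff locks the unit.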

10.8.34.3.2.10  (10-14-2011)
Alternate USR

  1. The Alternate USR is an individual who assists and/or performs the duties of the primary USR when that individual is not available.

  2. Alternate USR designations shall be approved by a second level or higher manager who is in the direct chain of command of the IDRS users being supported.

    1. The designation shall be submitted to an IDRS Security Account Administrator on a Form 13230.

    2. Before submission, the Form 13230 shall be coordinated with the primary USR(s) to ensure that the primary USR(s) is aware of who is being designated as an Alternate USR.

  3. The Alternate USR shall be a non-bargaining unit employee or a bargaining unit employee (e.g., lead) who is familiar with IDRS security requirements and procedures.

  4. The Alternate USR shall have a "completed" background investigation status.

  5. The Alternate USR shall complete:

    1. initial USR training prior to performing USR duties; and

    2. USR refresher training at least annually.

  6. The Alternate USR's manager shall submit an OL5081, "Modify User Profile Request," to the IDRS Security Account Administration staff to request the appropriate security command codes be included in the Alternate USR's IDRS employee profile. The OL5081 request shall be approved by the Alternate USR's primary USR to ensure that primary USR is aware of who is being given security command codes.

  7. A non-bargaining unit Alternate USR is authorized to act as the primary USR when the primary USR is not available, including serving as a unit's Primary Report Reviewer for the review and certification of security reports. A non-bargaining unit Alternate USR may perform all related security duties when officially acting as the primary USR and is authorized to have the full suite of USR security command codes.

  8. A bargaining unit Alternate USR cannot act as primary USR and cannot perform the full duties of a USR. They support a non-bargaining unit USR and can perform non-managerial duties of the USR, such as updating a user's profile. The bargaining unit Alternate USR shall not review another employee's IDRS actions.

  9. For IDRS security purposes, the Alternate USR's security activity is under the purview of the designated primary USR for that unit or area. If the primary USR has concerns regarding security actions taken by the Alternate USR, the primary USR may request that the IDRS Security Analyst provide an audit trail extract of the Alternate USR's activities for a designated date or date range.

  10. The Alternate USR shall fulfill any additional IDRS security responsibilities of the Alternate USR stated elsewhere in the IRM.

10.8.34.3.2.11  (10-14-2011)
Terminal Security Administrator (TSA)

  1. The TSA is an individual assigned by their business organization to unlock IDRS terminals and unlock employee profiles locked due to 17 days of inactivity.

  2. Assigning individuals to serve as TSA is optional and at the discretion of business organization management. The intent of the TSA role is to reduce USR workload.

  3. TSAs may either be a non-bargaining or bargaining unit employee.

  4. A TSA designation shall be approved by a second level manager or higher in their business organization. The designation shall be submitted to the IDRS Security Account Administration staff on Form 13230. Before submission, the Form 13230 shall be coordinated with the unit's primary USR to ensure that the primary USR is aware of who is being designated as a TSA.

  5. The TSA's manager shall submit an OL5081 application modify user request to the IDRS Security Account Administrator to have the appropriate security command codes added to the TSA's IDRS employee profile. The OL5081 application shall be approved by the TSA's primary USR to ensure that their primary USR is aware of who is being given security command codes.

  6. TSAs will not be required to complete specialized IDRS security training, but shall receive instruction from a primary USR before performing TSA duties.

  7. Command Code SECOP is to be placed in the user profile of TSAs (SECOP is the command code used to unlock IDRS terminals). At the request of the manager, TSAs may also be given command code UNLEM (UNLEM is the command code used by a TSA to unlock employee profiles that have been locked by the system because the user has been inactive for 17 days).

  8. For TSAs who are given the capability to unlock employee profiles, USRs are authorized to provide a copy of the "Master Register of Active Users" report or a Command Code SFINQA screen print to the TSA that lists the IDRS employee numbers of users in their unit(s). TSAs are only authorized to unlock IDRS profiles for known users.

  9. For IDRS security purposes, the TSA's security activity is under the purview of the designated primary USR(s) for that unit or area. If the primary USR has concerns regarding security actions taken by the TSA, the primary USR may request that an IDRS Security Analyst provide an audit trail extract of the TSA activities for a designated date or date range.

10.8.34.3.2.12  (10-14-2011)
IORS Report Reviewer

  1. The IORS Report Reviewer is an individual assigned by their business organization to review IDRS security reports in IORS.

  2. There are two IORS Report Reviewer roles:

    1. IORS Primary Report Reviewer

    2. IORS Secondary Report Reviewer

10.8.34.3.2.12.1  (10-14-2011)
IORS Primary Report Reviewer

  1. The IORS Primary Report Reviewer is an individual assigned by their business organization who is responsible for ensuring that the IDRS security reports for a designated IDRS unit(s) are timely reviewed and the appropriate actions are taken when necessary.

  2. IORS Primary Report Reviewers shall be non-bargaining unit employees. They normally serve as the unit's Front/First Line Manager, USR, or have an IDRS coordinator's role.

  3. Each IDRS unit shall have a designated IORS Primary Report Reviewer and their designation shall be submitted to the IDRS Security Account Administration staff on Form 13230. Before submission, the Form 13230 shall be coordinated with the primary USR(s) to ensure that the primary USR(s) is aware of who is being designated as IORS Primary Report Reviewer.

  4. The IDRS Security Account Administration staff will lock any unit that has active IDRS users, but where no IORS Primary Report Reviewer has been designated to review/certify IDRS security reports. The IDRS Security Account Administrator will also designate the primary USR for the unit as the IORS Primary Report Reviewer until the IDRS Security Account Administration staff is notified to the contrary.

  5. IORS Primary Report Reviewer designations are recorded in the IUUD. This information is used by IORS to define Primary Report Reviewer permissions in IORS.

  6. The Primary Report Reviewer shall input report certifications, but may indicate in the certification that the certification is based on the documented review of others such as the Front/First Line Manager or USR, if the Primary Report Reviewer does not perform either of these roles.

  7. The IORS Primary Report Reviewer will receive notification when the security reports are available for review and when security reports requiring certification have not been certified within the prescribed time frame.

  8. The Primary Report Reviewer may grant a proxy to another non-bargaining unit IORS user to act in their place when they are not available.

  9. The IORS Primary Report Reviewer may grant Secondary Report Reviewer permissions to other IORS users to view and comment on IDRS security reports for the unit. The IORS Primary Report Reviewer shall remove these permissions when they are no longer needed.

  10. IORS Primary Report Reviewer shall fulfill any additional IDRS security responsibilities of the IORS Primary Report Reviewer stated elsewhere in the IRM.

10.8.34.3.2.12.2  (10-14-2011)
IORS Secondary Report Reviewer

  1. The IORS Secondary Report Reviewer is an individual who has received permissions from an IORS Primary Report Reviewer to view one or more security reports for a unit.

  2. The IORS Secondary Report Reviewer is usually the Front/First Line Manager of a unit where the Primary Report Reviewer role is being performed by another individual.

  3. The IORS Secondary Report Reviewer shall be a non-bargaining unit employee. However, bargaining unit employees (e.g., leads) who are experienced with IDRS may be given Secondary Reviewer permissions to assist the Primary Report Reviewer with the review and evaluation of security reports that do not involve the review of another employee's IDRS actions. These are reports that do not require a certification (the Master Register, Employee Count, Automated IDRS Sign-offs, and Password Management Activations reports). Bargaining unit employees shall not review reports that involve another employee's IDRS actions. These reports include the Security Violations, Sensitive Access, and Monthly and Quarterly Security Profile reports.

  4. The IORS Secondary Report Reviewer cannot input certifications for security reports, but they can input information to document they have reviewed data that appears on security reports. They can input relevant comments and indicate that they have taken any necessary actions.

  5. The IORS Secondary Report Reviewer cannot grant permissions to other IORS users to view IDRS security reports.

  6. The IORS Secondary Report Reviewer shall notify the Primary Report Reviewer immediately when they no longer need access to unit reports.

  7. IORS Secondary Report Reviewer shall fulfill any additional IDRS security responsibilities of the IORS Secondary Report Reviewer stated elsewhere in the IRM.

10.8.34.4  (10-14-2011)
Management Controls

  1. Per IRM 10.8.1, IRS shall implement management security controls to mitigate risk of IT applications and electronic information loss in order to protect the organization's mission. This IRM further defines the management security control requirements found in IRM 10.8.1 as they pertain to IDRS security.

10.8.34.4.1  (10-14-2011)
Planning

  1. Per IRM 10.8.1, the IRS shall establish enterprise-wide security planning policy and procedures that define and implement rules of behavior for all IT systems.

10.8.34.4.1.1  (10-14-2011)
Rules of Behavior

  1. IDRS users shall sign a statement acknowledging that they have read and understand the rules of behavior.

  2. The OL5081 system shall be used to document IDRS users' acknowledgement they have read and understand the rules of behavior.

    1. Prior to being added to IDRS, users shall sign the OL5081 rules of behavior statement acknowledging that they have read and understand the rules.

    2. In order to maintain access privileges, IDRS users shall annually sign the OL5081 rules of behavior statement to recertify (re-acknowledge) they have read and understand the rules of behavior.

  3. IDRS users who do not sign or annually re-acknowledge the security rules will be denied access to the system. When an employee refuses to sign the security rules, the employee's Front/First Line Manager may, at the discretion of business organization management, brief the employee on the security rules in the presence of a second manager, with both managers acknowledging in writing that the employee was briefed on the security rules.

  4. Failure to comply with the rules of behavior is subject to disciplinary actions. See IRM 6.751.1, "Discipline and Disciplinary Actions: Policies, Responsibilities, Authorities, and Guidance", for further guidance.

10.8.34.5  (10-14-2011)
Operational Controls

  1. Per IRM 10.8.1, IRS shall implement operational security controls. This IRM further defines the operational security control requirements found in IRM 10.8.1 as they pertain to IDRS security.

10.8.34.5.1  (10-14-2011)
Awareness and Training

  1. Per IRM 10.8.1, the IRS shall develop and implement an IT security awareness and training program.

10.8.34.5.1.1  (10-14-2011)
Awareness

  1. IRM 10.8.1 requires system users to complete security awareness training when being granted access to a system and annually for as long as they remain system users. This IRM further defines security awareness training requirements as they pertain to IDRS security.

10.8.34.5.1.1.1  (10-14-2011)
IDRS User Security Awareness Training

  1. The USR shall ensure new and returning users in their IDRS units receive an IDRS security awareness briefing prior to accessing IDRS.

  2. The USR shall ensure that users in their IDRS units receive periodic (at a minimum annual) IDRS security awareness briefings.

  3. The IDRS security awareness briefings shall cover general IDRS security procedure and instruction. At a minimum, the briefings shall cover the following:

    1. the General IDRS Security Procedures found in IRM 2.3.9 Security Command for IDRS Users;

    2. the requirement to annually review and recertify the rules of behavior;

    3. rules regarding unauthorized accesses;

    4. use and protection of passwords and implementation and use of the IDRS password management capability;

    5. necessity of locking workstation or signing off IDRS when the user's workstation is unattended and knowing when IDRS sign-offs are required;

    6. necessity of clearing data from the screen when a terminal operation is completed;

    7. procedures to follow if IDRS goes down;

    8. necessity of promptly retrieving data from the printer;

    9. use of command code LOKME which allows employees to lock their profiles up to 45 days;

    10. use of command code SFDIS definer P for users to check the authorized command codes in their profile, their Multiple Accesses capability and Password Management status;

    11. knowing who to contact if their IDRS terminal is locked or profile is locked; and

    12. advising users that all actions performed on IDRS are recorded in the IDRS audit trail; audit trail records are retained for at least six years.

10.8.34.5.1.2  (10-14-2011)
Training

  1. This IRM section defines security training requirements and responsibilities as they pertain to personnel with significant IDRS security responsibilities.

10.8.34.5.1.2.1  (10-14-2011)
Front/First Line Manager Training

  1. The USR shall ensure that the Front/First Line Managers of their IDRS units are fully aware of their IDRS security responsibilities as outlined in IRM 10.8.34.3.1.3.

10.8.34.5.1.2.2  (10-14-2011)
IDRS Security Program Management Office Staff Training

  1. The IDRS Security Program Officer shall ensure that IDRS Security Program Management Office staff are properly trained to perform their IDRS Security related tasks.

10.8.34.5.1.2.3  (10-14-2011)
IDRS Security Analyst and Computing Center IDRS Security Analyst Training

  1. MITS Cybersecurity Operations management shall ensure that IDRS Security Analysts and Computing Center IDRS Security Analysts are properly trained to perform their IDRS Security related tasks.

10.8.34.5.1.2.4  (10-14-2011)
IDRS Security Account Administrator and Computing Center IDRS Security Administrator Training

  1. MITS EOPS-OSPMO management shall ensure that IDRS Security Account Administrators and Computing Center IDRS Security Administrators are properly trained to perform their IDRS Security related tasks.

10.8.34.5.1.2.5  (10-14-2011)
Unit Security Representative (USR) and Alternate USR Training

  1. Employees designated as USR or Alternate USR shall complete the required initial and annual refresher training.

  2. The required USR initial and annual refresher training courses shall be available on the IRS Enterprise Learning Management System (ELMS).

    Note:

    TIGTA employees who cannot access ELMS will be trained by Kansas City Campus IDRS Security Analysts. Kansas City Campus IDRS Security Analysts will provide TIGTA course completion records to the IDRS Security Program Management Office and the EOPS-OSPMO IDRS Security Account Administration staff.

10.8.34.5.1.2.5.1  (10-14-2011)
Course Development and Revision

  1. The IDRS Security Program Management Office shall be responsible for developing and revising the required USR initial and annual refresher training.

    1. The IDRS Security Program Management Office shall develop the required USR initial and annual refresher training courses and ensure the courses are available on ELMS.

    2. The IDRS Security Program Management Office shall review the required USR initial and annual refresher training courses at least annually, by the end of each calendar year, to ensure they reflect current IDRS security policies and procedures.

    3. The IDRS Security Program Management Office shall contact the MITS Learning & Education staff each year to notify them whether any course revisions are necessary.

    4. The IDRS Security Program Management Office shall update the required USR initial and annual refresher training courses as necessary.

10.8.34.5.1.2.5.2  (10-14-2011)
Initial Training

  1. Employees designated as USR or Alternate USR shall complete the ELMS Course # 29776 — IDRS Unit Security Representatives (USRs) Training.

    1. Security command codes shall not be placed in the profile of any USR or Alternate USR who has not completed this ELMS course.

    2. Security command codes shall be removed from the profile of any USR or Alternate USR who has not completed this ELMS course.

    3. Completing the course will satisfy the annual training requirement for the FISMA training year in which the course is completed.

      Note:

      The FISMA training year is July 1 thru June 30.

  2. New USRs and Alternate USRs shall complete the required initial training course before security command codes are added to their profile.

  3. Returning USRs and Alternate USRs who have not performed USR duties for more than one year shall be considered new and are required to complete the initial training course before security command codes are added to their profile.

  4. IDRS Security Account Administration staff shall remove security command codes from the profile of any USR or Alternate USR who received the command codes without completing the required initial training.
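As an added example (not part of the IRM or any IRS system), the following Python encodes the rules of this Initial Training section and its FISMA-year note: the training-year boundaries, the returning-after-one-year rule, whether the annual requirement is met by the initial course or the refresher, and the audit an account administrator would run to find profiles holding security command codes without completed initial training. The roster fields, user ids, dates and the 365-day reading of "more than one year" are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

def fisma_training_year(d: date) -> Tuple[date, date]:
    """FISMA training year containing d: July 1 through June 30."""
    start = d.year if d.month >= 7 else d.year - 1
    return date(start, 7, 1), date(start + 1, 6, 30)

@dataclass
class UsrRecord:
    """One USR or Alternate USR; field names are constructed for this example."""
    user_id: str
    initial_completed: Optional[date]    # ELMS Course # 29776 completion date
    refresher_completed: Optional[date]  # most recent annual refresher completion
    last_usr_duty: Optional[date]        # None if never performed USR duties
    holds_security_codes: bool           # security command codes in IDRS profile

def considered_new(rec: UsrRecord, today: date) -> bool:
    """New, or returning after more than one year (assumed 365 days) without USR duties."""
    return rec.last_usr_duty is None or today - rec.last_usr_duty > timedelta(days=365)

def initial_training_current(rec: UsrRecord, today: date) -> bool:
    """Initial course completed; a returning USR treated as new must have retaken it."""
    if rec.initial_completed is None:
        return False
    if rec.last_usr_duty is not None and considered_new(rec, today):
        return rec.initial_completed > rec.last_usr_duty
    return True

def annual_requirement_met(rec: UsrRecord, today: date) -> bool:
    """Refresher, or the initial course, completed within the current FISMA year."""
    start, end = fisma_training_year(today)
    return any(c is not None and start <= c <= end
               for c in (rec.initial_completed, rec.refresher_completed))

def profiles_to_strip(records: List[UsrRecord], today: date) -> List[str]:
    """User ids holding security command codes without the required initial training."""
    return [r.user_id for r in records
            if r.holds_security_codes and not initial_training_current(r, today)]

# Constructed sample roster as of the IRM transmittal date.
TODAY = date(2011, 10, 14)
SAMPLE = [
    UsrRecord("usr-a", date(2009, 3, 2), date(2011, 8, 10), date(2011, 10, 1), True),
    UsrRecord("usr-b", None, None, None, True),                           # never trained
    UsrRecord("usr-c", date(2008, 5, 5), None, date(2010, 6, 30), True),  # away > 1 year
    UsrRecord("usr-d", date(2011, 9, 1), None, None, False),              # new, trained
]
```

Running `profiles_to_strip(SAMPLE, TODAY)` flags usr-b (never trained) and usr-c (returning after more than a year with only a pre-gap completion), which is the set paragraph (4) above directs the account administration staff to act on.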
