Accessibility Skip to Top Navigation Skip to Main Content Home  |  Change Text Size  |  Contact IRS  |  About IRS  |  Site Map  |  Español  |  Help  

Part 10. Security, Privacy and Assurance

Chapter 8. Information Technology (IT) Security

Section 60. Information Technology Disaster Recovery Policy and Guidance

10.8.60  Information Technology Disaster Recovery Policy and Guidance

10.8.60.1  (06-01-2009)
Purpose

  1. This transmits Internal Revenue Manual (IRM) 10.8 Section 60, Information Technology (IT) Disaster Recovery Policy and Guidance.

  2. This IRM provides policies and guidance to be used by the Internal Revenue Service (IRS) organizations to carry out their respective responsibilities in information systems security and availability regarding IT Contingency Plans (ITCP) and Disaster Recovery (DR).

10.8.60.1.1  (06-01-2009)
Overview

  1. This DR policy provides requirements and guidance to ensure that all (Tier 1, Tier 2, Tier 3, telecommunications, network, etc.) IRS systems and applications owned or managed by IRS employees or contractors are compliant with Office of Management and Budget (OMB), Federal Information Security Management Act of 2002 (FISMA), National Institute of Standards and Technology (NIST), Treasury, and IRS guidelines. All IRS IT systems and applications must have sufficient Disaster Recovery (DR) capability to recover IRS data with system/application functionality (data is usable to customer) according to pre-defined Recovery Time Objective/Recovery Point Objective (RTO/RPO). Per RTO/RPO, as agreed upon and documented in the Information Technology Contingency Plan (ITCP), that in the event of a significant interruption or disaster, data must be available and usable to the customer.

  2. This policy is a critical component of the IRS' overall Business Continuity Program or Business Continuity Plan (BCP). The pieces of the BCP must work together to create and support the overall Business Continuity of the IRS.

    1. The BCP is an all-encompassing "umbrella" that consists of the following suite of plans:

    • Incident Management Plan – Management Focus

    • Occupant Emergency Plan- Personnel Safety Focus

    • Business Resumption Plan – Process Focus

    • Disaster Recovery / IT Contingency Plan – IT Focus

  3. Program Guidance for the IT Disaster Recovery Program includes:

    • National Institute of Standards and Technology - NIST 800-12, An Introduction to Computer Security: The NIST Handbook, Chapter 11, Preparing for Contingencies and Disasters

    • National Institute of Standards and Technology - NIST 800-34, Contingency Planning Guide for Information Technology Systems

    • National Institute of Standards and Technology – NIST 800-35, Guide to Information Technology Security Services

    • National Institute of Standards and Technology – NIST 800-53, Recommended Security Controls for Federal Information Systems

    • National Institute of Standards and Technology - NIST 800-84, Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities

10.8.60.1.2  (06-01-2009)
Scope

  1. The provisions in this policy apply to all offices, business, operating, and functional units within the IRS, as well as individuals and organizations having contractual arrangements with the IRS, including employees, contractors, and vendors, which use or operate IT systems containing IRS data to accomplish the IRS mission.

  2. This policy governs all (Tier 1, Tier 2, Tier 3, telecommunications, network, etc.) IRS components of information systems that process, store, or transmit information.

  3. This IRM describes responsibilities of IRS and contractor personnel in regard to the IT Disaster Recovery Program.

10.8.60.1.3  (06-01-2009)
IRM Section Topics

  1. This manual contains information on the following topic areas:

    • Organizational structure and responsibility;

    • Roles and responsibilities;

    • Requirements;

    • Exhibits

10.8.60.1.4  (06-01-2009)
Authority

  1. IRM 10.8.1, Information Technology (IT) Security Policy and Guidance, establishes the security program and the policy framework per Treasury requirements and other federal regulations.

  2. IRM 10.8.2, Information Technology(IT) Security Roles and Responsibilities, details specific roles and duties across the enterprise.

  3. The Computer Security Act of 1987: ''P.L. 100-235''

  4. Presidential Decision Directive (PDD) 67, Enduring Constitutional Government and Continuity of Government, October, 1998

  5. Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, Appendix III, November 2000

  6. Federal Information Security Management Act (FISMA) of 2002, Public Law (P.L.) 107-347

  7. Homeland Security Presidential Directive/HSPD –7, Critical Infrastructure Identification, Prioritization, and Protection, December 2003

  8. National Security Presidential Directive/NSPD –51 and Homeland Security Presidential Directive/HSPD –20, National Continuity Policy, May 2007

  9. Federal Continuity Directive 1Federal Executive Branch National Continuity Program and Requirements, February 2008

  10. Federal Continuity Directive 2Mission Essential Function and Primary Mission Essential Function Identification and Submission Process, February 2008

  11. Federal Emergency Management Agency (FEMA) National Response Framework, March 1999

  12. Treasury Directive Publication (TD P) 85-01, Department of the Treasury Information Technology (IT) Security Program

  13. Federal Preparedness Circular (FPC) 65, Federal Executive Branch Continuity of Operations (COOP), June 2004

10.8.60.2  (06-01-2009)
General Policy

  1. In accordance with the Federal law and regulation, the IRS shall:

    1. Plan for security

    2. Assign security responsibility to appropriate officials

    3. Ensure continuity of operations for information systems that support the operations and assets of the agency.

    4. Authorize system (Certification & Accreditation) processing prior to operations, and periodically after deployment.

    5. Conduct exercises or tests for their systems’ IT contingency plans and Disaster Recovery Plans' (DRPs) capabilities at least annually within a FISMA period. FISMA periods run from July 1 thru June 30 of the following year.. Exercises and tests will be conducted with all impacted parties.

    6. Track and document findings and lessons learned to ensure that corrective action plans and executive briefings can be developed.

    7. Ensure that findings are reported to executive management for the direction and leadership assuring that corrective action plans are implemented and findings are resolved or risks accepted.

  2. IRS Executive Sponsors, Program Managers, and Technical Leads will be identified for all major infrastructure initiatives. These initiatives must:

    • comply with Enterprise Life Cycle (ELC) requirements

    • address infrastructure changes

    • day-to-day operations (desktop support, Unified Work Request (UWR) process, Change Requests, Service Desk support, server support, security, E-mail support)

    • Service Level Agreements (SLAs) and

    • infrastructure integration testing

10.8.60.3  (06-01-2009)
Responsibilities

  1. IRM 10.8.2, Information Technology Security Roles and Responsibilities, defines service-wide roles and responsibilities related to IRS information and computer security and is the authoritative source for such information.

  2. Following are the organizational and staff responsibilities supporting and implementing the IRS IT DR Program.

10.8.60.3.1  (06-01-2009)
IT Disaster Recovery Organization (ITDRO)

  1. The Director, Information Technology Disaster Recovery Organization (ITDRO), within MITS, Cybersecurity is the lead for the IRS for establishing and maintaining the IRS enterprise-wide IT DR policy, standards, and procedures, as well as, overseeing IT Business Impact Analysis (IT BIA) and testing activities of the IRS IT DR Program.

  2. ITDRO provides guidance and direction to the IRS enterprise-wide disaster recovery efforts. The ITDRO provides a comprehensive, business-centric IT DR program designed to protect IRS operations, assets, and information.

  3. The ITDRO is responsible for coordinating the efforts of the enterprise-wide IT DR Program as follows:

    1. Policy: Develop policy, guidance, standards, documentation, IRMs, and templates.

    2. Education: Develop training, and perform outreach and awareness for IT DR program activities. Ensure that training is provided and tracked for personnel involved in IT DR activities.

    3. IT Business Impact Analysis: Perform RTO/RPO/Gap Analysis Evaluations. Validate the Critical Business Processes (CBPs) and supporting systems/applications. Facilitate agreement in prioritization of the restoration of systems/applications with Business Operating Divisions (BODS) and MITS organizations.

    4. Compliance: Monitor compliance of applicable IRS systems and applications with IT DR requirements.

    5. Testing/Exercise: Develop testing/exercise standards, metrics, and evaluation of performance. Coordinate Annual FISMA ITCP exercises and DR testing. Provide oversight for the completion of exercise and testing of DRPs and ITCPs. This includes monitoring, as well as, facilitating the exercise and testing of plans; coordinating business and MITS participation in exercises; documenting on of test results; and reporting exercise and tests results to IRS Business and MITS executive management.

    6. Technical Assessment: Facilitate, monitor and assist in conducting annual risk assessments; validate backup strategies (backups are performed and stored off site and can be retrieved on a timely basis to meet RTO/RPO/MAO (Maximum Allowable Outage)) and perform gap analysis' to ensure that the BODs and MITS are in agreement regarding Redundancy/Resiliency Analysis.

    7. Plan Development: Facilitate the creation of Disaster Recovery Plans, verify annual DR Plan review and maintenance of DR plan repository.

    8. Material Weakness and Audit Reporting: Manage re-mediation plans and resolution of IT DR Computer Security Material Weaknesses (CSMW) that have been identified by the General Accounting Office (GAO), Treasury Inspector General for Tax Administration (TIGTA) or Inspector General (IG) as it relates to the Critical Infrastructure Protection (CIP) program.

    9. Plans of Actions & Milestones: Responsible for monitoring and concurring/approving closure of all ITCP/DR related POA&M items.

  4. Responsibilities of the ITDRO include:

    • Establishing templates and documents for the development of IT DR Plans, ITCPs, testing, exercises, etc.

    • Coordinating DR testing to ensure keystroke/step-by-step DRPs are in alignment with the ability to restore operations within allotted RTO/RPO time frames.

    • Coordinating exercises of IT Contingency Plans, to ensure the ITCP is capable of providing guidance for recovery of IT system(s) in the event of a significant disruption or disaster.

    • Maintaining copies of all IT Contingency Plans (ITCPs), Disaster Recovery Plans (DRPs) and associated documents.

    • Assuring an IT Business Impact Analysis (IT BIA) is conducted by the BODs, providing appropriate IT DR Information.

    • Conducting Technical Risk Assessment; recommending mitigation strategies.

    • Facilitating site-based infrastructure vulnerability reviews.

    • Conducting compliance reviews of documentation and activities related to IT Contingency Plans, DR Plans, exercises and testing.

    • Developing IT DRPs in conjunction with system owners/administrators.

    • Partnering with Agency Wide Shared Services (AWSS) on Business Continuity efforts.

    • Partnering with MITS Enterprise Operations on executing the ITCP and DRP exercises and tests.

    • Partnering with MITS Enterprise Networks on executing the ITCP and DRP exercises and tests.

    • Managing an enterprise Business Impact Assessment that includes ranking of IRS CBPs, their sub-processes, and the supporting IT assets.

10.8.60.3.2  (06-01-2009)
Modernization and Information Technology Services (MITS) operations

  1. Each BOD that owns or operates IT resources shall comply with MITS requirements.

  2. Each contractor or vendor that owns or operates IT resources on behalf of the IRS shall also comply with MITS requirements.

  3. MITS operations is responsible for:

    • Performing annual execution and exercise of each IT Contingency Plan.

    • Providing updates to the IT Contingency Plan with changes to the owner as they are identified, but not less than annually.

    • Providing subject matter expertise for DR capabilities.

    • Providing subject matter expertise to write the detailed content (keystrokes/step by step) of each plan.

    • Performing annual execution and testing of each DRP.

    • Updating the DRP with changes after each DR Test.

    • Securing approval for use of production or live data, if applicable, for functional or DR tests using Form 13471, Live Data Request.

    • Partnering with ITDRO and BODs to coordinate requirements, priorities, recovery times, cost evaluations and support to procurement activities to enhance DR capabilities to meet stated business objectives.

    • Maintaining/owning the content of the DRPs.

    • Providing resources for DR planning, including staffing, location and procuring funded equipment.

    • Establish a succession planning document to ensure the service is protected from experiencing a personnel single point of failure within their organization in the event of a disaster, which would negatively impact the recovery of FISMA General Support Systems (GSSs) and/or applications.

    • Securing concurrence, in writing, from the Director, ITDRO prior to closing all ITCP/DR related POA&M items

10.8.60.3.3  (06-01-2009)
Business Operating Division (BOD) Information System Owners

  1. The BOD/Information System Owner is the agency official responsible for the overall procurement, development, integration, modification, operation and maintenance of the information system. For applications housed on systems owned by or operated by MITS, MITS will work with BODs to determine appropriate enterprise priorities and identify funding sources for the procurement of equipment. The Information System Owner is also known as the Business and Functional Unit Owner.

  2. Each BOD that owns or operates IT resources shall comply with the MITS requirements.

  3. Each contractor or vendor that owns or operates IT resources on behalf of the IRS shall comply with the MITS requirements.

  4. The BOD/Information System Owner is required to:

    • Determine business impacts, recovery needs and time frames needed for business restoration and communicate this information to MITS operations and ITDRO.

    • Work jointly with MITS Operations and ITDRO in the development of viable DRPs determining what data needs to be recovered and the priority order for recovery.

    • Review/update DRPs, at a minimum, annually to ensure accuracy and notify the ITDRO of completion via their mailbox *MITS IT DR Mailbox with the name(s) of the GSS or application and a Point of Contact (POC).

    • Work jointly with MITS Operations and ITDRO in the development of viable Business Impact Analysis's to assist in determining time frames for recovering applications that support CBPs and align recovery expectations of BODs with recovery capabilities of MITS.

    • Develop adequate DR requirements and funding during the Enterprise Life Cycle (ELC) development phase of all new systems and throughout any production system upgrades.

    • Securing concurrence, in writing, from the Director, ITDRO prior to closing all ITCP/DR related POA&M items.

  5. IRM 10.8.2, Information Technology (IT) Roles and Responsibilities, Section 2.2.5(2), (4) and (5), states in part that Business and Functional Unit Owners shall:

    • Be the official responsible for the overall procurement, development, integration, modification, operation, and maintenance of an information system or application;

    • In accordance with FISMA requirements, include security requirements in their capital planning and investment business cases;

    • Ensure security requirements are adequately funded and documented in accordance with OMB Circular A-11;

    • Conduct annual testing of the system;

    • Fully describe and document the information system in the ITCP;

    • Clearly define system and application priorities, subsequent needs, and related risk acceptance or avoidance for recovery;

    • Acquire and transport replacement equipment required to restore operations;

    • Determine recovery needs and time frames needed for business restoration through comprehensive business impact analysis evaluations;

    • Determine what data needs to be recovered and the priority order for recovery;

    • Develop DR requirements during the development phase of all new systems and throughout any production system upgrades;

    • Provide the funding for the DR equipment/space/storage needed to meet the recovery goals (set by the business);

    • Fully describe and document the details of the information system in the IT Contingency Plan (ITCP) that is required by FISMA for each major system;

    • Ensure ITCPs and DR plans for all applications and systems are tested annually;

    • Work jointly with MITS in development and testing of DR plans to ensure business continuity;

    • Work jointly with MITS in the testing of the DR plans to ensure availability of data from the recovered system.

  6. It is recommended that BODs work jointly with Agency-Wide Shared Services (AWSS), MITS operations and ITDRO to conduct integrated Business Continuity (BC)-Disaster Recovery(DR) exercises, whenever possible, to validate the recovery times of CBPs and supporting applications.

10.8.60.3.4  (06-01-2009)
Contracting Officer (CO)

  1. Contracting Officer’s (COs) acting on IRS's behalf are required to ensure the inclusion of IRS DR expectations within contracts for the purpose of DR support. Verbiage included in the contract should contain the following:

    • Contractors will comply with this IRM and any others developed for the IRS DR Program.

    • Contractors agree to provide IRS with all data and documents pertaining to DR deliverables.

    • Contractors agree to provide IRS with proof of an existing DR keystroke or step by step documentation (DR Plan) and succession planning document to ensure the contractor is protected from experiencing a single point of failure within their organization in the event of a disaster, which would negatively impact the IRS.

    • Contractors are expected to follow IRS guidance on security, building access, system access, etc.

10.8.60.3.5  (06-01-2009)
Situation Awareness Management Center (SAMC)

  1. Situation Awareness Management Center (SAMC) receives, manages, and escalates advisories and alerts of physical and cyber events from across the IRS.

  2. SAMC operates on a 24x7x365 schedule, providing immediate response required by the incident. All incidents affecting IRS operations, employees, facilities, or data processing should be reported to SAMC within a 30 minute time frame of the incident discovery (allowing for notification of local responders (Federal Protection Service (FPS), TIGTA, HAZMAT, Police, Fire Department).

  3. For the purposes of IT Disaster Recovery, SAMC is typically notified by the site Director, Senior Commissioner's Representative, AWSS.

  4. SAMC can be notified through 4 different modes of communication (E-mail, phone, fax, and hot line).

    • E-mail: samc@irs.gov

    • Phone: (202) 283-4809

    • Fax: (202) 283-0345

    • Hot line: (866) 216-4809

10.8.60.3.6  (06-01-2009)
IT DR Reporting

  1. Single Entry Time Reporting Function/Program Codes and Internal Order Codes have been established that will be used to track Internal Revenue Service Information Technology Disaster Recovery work efforts. Any Internal Revenue Service employee involved in this work will use Function Code 800 and Program Code 800-8237X series for tracking purposes.

  2. If you are involved in any of the activities mentioned in the chart listed in (3) below, ensure you utilize the applicable Information Technology Disaster Recovery Program Code(s), so that time spent addressing Information Technology Disaster Recovery activities may be tracked.

    Note:

    These program codes are not to be used for activities associated with restoring services in the event Business Operations are interrupted because of natural, environmental or man-made incidents – see the Agency-Wide Shared Services Program Code 82350 for this guidance. For Taxpayer Disaster Relief activities see Program Code 82360

  3. The chart below provides the new codes and the activities/definition related to them:

    Program/Project Code Activity – Definition
    Code 82370 – DISREC - Disaster Recovery Office

    • Internal IT Disaster Recovery Office Support Staff only
    Code 82371 — PLANDVLP - Prepare Disaster Recovery Plans

    • Prepare IT Disaster Recovery Plans

    • IT Disaster Recovery plans are written, evaluated and updated annually as business priorities and operational procedures change
    Code 82372 – TECHASMT- Technical Assessment

    • Prepare/Assist IT Disaster Recovery Technical Assessments including assessing the readiness and capabilities of existing and future state infrastructures and evaluating new technologies and best practices to enhance existing capabilities

    • Technical Assessments perform critical in-depth analyses to identify existing capabilities and vulnerabilities to business processes and supporting infrastructure

    Code 82373 – DRITCPTT - Test, Exercise & Evaluation

    • Participate in FISMA ITCP Testing and/or Disaster Recovery Testing, Exercise and Evaluation including all pre-work for tests, the actual test and post-work to bring the testing activity to full completion

    • Test, Exercise & Evaluation is conducted across all critical assets to evaluate readiness, identify issues and provide recommendations for improvements

    Code 82374 – BIARISK - Business Impact Assessment

    • Participate in Business Impact Assessment activities including development, evaluating risks, continuity and resiliency of business processes

    • Business Impact Assessments to evaluate all processes, systems, locations, etc. in order to determine business impacts and priorities

    Code 82375 – DRPOLICY - Policy

    • Participate in IT Disaster Recovery Policy initiatives (Internal ITDRO only) including establishing policies, standards, documentation, metrics, templates, etc.

    • The establishment of policies, documentation and templates provide the framework for a standardized approach for program execution
    Code 82376 – DRCOMPL -Compliance

    • Participate in IT Disaster Recovery Compliance initiatives including the internal audit process for all Disaster Recovery activities, auditing enterprise adherence and consistency to established program standards

    Code 82377 – DRTRAIN -Training

    • Conduct or participate in IT Disaster Recovery Training

    • Targeted IT Disaster Recovery training ensures all roles and responsibilities are understood and established policies, procedures and standards are effectively communicated

10.8.60.4  (06-01-2009)
IT Disaster Recovery and Business Continuity

  1. IT Contingency Plans and Disaster Recovery Plans are supporting documents in an organization's overall Business Continuity Plan (BCP). The BCP acts as an over-arching plan, like an umbrella, that encompasses all activities that ensure business continues in the event of a significant impact or disaster.

  2. The Business Continuity Plan has four primary documents or programs supporting it. They are:

    • Incident Management Plan (IMP) - Incident Focus (AWSS)

    • Occupant Emergency Plan (OEP)- Personnel Safety Focus (AWSS)

    • Business Resumption Plan (BRP)- Process Focus (BODs)

    • Disaster Recovery (DR)/ IT Contingency Plan(ITCP) - Technology Focus (MITS/BODs)

  3. The four documents relate as indicated in the table below.

    Business Continuity Plan
    Incident Management Plan
    Occupant Emergency Plan Business Resumption Plan Disaster Recovery/IT Contingency Plan

    The OEP, BRP, and DR and/or ITCP are stand-alone plans that may be implemented by separately or together. These plans feed into the IMP which then feeds into the BCP.

10.8.60.5  (06-01-2009)
IT Business Impact Analysis (IT BIA)

  1. The IT Business Impact Analysis (IT BIA) is a critical step in IT contingency planning and the ITCP.

  2. The IT BIA takes into account business needs and requirements as well as information technology.

  3. The IT BIA evaluates the business and system requirements, processes, and interdependences to determine contingency requirement and priorities. The IT BIA correlates system components with the critical services they provide to quantify the consequences to the business of a disruption to the system components or application.

  4. The IT BIA is evaluated and written in relation to an application and/or system. IT BIAs are considered stand-alone for that particular application or system, but are managed at an enterprise level and by site.

  5. The site-based IT BIA serves to:

    • Identify the impact that disruptions to computer applications could have on the ability of a particular site, to perform its CBPs.

    • Determine recovery priorities for site-specific applications that supporting these processes, regardless of security categorization.

    • Identify the risks faced by the site. This helps to evaluate or determine the effectiveness of the sites risk mitigation priorities and associated expenditures.

  6. The enterprise-wide IT BIA serves as a core initiative to:

    • Identify the impact that disruptions to computer applications would have on the ability of the IRS to perform its CBPs.

    • Determine recovery priorities for all IRS applications supporting these processes, regardless of location.

    • Identify the risks faced by the enterprise, and measure the appropriateness of its risk mitigation priorities and expenditures.

10.8.60.5.1  (06-01-2009)
IT BIA Requirement

  1. All FISMA Master Inventory (MI) GSSs and applications have an initial IT BIA conducted as part of the C&A process, See IRM 10.8.60.4.

  2. Conducting and funding of IT BIA activities is the responsibility of the Business Owner.

  3. The IT BIA is an ongoing, living document that must be evaluated on an annual basis or whenever there is a change to business requirements, systems, or applications or the applications or systems that affect it.

10.8.60.5.2  (06-01-2009)
Conducting the IT BIA

  1. There are four primary steps to completing an IT BIA.

    1. Identify the business requirements and purpose of the application undergoing the BIA.

    2. Identify outage tolerances:

      • Disruption impacts to specific business functions
      • Maximum Allowable Outage (MAO) Times
      • Application Recovery Time Objectives (RTO)
      • Interdependencies supporting other IT resources (GSS, Internal/External Applications, etc.)

    3. Identify outage impacts. Items to consider:

      • Loss of data
      • Operational
      • Customer service
      • Damage to Reputation

    4. Identify recovery priorities. Such as:

      • Critical Business Processes
      • Business process RTOs
      • Outage impact (see above)

10.8.60.5.3  (06-01-2009)
IRS Critical Business Processes

  1. Critical Business Processes (CBPs) have been defined by the IRS Senior Executive team and business representatives as the most critical to the tax administration mission of the IRS supporting the overall continuity of the Federal Government. Originally established in 2002 and updated in May 2008, there are 18 IRS Critical Business Processes. They are also referred to as the IRS’s Global Priorities.

  2. There are three categories based on their relative priority to the execution and support of the overall mission of the IRS. Those three categories are defined below.

    1. Priority 1 - Mission Enablers (Infrastructure / People)

      • Provides the foundation and basic needs to support all operational functionality ensuring the continuity of the mission of the IRS

      • Enables and assures that the necessary infrastructure and personnel are available and ready to perform the business functions of the IRS

      • Defines activities to provide facilities, human resources, technology, safety, information security, communications, business continuity and assurance of fair taxpayer treatment

    2. Priority 2 – Mission Critical (Primary / Core Functions)

      • Core business functions to execute the mission of the IRS

      • Business functionality that must be restored first in the event of a disaster

      • Any disruption or failure of these functions would negatively impact the IRS’s ability to fulfill its mission in a timely manner and thus could impact public trust and confidence in government, economic stability and taxpayer compliance requirements

    3. Priority 3 – Mission Supportive (Discretionary Functions)

      • Represents the business functions that directly enhance or support the mission of the IRS

      • Objectives of these functions have less immediate impact on taxpayers if they are disrupted

      • A short term disruption or loss of these functions would not preclude the IRS from executing it’s mission, but a long-term loss would have a significant impact on operations

  3. Listed below are the 18 Critical Business Processes by Priority

    Priority 1 - Mission Enablers - Infrastructure / People Priority 2 - Mission Critical - Primary / Core Functions Priority 3 - Mission Supportive - Discretionary Functions
    Perform Human Resource and Operational Support Activities Process Remittances Conduct Collection Activities
    Maintain a Business Continuity Capability Process Tax Returns Conduct Examination Activities
    Provide External Communications Process Refunds Issue Pre-Filing Determinations
    Advocate Fair Taxpayer Treatment Respond to Inquiries Conduct Criminal Investigation Activities
      Detect and Stop Fraudulent Refunds Perform Litigation
      Issue Taxpayer Notices Provide Appeals Process
      Develop and Deliver Tax Forms and Publications Process Vendor Payments

10.8.60.6  (06-01-2009)
IT Contingency Testing and Exercise

  1. IRM 10.8.1, Information Technology (IT) Security Policy and Guidance requires BODs to conduct exercises or tests for their systems’ contingency plan capabilities at least annually.

  2. Functional and DR tests requiring the use of production or live data are required to get a Live Data Waiver, Form 13471. This form is located at: http://core.publish.no.irs.gov/forms/internal/pdf/37277h04.pdf . The use of live data in testing is covered in IRM 2.5.16 Use of Live Data in Testing

  3. All testing and exercises are coordinated by the ITDRO staff. ITDRO can be reached via their mailbox *MITS IT DR Mailbox.

  4. Guidance and procedures for IT Contingency Testing and Exercises is located in IRM 10.8.62 Information Technology (IT) Disaster Recovery Testing, Training and Exercise Program.

10.8.60.7  (06-01-2009)
Information Technology Contingency Plan (ITCP)

  1. IRM 10.8.1, Information Technology (IT) Security Policy and Guidance, requires the development and maintenance of continuity of support plans/IT contingency plans.

  2. The ITCP provides the procedures and capabilities for recovering General Support Systems (GSSs) and applications. In addition, the ITCP addresses the resources, roles, responsibilities, and procedures for recovering IT applications and GSSs after a disruption. This type of disruption does not require relocation to another location/site.

    Note:

    A Disaster Recovery Plan is a document created that defines the resources, roles, responsibilities, actions, tasks, and the steps required, down to a key step level, to restore an IT system to its full operational status at the current or alternate facility after a disruption. This is different from the ITCP in that it is in greater detail and is usually only activated when there has been a significant incident requiring relocation of the system. See IRM 10.8.60.10 Disaster Recovery Plan for additional information.

10.8.60.7.1  (06-01-2009)
IT Contingency Plan Requirement

  1. All FISMA MI GSSs and applications are required to have an ITCP.

  2. All FISMA MI GSSs and applications are required to exercise their ITCP annually.

    Note:

    There is no difference in the ITCP test processes and documentation between one conducted during a Certification and Accreditation and one conducted during Continuous Monitoring.

  3. The FISMA MI and other FISMA related information are located on the MITS Cybersecurity Web site at: http://mits.web.irs.gov/cybersecurity/FISMA/default.htm

  4. ITCPs are to be reviewed no less than annually, or when major changes are made to the system, or contact information necessary in the event of an incident, and updated as needed.

10.8.60.7.2  (06-01-2009)
IT Contingency Planning Process

  1. NIST 800-34,Contingency Planning Guide for Information Technology Systems, lists seven steps to developing and maintaining an effective ITCP. The initial ITCP is developed during the IRS Certification and Accreditation (C&A) process required for every application or system before going into production.

    Note:

    There is no difference in the ITCP test processes and documentation between one conducted during a Certification and Accreditation and one conducted during Continuous Monitoring.

    The seven steps below provide an overview of the process:

    1. Develop the contingency planning policy statement.

    2. Conduct the IT Business Impact Analysis (IT BIA). The initial IT BIA is conducted during the C&A process and is included in the ITCP. See IRM 10.8.60.5.1 IT BIA Requirements.

    3. Identify preventive controls.

    4. Develop recovery strategies.

    5. Develop an IT Contingency Plan.

    6. Plan, test, train participants, and exercise the ITCP.

    7. Conduct ITCP maintenance.

10.8.60.7.3  (06-01-2009)
ITCP Exercise

  1. ITCP exercises consist of Tabletop and/or Functional Exercises.

  2. Treasury and OPM guidance requires ITCP exercise requirements be based on the Federal Information Processing Standards Publications (FIPS) 199 security availability category below:

    Security Availability Type of Exercise Required
    LOW Tabletop
    MODERATE Tabletop plus low level functional exercise
    HIGH Tabletop plus high level functional exercise

  3. In addition to the requirements in (2) above, all GSSs and applications, that support one of the IRS Critical Business Processes (CBPs) must have a Tabletop plus a functional exercise.

  4. See Exhibit 10.8.60-1for a definition of a tabletop and functional exercise.

  5. Procedures for conducting ITCP Exercises are in IRM 10.8.62 Information Technology (IT) Disaster Recovery Testing, Training and Exercise Program.

  6. Additional guidance based on Treasury, OMB or IRS requirements are issued by the Director, ITDRO each FISMA period.

10.8.60.8  (06-01-2009)
IT Disaster Recovery Requirements

  1. All GSSs and applications must be recoverable.

  2. All GSSs and applications must have a DRP. See Section 10.8.60.9, Disaster Recovery Plan (DRP) for more information on DRPs.

  3. Owners of all GSSs and applications supporting a CBP must annually test their recovery capability (DR Test) in order to ensure the continuity of the operations of the IRS.

  4. Modifications to this annual requirement must be submitted to and approved by the Director, IT Disaster Recovery Organization.

    1. Request must include:

    • Name of BOD

    • Name of GSS/Application and its locations

    • Reason for Deviation Request

    • Planned date to conduct the DR Test

    • Desired frequency of DR test if less than annually

    • Point of Contact and phone number

    • Signature of Designated Approving Authority (DAA), also known as Designated Accrediting Authority.

  5. Procedures for conducting DR tests are in IRM 10.8.62 Information Technology (IT) Disaster Recovery Testing, Training and Exercise Program.

10.8.60.9  (06-01-2009)
System/Application Back Ups

  1. All FISMA MI GSSs and applications and non-applications (as defined by FISMA) must be backed up in a restorable format on a regular basis and stored off site.

  2. Frequency and type of back ups must be defined in the Operations/Customer Service Level Agreement (SLA) and documented in applicable Certification and Accreditation documents.

  3. All Mobile Media must be encrypted as required in IRM 10.8.1, Information Technology (IT) Security Policy and Guidance, Section 10.8.1.5.2.10.3, Encryption of Mobile Media.

  4. All media must be stored off-site.

  5. For further information on back ups, please refer to IRM 10.8.1, Information Technology (IT) Security Policy and Guidance, Section 10.8.1.4.3.1, Information Backup.

10.8.60.9.1  (06-01-2009)
Recovery Site

  1. When selecting fixed-site locations for recovery of IRS FISMA Master Inventory (MI) systems and applications, consideration for the time and mode of transportation necessary to move personnel there is required. This is particularly critical if personnel at the potential location do not have the skills necessary to recover/operate the equipment, systems, and applications. (Example: During a wide-spread disaster, such as that of September 11, 2001, roads and bridges may be closed to vehicles and air transportation may be restricted.) In addition, the fixed site should be in a geographic area that is unlikely to be negatively affected by the same disaster event (e.g., weather-related impacts or power grid failure) as the organization’s primary site.

  2. Use or development of designated and potential Recovery Sites, must be submitted to and analyzed by the MITS, Enterprise Operations, Customer Relationship and Integration Division. Requests must be based on the specific requirements defined in the IT Business Impact Analysis (IT BIA).

  3. The recovery site should have system security, management, operational, and technical controls that are equal to the production site. Such controls may include firewalls, physical access controls, data controls, and security clearance level of the site and staff supporting the site.

  4. Recovery sites must be IRS facilities. For FISMA Master Inventory GSSs, systems and applications, to the greatest extent possible, the recovery site will be one of the three Enterprise Computing Centers.

10.8.60.9.2  (06-01-2009)
Off Site Storage

  1. The off-site storage location must be located in sufficient distance as to not be affected by a physical incident affecting the area of the production location but within adequate distance to retrieve stored data/documents per the documented business needs.

  2. Contracted services for retrieval from off premise storage facilities must be based on the system/applications RTO objectives.

  3. Yearly verification must be performed and documented to ensure that:

    1. Backup media are stored at designated off-site locations and retrievable

    2. The backup/off-site storage organization/vendor’s delivery time, is based on the business needs during normal and non-normal business hours

  4. The annual verification shall extend to a review and update of the access control list for the off site storage, making note that, in an incident, it may be non-local staff who are called upon to retrieve/receive backup media.

  5. The review shall also ensure that the off site copy of the DR plan is current.

10.8.60.10  (06-01-2009)
Disaster Recovery Plan (DRP)

  1. A Disaster Recovery Plan (DRP) refers to an IT-focused plan designed to restore operability of the target system and/or application in computing space within an alternate site after an emergency.

  2. The DRP defines the resources, roles, responsibilities, actions, tasks, and the detailed work steps (keystrokes) required to restore an IT system to its full operational status at the current or alternate facility after a major disruption with long term effects..

  3. The DRP is developed with the following factors considered:

    • Operational requirements

    • Security requirements

    • Technical procedures

    • Hardware, software and other equipment

    • Names and contact information of team members

    • Names and contact information of vendors

    • Alternate and off site requirements

    • Vital records (electronic and hardcopy)

  4. For assistance in developing a DRP and for copies of the DRP templates, E-mail the ITDRO at *MITS IT DR Mailbox.

10.8.60.10.1  (06-01-2009)
DRP Requirement

  1. All FISMA MI GSSs and applications will have recovery capability. Applications that do not support the IRS CBPs see (8) below. Funding of the DR solution is the responsibility of the Business Owner and will be addressed in the Service Level Agreement (SLA) or Memorandum of Understanding (MOU) as appropriate.

  2. All FISMA MI GSSs and applications are required to have a DRP. All systems used for recovery shall comply with existing IRS Policies.

  3. DR-related information, including recovery times, are documented in the ITCP and DRP.

  4. The DRP is the responsibility of the owner of the GSS or application. It is maintained/updated by the owner and MITS operations responsible for the recovery of the GSS or application and the system(s) it resides on.

  5. IT assets that are not listed in the FISMA MI which are determined to have an interdependency with a FISMA MI asset, are required to have a DRP.

  6. The DRP is Appendix H to the ITCP. While it is a part of the overall ITCP, it is also a stand alone document that provides guidance and procedures, necessary for the technical recovery of a system or application at an alternate site. Depending on the size and complexity of the DRP, it will be maintained separately from the ITCP. High level guidance and reference to the DRP will be maintained in Appendix H.

  7. The DRP shall be sufficiently detailed (detailed work steps/key strokes) and complete enough to recover the system and/or application, to the working level prescribed by the ITCP/MOU/SLA, for which it was written, by any administrator with the appropriate skills and permissions.

  8. A risk assessment and business impact analysis shall be performed for all FISMA MI GSSs and applications that do not support the IRS' Critical Business Processes to determine the extent of necessary recovery capability.

10.8.60.10.2  (06-01-2009)
IT DRP Planning Process

  1. Following the guidance provided by NIST 800-34, Contingency Planning Guide for information Technologies Systems, a DRP refers to an IT-focused plan designed to restore operability of the target system, application or computer facility at an alternate site after a major, and usually catastrophic, disaster. The steps below provide an overview of the process:

    • Review current documentation, both the ITCP and BIA.

    • Determine backup and recovery strategies.

    • Determine recovery site.

    • Identify current subject matter experts.

    • Gather information relevant to system recovery, i.e. key stroke recovery guide, backup location, RTO/RPO, etc.

    • Develop a DRP.

    • Review DRP, at a minimum, annually and update. Notify the ITDRO of completion via their mailbox *MITS IT DR Mailbox with the name(s) of the GSS or application and a POC.

    • File updated copy at recovery site, off-site storage location and provide electronic copy to the ITDRO via their mailbox *MITS IT DR Mailbox and other appropriate staff.

10.8.60.10.3  (06-01-2009)
IT Disaster Recovery Test

  1. Owners of FISMA MI GSSs and applications that support a CBP are required to annually test the recovery of their system.

  2. All testing and exercises are coordinated by the ITDRO staff. See IRM 10.8.62, Information Technology (IT) Disaster Recovery Testing, Training and Exercise Program for guidance. The IRM documents how to begin and proceed through the ITCP and DR exercise and testing process for every application and GSS in the IRS Master Inventory. For additional information, the ITDRO can be reached via their mailbox *MITS IT DR Mailbox.

  3. Given the costs and feasibility of conducting a full DR Test, functional tests/partial DR tests are utilized with a gradual increase in complexity and extensiveness in testing until compliance with See IRM 10.8.60.2.

  4. A tested DR Plan is a DRP that has been subjected to an evaluation using a DR Test Plan to identify the scope, objectives, expected results, recovering the system/application using back up data on different equipment or another location. The actual summary results are used to measure the ability of the recovery personnel using the DRP to recover an IT system and its data to full operational status following a disruption.

  5. Procedures for requesting and conducting DR Tests are in IRM 10.8.62Information Technology (IT) Disaster Recovery Testing, Training and Exercise Program

  6. The test results are to be documented in the Summary Report within 30 days after the conclusion of the annual Disaster Recovery Test. Within 10 days after finalization, the results must be shared with the Senior Management of the recovery personnel who participated in the Disaster Recovery Test from Enterprise Computing Centers and other Enterprise Operations organizations. A copy of the completed documents are to be provided to the IT Disaster Recover Organization, Test, Training & Exercise team

  7. All DRPs should be updated with lessons learned following any conducted tests/exercises.

10.8.60.11  (06-01-2009)
Access and Requests for IT Contingency/Disaster Recovery Information

  1. Only employees or non-IRS individuals with an authorized need to know can view or receive documentation relating to ITCPs or DRPs.

  2. Requests for DR or ITCP data will be handled by the owner of the document/data. Requests should be in writing and include sufficient information to determine type of documents requested, purpose/need and requestor's information/position.

10.8.60.11.1  (06-01-2009)
Internal Information Requests

  1. System administrators, managers, or other individuals with responsibility for IT Contingency or IT DR are required to have access to or copies of applicable ITCPs and/or DRPs.

  2. System administrators, managers, or other individuals with responsibility for IT Contingency or IT DR should be provided copies of or access to GSS and application ITCPs and/or DRPs by their management or the GSS or application owner.

  3. Requests for copies of or access to GSS and application ITCPs and/or DRPs should be made through the employees' manager to the GSS and/or application owner.

  4. All other requests for copies of, or access to, GSS and application ITCPs and/or DRPs shall be requested from the GSS or application owner. The request must specify what is being requested, purpose, contact person, and where it is to be sent.

10.8.60.11.2  (06-01-2009)
TIGTA/GAO Audits and Information Requests

  1. TIGTA/GAO notification of audits and requests for information that involve IT DR in some way, are received by or routed through the Cybersecurity, Communications & Support Services, Program Oversight & Coordination Office for control and provided to the ITDRO.

  2. TIGTA/GAO requests for documents, such as ITCPs or DRPs, for current or upcoming DR or IT Contingency Plan audits are to be sent to the system/application owner for release.

10.8.60.12  (06-01-2009)
Security Awareness Training

  1. FISMA requires that all agencies establish security awareness training to inform personnel, including contractors, of information security risks associated with their activities, and their responsibilities in complying with agency policies and procedures to protect the confidentiality, integrity, and availability of information and information systems.

10.8.60.12.1  (06-01-2009)
Disaster Recovery Training

  1. The ITDRO is responsible for developing and disseminating training information through MITS/FISMA Program Management Office BOD representatives to identified employees.

  2. The ITDRO establishes training in support of the DR program.

  3. The training established by ITDRO supports annual FISMA security training requirements.

  4. The training established by ITDRO is available through the Enterprise Learning Management System (ELMS).

10.8.60.12.2  (06-01-2009)
Disaster Recovery Training Guidelines

  1. Employee's with DR responsibilities are required to complete DR-focused training each year. Training can be met through elective courses from the online services provided by IRS, on the job training (i.e. training during a DR Test) or through offerings of a private vendor. DR training classes or seminars count toward the employees annual security training requirement.

  2. Suggested Training hours are based on the employees' role with respect to DR as indicated in the chart below. Exception, for ITDRO staff, the hours are required.

    Role Role Description Organization Annual DR Hours
    Disaster Recovery Process Owner The Disaster Recovery Process Owner defines the principles, policies, and procedures necessary to support essential business function after a catastrophic event. MITS 8
    DR Policy, Assessment, and Metric Management The staff performing this role assists the DR process owner in the design, implementation and evaluation of policy and compliance. MITS 12
    Training, Test & Exercise Coordination The staff performing this role assists the DR process owner in DR program training, testing and exercise (TT&E) coordination. MITS 12
    DR Plan Development & Technical Assessment The staff performing this role assists the DR process owner in providing guidance to system/application owners in the creation of adequate DR plans and assessing technical requirements for effective recovery. MITS 12
    Business System/Application Owner The Business System/Application Owner plans and supports activities required to design, acquire resources, test, implement, and update a DR plan/strategy. MITS BODs 2
    Coordinator IT Disaster Recovery Testing The Coordinator is the liaison between the ITDRO and the IT resources. MITS BODs 2
    Disaster Recovery Operations The role encompasses many types of operational functions: e.g., system/application administration, database administration, network and telecommunications, procurement, server refreshment, help desk, etc. MITS BODs 4

  3. IRS ELMS training classes available for the roles above will be listed in the various established IRS Roles Requiring an IT Security Curriculum. For current information, guidance and requirements on IRS Roles Requiring an IT Security Curriculum, go to the FISMA Specialized IT Security Training web site at: http://mits.web.irs.gov/cybersecurity/FISMA/training.htm

  4. Employees/managers must work with their training coordinator to ensure credit is given for classes relating to IT Disaster Recovery/IT Contingency Planning.

10.8.60.12.3  (06-01-2009)
Disaster Recovery Certifications

  1. Employee's with primary or full time DR duties are encouraged to complete formal, vendor-sponsored DR training and test for DR certification. DR training counts towards the employees annual security training requirement. Vendor-sponsored refers to vendors that provide training on IT DR, Business Continuity, and/or IT Contingency Planning.

  2. Employee's with DR certifications are required to complete the appropriate number of hours (CPE) yearly to maintain their certification. Hours count towards the employees annual security training requirement.

  3. Costs of certification, testing and yearly maintenance fees may be paid for by IRS, if approved by the employees management.

10.8.60.13  (06-01-2009)
Hosting Non IRS Agencies for Disaster Recovery

  1. IRS allows, and currently has, a number of existing DR/Business Resumption/Continuity of Operations Plan agreements in place with other federal government agencies, allowing them to house DR equipment within IRS facilities.

  2. A Memorandum of Understanding (MOU) must be prepared, that specifically outlines the IRS and the other Agency's responsibilities.

  3. For information regarding the hosting of Non-IRS Agencies, contact the appropriate Real Estate & Facilities Management team.

  4. The ITDRO has no regulatory control or responsibility for the hosting of Non-IRS Agency equipment or staff within IRS space.

10.8.60.14  (06-01-2009)
Deviations/Deviation Requests

  1. See IRM 10.8.1 Information Technology (IT) Security, Policy and Guidance, Section 10.8.1.6 for deviation requirements.

  2. See the Deviation Web Page located at: http://mits.web.irs.gov/cybersecurity/Policy_Compliance/deviation_process.htm for access to the Deviation SOP, Security Requirements Deviation Request, Form 13125, and instructions on requesting deviations.

Exhibit 10.8.60-1  (06-01-2009)
Glossary of Key Terms

These tables contain significant DR Program terms and their definitions.

Term/Word Definition
Backup: The process of duplicating and storing the files and programs of an IT system on another medium or device to facilitate complete restoration of the system and its data following a disruption.
Business Continuity: Business Continuity is a collection of strategies and specialized plans that ensures a local IRS site can continue to manage efficiently and operate optimally in response to an impending/actual incident without significant impact to overall IRS client services.
Business Continuity Plan (BCP): The documentation of a predetermined set of instructions and procedures (strategies) that describe how an organization’s business functions will be sustained during and after a significant disruption.
IT Business Impact Analysis (IT BIA): The steps taken to understand the critical processes of the business and the maximum time the business can operate without those critical processes.
Business Recovery/Resumption Plan (BRP): The documentation of a predetermined set of instructions or procedures (strategies) that describe how business processes will be restored after a significant disruption has occurred.
Continuity of Operations Plan (COOP): The COOP focuses on restoring an organization’s (usually a headquarters element) essential functions at an alternate site performing those functions for up to 30 days before returning to normal operations. Because a COOP addresses headquarters-level issues, it is developed and executed independently from the business continuity plan. Standard elements of a COOP include Delegation of Authority statements, Orders of Succession, and Vital Records and Databases. Minor disruptions that do not require relocation to an alternate site are typically not addressed. However, the COOP may include the business continuity plan, business resumption plan, and disaster recovery plan as appendices.
Contingency Planning: The process of developing advanced arrangements and procedures that enable an organization to respond to an undesired event that negatively impacts the organization.
Continuity of Support Plan/IT Contingency Plan: OMB Circular A-130, Appendix III, requires the development and maintenance of continuity of support plans for general support systems and contingency plans for major applications. Because an IT contingency plan should be developed for each major application and general support system, multiple contingency plans may be maintained within the organization’s business continuity plan.
Components Information System components include, but are not limited to, mainframes, servers, workstations, network components, operating systems, middleware, and applications. Information system components are either purchased commercially off-the-shelf or are custom-developed.
Critical Business Process (CBP): IRS business processes (also referred to as "Global Priorities" ) defined by the IRS Business Units that are the most critical to the tax administration mission of the IRS and the Federal Government.
Disaster Recovery: The ability of an organization to respond to a disaster or an interruption in services by implementing a disaster recovery plan to stabilize and restore the organization’s critical functions.
Disaster Recovery Plan (DRP): A document created and maintained by MITS or any information technology service provider that defines the resources, roles, responsibilities, actions, tasks, and the steps required, down to a key step level, to restore an IT system to its full operational status at the current or alternate facility after a disruption.
Disaster Recovery Capability Analysis Report: An analysis of the IRS’s Disaster Recovery capability, identifying IT systems that are certified and accredited, have DRPs, have tested DRPs, and are backed up.
Exercise A people-focused activity designed to execute one or more portions of a business continuity plan and evaluate the performance against approved standards or objectives. Through the exercise, validate the viability of one or more aspects of a Business Resumption Plan, Disaster Recovery Plan or IT Contingency Plan.
Federal Information Security Management Act of 2002 (FISMA): FISMA amends Chapter 35 of title 44, United States Code, adding a new sub chapter: ‘‘SUBCHAPTER III — INFORMATION SECURITY which provides additional security requirements on Federal Agencies.
FISMA Master Inventory: A record of IRS General Support Systems, Major Applications, and other applications as defined by FISMA guidelines
Functional Exercise Functional exercises are more extensive than tabletops, requiring the event to be simulated. Functional exercises include simulations and war gaming. Often, scripts are written out for role players pretending to be external organization contacts, or there may be actual interagency and vendor participation. A functional exercise might include actual relocation to the alternate site and/or system cut over.
Information Technology Contingency Plan (ITCP): Documents created and maintained by MITS, Cybersecurity and system owners that define the resources, roles, responsibilities, and procedures for recovering IT applications and General Support Systems (GSS) after a disruption.
Keystroke Recovery (KR): Detailed step-by-step instructions, including keystroke-by-keystroke details, to restore an IT system to its full operational status following a disruption.
Major IT System: An application that requires special attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application. (OMB Circular A-130, Appendix III) The major IT systems are part of the FISMA Master Inventory.
Minor IT System: An application, other than a major application, that requires attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application. Minor applications are typically included as part of a general support system. (OMB Circular A-130, Appendix III) The minor IT systems are part of the FISMA Master Inventory.
Recovery Point Objective (RPO): The point in time to which systems and data must be recovered after an outage. (e.g. end of previous day’s processing). RPOs are often used as the basis for the development of backup strategies, and as a determinant of the amount of data that may need to be recreated after the systems or functions have been recovered.
Recovery Time Objective (RTO): The period of time within which systems, applications, or functions must be recovered after an outage (e.g. one business day). RTOs are often used as the basis for the development of recovery strategies, and as a determinant as to whether or not to implement the recovery strategies during a disaster situation. SIMILAR TERMS: Maximum Allowable Outage (MAO)
Risk Analysis/Assessment Process of identifying risks/vulnerabilities to an organization, assessing critical functions necessary to continue business operations; defining controls in place to reduce exposure to risk; and evaluating cost for such controls.
Scenario A sequential, narrative account of a hypothetical incident that provides the catalyst for the exercise and is intended to introduce situations that will inspire responses and thus allow demonstration of the exercise objectives.
Situation Awareness Management Center (SAMC): Receives, manages, and escalates advisories and alerts of physical and cyber events from across the IRS. The SAMC is a 24/7 operation.
Single Point of Failure (SPOF): Identified within the critical business processes (CBP) using the following criteria: [Location: A CBP is conducted in only one location]; [IT Systems: IT system located in only one location]; [Unique Employee Skills: A CBP relies on a small set of people with unique knowledge, skills or abilities]; [Third Parties/Vendors: A CBP depends on a third party to complete the process]; [Vital Records: a CBP depends on paper (non-electronic) vital records to complete the process].
Tabletop Exercise A discussion-based exercise where personnel with roles and responsibilities in a particular plan ( ITCP, DRP or BRP) meet to validate the content of the plan in the context of a particular emergency situation.
Vital Records: Records in either electronic or non-electronic format that are needed to meet operational responsibilities and perform essential functions under national security emergencies and/or disaster conditions; and protect the legal and financial rights of the Government and those affected by the Government. Examples of vital records include the continuity of operations plan and other emergency plans and directives, staffing assignments, policy documents, selected program records, contracting and acquisition files, personnel files, insurance files, orders of succession, delegations of authority, and contact information.

Acronym/Abbreviation Word/Meaning
BCP Business Continuity Plan
BRP Business Recovery/Resumption Plan
BRS Business Resumption Strategy
CBP Critical Business Process
COOP Continuity of Operations Plan
DRP Disaster Recovery Plan/ Detailed Recovery Plan
DRWG Disaster Recovery Working Group
FISMA Federal Information Security Management Act
MAO Maximum Allowable Outage
MITS Modernization and Information Technology Services
NIST National Institute of Standards and Technology
OMB Office of Management and Budget
RPO Recovery Point Objective
RTO Recovery Time Objective
SAMC Situation Awareness Management Center
SPOF Single Point of Failure
VROM Very Rough Order of Magnitude

Exhibit 10.8.60-2  (06-01-2009)
References

The following sites provide additional references in support of the Disaster Recovery Program.

  • E-Government Act of 2002 (Public Law 107-347), December 2002

  • FIPS 200 - Minimum Security Requirements for Federal Information and Information Systems

  • Federal Information Security Management Act of 2002 (Public Law 107-347, Title III), December 2002. (FISMA)

  • Information Technology Management Reform Act of 1996 (Public Law 104-106), August 1996

  • National Institute of Standards and Technology Special Publication (SP) 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems

  • National Institute of Standards and Technology Special Publication (SP) 800-34, Contingency Planning Guide for Information Technology Systems

  • National Institute of Standards and Technology Special Publication (SP) 800-35, Guide to Information Technology Services

  • National Institute of Standards and Technology Special Publication (SP) 800-84, Test, Training, and Exercise Programs for IT Plans and Capabilities

  • Office of Management and Budget, Circular A-130, Transmittal Memorandum #4, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources, November 2000.

Exhibit 10.8.60-3  (06-01-2009)
IRM 10.8.60 Change Log

Pub Version Work Version Date Reason for Change Changed by
         
         
         
         
         
         
         
         
         
         
         
         
         

More Internal Revenue Manual