Safeguarding Contract Language
Exhibit 7
Publication 1075 (October 2014)
Page 137
(9) The agency will have the right to void the contract if the contractor fails to provide
the safeguards described above.
(10) (Include any additional safeguards that may be appropriate.)
II. CRIMINAL/CIVIL SANCTIONS
(1) Each officer or employee of any person to whom returns or return information is
or may be disclosed will be notified in writing by such person that returns or
return information disclosed to such officer or employee can be used only for a
purpose and to the extent authorized herein, and that further disclosure of any
such returns or return information for a purpose or to an extent unauthorized
herein constitutes a felony punishable upon conviction by a fine of as much as
$5,000 or imprisonment for as long as 5 years, or both, together with the costs of
prosecution. Such person shall also notify each such officer and employee that
any such unauthorized further disclosure of returns or return information may
also result in an award of civil damages against the officer or employee in an
amount not less than $1,000 with respect to each instance of unauthorized
disclosure. These penalties are prescribed by IRCs 7213 and 7431 and set forth
at 26 CFR 301.6103(n)-1.
(2) Each officer or employee of any person to whom returns or return information is
or may be disclosed shall be notified in writing by such person that any return or
return information made available in any format shall be used only for the
purpose of carrying out the provisions of this contract. Information contained in
such material shall be treated as confidential and shall not be divulged or made
known in any manner to any person except as may be necessary in the
performance of the contract. Inspection by or disclosure to anyone without an
official need-to-know constitutes a criminal misdemeanor punishable upon
conviction by a fine of as much as $1,000 or imprisonment for as long as 1 year,
or both, together with the costs of prosecution. Such person shall also notify each
such officer and employee that any such unauthorized inspection or disclosure of
returns or return information may also result in an award of civil damages against
the officer or employee [United States for Federal employees] in an amount
equal to the sum of the greater of $1,000 for each act of unauthorized inspection
or disclosure with respect to which such defendant is found liable or the sum of
the actual damages sustained by the plaintiff as a result of such unauthorized
inspection or disclosure plus in the case of a willful inspection or disclosure which
is the result of gross negligence, punitive damages, plus the costs of the action.
These penalties are prescribed by IRC 7213A and 7431.
(3) Additionally, it is incumbent upon the contractor to inform its officers and
employees of the penalties for improper disclosure imposed by the Privacy Act of
1974, 5 U.S.C. 552a. Specifically, 5 U.S.C. 552a(i)(1), which is made applicable
to contractors by 5 U.S.C. 552a(m)(1), provides that any officer or employee of a
contractor, who by virtue of his/her employment or official position, has
possession of or access to agency records which contain individually identifiable
information, the disclosure of which is prohibited by the Privacy Act or regulations
established thereunder, and who knowing that disclosure of the specific material
is prohibited, willfully discloses the material in any manner to any person or
agency not entitled to receive it, shall be guilty of a misdemeanor and fined not
more than $5,000.
(4) Granting a contractor access to FTI must be preceded by certifying that each
individual understands the agency’s security policy and procedures for
safeguarding IRS information. Contractors must maintain their authorization to
access FTI through annual recertification. The initial certification and
recertification must be documented and placed in the agency's files for review.
As part of the certification and at least annually afterwards, contractors must be
advised of the provisions of IRCs 7431, 7213, and 7213A (see Exhibit 4,
Sanctions for Unauthorized Disclosure, and Exhibit 5, Civil Damages for
Unauthorized Disclosure). The training provided before the initial certification and
annually thereafter must also cover the incident response policy and procedure
for reporting unauthorized disclosures and data breaches. (See Section 10) For
both the initial certification and the annual certification, the contractor must sign,
either with ink or electronic signature, a confidentiality statement certifying their
understanding of the security requirements.
III. INSPECTION
The IRS and the Agency shall have the right to send its officers and employees into the
offices and plants of the contractor for inspection of the facilities and operations
provided for the performance of any work under this contract. On the basis of such
inspection, specific measures may be required in cases where the contractor is found to
be noncompliant with contract safeguards.
Exhibit 8 Warning Banner Examples
A warning banner is required when access is provided to any information system that
receives, processes, stores, or transmits FTI. The following elements, as explained in
Section 9.3.1.8, System Use Notification (AC-8), must be contained within the warning
banner: (i) the system contains U.S. Government information, (ii) user actions are
monitored and audited, (iii) unauthorized use of the system is prohibited, and (iv)
unauthorized use of the system is subject to criminal and civil sanctions.
The following warning banners are acceptable examples for use by agencies.
WARNING
This system may contain U.S. Government information, which is restricted to authorized
users ONLY. Unauthorized access, use, misuse, or modification of this computer
system or of the data contained herein or in transit to/from this system constitutes a
violation of Title 18, United States Code, Section 1030, and may subject the individual
to criminal and civil penalties pursuant to Title 26, United States Code, Sections 7213,
7213A (the Taxpayer Browsing Protection Act), and 7431. This system and equipment
are subject to monitoring to ensure proper performance of applicable security features
or procedures. Such monitoring may result in the acquisition, recording, and analysis of
all data being communicated, transmitted, processed, or stored in this system by a user.
If monitoring reveals possible evidence of criminal activity, such evidence may be
provided to Law Enforcement Personnel.
ANYONE USING THIS SYSTEM EXPRESSLY CONSENTS TO SUCH MONITORING.
The following two banners are approved by the Department of Justice for systems that
have limited space for the warning banner.
WARNING! BY ACCESSING AND USING THIS GOVERNMENT COMPUTER
SYSTEM, YOU ARE CONSENTING TO SYSTEM MONITORING FOR LAW
ENFORCEMENT AND OTHER PURPOSES. UNAUTHORIZED USE OF, OR ACCESS
TO, THIS COMPUTER SYSTEM MAY SUBJECT YOU TO CRIMINAL PROSECUTION
AND PENALTIES.
WARNING! THIS SYSTEM CONTAINS U.S. GOVERNMENT INFORMATION. BY
ACCESSING AND USING THIS COMPUTER SYSTEM, YOU ARE CONSENTING TO
SYSTEM MONITORING FOR LAW ENFORCEMENT AND OTHER PURPOSES.
UNAUTHORIZED USE OF, OR ACCESS TO, THIS COMPUTER SYSTEM MAY
SUBJECT YOU TO STATE AND FEDERAL CRIMINAL PROSECUTION AND
PENALTIES AS WELL AS CIVIL PENALTIES.
Exhibit 9 Record Retention Schedules
The Office of Safeguards requires the retention of FTI logs only. FTI should be
destroyed after use or according to the agency record retention schedule.
Table 10 – Record Retention Schedules

| Document Type | Required Document Elements | Retention Schedule |
|---|---|---|
| Electronic and Non-Electronic FTI Logs (Section 3.2) | Taxpayer name; tax year(s); type of information (e.g., revenue agent reports, Form 1040, work papers); reason for request; date requested; date received; exact location of FTI; person(s) with access to the data; and date and method of disposition, if disposed of | 5 years |
| Converted Media (Section 3.2) | Requirements listed for FTI in its current form (electronic or non-electronic) | 5 years |
| State Auditor Disclosures (Section 3.4) | Approximate number of records, date of inspection, description of records, name of individual making inspection | 5 years |
| Visitor Access Logs (Section 4.3.1) | Name and organization of visitor; signature of visitor; form of identification; date of access; time of entry and departure; purpose of visit; name and organization of person visited | 5 years |
| Disclosure Awareness Certification (Section 6.3) | Signed disclosure awareness confidentiality statement that certifies understanding of FTI security requirements | 5 years |
| Internal Inspections (Section 6.4) | Internal inspections covering: record keeping; secure storage; disposal; limited access; computer systems security; POA&M | 3 years |
| Audit Trail Logs (Section 9.3.3.11) | See Section 9.3.3.2, Audit Events (AU-2); see Section 9.3.3.4 | 7 years |
Exhibit 10 Data Warehouse Security Requirements
When an agency implements a data warehouse, the agency must provide written
notification to the Office of Safeguards, identifying the security controls, including FTI
identification and auditing within the data warehouse. The written notification shall be
sent using SDT or to the SafeguardReports@irs.gov mailbox at least 45 days before
implementation. In addition, implementation of a data warehouse constitutes a
significant change under Section 7.2, triggering the requirement for the submission of a
new SSR.
Purpose
The purpose of this document is to provide an overview of data warehousing and data
storage concepts and to define the security requirements necessary to protect these
environments. Although some security controls may replicate those contained in this
publication, such redundancy is necessary so that Exhibit 10 can be used as a stand-
alone document. As a rule, all requirements contained within the main text of this
publication also apply to any data warehousing environments used by federal, state, or
local agencies when these environments incorporate FTI. These requirements also apply
to authorized representatives, agents, or contractors with access to FTI.
This document is intended to describe the controls that are specific to data
warehousing-type environments. As the term data warehousing is used, the concepts
are applied to all complex data environments, including data warehousing, data mining,
and data marts.
Audience
This document is intended for federal, state, and local agencies, as well as authorized
representatives, agents, or contractors with access to FTI. The document is to be used
as a planning document and is intended to support the development and deployment of
data warehousing architectures, as well as architectures of a similar environment, such
as data marts.
Background
A data warehouse is a structure that is designed to distribute data from multiple arenas
to the primary enterprise system. A data mart is a structure designed for access, which
is used to facilitate client user support. A data warehouse receives, collects, extracts,
transforms, transports, and loads data for a distribution to various data marts.
In the context of FTI within agencies, the data warehouse stores data sets, which
contain specific taxpayer information as well as summary information and historical
data.
A data warehouse is structured to separate analysis from transaction work and allows a
large amount of data to be consolidated from several sources. The security controls
used for operational enterprise systems remain the same and apply to a data warehouse as well.
In a data warehouse, the scope of security changes with respect to the different
dimensions of data management. Information enters a data warehouse through a
staging area where it goes through a process of extraction, transformation, and loading.
This process is referred to as ETL. In addition, a data warehouse is operated by query
or a search engine tool. Through the use of end-to-end security, the data warehouse
ensures the confidentiality, privacy, and integrity of FTI. The security of the data
warehouse must include all aspects of the warehouse, including hardware, software,
data transport, and data storage.
Data Warehousing Implications
FTI placed in a data warehouse environment may be used only for “tax administration”
purposes or for other authorized purposes defined within this publication. As part of the
data warehouse, FTI data must retain its identity as FTI to the data element level (i.e., it
must be obvious that the IRS is the source of the data). Whenever calculations or data
manipulations are performed that could commingle FTI with any other data, the access
to FTI must be restricted to agency staff with a need-to-know and their contractors or
agents as authorized by law. This requirement is defined in the primary publication but
is reinforced here for clarification.
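As an added illustration (not code from Publication 1075 or from any IRS or agency system) of the two requirements above: every data element carries the labels of the sources it derives from, any calculation that touches an IRS-sourced element produces a result that is still labelled FTI, and release of an FTI-labelled element is gated on need-to-know. The `Element`, `User`, `release` names, the `IRS_SOURCE` label and the sample values are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet

# Label that marks a data element as Federal Tax Information. Assumption: the
# warehouse tags every element with the system it came from at load time.
IRS_SOURCE = "IRS"


@dataclass(frozen=True)
class Element:
    """One data element together with the set of sources it derives from."""
    value: float
    sources: FrozenSet[str]

    @property
    def is_fti(self) -> bool:
        # An element is FTI if the IRS is among its sources, no matter how many
        # calculations it has passed through (identity kept at element level).
        return IRS_SOURCE in self.sources

    def combine(self, other: "Element", op: Callable[[float, float], float]) -> "Element":
        # A calculation over two elements unions their source labels, so a
        # commingled result cannot silently lose its FTI identity.
        return Element(op(self.value, other.value), self.sources | other.sources)


def fti_element(value: float) -> Element:
    return Element(value, frozenset({IRS_SOURCE}))


def agency_element(value: float, source: str) -> Element:
    return Element(value, frozenset({source}))


@dataclass(frozen=True)
class User:
    name: str
    fti_need_to_know: bool  # assumption: set by the agency's role assignment


def can_release(user: User, element: Element) -> bool:
    """Non-FTI elements fall under agency policy only; FTI needs a need-to-know."""
    return (not element.is_fti) or user.fti_need_to_know


def release(user: User, element: Element) -> float:
    """Return the value or refuse; a refusal is an event the audit trail should record."""
    if not can_release(user, element):
        raise PermissionError(f"{user.name} lacks FTI need-to-know")
    return element.value


def demo() -> dict:
    # Constructed sample values, not real taxpayer data.
    agi = fti_element(52000.0)                          # from a Form 1040, IRS source
    state_wages = agency_element(48000.0, "STATE_DOR")  # state-sourced, not FTI
    gap = agi.combine(state_wages, lambda a, b: a - b)  # commingled: the result is FTI
    analyst = User("analyst", fti_need_to_know=True)
    clerk = User("clerk", fti_need_to_know=False)
    return {
        "gap_is_fti": gap.is_fti,
        "clerk_sees_state_wages": can_release(clerk, state_wages),
        "clerk_sees_gap": can_release(clerk, gap),
        "analyst_gap": release(analyst, gap),
    }


if __name__ == "__main__":
    print(demo())
```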
Security
Security controls for data warehousing concepts are derived from NIST SP 800-53,
Recommended Security Controls for Federal Information Systems. These controls
address the areas of management, operational, and technical controls.
When all controls are implemented and managed, these controls provide effective
safeguards for the confidentiality, integrity, reliability, and availability of the data. For this
document, the defined controls have been mapped to the classes and families of the
NIST SP 800-53 to allow technical personnel to easily review NIST controls and
understand how these apply to security environments.
The next sections define specific and unique controls related to data warehousing
environments. If no additional controls are required, the sections identify this fact.
Management Controls
The following section identifies high-level management controls that shall be used within
a data warehousing environment.
Risk Assessment
The agency shall have a risk management program in place to ensure that each aspect
of the data warehouse is assessed for risk. Any risk documents shall identify and
document all vulnerabilities associated with the data warehousing environment.
Planning
Planning is crucial to the development of a new environment. A security plan shall be in
place to address organizational policies, security testing, rules of behavior, contingency
plans, architecture and network diagrams, and requirements for security reviews.
Although such a security plan will provide planning guidelines, it does not replace
requirements documents, which contain specific details and procedures for security
operations.
Policies and procedures are required to define how activities and day-to-day procedures
will occur. They contain the specific policies, relevant to all of the security disciplines
covered in this document. Because they relate to data warehousing, any data
warehousing documents can be integrated into overall security procedures. A section
shall be dedicated to the data warehouses to define the controls specific to that
environment.
The agency must develop policies and procedures to document all existing business
processes. The agency must ensure that roles are identified for the organization and
develop responsibilities for the roles.
Within the security planning and policies, the purpose or function of the warehouse shall
be defined. The business process shall include a detailed definition of configurations
and the functions of the hardware and software involved. In general, the planning shall
define any unique issues related to data warehousing.
The agency must define how “legacy system data” will be brought into the data
warehouse and how the legacy data that is FTI will be cleansed for the ETL
transformation process.
The policy shall ensure that FTI will not be subject to public disclosure. Only authorized
users with a demonstrated need-to-know can query FTI data within the data warehouse.
System and Services Acquisition
Acquisition security needs to be explored. Because FTI is used within data warehousing
environments, it is important that the services and acquisitions have adequate security
in place, including the capacity to block information to contractors in cases in which they
are not authorized to access FTI.
Certification, Accreditation, and Security Assessments
Certification, accreditation, and security and risk assessments are accepted best
practices used to ensure that appropriate levels of control exist, that they are being
managed, and that they are compliant with all federal and state laws or statutes.
State and local agencies shall develop a process or policy to ensure that data
warehousing security meets the baseline security requirements defined in the current
revision of NIST SP 800-53. The process or policy must contain the methodology used
by the state or local agency to inform management, define accountability, and address
known security vulnerabilities. Risk assessments must follow the guidelines provided in
NIST Publication 800-30, Risk Management Guide for Information Technology Systems.
Operational Controls
The following section identifies high-level operational controls that shall be used within a
data warehousing environment.
Personnel Security
Personnel clearances may vary from agency to agency. As a rule,
personnel with access to FTI shall have a completed background investigation. In
addition, when a staff member has administrator access to the entire set of FTI records,
additional background checks may be determined to be necessary. All staff that interact
with data warehouse and data mart resources are subject to background investigations
to ensure their trustworthiness, suitability, and work role need-to-know. Access to these
resources must be authorized by operational supervisors, granted by the resource
owners, and audited by internal security auditors.
Physical Security and Environmental Protection
There are no additional physical security controls for a data warehousing environment.
However, the physical security requirements throughout this publication apply to the
physical location that hosts the data warehouse hardware.
Contingency Planning
Online data resources shall be provided adequate tools for the backup, storage,
restoration, and validation of data. Agencies will ensure that the data provided is
reliable.
Both incremental and special purpose data backup procedures are required, combined
with off-site storage protections and regular test-status restoration to validate disaster
recovery and business process continuity. Standards and guidelines for these
processes are bound by agency policy and are tested and verified. Although already
addressed in this publication, the agency’s contingency plan must be evaluated to
ensure that all data resources are synchronized and restored to allow re-creation of the
data to take place.
Configuration Management
The agency shall have a process and documentation to identify and analyze how FTI is
used and how FTI is queried or targeted by end users. Parts of the system containing
FTI shall be mapped to follow the flow of the query from a client through the
authentication server to the release of the query from the database server. During the
life cycle of the data warehouse, online and architectural adjustments and changes will
occur. The agency shall document these changes and ensure that FTI always is
secured from unauthorized access or disclosure.
Maintenance
There are no unique maintenance requirements for data warehousing environments.
System and Information Integrity
There are no unique system and information integrity requirements for data
warehousing environments.
Media Protection
The agency shall have policy and procedures in place that describe the cleansing
process at the staging area and how the ETL process cleanses the FTI when it is
extracted, transformed, and loaded. In addition, the agency shall describe the process
of object reuse once FTI is replaced from data sets. IRS requires that all FTI be
removed by a random overwrite software program.
Incident Response
Intrusion-detection software shall be installed and maintained to monitor networks for
any unauthorized attempt to access tax data. The agency’s incident reporting policy and
procedures must cover the data warehousing environment as well.
Awareness and Training
The agency shall have a disclosure awareness training program in place that includes
how FTI security requirements are communicated to end users. Training shall be user-
specific to ensure that all personnel receive appropriate training for a particular job,
such as training required for administrators or auditors.
Technical Controls
The following section identifies high-level technical controls that shall be used within a
data warehousing environment.
Identification and Authentication
The agency shall configure the Web services to be authenticated before access is
granted to users via an authentication server. The Web portal and two-factor
authentication requirements in Section 9.0 apply in a data warehouse environment.
Business roles and rules shall be embedded at either the authentication level or the
application level. In either case, roles must be in place to ensure that only authorized
personnel have access to FTI information.
Authentication shall be required both at the operating system level and at the
application level, whenever the data warehousing environment is accessed.