[PDF] Publication 1075 - Tax Information Security Guidelines






Publication 1075

Tax Information Security Guidelines

For Federal, State and Local Agencies

Safeguards for Protecting Federal Tax Returns and Return Information

IRS Mission Statement

Provide America's taxpayers top-quality service by helping them understand and meet their tax responsibilities and enforce the law with integrity and fairness to all.

Office of Safeguards Mission Statement

The Mission of Safeguards is to promote taxpayer confidence in the integrity of the tax system by ensuring the confidentiality of IRS information provided to federal, state, and local agencies. Safeguards verifies compliance with Internal Revenue Code (IRC) § 6103(p)(4) safeguard requirements through the identification and mitigation of any risk of loss, breach or misuse of Federal Tax Information (FTI) held by external government agencies.

Office of Safeguards Vision Statement

To serve as a trusted advisor to our Partners, ensuring they have full understanding and insight into FTI requirements and their risk profile, obtain consistent and timely guidance from a "single voice" and receive service and support that is aligned to their risk profile. We will drive the customer experience and FTI compliance via a collaborative and empowered culture and a cross-trained workforce that is built around a risk-based operating model that integrates infrastructure and processes to enable efficient and effective operations.

Contents

IRS Mission Statement ________________________________________ 2

Office of Safeguards Mission Statement ________________________ 2

Office of Safeguards Vision Statement _________________________ 2

Highlights for November 2021 Revision _________________________ 12

Security and Privacy Control Table ____________________________ 17

INTRODUCTION __________________________________________________ 23

Overview of Publication 10

SAFEGUARD RESOURCES ___________________________________________ 24

Safeguards Website ____________________________________________ 24

Safeguards Mailbox ____________________________________________ 25

KEY DEFINITIONS _______________________________________________ 25

Federal Tax Information _______________________________________ 25

Return and Return Information _________________________________ 26

Personally Identifiable Information (PII) _____________________ 26

Information Received from Taxpayers or Third Parties __________ 27

Access ________________________________________________________ 27

Cloud Computing _______________________________________________ 27

Inadvertent Access ____________________________________________ 27

Inadvertent Disclosure ________________________________________ 27

Incidental Access _____________________________________________ 27

Unauthorized Access ___________________________________________ 27

Unauthorized Disclosure _______________________________________ 28

Need-to-Know __________________________________________________ 28

Adverse Action ________________________________________________ 28

Disciplinary Action ___________________________________________ 28

Personnel Sanction ____________________________________________ 28

1.0 FEDERAL TAX INFORMATION, REVIEWS and OTHER REQUIREMENTS____29

1.1 General _________________________________________________________ 29

1.2 Authorized Use of FTI _____________________________________________ 29

1.3 Secure Data Transfer ______________________________________________ 30

1.4 State Tax Agency Limitations _______________________________________ 30


1.5 Coordinating Safeguards within an Agency ___________________________ 31

1.6 Safeguard Reviews _______________________________________________ 31

1.6.1 Before the Review _____________________________________________________31

1.6.2 During the Review _____________________________________________________32

1.6.3 After the Review ______________________________________________________32

1.7 Termination of FTI ________________________________________________ 33

1.7.1 Agency Request ______________________________________________________33

1.7.1.1 Termination Documentation _______________________________________________ 33

1.7.1.2 Archiving FTI Procedure __________________________________________________ 34

1.7.2 FTI Suspension, Termination and Administrative Review_______________________34

1.8 Reporting Improper Inspections or Disclosures ________________________ 34

1.8.1 Terms ______________________________________________________________34

1.8.1.1 Data Incident ____________________________________________________________ 34

1.8.1.2 Data Breach _____________________________________________________________ 35

1.8.2 General _____________________________________________________________35

1.8.3 Office of Safeguards Notification Process___________________________________36

1.8.4 Incident Response Procedures ___________________________________________37

1.8.5 Incident Response Notification to Impacted Individuals ________________37

1.9 Disclosure to Other Persons________________________________________38

1.9.1 General _____________________________________________________38

1.9.2 Authorized Disclosure Precautions ________________________________________38

1.9.3 External Personnel Security _____________________________________________38

1.9.4 Disclosing FTI to Contractors or Sub

1.9.5 Re-Disclosure Agreements ______________________________________________40

1.10 Return Information in Statistical Reports ____________________________ 40

1.10.1 General ____________________________________________________________40

1.10.2 Making a Request under IRC § 6103(j)____________________________________41

1.10.3 State Tax Agency Statistical Analysis _____________________________________41

2.0 PHYSICAL SECURITY REQUIREMENTS ______________________________ 42

2.A Recordkeeping Requirement - IRC § 6103(p)(4)(A) _____________________ 42

2.A.1 General _____________________________________________________________42

2.A.2 Logs of FTI (Electronic and Non-Electronic Receipts) _________________________42

Figure 1 - Sample FTI Logs__________________________________________________43

2.A.3 Converted Media______________________________________________________43

2.A.4 Recordkeeping of Disclosures to State Auditors______________________________43

2.B Secure Storage - IRC § 6103(p)(4)(B) ________________________________ 43


2.B.1 General _____________________________________________________________43

2.B.2 Minimum Protection Standards___________________________________________44

Table 1 - Minimum Protection Standards _______________________________________44

2.B.3 Restricted Area Access_________________________________________________45

2.B.3.1 Visitor Access Logs ______________________________________________________ 45

Figure 2 - Visitor Access Log ____________________________________________________ 46

2.B.3.2 Authorized Access List ___________________________________________________ 46

2.B.3.3 Controlling Access to Areas Containing FTI__________________________________ 47

2.B.3.4 Control and Safeguarding Keys and Combinations ____________________________ 47

2.B.3.5 Locking Systems for Secured Areas ________________________________________ 48

2.B.4 FTI in Transit_________________________________________________________48

2.B.4.1 Security During Office Moves ______________________________________________ 48

2.B.5 Physical Security of Computers, Electronic and Removable Media _______________48

2.B.6 Media Off-Site Storage Requirements _____________________________________49

2.B.7 Alternate Work Site ____________________________________________________49

2.B.7.1 Equipment ______________________________________________________________ 49

2.B.7.2 Storing Data ____________________________________________________________ 50

2.B.7.3 Other Safeguards ________________________________________________________ 50

2.C Restricting Access - IRC § 6103(p)(4)(C) _____________________________ 50

2.C.1 General _____________________________________________________________50

2.C.2 Policies and Procedures ________________________________________________51

2.C.3 Background Investigation Minimum Requirements ___________________________53

2.C.3.1 Background Investigation Requirement Implementation _______________________ 54

2.C.4 Personnel Actions_____________________________________________________54

2.C.4.1 Personnel Transfer_______________________________________________________ 54

2.C.4.2 Personnel Sanctions _____________________________________________________ 55

2.C.4.3 Personnel Termination____________________________________________________ 55

2.C.5 Commingling of FTI ___________________________________________________55

2.C.5.1 Commingling of Electronic Media __________________________________________ 56

2.C.6 Access to FTI via State Tax Files or Through Other Agencies___________________56

2.C.7 Offshore Operations ___________________________________________________57

2.C.8 Controls Over Processing_______________________________________________57

2.C.8.1 Agency-owned and Operated Facility _______________________________________ 57

2.C.8.2 Agency, Contractor or Sub-Contractor Shared Facilities _______________________ 57

2.C.9 Service Level Agreements (SLA) _________________________________________58

2.C.10 Review Availability of Contractor and Sub-Contractor Facilities_________________59

2.C.11 Restricting Access - Other Disclosures ___________________________________59

2.C.11.1 Child Support Agencies - IRC §§ 6103(l)(6), (l)(8) and (l)(10)____________________ 59

2.C.11.2 Human Services Agencies - IRC § 6103(l)(7)_________________________________ 60

2.C.11.3 Deficit Reduction Agencies - IRC § 6103(l)(10) _______________________________ 60

2.C.11.4 Centers for Medicare and Medicaid Services - IRC § 6103(l)(12)(C) ______________ 60

2.C.11.5 Disclosures under IRC § 6103(l)(20) ________________________________________ 60

2.C.11.6 Disclosures under IRC § 6103(l)(21) ________________________________________ 60

2.C.11.7 Disclosures under IRC § 6103(i) ___________________________________________ 61


2.C.11.8 Disclosures under IRC § 6103(m)(2)________________________________________ 61

2.D Other Safeguards -IRC § 6103(p)(4)(D) _______________________________ 61

2.D.1 General _____________________________________________________________61

2.D.2 Training Requirements _________________________________________________61

Table 2 - Training Requirements _________________________________________________ 62

2.D.2.1 Disclosure Awareness Training ____________________________________________ 62

2.D.2.2 Disclosure Awareness Training Products ____________________________________ 64

2.D.3 Internal Inspections and On-Site Reviews __________________________________64

2.D.4 Recordkeeping____________________________________________________________ 65

2.D.5 Secure Storage ___________________________________________________________ 65

2.D.6 Limited Access ___________________________________________________________ 65

2.D.7 Disposal _________________________________________________________________ 66

2.D.8 Computer Systems Security ________________________________________________ 66

2.D.9 Plan of Action and Milestones (POA&M) ______________________________________ 66

2.E Reporting Requirements - IRC § 6103(p)(4)(E) _________________________ 66

2.E.1 General _____________________________________________________________66

2.E.2 Report Submission Instructions __________________________________________66

2.E.3 Encryption Requirements _______________________________________________67

2.E.4 Safeguards Security Reports (SSR) _______________________________________67

2.E.4.1 Initial SSR Submission Instructions - New Agency Responsibilities _____________ 68

Table 3 - SSR Evidentiary Documentation ______________________________________69

2.E.4.2 Agencies Requesting New FTI Data Streams _________________________________ 71

2.E.4.3 Annual SSR Update Submission Instructions_________________________________ 72

2.E.4.4 SSR Submission Dates ___________________________________________________ 72

Table 4 - SSR Submission Dates__________________________________________________ 73

2.E.5 Corrective Action Plan _________________________________________________73

2.E.5.1 CAP Submission Instructions ______________________________________________ 74

2.E.5.2 CAP Submission Dates ___________________________________________________ 75

Table 5 - CAP Submission Dates _________________________________________________ 75

2.E.6 Notification Reporting Requirements ______________________________________76

Table 6 - Notification Reporting __________________________________________________ 76

2.E.6.1 Cloud Computing ________________________________________________________ 76

2.E.6.2 Contractor or Sub-Contractor Access _______________________________________ 77

2.E.6.3 Tax Modeling____________________________________________________________ 77

2.E.6.4 Live Data Testing ________________________________________________________ 77

2.F Disposing of FTI - IRC § 6103(p)(4)(F) ________________________________ 77

2.F.1 General _____________________________________________________________77

2.F.2 Returning IRS Information to the Source ___________________________________78

2.F.3 Destruction and Disposal _______________________________________________78

Table 7 - FTI Destruction Methods ________________________________________________ 78

2.F.3.1 Media Sanitization________________________________________________________ 79

2.F.4 Other Precautions _____________________________________________________79

3.1 General_______________________________________________________________81

3.2 Assessment Process ____________________________________________________81

Table 8 - Assessment Methodologies _____________________________________________ 82

3.3 Technology-Specific Requirements _________________________________________82

3.3.1 Cloud Computing __________________________________________________________ 82

3.3.2 Email Communications _____________________________________________________ 83

3.3.3 Facsimile and Facsimile Devices _____________________________________________ 84

3.3.4 Mobile Devices ____________________________________________________________ 85

3.3.5 Multifunction Devices (MFDs) and High-Volume Printers (HVPs) __________________ 85

3.3.6 Network Boundary and Infrastructure _________________________________________ 85

3.3.7 Virtual Desktop Infrastructure _______________________________________________ 86

3.3.8 Public-Facing Systems _____________________________________________________ 86

4.0 NIST 800-53 SECURITY AND PRIVACY CONTROLS _____________________ 88

4.1 ACCESS CONTROL ____________________________________________________88

AC-1: Access Control Policy and Procedures _______________________________________ 88

AC-2: Account Management ______________________________________________________ 88

AC-3: Access Enforcement _______________________________________________________ 90

AC-4: Information Flow Enforcement_______________________________________________ 91

AC-5: Separation of Duties _______________________________________________________ 91

AC-6: Least Privilege ____________________________________________________________ 91

AC-7: Unsuccessful Logon Attempts ______________________________________________ 92

AC-8: System Use Notification ___________________________________________________ 93

AC-11: Device Lock_____________________________________________________________ 93

AC-12: Session Termination _____________________________________________________ 94

AC-14: Permitted Actions Without Identification or Authentication _____________________ 94

AC-17: Remote Access__________________________________________________________ 94

AC-18: Wireless Access _________________________________________________________ 95

AC-19: Access Control for Mobile Devices _________________________________________ 96

AC-20: Use of External Systems __________________________________________________ 96

AC-21: Information Sharing ______________________________________________________ 97

AC-22: Publicly Accessible Content _______________________________________________ 97

AC-23: Data Mining Protection ___________________________________________________ 98

4.2 AWARENESS AND TRAINING ____________________________________________99

AT-1: Awareness and Training Policy and Procedures _______________________________ 99

AT-2: Awareness Training _______________________________________________________ 99

AT-3: Role-Based Training______________________________________________________ 100

AT-4: Training Records ________________________________________________________ 101