
Publication 1075

Tax Information Security Guidelines

For Federal, State and Local Agencies

Safeguards for Protecting Federal Tax Returns and Return Information

IRS Mission Statement

Provide America's taxpayers top-quality service by helping them understand and meet their tax responsibilities and enforce the law with integrity and fairness to all.

Office of Safeguards Mission Statement

The Mission of Safeguards is to promote taxpayer confidence in the integrity of the tax system by ensuring the confidentiality of IRS information provided to federal, state, and local agencies. Safeguards verifies compliance with Internal Revenue Code (IRC) § 6103(p)(4) safeguard requirements through the identification and mitigation of any risk of loss, breach or misuse of Federal Tax Information (FTI) held by external government agencies.

Office of Safeguards Vision Statement

To serve as a trusted advisor to our Partners, ensuring they have full understanding and insight into FTI requirements and their risk profile, obtain consistent and timely guidance from a "single voice" and receive service and support that is aligned to their risk profile. We will drive the customer experience and FTI compliance via a collaborative and empowered culture and a cross-trained workforce that is built around a risk-based operating model that integrates infrastructure and processes to enable efficient and effective operations.

Contents

IRS Mission Statement ____ 2
Office of Safeguards Mission Statement ____ 2
Office of Safeguards Vision Statement ____ 2
Highlights for November 2021 Revision ____ 12
Security and Privacy Control Table ____ 17
INTRODUCTION ____ 23

Overview of Publication 10

SAFEGUARD RESOURCES ____ 24
Safeguards Website ____ 24
Safeguards Mailbox ____ 25
KEY DEFINITIONS ____ 25
Federal Tax Information ____ 25
Return and Return Information ____ 26
Personally Identifiable Information (PII) ____ 26
Information Received from Taxpayers or Third Parties ____ 27
Access ____ 27
Cloud Computing ____ 27
Inadvertent Access ____ 27
Inadvertent Disclosure ____ 27
Incidental Access ____ 27
Unauthorized Access ____ 27
Unauthorized Disclosure ____ 28
Need-to-Know ____ 28
Adverse Action ____ 28
Disciplinary Action ____ 28
Personnel Sanction ____ 28

1.0 FEDERAL TAX INFORMATION, REVIEWS and OTHER REQUIREMENTS____29

1.1 General _________________________________________________________ 29

1.2 Authorized Use of FTI _____________________________________________ 29

1.3 Secure Data Transfer ______________________________________________ 30

1.4 State Tax Agency Limitations _______________________________________ 30


1.5 Coordinating Safeguards within an Agency ___________________________ 31

1.6 Safeguard Reviews _______________________________________________ 31

1.6.1 Before the Review _____________________________________________________31

1.6.2 During the Review _____________________________________________________32

1.6.3 After the Review ______________________________________________________32

1.7 Termination of FTI ________________________________________________ 33

1.7.1 Agency Request ______________________________________________________33

1.7.1.1 Termination Documentation _______________________________________________ 33

1.7.1.2 Archiving FTI Procedure __________________________________________________ 34

1.7.2 FTI Suspension, Termination and Administrative Review_______________________34

1.8 Reporting Improper Inspections or Disclosures ________________________ 34

1.8.1 Terms ______________________________________________________________34

1.8.1.1 Data Incident ____________________________________________________________ 34

1.8.1.2 Data Breach _____________________________________________________________ 35

1.8.2 General _____________________________________________________________35

1.8.3 Office of Safeguards Notification Process___________________________________36

1.8.4 Incident Response Procedures ___________________________________________37

1.8.5 Incident Response Notification to Impacted Individuals ____ 37

1.9 Disclosure to Other Persons________________________________________38

1.9.1 General _____________________________________________________________38

1.9.2 Authorized Disclosure Precautions ________________________________________38

1.9.3 External Personnel Security _____________________________________________38

1.9.4 Disclosing FTI to Contractors or Sub-Contractors

1.9.5 Re-Disclosure Agreements ____ 40

1.10 Return Information in Statistical Reports ____________________________ 40

1.10.1 General ____________________________________________________________40

1.10.2 Making a Request under IRC § 6103(j)____________________________________41

1.10.3 State Tax Agency Statistical Analysis _____________________________________41

2.0 PHYSICAL SECURITY REQUIREMENTS ______________________________ 42

2.A Recordkeeping Requirement - IRC § 6103(p)(4)(A) _____________________ 42

2.A.1 General _____________________________________________________________42

2.A.2 Logs of FTI (Electronic and Non-Electronic Receipts) ____ 42

Figure 1 - Sample FTI Logs ____ 43

2.A.3 Converted Media______________________________________________________43

2.A.4 Recordkeeping of Disclosures to State Auditors______________________________43

2.B Secure Storage - IRC § 6103(p)(4)(B) ________________________________ 43


2.B.1 General _____________________________________________________________43

2.B.2 Minimum Protection Standards___________________________________________44

Table 1 - Minimum Protection Standards ____ 44

2.B.3 Restricted Area Access_________________________________________________45

2.B.3.1 Visitor Access Logs ______________________________________________________ 45

Figure 2 - Visitor Access Log ____________________________________________________ 46

2.B.3.2 Authorized Access List ___________________________________________________ 46

2.B.3.3 Controlling Access to Areas Containing FTI ____ 47

2.B.3.4 Control and Safeguarding Keys and Combinations ____________________________ 47

2.B.3.5 Locking Systems for Secured Areas ________________________________________ 48

2.B.4 FTI in Transit_________________________________________________________48

2.B.4.1 Security During Office Moves ______________________________________________ 48

2.B.5 Physical Security of Computers, Electronic and Removable Media _______________48

2.B.6 Media Off-Site Storage Requirements _____________________________________49

2.B.7 Alternate Work Site ____________________________________________________49

2.B.7.1 Equipment ______________________________________________________________ 49

2.B.7.2 Storing Data ____ 50

2.B.7.3 Other Safeguards ________________________________________________________ 50

2.C Restricting Access - IRC § 6103(p)(4)(C) ____ 50

2.C.1 General _____________________________________________________________50

2.C.2 Policies and Procedures ________________________________________________51

2.C.3 Background Investigation Minimum Requirements ___________________________53

2.C.3.1 Background Investigation Requirement Implementation _______________________ 54

2.C.4 Personnel Actions_____________________________________________________54

2.C.4.1 Personnel Transfer_______________________________________________________ 54

2.C.4.2 Personnel Sanctions _____________________________________________________ 55

2.C.4.3 Personnel Termination____________________________________________________ 55

2.C.5 Commingling of FTI ___________________________________________________55

2.C.5.1 Commingling of Electronic Media __________________________________________ 56

2.C.6 Access to FTI via State Tax Files or Through Other Agencies___________________56

2.C.7 Offshore Operations ___________________________________________________57

2.C.8 Controls Over Processing_______________________________________________57

2.C.8.1 Agency-owned and Operated Facility ____ 57

2.C.8.2 Agency, Contractor or Sub-Contractor Shared Facilities _______________________ 57

2.C.9 Service Level Agreements (SLA) _________________________________________58

2.C.10 Review Availability of Contractor and Sub-Contractor Facilities ____ 59

2.C.11 Restricting Access - Other Disclosures ___________________________________59

2.C.11.1 Child Support Agencies - IRC §§ 6103(l)(6), (l)(8) and (l)(10)____________________ 59

2.C.11.2 Human Services Agencies - IRC § 6103(l)(7) ____ 60

2.C.11.3 Deficit Reduction Agencies - IRC § 6103(l)(10) ____ 60

2.C.11.4 Centers for Medicare and Medicaid Services - IRC § 6103(l)(12)(C) ____ 60

2.C.11.5 Disclosures under IRC § 6103(l)(20) ________________________________________ 60

2.C.11.6 Disclosures under IRC § 6103(l)(21) ________________________________________ 60

2.C.11.7 Disclosures under IRC § 6103(i) ___________________________________________ 61


2.C.11.8 Disclosures under IRC § 6103(m)(2)________________________________________ 61

2.D Other Safeguards -IRC § 6103(p)(4)(D) _______________________________ 61

2.D.1 General _____________________________________________________________61

2.D.2 Training Requirements _________________________________________________61

Table 2 - Training Requirements _________________________________________________ 62

2.D.2.1 Disclosure Awareness Training ____________________________________________ 62

2.D.2.2 Disclosure Awareness Training Products ____________________________________ 64

2.D.3 Internal Inspections and On-Site Reviews ____ 64

2.D.4 Recordkeeping____________________________________________________________ 65

2.D.5 Secure Storage ___________________________________________________________ 65

2.D.6 Limited Access ___________________________________________________________ 65

2.D.7 Disposal _________________________________________________________________ 66

2.D.8 Computer Systems Security ________________________________________________ 66

2.D.9 Plan of Action and Milestones (POA&M) ______________________________________ 66

2.E Reporting Requirements - IRC § 6103(p)(4)(E) _________________________ 66

2.E.1 General _____________________________________________________________66

2.E.2 Report Submission Instructions __________________________________________66

2.E.3 Encryption Requirements _______________________________________________67

2.E.4 Safeguards Security Reports (SSR) _______________________________________67

2.E.4.1 Initial SSR Submission Instructions - New Agency Responsibilities _____________ 68

Table 3 - SSR Evidentiary Documentation ____ 69

2.E.4.2 Agencies Requesting New FTI Data Streams _________________________________ 71

2.E.4.3 Annual SSR Update Submission Instructions_________________________________ 72

2.E.4.4 SSR Submission Dates ___________________________________________________ 72

Table 4 - SSR Submission Dates ____ 73

2.E.5 Corrective Action Plan _________________________________________________73

2.E.5.1 CAP Submission Instructions ______________________________________________ 74

2.E.5.2 CAP Submission Dates ___________________________________________________ 75

Table 5 - CAP Submission Dates _________________________________________________ 75

2.E.6 Notification Reporting Requirements ______________________________________76

Table 6 - Notification Reporting __________________________________________________ 76

2.E.6.1 Cloud Computing ________________________________________________________ 76

2.E.6.2 Contractor or Sub-Contractor Access _______________________________________ 77

2.E.6.3 Tax Modeling____________________________________________________________ 77

2.E.6.4 Live Data Testing ________________________________________________________ 77

2.F Disposing of FTI - IRC § 6103(p)(4)(F) ________________________________ 77

2.F.1 General _____________________________________________________________77

2.F.2 Returning IRS Information to the Source ___________________________________78

2.F.3 Destruction and Disposal _______________________________________________78

Table 7 - FTI Destruction Methods ____ 78

2.F.3.1 Media Sanitization________________________________________________________ 79

2.F.4 Other Precautions ____ 79

3.1 General_______________________________________________________________81

3.2 Assessment Process ____________________________________________________81

Table 8 - Assessment Methodologies ____ 82

3.3 Technology-Specific Requirements _________________________________________82

3.3.1 Cloud Computing __________________________________________________________ 82

3.3.2 Email Communications _____________________________________________________ 83

3.3.3 Facsimile and Facsimile Devices _____________________________________________ 84

3.3.4 Mobile Devices ____________________________________________________________ 85

3.3.5 Multifunction Devices (MFDs) and High-Volume Printers (HVPs) __________________ 85

3.3.6 Network Boundary and Infrastructure _________________________________________ 85

3.3.7 Virtual Desktop Infrastructure _______________________________________________ 86

3.3.8 Public-Facing Systems ____ 86

4.0 NIST 800-53 SECURITY AND PRIVACY CONTROLS ____ 88

4.1 ACCESS CONTROL ____________________________________________________88

AC-1: Access Control Policy and Procedures ____ 88
AC-2: Account Management ____ 88
AC-3: Access Enforcement ____ 90
AC-4: Information Flow Enforcement ____ 91
AC-5: Separation of Duties ____ 91
AC-6: Least Privilege ____ 91
AC-7: Unsuccessful Logon Attempts ____ 92
AC-8: System Use Notification ____ 93
AC-11: Device Lock ____ 93
AC-12: Session Termination ____ 94
AC-14: Permitted Actions Without Identification or Authentication ____ 94
AC-17: Remote Access ____ 94
AC-18: Wireless Access ____ 95
AC-19: Access Control for Mobile Devices ____ 96
AC-20: Use of External Systems ____ 96
AC-21: Information Sharing ____ 97
AC-22: Publicly Accessible Content ____ 97
AC-23: Data Mining Protection ____ 98

4.2 AWARENESS AND TRAINING ____________________________________________99

AT-1: Awareness and Training Policy and Procedures ____ 99
AT-2: Awareness Training ____ 99
AT-3: Role-Based Training ____ 100
AT-4: Training Records ____ 101
AT-6: Training Feedback ____ 101

4.3 AUDIT AND ACCOUNTABILITY __________________________________________102

AU-1: Audit and Accountability Policy and Procedures ____ 102
AU-2: Audit Events ____ 102
AU-3: Content of Audit Records ____ 103
AU-4: Audit Storage Capacity ____ 103
AU-5: Response to Audit Processing Failures ____ 103
AU-6: Audit Review, Analysis and Reporting ____ 104
AU-7: Audit Reduction and Report Generation ____ 104
AU-8: Time Stamps ____ 105
AU-9: Protection of Audit ____ 105
AU-11: Audit Record Retention ____ 105
AU-12: Audit Generation ____ 105
AU-16: Cross-Organizational Auditing Logging ____ 106

4.4 ASSESSMENT, AUTHORIZATION AND MONITORING________________________107

CA-1: Assessment, Authorization and Monitoring Policy and Procedures ____ 107
CA-2: Control Assessments ____ 107
CA-3: Information Exchange ____ 108
CA-5: Plan of Action and Milestones ____ 108
CA-6: Authorization ____ 109
CA-7: Continuous Monitoring ____ 109
CA-8: Penetration Testing ____ 110
CA-9: Internal System Connections ____ 110

4.5 CONFIGURATION MANAGEMENT _______________________________________112

CM-1: Configuration Management Policy and Procedures ____ 112
CM-2: Baseline Configuration ____ 112
CM-3: Configuration Change Control ____ 113
CM-4: Security and Privacy Impact Analyses ____ 114
CM-5: Access Restrictions for Change ____ 114
CM-6: Configuration Settings ____ 115
CM-7: Least Functionality ____ 115
CM-8: System Component Inventory ____ 116
CM-9: Configuration Management Plan ____ 117
CM-10: Software Usage Restrictions ____ 117
CM-11: User-Installed Software ____ 118
CM-12: Information Location ____ 118
CM-13: Data Action Mapping ____ 118
CM-14: Signed Components ____ 118

4.6 CONTINGENCY PLANNING _____________________________________________119

CP-1: Contingency Planning Policy and Procedures ____ 119
CP-2: Contingency Plan ____ 119
CP-3: Contingency Training ____ 120
CP-4: Contingency Plan Testing ____ 121
CP-9: System Backup ____ 121
CP-10: System Recovery and Reconstitution ____ 122

4.7 IDENTIFICATION AND AUTHENTICATION _________________________________123

IA-1: Identification and Authentication Policy and Procedures ____ 123
IA-2: Identification and Authentication (Organizational Users) ____ 123
IA-3: Device Identification and Authentication ____ 124
IA-4: Identifier Management ____ 125
IA-5: Authenticator Management ____ 125
IA-6: Authenticator Feedback ____ 127
IA-7: Cryptographic Module Authentication ____ 128
IA-8: Identification and Authentication (Non-Organizational Users) ____ 128
IA-9: Service Identification and Authentication ____ 128
IA-11: Re-Authentication ____ 129
IA-12: Identity Proofing ____ 129

4.8 INCIDENT RESPONSE _________________________________________________131

IR-1: Incident Response Policy and Procedures ____ 131
IR-2: Incident Response Training ____ 131
IR-3: Incident Response Testing ____ 132
IR-4: Incident Handling ____ 132
IR-5: Incident Monitoring ____ 133
IR-6: Incident Reporting ____ 133
IR-7: Incident Response Assistance ____ 134
IR-8: Incident Response Plan ____ 134
IR-9: Information Spillage Response ____ 135

4.9 MAINTENANCE _______________________________________________________136

MA-1: System Maintenance Policy and Procedures ____ 136
MA-2: Controlled Maintenance ____ 136
MA-3: Maintenance Tools ____ 137
MA-4: Nonlocal Maintenance ____ 137
MA-5: Maintenance Personnel ____ 138
MA-6: Timely Maintenance ____ 139

4.10 MEDIA PROTECTION _________________________________________________140

MP-1: Media Protection Policy and Procedures ____ 140
MP-2: Media Access ____ 140
MP-3: Media Marking ____ 140
MP-4: Media Storage ____ 140
MP-5: Media Transport ____ 141
MP-6: Media Sanitization ____ 141
MP-7: Media Use ____ 142

4.11 PHYSICAL AND ENVIRONMENTAL PROTECTION _________________________143

PE-1: Physical and Environmental Policy and Procedures ____ 143
PE-2: Physical Access Authorizations ____ 143
PE-3: Physical Access Control ____ 143
PE-4: Access Control for Transmission ____ 144
PE-5: Access Control for Output Devices ____ 144
PE-6: Monitoring Physical Access ____ 145
PE-8: Visitor Access Records ____ 145
PE-16: Delivery and Removal ____ 145
PE-17: Alternate Work Site ____ 145

4.12 PLANNING __________________________________________________________147

PL-1: Planning Policy and Procedures ____ 147
PL-2: System Security and Privacy Plans ____ 147
PL-4: Rules of Behavior ____ 149
PL-8: Security and Privacy Architectures ____ 149

4.13 PROGRAM MANAGEMENT ____________________________________________151

PM-1: Information Security Program Plan ____ 151
PM-2: Information Security Program Leadership Role ____ 151
PM-3: Information Security and Privacy Resources ____ 152
PM-4: Plan of Action and Milestones Process ____ 152
PM-5: System Inventory ____ 152
PM-7: Enterprise Architecture ____ 153
PM-9: Risk Management Strategy ____ 153
PM-10: Authorization Process ____ 154
PM-12: Insider Threat Program ____ 154
PM-14: Testing, Training and Monitoring ____ 154
PM-18: Privacy Program Plan ____ 155
PM-19: Privacy Program Leadership Role ____ 155
PM-21: Accounting of Disclosures ____ 156
PM-29: Risk Management Program Leadership Roles ____ 156

4.14 PERSONNEL SECURITY ______________________________________________157

PS-1: Personnel Security Policy and Procedures ____ 157
PS-2: Position Risk Designation ____ 157
PS-3: Personnel Screening ____ 157
PS-4: Personnel Termination ____ 158
PS-5: Personnel Transfer ____ 158
PS-6: Access Agreements ____ 158
PS-7: External Personnel Security ____ 159
PS-8: Personnel Sanctions ____ 159
PS-9: Position Descriptions ____ 159

4.15 PERSONALLY IDENTIFIABLE INFORMATION PROCESSING AND TRANSPARENCY

PT-1: Personally Identifiable Information Processing and Transparency Policy and Procedures ___________________________________________________________________ 160
PT-2: Authority to Process Personally Identifiable Information _______________________ 160

4.16 RISK ASSESSMENT __________________________________________________161

RA-1: Risk Assessment Policy and Procedures ____________________________________ 161
RA-3: Risk Assessment ________________________________________________________ 161
RA-5: Vulnerability Monitoring and Scanning ______________________________________ 162
RA-7: Risk Response __________________________________________________________ 163
RA-8: Privacy Impact Assessments ______________________________________________ 163

4.17 SYSTEM AND SERVICES ACQUISITION _________________________________163

SA-1: System and Services Acquisition Policy and Procedures _______________________ 163
SA-2: Allocation of Resources ___________________________________________________ 164
SA-3: System Development Life Cycle ____________________________________________ 164
SA-4: Acquisition Process ______________________________________________________ 165
SA-5: System Documentation ___________________________________________________ 166
SA-8: Security Engineering Principles ____________________________________________ 167
SA-9: External System Services _________________________________________________ 167
SA-10: Developer Configuration Management ______________________________________ 168
SA-11: Developer Testing and Evaluation _________________________________________ 169
SA-15: Development Process, Standards and Tools ________________________________ 169
SA-22: Unsupported System Components ________________________________________ 170

4.18 SYSTEM AND COMMUNICATIONS PROTECTION__________________________171

SC-1: System and Communications Protection Policy and Procedures ________________ 171
SC-2: Application Partitioning ___________________________________________________ 171
SC-4: Information in Shared System Resources ____________________________________ 171
SC-7: Boundary Protection _____________________________________________________ 171
SC-8: Transmission Confidentiality and Integrity ___________________________________ 174
SC-10: Network Disconnect _____________________________________________________ 174
SC-12: Cryptographic Key Establishment and Management __________________________ 175
SC-13: Cryptographic Protection ________________________________________________ 175
SC-15: Collaborative Computing Devices and Applications __________________________ 175
SC-17: Public Key Infrastructure Certificates ______________________________________ 175
SC-18: Mobile Code ___________________________________________________________ 176
SC-20: Secure Name/Address Resolution Service (Authoritative Source) _______________ 176
SC-21: Secure Name/Address Resolution Service (Recursive or Caching Resolver) ______ 176
SC-22: Architecture and Provisioning for Name/Address Resolution Service ___________ 177
SC-23: Session Authenticity ____________________________________________________ 177
SC-28: Protection of Information at Rest __________________________________________ 177
SC-35: External Malicious Code Identification ______________________________________ 178
SC-39: Process Isolation _______________________________________________________ 178
SC-45: System Time Synchronization ____________________________________________ 178

4.19 SYSTEM AND INFORMATION INTEGRITY ________________________________179

SI-1: System and Information Integrity Policy and Procedures ________________________ 179
SI-2: Flaw Remediation _________________________________________________________ 179
SI-3: Malicious Code Protection _________________________________________________ 180
SI-4: System Monitoring ________________________________________________________ 181
SI-5: Security Alerts, Advisories and Directives ____________________________________ 183
SI-7: Software, Firmware and Information Integrity _________________________________ 183
SI-8: Spam Protection __________________________________________________________ 184
SI-10: Information Input Validation _______________________________________________ 184
SI-11: Error Handling __________________________________________________________ 184
SI-12: Information Management and Retention _____________________________________ 184
SI-16: Memory Protection _______________________________________________________ 185

4.20 SUPPLY CHAIN RISK MANAGEMENT____________________________________186

SR-1: Supply Chain Risk Management Policy and Procedures ________________________ 186
SR-2: Supply Chain Risk Management Plan _______________________________________ 186
SR-3: Supply Chain Controls and Processes ______________________________________ 186
SR-6: Supplier Assessments and Reviews ________________________________________ 187
SR-10: Inspection of Systems and Components ____________________________________ 187
SR-11: Component Authenticity _________________________________________________ 187

Exhibit 1 IRC §§ 6103(a) and (b) _______________________________________ 188

Exhibit 2 IRC § 6103(p)(4) ____________________________________________ 192

Exhibit 3 Code of Federal Regulations (CFR) § 301.6103(p)(7)-1 [T.D. 9445, 74 FR 6830, Feb. 11, 2009] _________________________________________________ 194

Exhibit 4 IRC §§ 7213 and 7213A - Sanctions for Unauthorized Disclosure and

Exhibit 6 Contractor 45-Day Notification Procedures ______________________ 200

Exhibit 7 Safeguarding Contract Language ______________________________ 202