Security Awareness for Employees (SAFE)

SB/SE

Security Awareness for Employees II

(S.A.F.E. II)

Version 1.14, April 2010

FISMA Year 2010

ELMS # 30907

S.A.F.E. II Table of Contents

Introduction to S.A.F.E. II

What is SBU or PII Data?

Disclosure/Loss/Theft Incident Analysis and Trends

Trends/Protection Guidelines and Key Security Preventative TIPS

Scenarios

Reporting a Disclosure/Loss/Theft

Introduction – What is your responsibility?

As with all Federal agencies, IRS employees and managers have a responsibility to safeguard Sensitive But Unclassified (SBU) and Personally Identifiable Information (PII).

The IRS must safeguard tax, financial and personal information regarding taxpayers, fellow employees and other individuals.

You must protect any information that, if lost or disclosed, could:

• Violate a person's privacy
• Put a person at risk for identity theft
• Compromise the integrity of the tax administration process

Loss, theft or disclosure of sensitive information places taxpayers and others at serious risk for identity theft and erodes the public's confidence in the IRS.

Introduction – What is S.A.F.E. II?

S.A.F.E. II was developed to keep the topic of safeguarding taxpayer data and other SBU/PII data foremost in the minds of SB/SE employees.

• Last year we conducted S.A.F.E. briefings to reinforce safeguarding policies, procedures and requirements, and we provided all employees with reference materials and preventative tips to assist in protecting both government equipment and sensitive data.

This awareness and training briefing provides employees with the current loss and disclosure trends and key tips and actions for lowering these incidents.

Exercising the same care in handling, securing and protecting data in your possession as you would your own personal information and valuables is a simple way to reduce the number of loss or disclosure incidents.

To begin, what is SBU or PII Data?

• SBU data refers to sensitive but unclassified information originating within IRS offices.
• Sensitive information (including tax and tax-related information) is any information which, if lost, stolen or altered without proper authorization, may adversely affect Service operations (IRM 10.2.13.3).
• PII is a specific type of SBU information.
• PII includes the personal data of taxpayers, and also the personal information of employees, contractors, applicants and visitors to the IRS.
• Failure to protect PII could result in disciplinary action for employees and managers (IRM 10.2.13.3.1(1) provides examples of PII).

Disclosure/Loss/Theft Incident Analysis and Trends

Did you know?

Unintentional/Inadvertent Disclosure Definition

• Disclosure is making information known in any way.
• Unintentional or inadvertent unauthorized disclosures of sensitive data include, but are not limited to, federal tax returns or return information, Privacy Act information, Bank Secrecy Act information, Trade Secrets Act information, Right to Financial Privacy Act information, Grand Jury information, and other sensitive information, except as provided for by statute.
• Sensitive data may include infrastructure/configuration data.
• Sensitive data includes personally identifiable information (PII) of individuals, including personnel and job applicant information.

Loss/Theft Definition

• Lost or stolen IT equipment, such as computers, laptops, routers, removable media (CD/DVD, flash drives, floppies), cell phones, or wireless/air cards
• Lost or stolen hardcopy records
• Packages lost during shipment

Did you know?

• 47% of all FY09 SB/SE incidents resulted from procedural deviation
  - 59% of those incidents resulted in disclosure
• 34% of all FY09 SB/SE incidents resulted from human error
  - 33% of those incidents resulted in disclosure
• 14% of all FY09 SB/SE incidents resulted from loss and theft of IT equipment
• 5% of all FY09 SB/SE incidents resulted from other reported incidents, such as recovered losses or method not stated

IRS Disclosure/Loss/Theft of IT Assets and Data, FY07 through FY09

• Between 2007 and 2009, the IRS experienced more than 3,150 incidents of loss, theft or disclosure of IT assets or data. The chart (reconstructed below as a table) shows the breakdown by type of incident.

  Fiscal year    Loss    Theft    Disclosure    Total
  FY07            190      165            30      385
  FY08            375       98           100      573
  FY09            392      109         1,871    2,372

• During FY09, loss/theft incidents increased slightly (6%, from 473 to 501).
• The total number of disclosures in FY09 increased at an alarming rate, to more than 1,800.
  - This increase can largely be attributed to a change in the reporting requirements for inadvertent disclosures, which may not have been captured by CSIRC in the past, as well as increased employee awareness resulting from outreach and education efforts.
• CSIRC Loss/Theft/Disclosure reporting does not include UNAX violations and investigations.

Source: Statistics provided by Office of DC-Operations Support, Privacy – Information Protection and Data Security, Privacy & Information Protection, Incident Management

SB/SE versus IRS Disclosure/Loss/Theft, FY07 through FY09

Reconstructed from the three chart panels. The percentage in parentheses is SB/SE's share of total IRS incidents of that type.

Disclosure
  FY07: IRS 30, SB/SE 1 (3.3%)
  FY08: IRS 100, SB/SE 16 (16%)
  FY09: IRS 1,871, SB/SE 351 (18.8%)

Loss
  FY07: IRS 190, SB/SE 57 (30%)
  FY08: IRS 375, SB/SE 137 (labelled 35.5% on the chart; 137/375 is 36.5%)
  FY09: IRS 392, SB/SE 94 (24%)

Theft
  FY07: IRS 165, SB/SE 10 (6%)
  FY08: IRS 98, SB/SE 14 (14%)
  FY09: IRS 109, SB/SE 30 (27.5%)

Correcting the top 7 Disclosure Types of Incidents will address 63% of all SB/SE FY09 Disclosures

Number of Disclosures (351) by Incident Type for SB/SE in FY09. The chart is reconstructed below as a ranked list; the top seven types account for 220 of the 351 disclosures (63%). Counts for items 8 to 22 are paired with their categories in the chart's rank order.

 1. No POA/POA years – 39
    Example: No POA, or no POA for the year(s) in question
 2. Fax – 38
    Example: Incorrect fax number entered
 3. Incorrect addressee – 36
    Example: Mail sent to a person with a similar name
 4. Incorrect address – 30
    Example: Mail sent to an address other than the address of record, or trace address not updated
 5. Multi-stuffing, multi-page – 29
    Example: Multiple taxpayers' data included in the same envelope
 6. SSN/Name mismatch – 28
    Example: SSN for a sibling or child
 7. Pre-printed form – 20
    Example: Form used for another taxpayer without updating all fields and pages with the intended taxpayer's data
 8. SSN/EIN/TIN entry error – 17
 9. Misrepresentation by contact – 14
10. Email internal – 13
11. Other disclosure (method not stated) – 13
12. 3rd party, other than taxpayer – 12
13. Hard copy handling – 10
14. More information than allowed – 9
15. Procedural deviation – 9
16. Unencrypted email – 8
17. Lost documents within IRS, improper mailing – 7
18. Lost documents via UPS, reported as disclosure – 7
19. Lost documents within IRS – 5
20. Other – 4
21. 3rd party, didn't sign/prepare return – 2
22. PII in garbage/improper disposal – 1

Correcting the top 4 Loss/Theft Types of Incidents will address 85% of all SB/SE FY09 Losses/Thefts

Number of Loss/Theft incidents (124) by Incident Type for SB/SE in FY09. The chart is reconstructed below; the top four types account for 106 of the 124 incidents (85%).

1. IT Equipment Loss – 35
   Example: Lost air card, cell phone
2. IT Equipment Theft – 30
   Example: Stolen laptop
3. Lost Documents UPS, reported as loss – 24
   Example: Lost during shipping and package unable to be located
4. Lost Documents within IRS – 17
   Example: Lost documents in mailroom

The remaining 18 incidents are spread across seven smaller categories (7 or fewer each): Lost Documents within IRS – improper mailing, Hard copy handling, PII in garbage/improper disposal, Recovered Loss no Disclosure, Incorrect address, Multi-stuffing/multi-page, and Other.

Loss/Theft and Disclosure by SB/SE OU's in FY09 – total number of incidents per operating unit [chart; per-OU values are not recoverable from this copy]

Without immediate action, we are on a trajectory to have 6 times more Disclosures in FY10 than in FY09

Disclosures FY09 vs. FY10 Trend
• FY09 Disclosures: 351
• FY10 Disclosures: trending to 2,249

Loss/Theft FY09 vs. FY10 Trend
• FY09 Loss/Theft: 124
• FY10 Loss/Theft: trending to 147

The FY10 disclosure trend is based on Oct–Dec 2009, the first quarter of FY10 (75 incidents). The FY10 loss/theft trend is based on the same quarter (30 losses).

FY09 Trends & Protection Guidelines

Key Security Preventative TIPS

FY09 Trends & Protection Guidelines: Disclosure – 3rd Party Permissible Disclosure

FY09 Trend: 15% of inadvertent disclosures were due to 3rd party permissions that were not verified and/or not current.

Protection Guidelines

3rd party permissions can work in 4 different ways, as listed in the following table:

Type: Checkbox Designee
Guidelines:
• Checkbox authorizations are made directly on the tax form (Forms 720, 941, 941PR, 941SS, 1040, 1041, 1120, 2290 and CT-1)
• Not permissible for collection or examination proceedings
• Only valid for a period of one year from the due date of the return
• Checkbox designees cannot be contacted by RAs/ROs to schedule the initial appointment

Type: Written consents or tax information authorizations (TIAs)
Guidelines:
• Written consents, such as tax information authorizations, permit access to returns and return information by the designee
• Does not grant the power to represent the taxpayer before the IRS. For example, while he or she is granted permission to have a copy of a Revenue Agent's Report of Adjustments, the holder of a Tax Information Authorization (TIA) may not dispute any of the adjustments found in the report.

Reference: http://mysbse.web.irs.gov/CLD/GLD/Disclosure/Reference/HotTopics/POA/3002.aspx

FY09 Trends & Protection Guidelines: Disclosure – 3rd Party Permissible Disclosure (continued)

Type: Oral Consent
Guidelines:
• Take appropriate steps to verify that the person is indeed the taxpayer; at a minimum, follow the guidance in IRM 11.3.2.3.2 to authenticate identity
• Be sure to fully document in your case file the actions taken when the taxpayer gives you oral permission and when verifying the third party's identity (oral consent can only be accepted to resolve a federal tax matter)

Type: Power of Attorney (IRS Form 2848)
Guidelines:
• Authorizes a third party to represent the taxpayer before the IRS
• Only individuals can be named to represent the taxpayer
• They must be part of a specifically authorized category of representative sanctioned by regulation
• They must be specifically designated by the taxpayer via a properly completed Power of Attorney

Type: Non-IRS Powers of Attorney
Guidelines:
• Individuals may use a non-IRS durable power of attorney as long as it contains all of the information required by regulation
• Must include language that authorizes the designee to handle federal tax matters

Reference: http://mysbse.web.irs.gov/CLD/GLD/Disclosure/Reference/HotTopics/POA/3021.aspx

Key Security Preventative TIPS: Disclosure – Power of Attorney (POA)

• Understand the different types of permissible 3rd party authorizations and the information allowed to be disclosed under each
• Keep the Quick Guide* from Disclosure for a chart that identifies permissible disclosures based on the taxpayer designee type
• All discussions of tax matters must be held only with someone named on the POA (Form 2848) and only for the year(s) covered by that POA
• Verify there is a valid Power of Attorney (POA) on file before disclosing any information
  - POAs must be held by individuals
  - Non-IRS POAs may be used provided the POA clearly states that the designee has rights to federal tax information
  - POAs must be on file for the year(s) in question
  - Some acts must be specifically authorized, e.g. receiving and endorsing a refund check, or substituting a representative

*A Quick Guide to the Powers of Attorney and Tax Information Authorizations can be found at: http://mysbse.web.irs.gov/CLD/GLD/Disclosure/Reference/HotTopics/POA/7486.aspx

FY09 Trends & Protection Guidelines: Disclosure – Fax, Multi-Stuffing and Pre-Printed Forms

FY09 Trend: Inadvertent disclosures occurring during routine activities account for 46% of all SB/SE disclosures and include key errors such as:

• Misdirected faxes
• Double-stuffing, or stuffing envelopes incorrectly
• A different party's information left on a pre-printed form (a.k.a. pattern correspondence)

Protection Guidelines

• For faxing, use a cover sheet with the recipient's name, the number of pages and the Notice of Disclosure; put no confidential information on the cover page
• Send the cover sheet as the first page, so that it covers the faxed correspondence (IRM reference: 11.3.1.10)
• Cover sheet template: http://core.publish.no.irs.gov/forms/internal/pdf/23436c07.pdf
• Wherever possible, pattern correspondence templates should be saved without confidential information

Key Security Preventative TIPS: Disclosure – Fax, Multi-Stuffing and Pre-Printed Forms

• Do not use the redial button on the fax machine
• Before hitting the "Send" button, take the time to double-check the fax number you just entered
• Before sealing the envelope, verify that only ONE taxpayer's documentation is in the envelope
• Work one case file at a time to prevent documents becoming mixed between cases
• For pattern correspondence/pre-printed forms:
  - Use a new template letter or document
  - Remove references to other taxpayers
  - Take a second look at the correspondence for accuracy

FY09 Trends & Protection Guidelines: Disclosure – Incorrect Addressee, Address, SSN/Name Mismatch

FY09 Trend: 27% of inadvertent disclosures were due to an incorrect addressee, an incorrect address, or an SSN/Name mismatch.

• Disclosures resulting from incorrect addressee or address, and from SSN and Name mismatch:
  - Addressee is a different taxpayer
  - Address is incomplete or similar to another case
  - Recipient of correspondence has the same name but a different SSN
  - Address obtained from Accurint was not for the same person for whom the correspondence was intended

Protection Guidelines

• Conduct a Mail Trace using e-Discovery and/or Accurint to verify that the name and address match the SSN/EIN/TIN you are processing

Key Security Preventative TIPS: Disclosure – Incorrect Addressee, Address, SSN/Name Mismatch

Taking a few simple precautions can greatly reduce these incidents:

• When using Accurint, be sure to:
  - Use the Accurint guide to optimize searches
  - Redact all identifying information that does not relate to the taxpayer in question, based upon how it appears in the IRS address of record
  - Remove other SSNs listed with taxpayer names
  - Verify the taxpayer using identifiers other than name (such as DOB and SSN)

Accurint QRG: http://rnet.web.irs.gov/docs/pdfs/accurint_qrg.pdf

Redacting Choicepoint and Accurint: http://mysbse.web.irs.gov/CLD/GLD/Disclosure/Office/Guidance/Dispatch/3425.aspx

Other Key Security Preventative TIPS

Disclosure

Good disclosure decisions use the CAP process:

• Be sure the Code (C) allows the disclosure,
• that you have the Authority (A) to make the disclosure, and
• that you follow the appropriate Procedures (P) when making the disclosure.

Safeguard Paper Files

• Follow the Clean Desk Policy: do not leave confidential information unattended
• Securely lock paper documents containing sensitive information when not in use
• Protect documents while you are in the field as well as in the office by keeping them in a folder or placing a blank cover sheet on top

Misrepresentation of contact is often due to incomplete authentication of the taxpayer, or to the taxpayer's Limited English Proficiency

• Required Taxpayer Authentication procedures should be followed as outlined in IRM 21.1.3.2.3 and 21.1.3.2.4
• Taxpayers may use their minor child as an interpreter by giving verbal or written consent

CAP: http://mysbse.web.irs.gov/CLD/GLD/Disclosure/Reference/Basics/3131.aspx

Disclosure Awareness Pocket Guide: http://core.publish.no.irs.gov/docs/pdf/14784k08.pdf

General Disclosure Hot Topics: http://mysbse.web.irs.gov/CLD/GLD/Disclosure/Reference/HotTopics/default.aspx

FY09 Trends & Protection Guidelines: Laptop Losses/Thefts

SB/SE Laptop Highlights – Number of Lost/Stolen Laptops [bar chart; bar values 52, 28, 28, 24 and 2, with period labels not recoverable from this copy]

Note: Year-to-date data represents the period from Oct 1 to Dec 31.

FY09 Trends & Protection Guidelines: Loss/Theft – IT Assets

FY09 Trend: 52% of all SB/SE loss and theft incidents are related to IT asset loss and theft, which includes:

• Cell phones
• Laptops
• Media cards, thumb drives, printers, etc.

Protection Guidelines

• IRS laptops and other IT assets (e.g. air cards) shall never, under any circumstance, be stored in checked luggage while traveling, whether on an international or a domestic flight.
• Protect your passwords at all times. Passwords, smart cards and grid cards should be protected and shall not be stored on or with the laptop/cell phone.
• Never leave your laptop unattended and/or unsecured!

Key Security Preventative TIPS: Loss/Theft – IT Assets

• When possible, place your laptop under the seat in front of you when traveling by plane, bus or train, rather than in an overhead bin where it is out of your sight.
  - If your laptop is stored in an overhead bin, it should be within your direct line of sight
• Set up an encrypted directory and save sensitive files to that encrypted folder
  - Newer laptop images have forced encryption on everything in the "My Documents" folder
• Use cable locks to secure your laptop, even within IRS-controlled facilities.
  - Laptops may be locked in a cabinet or desk for additional protection overnight
• Never leave your laptop in your vehicle overnight!
  - Not even in your trunk, in the driveway, or in the garage
• Enable the password/PIN function on your cell phone
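The "encrypted directory" tip above does not say how to create one. The script below is an added example, not part of the S.A.F.E. II deck or of any IRS laptop image: it assumes a Windows laptop with an NTFS volume where the Encrypting File System (EFS) is available, creates a hypothetical working folder under Documents, marks it encrypted with cipher.exe, and then checks that a file saved into it actually inherits the Encrypted attribute. The folder name and the test file are assumptions chosen for the example.

```powershell
# Added example (not from the S.A.F.E. II deck). Assumes Windows with EFS on NTFS;
# the folder path is a hypothetical choice for illustration.

function Test-IsEncrypted {
    # Returns $true when the file or directory carries the EFS Encrypted attribute.
    param([Parameter(Mandatory)][string]$Path)
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    return (($attrs -band [System.IO.FileAttributes]::Encrypted) -ne 0)
}

$Folder = Join-Path $env:USERPROFILE 'Documents\Casework-Encrypted'
New-Item -ItemType Directory -Path $Folder -Force | Out-Null

# /E marks the directory so files created in it later are encrypted,
# /A encrypts files already present, /S applies to the directory tree.
cipher.exe /E /A /S:"$Folder" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "cipher.exe failed with exit code $LASTEXITCODE" }

# Save a constructed test file and confirm the attribute was inherited.
$TestFile = Join-Path $Folder 'efs-check.txt'
'constructed sample content' | Set-Content -LiteralPath $TestFile

if (-not (Test-IsEncrypted $Folder))   { throw "Folder is not encrypted: $Folder" }
if (-not (Test-IsEncrypted $TestFile)) { throw "New file is not encrypted: $TestFile" }
Remove-Item -LiteralPath $TestFile

# Warn about any file in the folder that is still in clear text, e.g. one copied in
# by a tool that preserved its original (unencrypted) attributes.
Get-ChildItem -LiteralPath $Folder -Recurse -File |
    Where-Object { -not (Test-IsEncrypted $_.FullName) } |
    ForEach-Object { Write-Warning "Unencrypted file: $($_.FullName)" }

Write-Output "Encrypted folder ready: $Folder"
```

EFS protects data at rest only for the Windows account that holds the key, so it complements, rather than replaces, the password and smart-card guidance on the previous slide; a laptop left unlocked and logged in still exposes the folder.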

FY09 Trends & Protection Guidelines: Loss/Theft – Hardcopy Loss

FY09 Trend: Loss of hardcopy SBU/PII data accounted for 48% of all losses/thefts and is comprised of:

• UPS shipping
• Losses within IRS facilities
• Other hard copy loss, e.g. residence, vehicle, public transportation

Protection Guidelines

• When transmitting PII in paper or removable media format by mail or through a carrier, employees are required to do so in a manner that ensures it does not become misdirected or disclosed to unauthorized personnel.
• Use a Small Package Carrier (e.g. UPS) when shipping PII
• Use the US Postal Service to mail documents to the taxpayer
• Use Form 3210, Document Transmittal, to track mail and shipments (IRM reference for Form 3210: 3.13.62.7.1)

Key Security Preventative TIPS: Loss/Theft – Shipping Loss

• Do not use "Sensitive Contents" labels on PII packages; an unlabeled package is less tempting to steal
• Securely package PII contents prior to shipping
  - Use undamaged packaging materials
  - Double wrap or double box all materials
  - Place address labels on both the inside and the outside package
• When shipping via United Parcel Service (UPS):
  - Monitor the package during shipment using the tracking number provided by UPS and confirm receipt
  - Set and monitor timelines for transmittal acknowledgement: within 7 days
• For internal IRS shipments, use a document receipt to verify that confidential material has been properly received
  - If you are the sender, initiate Form 3210; if you are the recipient, complete and return Form 3210

Scenarios

Scenario 1: Incorrectly Stuffed Envelope

A Revenue Agent (RA)/Correspondence Examination Technician (CET) was working several cases and preparing letters to be sent to taxpayers and their representatives. The RA/CET prepared a letter for case 1 to send to POA "A" on behalf of Mr. and Mrs. Jones. The RA/CET then moved on to case 2 and prepared a report to send to POA "B", Mr. and Mrs. Smith's representative. The RA/CET packaged up the documents for mailing, addressed the envelopes and moved on to other case work. Two days later, POA "A" called to say he had received the report for Mr. and Mrs. Smith, and he does not represent them.

Which of the following are True statements about this scenario?

A. This is not a disclosure
B. This is a disclosure
C. Prior to sealing the envelope, the RA/CET should have checked the contents
D. The RA/CET should have completed case 1 prior to moving to case 2

See Notes for Answers

Scenario 2: Incorrectly Stuffed Envelope

A Tax Compliance Officer (TCO) was preparing a report to send to a taxpayer. The report was sent to the network printer, promptly retrieved and put in an envelope for mailing. Three days later, the taxpayer called to say that they had received additional documents belonging to another taxpayer.

Which of the following are True statements about this scenario?

A. This is not a disclosure
B. This is a disclosure
C. Prior to sealing the envelope, the TCO should have checked the documents retrieved from the printer to verify that the pages were only for this taxpayer

See Notes for Answers

Scenario 3: Incorrect Addressee

A Revenue Officer (RO)/Tax Examining Technician (TET) researched the address of a taxpayer, found a newer address on Accurint, and mailed a letter to that address. The individual at the address opened the letter believing it was for her, since it bore her maiden name. Upon opening the letter, the individual realized the letter was for someone else.

Which of the following are True statements about this scenario?

A. This is not a disclosure
B. This is a disclosure
C. The RO/TET should have verified the identity of the taxpayer using additional identifiers such as SSN and date of birth

See Notes for Answers

Reporting a Disclosure/Loss/Theft

• Within one hour of becoming aware of the inadvertent disclosure of sensitive information, or of the loss or theft of a laptop, IT asset or hardcopy document containing sensitive information, report the incident to:

1. Your manager.
2. If it involves taxpayer correspondence, report it directly to the Notice Gatekeeper using the Servicewide Notice Information Program's Erroneous Taxpayer Correspondence (SNIP) Reporting Form: http://gatekeeper.web.irs.gov/errCPReport2.aspx
   This form has been expanded to include electronic communication such as faxes, transcripts and e-mails.
3. If it does not involve taxpayer correspondence (for example, a verbal disclosure, a lost laptop, a data disk or an internal mail shipment), report it to the Computer Security Incident Response Center using the CSIRC Incident Reporting Form, or by calling 866.216.4809.
4. If the incident involves the loss or theft of an IT asset or hardcopy data, contact TIGTA at 800.366.4484 (TTY/TDD 1-800-877-8339), http://www.treas.gov/tigta/contact_report.shtml
   • When calling TIGTA, always secure a TIGTA reference number.
5. Local law enforcement, as appropriate.

Reporting a Disclosure/Loss/Theft

• Situations that are not to be reported to SNIP or CSIRC:

Example 1: An IRS employee follows all procedures to verify the identity of a caller before disclosing any information, only to later find that they are not talking to the taxpayer or the taxpayer's authorized representative. The employee terminates the call at that point without disclosing any further information.

Example 2: An IRS employee faxes return information as requested by a taxpayer or authorized representative. The employee follows all established procedures for faxing sensitive information, only to later find that the fax number given to them by the taxpayer or authorized representative was incorrect.

Example 3: IRS employees follow all established procedures for locating a potential new address for a taxpayer, and a letter is generated to that address in an attempt to contact the taxpayer. A person who receives the correspondence at that address contacts the IRS and says they are not the taxpayer.

Example 4: The IRS sends correspondence to the last known address of a taxpayer. A person who receives the correspondence at that address contacts the IRS to say the taxpayer does not live there.

Reporting a Disclosure/Loss/Theft

• Timely reporting of all information losses or thefts is critical so that any needed investigation can be initiated quickly, which can decrease or mitigate the possibility that the information will be compromised and used to perpetrate identity theft or other forms of fraud.
• Refer to IRM 10.5.3.6, Reporting Losses, Thefts and Disclosures of Sensitive Information.
• If you see indications of an intentional unauthorized disclosure, the incident must be reported to TIGTA. See IRM 11.3.1.6(2) and IRM 11.3.38.6.1(1).

Security Awareness for Employees II (S.A.F.E. II)

Please email the SB/SE Security PMO with any questions at: *SBSE Security