TRANSCRIPT
SB/SESecurity Awareness for Employees II (S.A.F.E. II)
Version 1.14, April 2010
FISMA Year 2010
ELMS # 30907
S.A.F.E. II Table of Contents
Introduction to S.A.F.E. II
What is SBU or PII Data?
Disclosure/Loss/Theft Incident Analysis and Trends
Trends/Protection Guidelines and Key Security Preventative TIPS
Scenarios
Reporting a Disclosure/Loss/Theft
Introduction – What is your responsibility?
As with all Federal agencies, IRS employees and managers have a responsibility to safeguard Sensitive But Unclassified (SBU) and Personally Identifiable Information (PII).
The IRS must safeguard tax, financial and personal information regarding taxpayers, fellow employees and other individuals.
You must protect any information that, if lost or disclosed, could:
• Violate a person’s privacy
• Put a person at risk for identity theft
• Compromise the integrity of the tax administration process
Loss, theft or disclosure of sensitive information places taxpayers and others at serious risk for identity theft and erodes the public’s confidence in the IRS.
…Introduction – What is S.A.F.E. II?
S.A.F.E. II was developed to keep the topic of safeguarding taxpayer data and other SBU/PII data foremost in the minds of SBSE employees.
Last year we conducted S.A.F.E. briefings to reinforce safeguarding policies, procedures, and requirements, and we provided all employees with reference materials and preventative tips to assist in the protection of both government equipment and sensitive data.
This awareness and training briefing provides employees with the current loss and disclosure trends and key tips and actions for lowering these incidents.
Exercising the same care in handling, securing and protecting data in your possession as you would your own personal information and valuables is a simple way to reduce the number of loss or disclosure incidents.
To begin, what is SBU or PII Data?
SBU data refers to sensitive but unclassified information originating within IRS offices. Sensitive information (including tax and tax-related information) is any information which, if lost, stolen, or altered without proper authorization, may adversely affect Service operations (IRM 10.2.13.3).
PII is a specific type of SBU information. PII includes the personal data of taxpayers, and also the personal information of employees, contractors, applicants, and visitors to the IRS.
Failure to protect PII could result in disciplinary action for employees and managers (IRM 10.2.13.3.1(1) provides examples of PII).
Disclosure/Loss/Theft Incident Analysis and Trends
Did you know?
Unintentional/Inadvertent Disclosure Definition
Disclosure is making known in any way:
• Unintentional or inadvertent unauthorized disclosures of sensitive data, including but not limited to federal tax returns or return information, Privacy Act Information, Bank Secrecy Act information, Trade Secrets Act information, Financial Right to Privacy Act information, Grand Jury information, and other sensitive information except as provided for by statute
• Sensitive data may include infrastructure/configuration data
• Includes personally identifiable information (PII) of individuals, including personnel and job applicant information
Loss/Theft Definition
Lost or stolen:
• IT equipment, such as: computers, laptops, routers, removable media, CD/DVD, flash drives, floppies, cell phones, or wireless/air cards
• Hardcopy records
• Packages lost during shipment
Did you know?
47% of all FY09 SB/SE incidents resulted from procedural deviation
59% of those incidents resulted in disclosure
34% of all FY09 SB/SE incidents resulted from human error
33% of those incidents resulted in disclosure
14% of all FY09 SB/SE incidents resulted from loss and theft of IT equipment
5% of all FY09 SB/SE incidents resulted from other reported incidents such as recovered loss and method not stated
IRS Disclosure/Loss/Theft of IT Assets and Data, FY07 through FY09 (chart data)
Incident type     FY-2007   FY-2008   FY-2009
Loss                  190       375       392
Theft                 165        98       109
Disclosure             30       100      1871
Between 2007 and 2009, the IRS experienced more than 3,150 incidents of loss, theft or disclosure of IT assets or data. This chart shows the breakdown between each type of incident.
During 2009, loss/theft incidents had a slight increase (6%). The total number of disclosures in 2009 increased at an alarming rate to more than 1,800.
‒ This increase can largely be attributed to a change in the reporting requirements for inadvertent disclosures, which may not have been captured by CSIRC in the past, as well as increased employee awareness as the result of outreach and education efforts.
CSIRC Loss/Theft/Disclosure Reporting does not include UNAX violations and investigations.
Source: Statistics provided by Office of DC-Operations Support, Privacy – Information Protection and Data Security, Privacy & Information Protection, Incident Management
SB/SE versus IRS Disclosure/Loss/Theft, FY07 through FY09 (chart data)
(%) = SB/SE percentage of total IRS incidents
                    FY07          FY08           FY09
IRS Loss             190           375            392
SB/SE Loss            57 (30%)     137 (35.5%)     94 (24%)
IRS Theft            165            98            109
SB/SE Theft           10 (6%)       14 (14%)       30 (27.5%)
IRS Disclosure        30           100           1871
SB/SE Disclosure       1 (3.3%)     16 (16%)      351 (18.8%)
Correcting the top 7 Disclosure Types of Incidents will address 63% of all SB/SE FY09 Disclosures
Number of Disclosures (351) by Incident Type for SB/SE in FY09 (chart data)
No POA/POA Years                          39
Fax                                       38
Incorrect addressee                       36
Incorrect address                         30
Multi-stuffing, multi-page                29
SSN/Name mismatch                         28
Preprinted form                           20
SSN/EIN/TIN entry error                   17
Misrepresentation by contact              14
Email internal                            13
Other Disclosure (method not stated)      13
3rd Party - Other than taxpayer           12
Hard copy handling                        10
More information than allowed              9
Procedural deviation                       9
Unencrypted email                          8
Lost Docs within IRS, improper mailing     7
Lost Docs via UPS reported disclosure      7
Lost Docs within IRS                       5
Other                                      4
3rd Party - Didn't sign/prepare return     2
PII in garbage/improper disposal           1
Type of Incident   Examples
No POA/POA years   No POA or no POA for year(s) in question
Fax   Incorrect fax number entered
Incorrect addressee   Mail sent to person with similar name
Incorrect address   Mail sent to address other than address of record, or trace address not updated
Multi-stuffing, multi-page   Multiple taxpayers' data included in same envelope
SSN/Name mismatch   SSN for a sibling or child
Pre-printed form   Form used for another taxpayer without updating all fields and pages with intended taxpayer’s data
Correcting the top 4 Loss/Theft Types of Incidents will address 85% of all SB/SE FY09 Losses/Thefts
Number of Loss/Theft (124) by Incident Type for SB/SE in FY09 (chart data)
IT Equipment Loss                               35
IT Equipment Theft                              30
Lost Documents UPS, reported as Loss            24
Lost Documents within IRS                       17
Lost Documents within IRS -- improper mailing    7
Hard copy handling                               3
PII in garbage/improper disposal                 3
Recovered Loss no Disclosure                     2
Incorrect address                                1
Multi-stuffing, multi-page                       1
Other                                            1
Type of Incident Examples
IT Equipment Loss Lost air card, cell phone
IT Equipment Theft Stolen laptop
Lost Documents UPS, reported as loss Lost during shipping and package unable to be located
Lost Documents within IRS Lost documents in mailroom
Loss/Theft and Disclosure by SB/SE OU’s in FY09
(chart: (#) Total Number of Incidents)
Without immediate action, we are on a trajectory to have 6 times more Disclosures in FY10 than in FY09
Disclosures FY09 vs. FY10 Trend (chart, monthly Oct through Sep)
FY10 Disclosures (Trend to 2249)
FY09 Disclosures (351)
Loss/Theft FY09 vs. FY10 Trend (chart, monthly Oct through Sep)
FY10 Loss/Theft (Trend to 147)
FY09 Loss/Theft (124)
FY10 Disclosure trend is based on Oct-Dec 2010 (75 incidents).
FY10 Loss/Theft trend is based on Oct-Dec 2010 (30 losses).
FY09 Trends & Protection Guidelines
Key Security Preventative TIPS
FY09 Trends & Protection Guidelines… Disclosure – 3rd Party Permissible Disclosure
FY09 Trend: 15% of inadvertent disclosures were due to 3rd party permissions that were not verified and/or not current.
Protection Guidelines
3rd Party permissions can work in 4 different ways as listed in the following table:
Type: Checkbox Designee - 2
Guidelines:
• Checkbox authorizations are made directly on the tax form 720, 941, 941PR, 941SS, 1040, 1041, 1120, 2290 and CT-1
• Not permissible for collection or examination proceedings
• Only valid for the period of one year from the due date of the return
• Checkbox designees cannot be contacted by RAs/ROs to schedule the initial appointment
Type: Written consents or tax information authorizations (TIAs)
Guidelines:
• Written consents, such as tax information authorizations, permit access to returns and return information by the designee
• Does not grant the power to represent the taxpayer before the IRS. For example, while he or she is granted permission to have a copy of a Revenue Agent’s Report of Adjustments, the holder of a Tax Information Authorization (TIA) may not dispute any of the adjustments found in the report.
http://mysbse.web.irs.gov/CLD/GLD/Disclosure/Reference/HotTopics/POA/3002.aspx
FY09 Trends & Protection Guidelines… Disclosure – 3rd Party Permissible Disclosure Continued
Type: Oral Consent
Guidelines:
• Take appropriate steps to verify that the person is indeed the taxpayer – at a minimum, follow the guidance in IRM 11.3.2.3.2 to authenticate identity
• Be sure to fully document in your case file the actions taken when the taxpayer gives you oral permission and when verifying the third party’s identity (oral consent can only be accepted to resolve a federal tax matter)
Type: Power of Attorney
Guidelines:
Power of Attorney IRS Form 2848
• Authorizes a third party to represent the taxpayer before the IRS
• Only individuals can be named to represent the taxpayer
• They must be part of a specifically authorized category of representative sanctioned by regulation
• They must be specifically designated by the taxpayer via a properly completed Power of Attorney
Non-IRS Powers of Attorney
• Individuals may use a non-IRS durable power of attorney as long as it contains all of the information required by regulation
• Must include language that authorizes the designee to handle federal tax matters
http://mysbse.web.irs.gov/CLD/GLD/Disclosure/Reference/HotTopics/POA/3021.aspx
…Key Security Preventative TIPS Disclosure – Power of Attorney (POA)
Understand the different types of permissible 3rd party authorizations and the information allowed to be disclosed under each
Keep the Quick Guide* from Disclosure for a chart that identifies permissible disclosures based on the taxpayer designee type
All discussions of tax matters must be held only with someone named on the POA and for the year(s) covered by that POA, Form 2848
Verify there is a valid Power of Attorney (POA) on file before disclosing any information
POAs must be held by individuals
Non-IRS POAs may be used given that it is clearly stated on the POA that the designee has rights to federal tax information
POAs must be on file for the year(s) in question
Some acts must be specifically authorized, e.g. receive and endorse a refund check, substitute a representative
*A Quick Guide to the Powers of Attorney and Tax Information Authorizations can be found at: http://mysbse.web.irs.gov/CLD/GLD/Disclosure/Reference/HotTopics/POA/7486.aspx
FY09 Trends & Protection Guidelines… Disclosure – Fax, Multi-Stuffing and Pre-Printed Forms
FY09 Trend: Inadvertent disclosures occurring during routine activities account for 46% of all SB/SE disclosures and include key errors such as:
• Misdirected faxes
• Double-stuffing, stuffing envelopes incorrectly
• Different party’s information on a pre-printed form (a.k.a. pattern correspondence)
Protection Guidelines
For faxing, use a cover sheet with the recipient’s name, number of pages and Notice of Disclosure; put no confidential information on the cover page.
Send the cover sheet as the first page, so that it covers the faxed correspondence (IRM Reference: 11.3.1.10).
Cover sheet template link:
http://core.publish.no.irs.gov/forms/internal/pdf/23436c07.pdf
Wherever possible, pattern correspondence templates should be saved without confidential information
…Key Security Preventative TIPS Disclosure – Fax, Multi-Stuffing and Pre-Printed Forms
Do not use the redial button on the fax machine
Before hitting the “Send” button - take the time to double check the fax number you just entered
Before sealing envelope, verify only ONE taxpayer’s documentation is in the envelope
Work one case file at a time to prevent documents becoming mixed between cases
For pattern correspondences/pre-printed forms:
• Use a new template letter or document
• Remove references to other taxpayers
• Take a second look at the correspondence for accuracy
FY09 Trends & Protection Guidelines… Disclosure – Incorrect Addressee, Address, SSN/Name Mismatch
FY09 Trend: 27% of inadvertent disclosures were due to incorrect addressee, address and SSN/Name mismatch
Disclosures resulting from incorrect addressee or address and SSN and Name mismatch:
• Addressee is a different taxpayer
• Address is incomplete or similar to another case
• Recipient of correspondence has the same name, but different SSN
• Address obtained from Accurint was not for the same person for which the correspondence was intended
Protection Guidelines
Conduct a Mail Trace using e-Discovery and/or Accurint to verify that the name and address match the SSN/EIN/TIN you are processing
…Key Security Preventative TIPS Disclosure – Incorrect Addressee, Address, SSN/Name Mismatch
Taking a few simple precautions can greatly reduce these incidents:
When using Accurint, be sure to:
Use Accurint guide to optimize searches
Redact all identifying information that does not relate to the taxpayer in question based upon how it appears in the IRS address of record
Remove other SSNs listed with taxpayer names
Verify taxpayer using identifiers other than name (such as DOB, SSN)
Accurint QRG: http://rnet.web.irs.gov/docs/pdfs/accurint_qrg.pdf
Redacting Choicepoint and Accurint: http://mysbse.web.irs.gov/CLD/GLD/Disclosure/Office/Guidance/Dispatch/3425.aspx
Other Key Security Preventative TIPS Disclosure
Good disclosure decisions use the CAP process: Be sure Code (C) allows the disclosure,
that you have the authority (A) to make the disclosure and
that you follow the appropriate procedures (P) when making the disclosure.
Safeguard Paper Files
Follow the Clean Desk Policy – do not leave confidential information unattended
Securely lock paper documents containing sensitive information when not in use
Protect documents while you are in the field as well as in the office by keeping them in a folder or placing a blank cover sheet on top
Misrepresentation of contact is often due to incomplete authentication of the taxpayer or the taxpayer’s Limited English Proficiency. Required Taxpayer Authentication procedures should be followed as outlined in IRM 21.1.3.2.3 and 21.1.3.2.4.
Taxpayers may use their minor child as interpreter by giving verbal or written consent
CAP: http://mysbse.web.irs.gov/CLD/GLD/Disclosure/Reference/Basics/3131.aspx
Disclosure Awareness Pocket Guide: http://core.publish.no.irs.gov/docs/pdf/14784k08.pdf
General Disclosure Hot Topics: http://mysbse.web.irs.gov/CLD/GLD/Disclosure/Reference/HotTopics/default.aspx
FY09 Trends & Protection Guidelines…Laptop Losses/Thefts
SB/SE Laptop Highlights (chart): Number of Lost/Stolen Laptops
Note: Year-to-date data represents the period from Oct 1 to Dec 31
FY09 Trends & Protection Guidelines…Loss/Theft – IT Assets
FY09 Trend: 52% of all SB/SE loss and theft incidents are related to IT asset loss and theft, which includes:
• Cell phones
• Laptops
• Media cards, thumb drives, printers, etc.
Protection Guidelines
IRS laptops and other IT assets (e.g. air cards) shall never, under any circumstance, be stored in checked luggage while traveling, whether it is an international or a domestic flight.
Protect your passwords at all times. Passwords, smart cards or grid cards should be protected and shall not be stored on or with the laptop/cell phone.
Never leave your laptop unattended and/or unsecured!!
...Key Security Preventative TIPS Loss/Theft – IT Assets
When possible, place your laptop under the seat in front of you when traveling by plane, bus or train, rather than in an overhead bin where it is out of your sight. If your laptop is stored in an overhead bin, it should be within your direct line of sight.
Set up an encrypted directory and save sensitive files to the encrypted folder. Newer laptop images have forced encryption on everything in the “My Documents” folder.
Use cable locks to secure your laptop - even within IRS-controlled facilities. Laptops may be locked in a cabinet or desk for additional protection overnight
Never leave your laptop in your vehicle overnight!! Not even in your trunk, in the driveway, or in the garage
Enable the password/PIN function on your cell phone
FY09 Trends & Protection Guidelines… Loss/Theft - Hardcopy Loss
FY09 Trend: Loss of hardcopy SBU/PII data accounted for 48% of all losses/thefts and is comprised of:
• UPS shipping
• Losses within IRS facilities
• Other hard copy loss, e.g. residence, vehicle, public transportation
Protection Guidelines
When transmitting PII in paper or removable media format by mail or through a carrier, employees are required to do so in a manner that ensures it does not become misdirected or disclosed to unauthorized personnel.
IRM Reference for Form 3210: 3.13.62.7.1
Use Small Package Carrier (e.g. UPS) when shipping PII
Use US Postal Service to mail documents to the taxpayer
Use Form 3210, Document Transmittal to track mail and shipments
...Key Security Preventative TIPS Loss/Theft – Shipping Loss
Do not use “Sensitive Contents” labels on PII packages; leaving them off reduces the temptation for theft.
Securely package PII contents prior to shipping:
• Use undamaged packaging materials
• Double wrap or double box all materials
• Place address labels on both inside and outside packages
When shipping via United Parcel Service (UPS), monitor the package during shipment using the basic tracking number provided by UPS and confirm receipt.
Set and monitor timelines for transmittal acknowledgement – within 7 days.
For internal IRS shipments, use a document receipt to verify that confidential material has been properly received. If sender, initiate Form 3210; if recipient, complete and return Form 3210.
Scenarios
Scenario 1: Incorrectly Stuffed Envelope
A Revenue Agent (RA)/ Correspondence Examination Technician (CET) was working several cases and preparing letters to be sent to taxpayers and their representatives. The RA/CET prepared a letter for case 1 to send to POA “A” on behalf of Mr. and Mrs. Jones. The RA/CET then moved on to case 2 and prepared a report to send to POA “B”, Mr. and Mrs. Smith’s representative. The RA/CET packaged up the documents for mailing, addressed the envelopes and moved on to other case work. Two days later, POA “A” called to say he had received the report for Mr. and Mrs. Smith, and he does not represent them.
Which of the following are True statements about this scenario?
A. This is not a disclosure
B. This is a disclosure
C. Prior to sealing envelope, RA/CET should have checked contents
D. RA/CET should have completed case 1 prior to moving to case 2
See Notes for Answers
Scenario 2: Incorrectly Stuffed Envelope
A Tax Compliance Officer (TCO) was preparing a report to send to a taxpayer. The report was sent to the network printer, promptly retrieved and put in an envelope for mailing. 3 days later, the taxpayer called to say that they had received additional documents of another taxpayer.
Which of the following are True statements about this scenario?
A. This is not a disclosure
B. This is a disclosure
C. Prior to sealing envelope, TCO should have checked the documents retrieved from the printer to verify pages were only for this taxpayer
See Notes for Answers
Scenario 3: Incorrect Addressee
A Revenue Officer (RO)/ Tax Examining Technician (TET) researched the address of a taxpayer, found a newer address on Accurint, and mailed a letter to the address. The individual at the address opened the letter believing it was for her since it was her maiden name. Upon opening the letter, the individual realized the letter was for someone else.
Which of the following are True statements about this scenario?
A. This is not a disclosure
B. This is a disclosure
C. The RO/TET should have verified the identity of the taxpayer using additional identifiers such as SSN and Date of Birth
See Notes for Answers
Reporting a Loss/Theft/Disclosure
Reporting a Disclosure/Loss/Theft
Within one hour of becoming aware of the inadvertent disclosure of sensitive information, or the loss or theft of a laptop, IT asset or hardcopy document containing sensitive information, you should report the incident to:
1. Your manager,
2. If it involves taxpayer correspondence, report it directly to the Notice Gatekeeper using the Servicewide Notice Information Program’s Erroneous Taxpayer Correspondence SNIP Reporting Form http://gatekeeper.web.irs.gov/errCPReport2.aspx This form has now been expanded to include electronic communication like faxes, transcripts and e-mails.
3. If it does not involve taxpayer correspondence (for example, a verbal disclosure, lost laptop, data disk or internal mail shipment), report it to the Computer Security Incident Response Center using the CSIRC Incident Reporting Form, or by calling 866.216.4809
4. If the incident involves the loss or theft of an IT asset or hardcopy data, contact TIGTA at 800.366.4484 (TTY/TDD 1-800-877-8339), http://www.treas.gov/tigta/contact_report.shtml
When calling TIGTA, always secure a TIGTA reference number.
5. Local Law Enforcement, as appropriate
Reporting a Disclosure/Loss/Theft
Situations that are not to be reported to SNIP or CSIRC:
Example 1: An IRS employee follows all procedures to verify the identity of a caller before disclosing any information, only to later find they are not talking to the taxpayer or the taxpayer’s authorized representative. The employee terminates the call at that point without disclosing any further information.
Example 2: An IRS employee faxes return information as requested by a taxpayer or authorized representative. The employee follows all established procedures for faxing sensitive information, only to later find that the fax number given to them by the taxpayer or authorized representative was incorrect.
Example 3: IRS employees follow all established procedures for locating a potential new address for a taxpayer, and a letter is generated to that address in an attempt to contact the taxpayer. A person who receives the correspondence at that address contacts the IRS and says they are not the taxpayer.
Example 4: The IRS sends correspondence to the last known address of a taxpayer. A person who receives the correspondence at that address contacts the IRS to say the taxpayer does not live there.
Reporting a Disclosure/Loss/Theft
The timely reporting of all information losses or thefts is critical so that any needed investigation can be initiated quickly, which can decrease/mitigate the possibility that the information will be compromised and used to perpetrate identity theft or other forms of fraud. Refer to IRM 10.5.3.6 - Reporting Losses, Thefts and Disclosures of Sensitive Information.
If you see indications of an intentional unauthorized disclosure, the incident must be reported to TIGTA. See IRM 11.3.1.6(2) and IRM 11.3.38.6.1(1).
Security Awareness for Employees II (S.A.F.E. II)
Please email the SB/SE Security PMO with any questions at: *SBSE Security