SB/SE Security Awareness for Employees II (S.A.F.E. II)

SB/SE Security Awareness for Employees II (S.A.F.E. II) Version 1.14, April 2010 FISMA Year 2010 ELMS # 30907


Transcript of SB/SE Security Awareness for Employees II (S.A.F.E. II)

Page 1: SB/SE Security Awareness for Employees II (S.A.F.E. II)

SB/SE Security Awareness for Employees II (S.A.F.E. II)

Version 1.14, April 2010

FISMA Year 2010

ELMS # 30907

Page 2: SB/SE Security Awareness for Employees II (S.A.F.E. II)

S.A.F.E. II Table of Contents

• Introduction to S.A.F.E. II
• What is SBU or PII Data?
• Disclosure/Loss/Theft Incident Analysis and Trends
• Trends/Protection Guidelines and Key Security Preventative TIPS
• Scenarios
• Reporting a Disclosure/Loss/Theft

Page 3: SB/SE Security Awareness for Employees II (S.A.F.E. II)


Introduction – What is your responsibility?

As with all Federal agencies, IRS employees and managers have a responsibility to safeguard Sensitive But Unclassified (SBU) and Personally Identifiable Information (PII).

The IRS must safeguard tax, financial and personal information regarding taxpayers, fellow employees and other individuals.

You must protect any information that, if lost or disclosed, could:
• Violate a person’s privacy
• Put a person at risk for identity theft
• Compromise the integrity of the tax administration process

Loss, theft or disclosure of sensitive information places taxpayers and others at serious risk for identity theft and erodes the public’s confidence in the IRS.

Page 4: SB/SE Security Awareness for Employees II (S.A.F.E. II)


…Introduction – What is S.A.F.E. II?

S.A.F.E. II was developed to keep the topic of safeguarding taxpayer data and other SBU/PII data foremost in the minds of SBSE employees.

Last year we conducted S.A.F.E. briefings to reinforce safeguarding policies, procedures, and requirements, and we provided all employees with reference materials and preventative tips to assist in the protection of both government equipment and sensitive data.

This awareness and training briefing provides employees with the current loss and disclosure trends and key tips and actions for lowering these incidents.

Exercising the same care in handling, securing and protecting data in your possession as you would your own personal information and valuables is a simple way to reduce the number of loss or disclosure incidents.

Page 5: SB/SE Security Awareness for Employees II (S.A.F.E. II)


To begin, what is SBU or PII Data?

SBU data refers to sensitive but unclassified information originating within IRS offices. Sensitive information (including tax and tax-related information) is any information which if lost, stolen, or altered without proper authorization, may adversely affect Service operations (IRM 10.2.13.3).

PII is a specific type of SBU information. PII includes the personal data of taxpayers, and also the personal information of employees, contractors, applicants, and visitors to the IRS.

Failure to protect PII could result in disciplinary action for employees and managers (IRM 10.2.13.3.1(1) provides examples of PII).

Page 6: SB/SE Security Awareness for Employees II (S.A.F.E. II)

Disclosure/Loss/Theft Incident Analysis and Trends

Page 7: SB/SE Security Awareness for Employees II (S.A.F.E. II)

Did you know? ………….

Unintentional/Inadvertent Disclosure Definition

Disclosure is making known in any way:

• Unintentional or inadvertent unauthorized disclosures of sensitive data, including but not limited to federal tax returns or return information, Privacy Act Information, Bank Secrecy Act information, Trade Secrets Act information, Financial Right to Privacy Act information, Grand Jury information, and other sensitive information except as provided for by statute
• Sensitive data may include infrastructure/configuration data
• Includes personally identifiable information (PII) of individuals, including personnel and job applicant information.

Loss/Theft Definition

Lost or stolen:

• IT equipment, such as: computers, laptops, routers, removable media, CD/DVD, flash drive, floppies, cell phones, or wireless/air cards
• Hardcopy records
• Packages lost during shipment

Page 8: SB/SE Security Awareness for Employees II (S.A.F.E. II)

Did you know? ………….

47% of all FY09 SB/SE incidents resulted from procedural deviation

59% of those incidents resulted in disclosure

34% of all FY09 SB/SE incidents resulted from human error

33% of those incidents resulted in disclosure

14% of all FY09 SB/SE incidents resulted from loss and theft of IT equipment

5% of all FY09 SB/SE incidents resulted from other reported incidents such as recovered loss and method not stated


Page 9: SB/SE Security Awareness for Employees II (S.A.F.E. II)

IRS Disclosure/Loss/Theft of IT Assets and Data, FY07 through FY09

[Bar chart: number of incidents by type and fiscal year]

Type: FY-2007, FY-2008, FY-2009
Loss: 190, 375, 392
Theft: 165, 98, 109
Disclosure: 30, 100, 1871

Between 2007 and 2009, the IRS experienced more than 3,150 incidents of loss, theft or disclosure of IT assets or data. This chart shows the breakdown between each type of incident.

During 2009 loss/theft incidents had a slight increase (6%). The total number of disclosures in 2009 increased at an alarming rate to more than 1,800.

‒ This increase can largely be attributed to a change in the reporting requirements for inadvertent disclosures, which may not have been captured by CSIRC in the past, as well as increased employee awareness as the result of outreach and education efforts.

CSIRC Loss/Theft/Disclosure Reporting does not include UNAX violations and investigations.

Source: Statistics provided by Office of DC-Operations Support, Privacy – Information Protection and Data Security, Privacy & Information Protection, Incident Management

Page 10: SB/SE Security Awareness for Employees II (S.A.F.E. II)

SB/SE versus IRS Disclosure/Loss/Theft FY07 through FY09

[Three bar charts: IRS versus SB/SE incidents by fiscal year]

Loss: FY07 (30%), FY08 (35.5%), FY09 (24%)
IRS Loss: 190, 375, 392
SB/SE Loss: 57, 137, 94

Theft: FY07 (6%), FY08 (14%), FY09 (27.5%)
IRS Theft: 165, 98, 109
SB/SE Theft: 10, 14, 30

Disclosure: FY07 (3.3%), FY08 (16%), FY09 (18.8%)
IRS Disclosure: 30, 100, 1871
SB/SE Disclosure: 1, 16, 351

(%) SBSE percentage of total IRS incidents

Page 11: SB/SE Security Awareness for Employees II (S.A.F.E. II)

Correcting the top 7 Disclosure Types of Incidents will address 63% of all SB/SE FY09 Disclosures

Number of Disclosures (351) by Incident Type for SB/SE in FY09

[Horizontal bar chart: incident types and counts]

No POA/POA Years: 39
Fax: 38
Incorrect addressee: 36
Incorrect address: 30
Multi-stuffing, multi-page: 29
SSN/Name mismatch: 28
Preprinted form: 20
SSN/EIN/TIN entry error: 17
Misrepresentation by contact: 14
Email internal: 13
Other Disclosure (method not stated): 13
3rd Party - Other than taxpayer: 12
Hard copy handling: 10
More information than allowed: 9
Procedural deviation: 9
Unencrypted email: 8
Lost Docs within IRS, improper mailing: 7
Lost Docs via UPS reported disclosure: 7
Lost Docs within IRS: 5
Other: 4
3rd Party - Didn't sign/prepare return: 2
PII in garbage/improper disposal: 1

Type of Incident: Examples

No POA/POA years: No POA or No POA for year(s) in question
Fax: Incorrect fax number entered
Incorrect addressee: Mail sent to person with similar name
Incorrect address: Mail sent to address other than address of record, or trace address not updated
Multi-stuffing, multi-page: Multiple taxpayers' data included in same envelope
SSN/Name mismatch: SSN for a sibling or child
Pre-printed form: Form used for another taxpayer without updating all fields and pages with intended taxpayer’s data

Page 12: SB/SE Security Awareness for Employees II (S.A.F.E. II)

Correcting the top 4 Loss/Theft Types of Incidents will address 85% of all SB/SE FY09 Losses/Thefts

Number of Loss/Theft (124)

[Horizontal bar chart: incident types and counts]

IT Equipment Loss: 35
IT Equipment Theft: 30
Lost Documents UPS, reported as Loss: 24
Lost Documents within IRS: 17
Lost Documents within IRS -- improper mailing: 7
Hard copy handling: 3
PII in garbage/improper disposal: 3
Recovered Loss no Disclosure: 2
Incorrect address: 1
Multi-stuffing, multi-page: 1
Other: 1

Type of Incident: Examples

IT Equipment Loss: Lost air card, cell phone
IT Equipment Theft: Stolen laptop
Lost Documents UPS, reported as loss: Lost during shipping and package unable to be located
Lost Documents within IRS: Lost documents in mailroom

Page 13: SB/SE Security Awareness for Employees II (S.A.F.E. II)

Loss/Theft and Disclosure by SB/SE OU’s in FY09

(#) Total Number of Incidents

Page 14: SB/SE Security Awareness for Employees II (S.A.F.E. II)

Without immediate action, we are on a trajectory to have 6 times more Disclosures in FY10 than in FY09

[Chart: Disclosures FY09 vs. FY10 Trend, by month (Oct through Sep). Series: FY10 Disclosures (Trend to 2249); FY09 Disclosures (351)]

[Chart: Loss/Theft FY09 vs. FY10 Trend, by month (Oct through Sep). Series: FY10 Loss/Theft (Trend to 147); FY09 Loss/Theft (124)]

FY10 Disclosure trend is based on Oct-Dec 2010 (75 incidents)

FY10 Loss/Theft trend is based on Oct-Dec 2010 (30 losses)

Page 15: SB/SE Security Awareness for Employees II (S.A.F.E. II)

FY09 Trends & Protection Guidelines

Key Security Preventative TIPS

Page 16: SB/SE Security Awareness for Employees II (S.A.F.E. II)


FY09 Trends & Protection Guidelines… Disclosure – 3rd Party Permissible Disclosure

Protection Guidelines

3rd Party permissions can work in 4 different ways as listed in the following table:

FY09 Trend: 15% of inadvertent disclosures were due to 3rd party permissions that were not verified and/or not current.

Type Guidelines

Checkbox Designee - 2

• Checkbox authorizations are made directly on the tax form 720, 941, 941PR, 941SS, 1040, 1041, 1120, 2290 and CT-1
• Not permissible for collection or examination proceedings
• Only valid for the period of one year from the due date of the return.
• Checkbox designees cannot be contacted by RAs/ROs to schedule the initial appointment

Written consents or tax information authorizations (TIAs) 

• Written consents, such as tax information authorizations, permit access to returns and return information by the designee

• Does not grant the power to represent the taxpayer before the IRS. For example, while he or she is granted permission to have a copy of a Revenue Agent’s Report of Adjustments, the holder of a Tax Information Authorization (TIA) may not dispute any of the adjustments found in the report.

http://mysbse.web.irs.gov/CLD/GLD/Disclosure/Reference/HotTopics/POA/3002.aspx

Page 17: SB/SE Security Awareness for Employees II (S.A.F.E. II)


FY09 Trends & Protection Guidelines… Disclosure – 3rd Party Permissible Disclosure Continued

Type Guidelines

Oral Consent

• Take appropriate steps to verify that person is indeed the taxpayer – at a minimum, follow the guidance in IRM 11.3.2.3.2 to authenticate identity 

• Be sure to fully document in your case file the actions taken when the taxpayer gives you oral permission and when verifying the third party’s identity (oral consent can only be accepted to resolve a federal tax matter)

Power of Attorney

Power of Attorney IRS Form 2848

• Authorizes a third party to represent the taxpayer before the IRS.
• Only individuals can be named to represent the taxpayer
• They must be part of a specifically authorized category of representative sanctioned by regulation.
• They must be specifically designated by the taxpayer via a properly completed Power of Attorney.

Non-IRS Powers of Attorney

• Individuals may use a non-IRS durable power of attorney as long as it contains all of the information required by regulation
• Must include language that authorizes the designee to handle federal tax matters.

http://mysbse.web.irs.gov/CLD/GLD/Disclosure/Reference/HotTopics/POA/3021.aspx

Page 18: SB/SE Security Awareness for Employees II (S.A.F.E. II)


…Key Security Preventative TIPS Disclosure – Power of Attorney (POA)

Understand the different types of permissible 3rd party authorizations and the information allowed to be disclosed under each

Keep the Quick Guide* from Disclosure for a chart that identifies permissible disclosures based on the taxpayer designee type

All discussions of tax matters must be held only with someone named on the POA and for the year(s) covered by that POA, Form 2848

Verify there is a valid Power of Attorney (POA) on file before disclosing any information

POAs must be held by individuals

Non-IRS POAs may be used given that it is clearly stated on the POA that the designee has rights to federal tax information

POAs must be on file for the year(s) in question

Some acts must be specifically authorized, e.g. receive and endorse a refund check, substitute a representative

*A Quick Guide to the Powers of Attorney and Tax Information Authorizations can be found at: http://mysbse.web.irs.gov/CLD/GLD/Disclosure/Reference/HotTopics/POA/7486.aspx

Page 19: SB/SE Security Awareness for Employees II (S.A.F.E. II)


FY09 Trends & Protection Guidelines… Disclosure – Fax, Multi-Stuffing and Pre-Printed Forms

FY09 Trend: Inadvertent disclosures occurring during routine activities account for 46% of all SB/SE disclosures and include key errors such as:
• Misdirected Faxes
• Double-stuffing, stuffing envelopes incorrectly
• Different party’s information on a pre-printed form (a.k.a. pattern correspondence)

Protection Guidelines

For faxing - use a cover sheet with the recipient’s name, number of pages and Notice of Disclosure – no confidential information on cover page
• Fax the cover sheet in the order in which the cover sheet is the first page covering the faxed correspondence (IRM Reference: 11.3.1.10).

Cover sheet template link:

http://core.publish.no.irs.gov/forms/internal/pdf/23436c07.pdf

Wherever possible, pattern correspondence templates should be saved without confidential information

Page 20: SB/SE Security Awareness for Employees II (S.A.F.E. II)


…Key Security Preventative TIPS Disclosure – Fax, Multi-Stuffing and Pre-Printed Forms

Do not use the redial button on the fax machine

Before hitting the “Send” button - take the time to double check the fax number you just entered

Before sealing envelope, verify only ONE taxpayer’s documentation is in the envelope

Work one case file at a time to prevent documents becoming mixed between cases

For pattern correspondences/pre-printed forms:
• Use a new template letter or document
• Remove references to other taxpayers
• Take a second look at the correspondence for accuracy

Page 21: SB/SE Security Awareness for Employees II (S.A.F.E. II)


FY09 Trends & Protection Guidelines… Disclosure – Incorrect Addressee, Address, SSN/Name Mismatch

FY09 Trend: 27% of inadvertent disclosures were due to incorrect addressee, address and SSN/Name mismatch

Disclosures resulting from incorrect addressee or address and SSN and Name mismatch:
• Addressee is a different taxpayer
• Address is incomplete or similar to another case
• Recipient of correspondence has the same name, but different SSN
• Address obtained from Accurint was not for the same person for which the correspondence was intended

Protection Guidelines

Conduct a Mail Trace using e-Discovery and/or Accurint to verify the name and address match the SSN/EIN/TIN you are processing

Page 22: SB/SE Security Awareness for Employees II (S.A.F.E. II)


…Key Security Preventative TIPS Disclosure – Incorrect Addressee, Address, SSN/Name Mismatch

Taking a few simple precautions can greatly reduce these incidents:

When using Accurint, be sure to:

Use Accurint guide to optimize searches

Redact all identifying information that does not relate to the taxpayer in question based upon how it appears in the IRS address of record

Remove other SSNs listed with taxpayer names

Verify taxpayer using identifiers other than name (such as DOB, SSN)

Accurint QRG: http://rnet.web.irs.gov/docs/pdfs/accurint_qrg.pdf

Redacting Choicepoint and Accurint: http://mysbse.web.irs.gov/CLD/GLD/Disclosure/Office/Guidance/Dispatch/3425.aspx

Page 23: SB/SE Security Awareness for Employees II (S.A.F.E. II)


Other Key Security Preventative TIPS Disclosure

Good disclosure decisions use the CAP process:
• Be sure Code (C) allows the disclosure,
• that you have the authority (A) to make the disclosure and
• that you follow the appropriate procedures (P) when making the disclosure.

Safeguard Paper Files
• Follow the Clean Desk Policy – do not leave confidential information unattended
• Securely lock paper documents containing sensitive information when not in use
• Protect documents while you are in the field as well as in the office by keeping them in a folder or placing a blank cover sheet on top

Misrepresentation of contact is often due to incomplete authentication of taxpayer or taxpayer’s Limited English Proficiency
• Required Taxpayer Authentication procedures should be followed as outlined in IRM 21.1.3.2.3 and 21.1.3.2.4
• Taxpayers may use their minor child as interpreter by giving verbal or written consent

CAP: http://mysbse.web.irs.gov/CLD/GLD/Disclosure/Reference/Basics/3131.aspx

Disclosure Awareness Pocket Guide: http://core.publish.no.irs.gov/docs/pdf/14784k08.pdf

General Disclosure Hot Topics: http://mysbse.web.irs.gov/CLD/GLD/Disclosure/Reference/HotTopics/default.aspx

Page 24: SB/SE Security Awareness for Employees II (S.A.F.E. II)

FY09 Trends & Protection Guidelines… Laptop Losses/Thefts

[Chart: SB/SE Laptop Highlights, Number of Lost/Stolen Laptops]

Note: Year-to-date data represents the period from Oct 1 to Dec 31

Page 25: SB/SE Security Awareness for Employees II (S.A.F.E. II)


FY09 Trends & Protection Guidelines…Loss/Theft – IT Assets

FY09 Trend: 52% of all SB/SE loss and theft incidents are related to IT asset loss and theft, which includes:
• Cell phones
• Laptops
• Media Cards, Thumb drives, printers, etc

Protection Guidelines

IRS laptops and other IT assets (e.g. air cards) shall never, under any circumstance, be stored in checked luggage while traveling, whether it is an international or a domestic flight.

Protect your passwords at all times. Passwords, smart cards or grid cards should be protected and shall not be stored on or with the laptop/cell phone.

Never leave your laptop unattended and/or unsecured!!

Page 26: SB/SE Security Awareness for Employees II (S.A.F.E. II)

...Key Security Preventative TIPS Loss/Theft – IT Assets

When possible place your laptop under the seat in front of you when traveling by plane, bus or train, rather than in an overhead bin where it is out of your sight.
• If your laptop is stored in overhead bin it should be within your direct line of sight

Set up an encrypted directory and save sensitive files to an encrypted folder
• Newer laptop images have forced encryption on everything in the “My Documents” folder

Use cable locks to secure your laptop - even within IRS-controlled facilities. Laptops may be locked in a cabinet or desk for additional protection overnight

Never leave your laptop in your vehicle overnight!! Not even in your trunk, in the driveway, or in the garage

Enable the password/PIN function on your cell phone

Page 27: SB/SE Security Awareness for Employees II (S.A.F.E. II)


FY09 Trends & Protection Guidelines… Loss/Theft - Hardcopy Loss

FY09 Trend: Loss of hardcopy SBU/PII data accounted for 48% of all losses/thefts and is comprised of:
• UPS Shipping
• Losses within IRS Facilities
• Other hard copy loss, e.g. residence, vehicle, public transportation

Protection Guidelines

When transmitting PII in paper or removable media format by mail or through a carrier, employees are required to do so in a manner that ensures it does not become misdirected or disclosed to unauthorized personnel.

IRM Reference for Form 3210: 3.13.62.7.1

Use Small Package Carrier (e.g. UPS) when shipping PII

Use US Postal Service to mail documents to the taxpayer

Use Form 3210, Document Transmittal to track mail and shipments

Page 28: SB/SE Security Awareness for Employees II (S.A.F.E. II)


...Key Security Preventative TIPS Loss/Theft – Shipping Loss

Do not use “Sensitive Contents” labels on PII packages – decreases temptation for theft.

Securely package PII contents prior to shipping
• Use undamaged packaging materials
• Double wrap or double box all materials. Place address labels on both inside and outside packages

When shipping via United Parcel Service (UPS)
• Monitor the package during shipment using the basic tracking number provided by UPS and confirm receipt
• Set and monitor timelines for transmittal acknowledgement – within 7 days

For internal IRS shipments, use a document receipt to verify that confidential material has been properly received
• If sender, initiate Form 3210; if recipient, complete and return Form 3210

Page 29: SB/SE Security Awareness for Employees II (S.A.F.E. II)

Scenarios

Page 30: SB/SE Security Awareness for Employees II (S.A.F.E. II)


Scenario 1: Incorrectly Stuffed Envelope

A Revenue Agent (RA)/ Correspondence Examination Technician (CET) was working several cases and preparing letters to be sent to taxpayers and their representatives. The RA/CET prepared a letter for case 1 to send to POA “A” on behalf of Mr. and Mrs. Jones. The RA/CET then moved on to case 2 and prepared a report to send to POA “B”, Mr. and Mrs. Smith’s representative. The RA/CET packaged up the documents for mailing, addressed the envelopes and moved on to other case work. Two days later, POA “A” called to say he had received the report for Mr. and Mrs. Smith, and he does not represent them.

Which of the following are True statements about this scenario?

A. This is not a disclosure

B. This is a disclosure

C. Prior to sealing envelope, RA/CET should have checked contents

D. RA/CET should have completed case 1 prior to moving to case 2

See Notes for Answers

Page 31: SB/SE Security Awareness for Employees II (S.A.F.E. II)


Scenario 2: Incorrectly Stuffed Envelope

A Tax Compliance Officer (TCO) was preparing a report to send to a taxpayer. The report was sent to the network printer, promptly retrieved and put in an envelope for mailing. 3 days later, the taxpayer called to say that they had received additional documents of another taxpayer.

Which of the following are True statements about this scenario?

A. This is not a disclosure

B. This is a disclosure

C. Prior to sealing envelope, TCO should have checked the documents retrieved from the printer to verify pages were only for this taxpayer

See Notes for Answers

Page 32: SB/SE Security Awareness for Employees II (S.A.F.E. II)


Scenario 3: Incorrect Addressee

A Revenue Officer (RO)/ Tax Examining Technician (TET) researched the address of a taxpayer, found a newer address on Accurint, and mailed a letter to the address. The individual at the address opened the letter believing it was for her since it was her maiden name. Upon opening the letter, the individual realized the letter was for someone else.

Which of the following are True statements about this scenario?

A. This is not a disclosure

B. This is a disclosure

C. The RO/TET should have verified the identity of the taxpayer using additional identifiers such as SSN and Date of Birth

See Notes for Answers

Page 33: SB/SE Security Awareness for Employees II (S.A.F.E. II)

Reporting a Loss/Theft/Disclosure

Page 34: SB/SE Security Awareness for Employees II (S.A.F.E. II)


Reporting a Disclosure/Loss/Theft

Within one hour of becoming aware of the inadvertent disclosure of sensitive information, or the loss or theft of a laptop, IT asset or hardcopy document containing sensitive information, you should report the incident to:

1. Your manager,

2. If it involves taxpayer correspondence, report it directly to the Notice Gatekeeper using the Servicewide Notice Information Program’s Erroneous Taxpayer Correspondence SNIP Reporting Form http://gatekeeper.web.irs.gov/errCPReport2.aspx This form has now been expanded to include electronic communication like faxes, transcripts and e-mails.

3. If it does not involve taxpayer correspondence (for example, a verbal disclosure, lost laptop, data disk or internal mail shipment), report it to the Computer Security Incident Response Center using the CSIRC Incident Reporting Form, or by calling 866.216.4809

4. If the incident involves the loss or theft of an IT asset or hardcopy data, contact TIGTA at 800.366.4484. (TTY/TDD 1-800-877-8339) http://www.treas.gov/tigta/contact_report.shtml

When calling TIGTA, always secure a TIGTA reference number.

5. Local Law Enforcement, as appropriate

Page 35: SB/SE Security Awareness for Employees II (S.A.F.E. II)

Reporting a Disclosure/Loss/Theft

Situations that are not to be reported to SNIP or CSIRC:

Example 1:

An IRS employee follows all procedures to verify the identity of a caller before disclosing any information, only to later find they are not talking to the taxpayer or the taxpayer’s authorized representative. The employee terminates the call at that point without disclosing any further information.

Example 2: An IRS employee faxes return information as requested by a taxpayer or authorized representative. The employee follows all established procedures for faxing sensitive information, only to later find that the fax number given to them by the taxpayer or authorized representative was incorrect.

Example 3: IRS employees follow all established procedures for locating a potential new address for a taxpayer, and a letter is generated to that address in an attempt to contact the taxpayer. A person who receives the correspondence at that address contacts the IRS and says they are not the taxpayer.

Example 4: The IRS sends correspondence to the last known address of a taxpayer. A person who receives the correspondence at that address contacts the IRS to say the taxpayer does not live there.

Page 36: SB/SE Security Awareness for Employees II (S.A.F.E. II)

Reporting a Disclosure/Loss/Theft

The timely reporting of all information losses or thefts is critical so that any needed investigation can be initiated quickly, which can decrease/mitigate the possibility that the information will be compromised and used to perpetrate identity theft or other forms of fraud.
• Refer to IRM 10.5.3.6 - Reporting Losses, Thefts and Disclosures of Sensitive Information
• If you see indications of an intentional unauthorized disclosure, the incident must be reported to TIGTA. See IRM 11.3.1.6(2) and IRM 11.3.38.6.1(1).

Page 37: SB/SE Security Awareness for Employees II (S.A.F.E. II)


Security Awareness for Employees II (S.A.F.E. II)

Please email the SB/SE Security PMO with any questions at: *SBSE Security