Coordinating Safeguards within an Agency

Because of the diverse purposes that authorized disclosures may be made to an agency and the division of responsibilities among different components of an agency, FTI may be received and used by several quasi-independent units within the agency’s organizational structure. Where there is such a dispersal of FTI, the agency must

centralize safeguarding responsibilities to the greatest extent practical and establish and maintain uniform safeguard standards consistent with IRS guidelines. The official(s) assigned these responsibilities must hold a position high enough in the agency’s

procedures. The selected official(s) must also be responsible for ensuring that internal inspections are conducted, for submitting required safeguard reports to the IRS, for properly reporting any data breach incidents, and for any necessary liaison with the IRS. 2.6 Safeguard Reviews

A safeguard review is an on-site evaluation of the use of FTI and the measures employed by the receiving agency to protect the data.

This includes FTI received from the IRS, the SSA, or other agencies. Safeguard reviews are conducted to determine the adequacy of safeguards as opposed to evaluating an agency’s programs. IRS regularly conducts on-site reviews of agency safeguards. Several factors will be considered when determining the need for and the frequency of reviews. Reviews are conducted by the Office of Safeguards within the Office of

Privacy, Governmental Liaison, and Disclosure. 2.7 Conducting the Review

The IRS initiates the review by communication with an agency point of contact (POC). The preliminary discussion will be followed by a formal engagement letter to the agency head, giving official notification of the planned safeguard review.

The engagement letter outlines what the review will encompass; for example, it will include a list of records to be reviewed (e.g., training manuals, flowcharts, awareness program documentation, and organizational charts relating to the processing of FTI), the scope and purpose of the review, a list of the specific areas to be reviewed, and agency personnel to be interviewed.

Reviews cover the requirements of IRC 6103(p)(4):

 Section 3.0, Record Keeping Requirement

 Section 4.0, Secure Storage—IRC 6103(p)(4)(B)

 Section 5.0, Restricting Access—IRC 6103(p)(4)(C)

 Section 6.0, Other Safeguards—IRC 6103(p)(4)(D)

 Section 7.0, Reporting Requirements—6103(p)(4)(E)

 Section 8.0, Disposing of FTI—IRC 6103(p)(4)(F)

 Section 9.0, Computer System Security

The on-site review officially begins at the opening conference where procedures and parameters will be communicated. Observing actual operations is a required step in the review process. Agency files may be spot-checked to determine if they contain FTI. The actual review is followed by a closing conference and issuance of a Preliminary

Findings Report (PFR) where the agency is informed of findings identified during the review. A Safeguard Review Report (SRR) and Corrective Action Plan (CAP) will be issued to document the on-site review findings within 45 days of the closing conference.

The agency has 14 days to review the SRR and contact the Office of Safeguards with requests for corrections or clarification. After the review period, the report will become final. Requests for corrections or clarification to the SRR must be emailed to the

[email protected] mailbox. If the requested corrections are accepted, the Office of Safeguards will re-issue the SRR.

Table 1 – Safeguard Review Cycle

Action Notice Time Frame Note

Preliminary Discussion

Primary Point of Contact from last review

*120 days ahead of review

*Dates are approximate for the preliminary discussion and engagement letter. These dates may be closer to the actual review date. Engagement Letter Submitted to agency head *120 to 30 days in advance of review Opening Conference At HQ with agency head, department heads, and IT staff

Day 1 of review 9:00 a.m.

Opening conference will summarize the review. On-Site Review Visit to various departments where FTI is located

2 to 3 days Additional days may be needed as required. Closing Conference with Preliminary Findings Report At HQ with agency head and department heads Last day of review; will leave PFR for agency

Agency can start working on the findings but wait until the CAP cycle to report corrective actions.

This may be a soft (preliminary) closing if there are additional sites or devises to review.

Final Report Submitted to agency head

Prepared within 45 days after closing conference

The agency has 14 days to review the SRR and contact the Office of Safeguards with requests for

corrections or clarification. After the review period, the report will

become final. Attachments are required for significant and catastrophic findings.

Action Notice Time Frame Note CAP

Submissions

Report on any corrective action still open from the final report

Submitted semi- annually

Responses must include a status of finding and an actual numerical date of when the planned or actual correction action is taken to

address the finding. Subsequent CAP responses are required for all open findings. Documentation is required for significant findings.

SSR

Submission

Initially report procedures established to protect FTI received from the IRS;

reports yearly actions taken to protect FTI and any updates in

procedures

Submitted annually

Yearly update to the document will be accompanied by a certification of accuracy by agency head.