Safeguard Computer Security Evaluation Matrix (SCSEM)

Release v2.0
July 30, 2010

Agency: Insert agency name and type
DES:      Insert name of DES who completed the review
Date:     Insert date(s) review occurred
Location: Insert Location review was conducted, i.e., data center, field office, alternate storage site
Agency POC(s): Insert agency interviewee(s) name, title
The dashboard is provided to automatically calculate disclosure test results
from the individual locations.

Dashboards: SDSEM Results Dashboard (all locations), Data Center SDSEM Results Dashboard, Head Quarters SDSEM Results Dashboard, Off Site Storage SDSEM Results Dashboard, Field Office SDSEM Results Dashboard. All five share the layout below; the "# of Tests" cells are spreadsheet formulas that did not render in this extract (shown as #VALUE!), so every percentage reads 0.0%.

Status                       # of Tests   Percent (%)
Pass                         #VALUE!      0.0%
Fail                         #VALUE!      0.0%
Not Applicable (N/A)         #VALUE!      0.0%
Blank (Not Reviewed)         #VALUE!      0.0%
Total # of Tests Performed   #VALUE!      -
Total # of Tests Available   #VALUE!      -
                                                                  IRS Safeguards
                                              Safeguards Disclosure Security Evaluation Matrix (SDSEM)

                                                Instructions for Completing the SDSEM
          Agency Instructions:
          Upon receipt of the SDSEM, the agency point of contact(s) should complete Column J "Agency's Pre-review Answers" in each tab
          prior to the start of the Safeguard Review. The Agency IT POC should be involved in answering the "Data Center" and possibly the
          "Off Site Storage" tabs. The Agency may wish to list the title of any documentation or reports cited as evidence to support its
          answers; this will be useful for the IRS Disclosure Enforcement Specialist (DES) to reference when on-site with the Agency POC.
          The Agency should set aside all referenced evidence so that it can be provided to the DES when the site review is conducted.

          Column I "Pass / Fail" should not be filled out by the Agency. The IRS DES will determine the test result for each test case based on
          verification of the evidence during the Safeguard Review.

          The pre-populated SDSEM should be provided by the agency to the DES no later than 15 days prior to the on-site review kick-off.

          Head Quarters Tab: This section is designed around headquarters operations and the protection of FTI at the agency's headquarters
          or main building of operations. These questions can often be answered by the disclosure and physical security POCs.
          Field Office Tab: This section is intended to cover local offices and their protection of FTI. These questions should be answered by
          the head of the local field office.
          Data Center Tab: This section addresses security controls surrounding the operation and security of the agency- or state-run data
          center. These questions can often be answered by the agency/state IT data center office.
          Off Site Storage Tab: This section is specific to an off-site data storage location. These questions can often be answered by the
          personnel in charge of the off-site storage as well as headquarters and data center personnel.

          IRS Safeguards DES Reviewer Instructions:
          The DES is to execute the test cases in the appropriate tabs and document the results. The DES is required to complete the following
          columns: Column I "Pass/Fail" and Column K "IRS Comments/Supporting Evidence." See the Legend tab for information on
          completing these columns.




85901907-d61d-4d54-9a68-2e81241e0236.xls                              Instructions                                                                   4 of 78

          DES # - Column B: This is an optional column, not required to be completed as part of the Safeguard review. Its purpose is to allow
          the DES to customize the Test Cases tab by sorting the test cases within each IRC Category into the individual DES's normal order of
          test execution while on-site. The following steps show how to do this for IRC Section 6103(p)(4)(A) as an example:

          1. Insert a sequence number in Column B for each test case. This is the sequence in which you will execute each test within the
          section.
          2. Select the area to be sorted, in this case rows 3-36, columns A-J for each row.
          3. Go to "Data" --> "Sort".
          4. In the Sort dialog box, ensure the Sort By drop-down box reads Column B (so that it sorts on the DES #) and that Ascending is
          selected.
          5. Click OK.
          6. The rows will rearrange in the numerical order of the DES # column.
          7. To undo the sort, repeat steps 2, 3 and 4, but ensure the Sort By drop-down box reads Column A (to sort on Test ID), and click OK.

          Note: This must be done one section at a time. The gray IRC section headers cannot be selected as part of the area to sort, or the
          sort will not function properly.

          Pass/Fail - Column I: Determine whether the supporting evidence supports a Pass, Fail or N/A test result. If the control is marked as
          N/A, provide appropriate justification as to why the control is considered N/A. The cell will only accept the values P, F, or N/A.

          IRS Comments/Supporting Evidence - Column K: Include a supporting narrative that explains the evidence used to confirm whether the
          test case passed, failed or is not applicable. As evidence, at a minimum provide the following information for each assessment method:
          1. Interview - Name and title of the person providing the information, and the date the information was provided.
          2. Examination - Name, title, and date of the document referenced as evidence, and the section number where the pertinent
          information resides within the document (if possible).
          3. Test - A description of the condition observed during the test and the name and title of the agency person who assisted with the
          test execution.

          If Column I is marked 'N/A', an explanation of why the test is not applicable is needed in this column.
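          The Results Dashboard tallies Column I per location, and the instructions above fix two rules a reviewer can check mechanically: Column I accepts only P, F or N/A, and an N/A needs a justification in Column K. The following script is an added example, not part of the IRS workbook; it assumes the tab has been exported to rows of (Test ID, Column I, Column K), treats a cell holding anything other than P/F/N/A as "Blank (Not Reviewed)" while flagging it, and computes percentages against the total number of tests available (the dashboard itself does not state its denominator). The sample rows are constructed for the example.

```python
"""Tally SDSEM Column I results the way the Results Dashboard does and check the
Column I / Column K rules from the Instructions tab.

Added example, not code from the IRS SDSEM workbook.  Assumptions (not stated
in the workbook): rows are (Test ID, Column I "Pass/Fail", Column K "IRS
Comments/Supporting Evidence"); an invalid Column I value is counted as Blank
and reported; percentages use "Total # of Tests Available" as the denominator.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field

ACCEPTED = {"P", "F", "N/A"}  # the only values Column I is allowed to hold
BLANK = "Blank"               # "Blank (Not Reviewed)" on the dashboard


@dataclass
class Dashboard:
    counts: dict[str, int]       # P, F, N/A, Blank
    percent: dict[str, float]    # same keys, percent of tests available
    performed: int               # P + F + N/A
    available: int               # every test row on the tab
    findings: list[str] = field(default_factory=list)


def normalize(cell: str | None) -> str:
    """Trim and upper-case a Column I cell; an empty cell is Blank."""
    text = (cell or "").strip().upper()
    return BLANK if text == "" else text


def evaluate(rows) -> Dashboard:
    """rows: iterable of (test_id, column_i, column_k) tuples."""
    counts = Counter({"P": 0, "F": 0, "N/A": 0, BLANK: 0})
    findings: list[str] = []
    for test_id, column_i, column_k in rows:
        result = normalize(column_i)
        if result != BLANK and result not in ACCEPTED:
            # Assumption: a value the cell should have rejected is treated as
            # "not reviewed" so the totals still add up, and reported.
            findings.append(f"{test_id}: Column I value {column_i!r} is not P, F or N/A")
            result = BLANK
        if result == "N/A" and not (column_k or "").strip():
            findings.append(f"{test_id}: N/A without justification in Column K")
        counts[result] += 1
    available = sum(counts.values())
    performed = available - counts[BLANK]
    percent = {k: (100.0 * v / available if available else 0.0) for k, v in counts.items()}
    return Dashboard(dict(counts), percent, performed, available, findings)


# Constructed sample rows (not real review data): one of each situation.
SAMPLE_ROWS = [
    ("HQ1", "P", "Interview: J. Doe, Disclosure Officer, 2010-08-02"),
    ("HQ2", "p", "Examine: FTI receipt log, sec. 2, dated 2010-07-01"),
    ("HQ3", "F", "No acknowledgement returned to IRS; log not maintained"),
    ("HQ4", "N/A", "No mailroom handling; FTI arrives only via Secure Data Transfer"),
    ("HQ5", "N/A", ""),            # N/A without the required justification
    ("HQ6", "Pass", "Interview"),  # not one of P / F / N/A
    ("HQ7", "", ""),               # not reviewed
]


def format_dashboard(d: Dashboard) -> str:
    """Render the same rows the spreadsheet dashboard shows."""
    lines = [f"{'Status':<28}{'# of Tests':>12}{'Percent (%)':>14}"]
    labels = {"P": "Pass", "F": "Fail", "N/A": "Not Applicable (N/A)", BLANK: "Blank (Not Reviewed)"}
    for key, label in labels.items():
        lines.append(f"{label:<28}{d.counts[key]:>12}{d.percent[key]:>13.1f}%")
    lines.append(f"{'Total # of Tests Performed':<28}{d.performed:>12}{'-':>14}")
    lines.append(f"{'Total # of Tests Available':<28}{d.available:>12}{'-':>14}")
    return "\n".join(lines)


if __name__ == "__main__":
    dashboard = evaluate(SAMPLE_ROWS)
    print(format_dashboard(dashboard))
    for finding in dashboard.findings:
        print("FINDING:", finding)
```

          Run against a real export, the findings list is what the DES would clear before the dashboard is trusted: a row counted as Blank because of an invalid value inflates "Not Reviewed", and an N/A with no Column K narrative does not meet the evidence requirement above.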




FTI Extracts Received

For each extract type that applies: check all that apply; give the Form of Receipt (e.g., SDT, CyberFusion, ConnectDirect, or Other); explain the use of each extract; and state which internal and external organizations have access.

Child Support Agency - Extract Type
    IRS Taxpayer Address Request Master File Extract (l)(6)
    FMS Tax Refund Offset Program Extract (l)(10)
    Social Security Administration Wage Database Extract (l)(8)
    Other Extracts:

Human Services Agency - Extract Type
    DIFSLA (l)(7) Extract
    BEERS Extract
    Other Extracts:

Department of Revenue Agency or other "D" Agency - Extract Type
    1099-MISC
    Abusive Tax Transaction (ATAT)
    Appeals
    Business Master File (BMF)
    Business Return Transaction File (BRTF)
    Corporate Affiliations
    CP 2000
    Examination Operational Automation Database (EOAD)
    Exam
    Federal Employer Identification Number (FEIN)
    Individual Master File (IMF)
    Individual Return Transaction File (IRTF)
    Individual Returns Master File (IRMF)
    Individual Taxpayer Identification Number (ITIN)
    Levy
    Military Combat Zone (MCZ)
    Non-Itemizer
    Preparer Tax Identification Number (PTIN)
    Taxpayer Address Report (TAR)
    Other Extracts:

Federal Agency - Extract Type
    Describe Extracts:
Head Quarters Tab

Columns: Test ID | PUB 1075 Reporting Category | PUB 1075 REF | NIST ID | Test Objective | Test Steps | Assessment Method | Pass / Fail | Agency's Pre-review Answers | IRS Comments/Supporting Evidence

Each test case below is listed as Test ID | Reporting Category | PUB 1075 REF | NIST ID | Test Objective | Assessment Method, with the Test Steps on the following line(s). Pass / Fail, Agency's Pre-review Answers and IRS Comments/Supporting Evidence are blank in the template and are completed during the review.

IRC Section 6103(p)(4)(A)
HQ1   Record Keeping Requirements | 3.0 | PE-16 | Obtaining FTI | Interview
      How is FTI received (e.g., FedEx, UPS, USPO, or Secure Data Transfer such as Tumbleweed, ConnectDirect, CyberFusion, encrypted CD, TDS)?

HQ2   Record Keeping Requirements | 3.0 | PE-16 | Obtaining FTI | Interview
      What FTI (extracts) do you receive, and in what format do you receive it?

HQ3   Record Keeping Requirements | 3.0 | PE-16 | Obtaining FTI | Examine
      Is FTI receipt acknowledged electronically and returned to IRS? Is there an electronic or manual log?

HQ4   Record Keeping Requirements | 3.0 | PE-16 | Obtaining FTI: Mailroom | Interview/Examine
      Is FTI received in the mailroom? If so, is receipt acknowledged? Is the package logged in? Does the mailroom open the package?
      Is the package brought to another function? Does the other function sign the log?

HQ5   Record Keeping Requirements | 3.0 | MP-2 | Request for FTI | Interview
      If requests for FTI are made, how are they logged (Form 8796, TDS, ad-hoc requests)? Is the log compliant with IRS Publication 1075
      Section 3?

HQ6   Record Keeping Requirements | 3.0 | MP-2 | Request for FTI | Interview
      Are documents created from the FTI data (e.g., CDs, tapes, letters, reports)?

HQ7   Record Keeping Requirements | 3.0 | MP-2 | Request for FTI | Interview
      With whom are FTI-based products shared? Are logs kept, and are they compliant with Publication 1075, Section 3?

HQ8   Record Keeping Requirements | 3.0 | MP-2 | Receipt FTI Paper Reports | Interview/Examine
      If FTI is printed at the data center, to what functions is it distributed?

HQ9   Record Keeping Requirements | 3.0 | MP-2 | Receipt FTI Paper Reports | Interview/Examine
      Is paper FTI logged from receipt to destruction?

HQ10  Record Keeping Requirements | 3.0 | MP-5 | Electronic Media Containing FTI Processed | Interview
      Is electronic media (CDs/tapes) generated upon receipt?


HQ11  Record Keeping Requirements | 3.0 | MP-6 | Electronic Media Containing FTI Processed | Interview
      What electronic media (CDs/tapes) do you still have, and how are you planning disposal?

HQ12  Record Keeping Requirements | 3.0 | MP-5 | Electronic Media Containing FTI Processed | Interview
      Is electronic media (CDs/tapes) provided to a contracted State Agency or Contractor?

HQ13  Record Keeping Requirements | 3.0 | MP-5 | Electronic Media Containing FTI Processed | Interview
      What safeguard controls are in place when transmitting and processing electronic media (CDs/tapes) at a contracted state agency or
      contractor site?

HQ14  Record Keeping Requirements | 3.0 | MP-4 | Storage of IRS FTI electronic media | Interview
      Where is electronic media (CDs/tapes) stored before and after processing? At the Agency? At the Data Center? Is electronic media with
      FTI stored with other Agency data?

HQ15  Record Keeping Requirements | 3.2 | MP-2 | Electronic Files | Interview/Examine
      Is a log kept, or are transmittal documents retained? Is the log compliant with Publication 1075 Section 3? Documented receipt?
      Informal receipt? By whom: in-house, contractor, or outside of the Agency?

HQ16  Record Keeping Requirements | 3.2 | MP-2 | Electronic Files | Examine
      Are electronic media inventories performed? How often? What were the results of prior inventories?

HQ17  Record Keeping Requirements | 9.16 | SI-12 | Stored in the Media Library: Electronic Media Library: Procedures - File Retention Cycles | Examine
      Are file retention cycles documented and monitored to ensure destruction?

HQ18  Record Keeping Requirements | 9.6 | CP-9 | Stored in the Media Library: Electronic Media Library: Procedures - Data Backup | Interview
      How are data files backed up, by whom, and on what type of media (e.g., data center backup, agency programmer backup)?



HQ19  Record Keeping Requirements | 9.6 | CP-9 | Stored in the Media Library: Electronic Media Library: Procedures - Data Backup | Interview
      Is FTI commingled with other data on the backup tapes/media?

HQ20  Record Keeping Requirements | 9.6 | CP-9 | Stored in the Media Library: Electronic Media Library: Procedures - Data Backup | Interview
      Are backup tapes/media containing FTI labeled? Are backup tapes/electronic media (containing FTI) labeled in accordance with
      Publication 1075 section 5.6.10?

HQ21  Record Keeping Requirements | 9.16 | SI-12 | Stored in the Media Library: Electronic Media Library: Procedures - Retention | Interview
      What is the retention period of backup media, and how many generations of backup files exist at the same time?

HQ22  Record Keeping Requirements | 9.6 | CP-6, MP-4 | Stored in the Media Library: Electronic Media Library: Procedures - Retention | Interview/Examine
      Where are backup files stored? Are backup files stored off-site? If so, where?

HQ23  Record Keeping Requirements | 9.6 | CP-6, MP-4 | Stored in the Media Library: Electronic Media Library: Procedures - Retention | Interview/Examine
      How are files protected? Who has access to these files?

HQ24  Record Keeping Requirements | 9.6 | CP-6, MP-4 | Stored in the Media Library: Electronic Media Library: Procedures - Retention | Interview
      Are backup tapes logged so that they are tracked from creation to destruction?



HQ25  Record Keeping Requirements | 9.6 | CP-6, MP-4 | Stored in the Media Library: Electronic Media Library: Procedures - Retention | Interview
      How long are any and all FTI logs (request, receipt, destruction logs) retained?

HQ26  Record Keeping Requirements | 3.4 | CP-6, MP-4 | Converted Media | Interview
      Does the agency convert FTI from paper to electronic media (scanning) or from electronic media to paper (print screens or printed
      reports)? If so, is all converted FTI tracked on logs containing the data elements detailed in sections 3.2 and 3.3 of Publication 1075?

IRC Section 6103(p)(4)(B)

HQ27  Secure Storage | 4.3.2, 4.3.4 | PE-3 | Guards | Interview
      Guards: Contractor or Employee?

HQ28  Secure Storage | 4.3.2, 4.3.4 | PE-3 | Guards | Examine
      Guards: How many posts?  Main Entrance _____  Rear Entrance _____  Side Entrance _____  Outside _____  Inside _____

HQ29  Secure Storage | 4.3.2, 4.3.4 | PE-3 | Guards | Interview
      Guards: Hours on duty?

HQ30  Secure Storage | 4.3.12 | PE-6 | Alarms | Interview/Examine
      Electronic intrusion alarm system?

HQ31  Secure Storage | 4.3.12 | PE-6 | Alarms | Interview/Examine
      Motion detectors?

HQ32  Secure Storage | 4.3.12 | PE-6 | Alarms | Interview/Examine
      Emergency exit alarm?

HQ33  Secure Storage | 4.3.12 | PE-6 | Alarms | Interview
      Who monitors the various alarms?

HQ34  Secure Storage | 4.3.2 | PE-6 | Cameras (Outside/Inside) | Examine
      Where are they placed?

HQ35  Secure Storage | 4.3.2 | PE-6 | Cameras (Outside/Inside) | Examine
      How many cameras?

HQ36  Secure Storage | 4.3.2 | PE-6 | Cameras (Outside/Inside) | Interview
      Who monitors the various cameras?



HQ37  Secure Storage | 4.3.2 | PE-6 | Cameras (Outside/Inside) | Test
      Are cameras recording their view?

HQ38  Secure Storage | 4.3.2 | PE-6 | Cameras (Outside/Inside) | Interview/Examine
      How long are the recordings on electronic media (hard drive, DVR, tapes) maintained?

HQ39  Secure Storage | 4.3.2 | PE-6 | Access: Monitoring | Interview
      What controls are in place to monitor access control points to restricted areas (e.g., cameras, logs, real-time entry monitoring)?

HQ40  Secure Storage | 4.3.2 | PE-6 | Access: Monitoring | Interview
      How often are access control points monitored?

HQ41  Secure Storage | 4.3.2 | PE-2 | Access: Keys/Cards | Examine/Test
      What is used to control access from outside the facility: keys or an electronic access control system?

HQ42  Secure Storage | 4.3.10, 4.3.11 | PE-2 | Access: Keys/Cards | Examine/Test
      What is used to control access to secure areas (e.g., server room, data center) within the facility: keys or an electronic access
      control system?

HQ43  Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Examine
      Is a record maintained on the issuance of keys/key cards?  Buildings:  Offices:  Containers:

HQ44  Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Examine
      If so, how are records maintained (e.g., custody receipt/automated file)?  Buildings:  Offices:  Containers:

HQ45  Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Interview
      Who is responsible for issuance of keys/key cards?  Buildings:  Offices:  Containers:

HQ46  Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Interview
      Who has access to keys/key cards?  Buildings:  Offices:  Containers:



HQ47  Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Interview/Examine
      Are periodic reviews being conducted to reconcile records?  Buildings:  Offices:  Containers:
      When was the last review?

HQ48  Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Examine
      Is there a written policy on recovery of ID/keys/key cards after an employee leaves?

HQ49  Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Interview
      Are the locking mechanisms routinely checked for malfunctions?  Buildings:  Offices:  Containers:
      By whom? How often?

HQ50  Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Interview
      Who controls the duplicate keys for:  Buildings:  Offices:  Containers:

HQ51  Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Interview
      Are all employees given keys to:  Buildings:  Offices:  Containers:

HQ52  Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Interview/Examine
      What is the key reproduction policy?  Buildings:  Offices:  Containers:




HQ53 Secure Storage 4.3.10 PE-2 Access:              Who maintains the key to the cabinet(s)      Interview
                                  Keys/Cards         that contain electronic FTI?

                                                     Are there backup keys?

                                                     Where is the key kept during the day?

                                                     Where is the key kept at night?

                                                     How many keys are there in total?

HQ54 Secure Storage   4.3.10   PE-2 Access:          Who maintains the key to the cabinet(s)      Interview
                                    Keys/Cards       that contain paper FTI?

                                                     Are there backup keys?

                                                     Where is the key kept during the day?

                                                     Where is the key kept at night?

                                                     How many keys are there in total?

HQ55 Secure Storage   4.3.10   PE-2 Access:          Who maintains backup keys to cabinets       Interview
                                    Keys/Cards       that contain the IRS electronic media(s) or
                                                     FTI Reports?
HQ56 Secure Storage   4.3.10   PE-3 Access:          How often are door/safe combinations        Interview
                                    Combinations     changed?
HQ57 Secure Storage   4.3.10   PE-3 Access:          Who is responsible for changing the          Interview
                                    Combinations     combinations?
HQ58 Secure Storage   4.3.10   PE-3 Access:          Who has access to combinations?             Interview
                                    Combinations
HQ59 Secure Storage   4.3.10   PE-3 Access:          Who safeguards the combinations?            Interview
                                    Combinations
HQ60 Secure Storage   4.3.10   PE-3 Access:          How are combinations safeguarded?           Interview
                                    Combinations
HQ61 Secure Storage    4.3.2   PE-2 ID Cards         Are employees wearing the agency               Test
                                    (Badges)         authorized IDs?
HQ62 Secure Storage    4.3.2   PE-2 ID Cards         Are lost ID cards reported?                 Interview
                                    (Badges)
HQ63 Secure Storage    4.3.2   PE-2 ID Cards         How do employees enter the work area        Interview
                                    (Badges)         without an ID card?
HQ64 Secure Storage    4.3.2   PE-2 ID Cards         Is there a written policy on ID cards?      Examine
                                    (Badges)



HQ65 Secure Storage 4.3.2   PE-2 ID Cards             Are ID cards inventoried (i.e., automated,    Examine
                                 (Badges)             written down and placed in safe, etc.)?

HQ66 Secure Storage    4.3.2   PE-2 ID Cards          Who has access to ID Card/Badge               Interview
                                    (Badges)          inventory?
HQ67 Secure Storage    4.3.2   PE-7 Visitor/Vendor    Do visitors/vendors sign a visitor access     Examine
                                    Access            log?


HQ68 Secure Storage    4.3.2   PE-8 Visitor/Vendor    Does the visitor access log contain the       Examine
                                    Access            following information?

                                                      (i) name and organization of the visitor;
                                                      (ii) signature of the visitor;
                                                      (iii) form of identification;
                                                      (iv) date of access;
                                                      (v) time of entry and departure;
                                                      (vi) purpose of visit; and
                                                      (vii) name and organization of person
                                                      visited.

HQ69 Secure Storage    4.3.2   PE-8 Visitor/Vendor    Do designated officials or designees          Interview
                                    Access            within the agency review the visitor
                                                      access records, at least annually?
HQ70 Secure Storage    4.3.2   PE-7 Visitor/Vendor    Are visitors/vendors escorted?               Interview/
                                    Access                                                          Examine
                                                      If so, what are the escorting procedures?



HQ71 Secure Storage    4.3.2   PE-7 Visitor/Vendor    Are visitors/vendors issued ID cards? Are    Interview/
                                    Access            ID cards turned in at end of day? Are ID      Examine
                                                      cards inventoried/monitored?
HQ72 Secure Storage    4.3.1   PE-3 Restricted Area   Verify two barriers are present to access     Examine
                                                      FTI under normal security:
                                                      secured perimeter/locked container,
                                                      locked perimeter/secured interior, or
                                                      locked perimeter/security container.
HQ73 Secure Storage    4.3.1   PE-3 Restricted Area   List the Restricted Access areas where       Interview/
                                                      FTI is located.                               Examine
HQ74 Secure Storage    4.3.1   PE-3 Restricted Area   How is access to the restricted areas         Interview
                                                      controlled?




HQ75 Secure Storage 4.3.1   PE-2 Restricted Area      Who authorizes access to the restricted       Interview
                                                      areas?
HQ76 Secure Storage    4.3.1   PE-2 Restricted Area   Are the names of departed/transferred        Interview/
                                                      employees removed? When are they              Examine
                                                      removed?
HQ77 Secure Storage    4.3.1   PE-2 Restricted Area   Is an access record review conducted to       Interview
                                                      update who can access certain areas?
                                                      How often?
HQ78 Secure Storage    4.3.1   PE-6 Restricted Area   Who reviews electronic and paper audit        Interview
                                                      trails? How often are they reviewed?
HQ79 Secure Storage    4.5     PE-16 Loading Docks    How are loading docks secured?               Interview/
                                                                                                    Examine
HQ80 Secure Storage    4.5     MP-4 Document          Are documents containing FTI stored in a      Examine
                                    Security          locked container until pick-up for
                                                      disposal?
HQ81 Secure Storage    4.5     MP-5 Document          How is the paper waste material               Interview
                                    Security          transported?
HQ82 Secure Storage    4.3.4   MP-2 Document          Is there a written “clean desk” policy        Examine
                                    Security          (should cover desktop, credenzas, and
                                                      in/out baskets)?
HQ83 Secure Storage    4.3.4   MP-2 Document          Does management periodically conduct         Interview/
                                    Security          an after-hours check to ensure compliance     Examine
                                                      with the clean desk policy (i.e., containers
                                                      and office doors locked, etc.)? How often?
                                                      When was the last review? Were there any
                                                      findings, and were corrective actions
                                                      taken?


HQ84 Secure Storage    4.3.6   MP-4 Containers        What type of container is used to store       Examine
                       4.3.7                          FTI (i.e., lateral, upright, credenza,
                       4.3.8                          overhead, desk, safes, vaults)?
HQ85 Secure Storage    4.3.6   MP-4 Containers        Do all containers have locks?                 Examine
                       4.3.7
                       4.3.8
HQ86 Secure Storage    4.3.9   MP-4 Containers        What type of lock is used (i.e., lock bars,   Examine
                                                      key lock, padlock, combination padlock)?
HQ87 Secure Storage    4.3.6   MP-4 Containers        Is FTI stored in locked containers after      Interview/
                       4.3.7                          hours or when not in use?                      Examine
                       4.3.8
HQ88 Secure Storage    4.3.4   PE-3 Office Security   How is access restricted to internal         Interview/
                                                      offices?                                      Examine




HQ89 Secure Storage 4.3.4   PE-3 Office Security       Are integral office doors locked after          Interview/
                                                       hours?                                           Examine
HQ90 Secure Storage    4.3.4   PE-2 Office Security    Who has access to the offices after              Interview
                                                       hours?

                                                       Cleaning Crews:
                                                       Landlord:
                                                       Maintenance Crews:
                                                       Security Guards:
                                                       Employees (i.e. all or management):
HQ91 Secure Storage    4.3.4   MP-2 File Rooms         Does the file room have its own staff?         Interview
                                    Containing FTI     How many employees?
HQ92 Secure Storage    4.3.4   MP-2 File Rooms         Can only file room staff access client           Interview
                                    Containing FTI     files?
HQ93 Secure Storage    4.3.4   MP-5 File Rooms         Are items removed/returned from the file         Examine
                                    Containing FTI     room logged or scanned?
HQ94 Secure Storage    4.3.4   MP-4 File Rooms         Is there a follow-up for missing files           Interview
                                    Containing FTI     performed?
HQ95 Secure Storage    4.3.4   MP-4 File Rooms         Is the file room door locked at night?        Interview/
                                    Containing FTI                                                      Examine
HQ96 Secure Storage    4.3.4   MP-2 File Rooms         If so, who can access the room after             Interview
                                    Containing FTI     normal working hours (i.e., cleaning,
                                                       guards, maintenance)?
HQ97 Secure Storage    4.3.4   MP-4 Storage of Files   Are files stored at the field office/district   Interview/
                                    Containing FTI     office/agency?                                   Examine
HQ98 Secure Storage    4.3.4   MP-4 Storage of Files   How long are files stored at the field           Interview
                                    Containing FTI     office/district office/agency?
HQ99 Secure Storage    9.6     CP-6 Storage Off-Site   Are files stored at an alternate storage        Interview
                                                       facility?
HQ100 Secure Storage   9.6     CP-6 Storage Off-Site   If this is an agency facility, do agency        Interview
                                                       employees work at the facility?
HQ101 Secure Storage   9.6     CP-6 Storage Off-Site   If this is a facility administered by a          Interview
                                                       different state agency, how is access to
                                                       FTI controlled?
HQ102 Secure Storage   9.6     CP-6 Storage Off-Site   If this is a contractor facility, how is        Interview
                                                       access to FTI controlled?
HQ103 Secure Storage   4.5     CP-6 Storage Off-Site   How is paper or electronic FTI shipped or       Interview
                       9.6     MP-5                    transferred to the alternate storage facility?
HQ104 Secure Storage   4.5     CP-6 Storage Off-Site   What type of container is used to ship the      Interview/
                       9.6     MP-5                    files?                                           Examine




HQ105 Secure Storage   4.5      CP-6 Storage Off-Site     Is the container taped or locked?            Examine/
                       9.6      MP-5                                                                      Test
HQ106 Secure Storage   4.5      CP-6 Storage Off-Site     For retrieval of a single document, file,    Interview
                       9.6      MP-5                      or tape containing FTI, is the entire
                                                          container recalled or only the individual
                                                          item?


HQ107 Secure Storage    4.5     CP-6 Storage Off-Site     Who is in charge of storage or shipping        Interview
                        9.6     MP-5                      files to storage facilities?
HQ108 Secure Storage    9.6     CP-6 Storage of Files     Does the storage contractor have a sub-        Interview
                                MP-2 Containing FTI       contractor (e.g. responsible for disposal)?

HQ109 Secure Storage   9.16     SI-12 Storage of Files    Is there a written policy on document          Examine
                                      Containing FTI      retention?
HQ110 Secure Storage    4.7     PE-17 Alternate Work      Are employees allowed to work with FTI        Interview/
                                      Site                from an alternate work site (i.e., any         Examine
                                                          working area that is attached to the Wide
                                                          Area Network (WAN) either through a
                                                          Public Switched Data Network (PSDN) or
                                                          through the Internet)? Examples:
                                                          Working at home, working at a different
                                                          agency site, working at a contractor site.


HQ111 Secure Storage    4.7     PE-17 Alternate Work      Does the agency have a documented plan        Examine
                                      Site                for the security of the alternate work site?

HQ112 Secure Storage    4.7     PE-17 Alternate Work      Does the agency certify that the security     Examine
                                      Site                controls of the alternate work site are
                                                          adequate for its security needs?
                                                          Additionally, does the agency promulgate
                                                          rules and procedures to ensure that
                                                          employees do not leave computers
                                                          unprotected at any time? These rules
                                                          should address brief absences while
                                                          employees are away from the computer.




HQ113 Secure Storage   4.7    PE-17 Alternate Work      Do all computers and mobile devices that       Examine/
                                    Site                contain FTI and are resident in an               Test
                                                        alternate work site employ encryption
                                                        mechanisms to ensure that this data cannot
                                                        be accessed if the computer is lost or
                                                        stolen? What is the encryption strength?

HQ114 Secure Storage     4.7    PE-17 Alternate Work    Does the agency provide specialized            Interview/
                                      Site              training in security, disclosure awareness,     Examine
                                                        and ethics for all participating employees
                                                        and managers? Does the training cover
                                                        situations that could occur as the result of
                                                        an interruption of work by family, friends,
                                                        or other sources?


HQ115 Secure Storage     4.7    PE-17 Alternate Work    Does the agency conduct periodic               Interview/
                                      Site              inspections of alternate work sites during      Examine
                                                        the year to ensure that safeguards are
                                                        adequate? Are the results of each
                                                        inspection documented?

HQ116 Secure Storage     4.7    PE-17 Alternate Work    Does the agency retain ownership and            Interview
                                      Site              control of all hardware, software, and
                                                        telecommunications equipment
                                                        connecting to public communication
                                                        networks that are resident at alternate
                                                        work sites?
HQ117 Secure Storage            CP-7 Alternate          Does the agency have an alternate site        Interview/
                                     Processing Site    identified for business resumption when        Examine
                                                        the primary processing location (office
                                                        space) is unavailable? The alternate site
                                                        could be a (i) dedicated site owned or
                                                        operated by the agency, (ii) reciprocal
                                                        agreement or memorandum of agreement
                                                        with an internal or external entity, or (iii)
                                                        commercially leased facility.




HQ118 Secure Storage          CP-7 Alternate           Does the agency have an alternate              Examine
                                   Processing Site     processing site agreement in place to
                                                       permit the resumption of operations?
                                                       Does the agreement define the time
                                                       period within which processing must be
                                                       resumed at the alternate processing site?

HQ119 Secure Storage    4.3.2   PE-5 Access Control    Are computer monitors or other display         Examine
                                     for Display       devices that display FTI positioned so as
                                     Medium            to not be visible to passers-by in hallways
                                                       or common areas?
HQ120 Secure Storage    4.3.2   PE-18 Location of      For all areas that process FTI, does the       Examine
                        4.3.3         Information      agency position information system
                        4.3.4         System           components within the facility to minimize
                                      Components       potential damage from physical and
                                                       environmental hazards and to minimize
                                                       the opportunity for unauthorized access?

HQ121 Secure Storage    4.4     PE-3 Security During   How is FTI protected during an office          Interview
                                     Office Moves      move? Is FTI kept in locked cabinets or
                                                       sealed packing cartons during the move?

HQ122 Secure Storage    4.4     PE-3 Security During   Is FTI mailed or transported between           Interview
                                     Office Moves      office locations?

                                                       Is this FTI placed in double-envelopes or
                                                       locked in a secure container during
                                                       transport?

                                                       Is a transmittal document used to track
                                                       the movement and ensure the delivery of
                                                       FTI?
                                                                             IRC Section 6103(p)(4)(C)
HQ123 Restricting       5.3     MP-2 Commingling       Describe how the agency labels paper           Interview
      Access                                           documents containing FTI.
HQ124 Restricting       5.3     MP-2 Commingling       Describe how the agency labels case files      Interview
      Access                                           containing paper FTI.
HQ125 Restricting       5.3     MP-2 Commingling       Describe how the agency labels paper           Interview
      Access                                           documents containing FTI.
HQ126 Restricting       5.3     MP-2 Commingling       How is paper FTI filed?                        Interview
      Access




HQ127     Restricting      5.3   MP-2 Commingling         How can paper FTI be retrieved?              Interview
          Access
HQ128     Restricting      5.3   MP-2 Commingling         What identifying information is used for     Interview
          Access                                          retrieval? Individual name?
HQ129     Restricting      5.3   MP-2 Commingling         Is paper FTI kept separate or commingled    Interview/
          Access                                          with other information?                      Examine
HQ130     Restricting      5.3   MP-2 Commingling         If commingled, is commingled paper FTI      Interview/
          Access                                          identifiable?                                Examine
HQ131     Restricting      5.3   MP-2 Commingling         Can paper FTI within agency records be       Interview
          Access                                          located and segregated?
HQ132     Restricting      5.3   MP-2 Commingling         Please provide documents or letters          Examine
          Access                                          (Verification, Adjustment, Third Party)
                                                          used to obtain FTI verification from
                                                          clients, financial institutions and others.

HQ133 Restricting          5.3   MP-2 Commingling         What specific data, from paper FTI, is       Interview
      Access                                              entered into the system after independent
                                                          verification has been received?

HQ134 Restricting          5.3   MP-2 Commingling         How is electronic FTI filed?                 Interview
      Access

HQ135 Restricting          5.3   MP-2 Commingling         How can electronic FTI be retrieved?         Interview
      Access

HQ136 Restricting          5.3   MP-2 Commingling         What identifying information is used for     Interview
      Access                                              retrieval? Individual name?

HQ137 Restricting          5.3   MP-2 Commingling         Is electronic FTI kept separate or          Interview/
      Access                                              commingled with other information?           Examine

HQ138 Restricting          5.3   MP-2 Commingling         If commingled, is commingled electronic     Interview/
      Access                                              FTI identifiable?                            Examine

HQ139 Restricting          5.3   MP-2 Commingling         Can electronic FTI within agency records     Interview
      Access                                              be located and segregated?

HQ140 Restricting          5.3   MP-2 Commingling         What electronic FTI is printed and used in   Interview
      Access                                              paper form?

                                                          What electronic FTI is referenced in
                                                          electronic or paper case notations? (e.g.
                                                          case history, source of information, or
                                                          comments section)




HQ141 Restricting      5.5    AC-6 Computer Center If this is an agency facility, who works at        Interview
      Access                       Facility        the facility?
                                                   -Only agency employees?
                                                   -Other state agency employees?
                                                   -Contractors?

                                                      How is access to FTI limited?

HQ142 Restricting      11.0   MP-2 Contractor        Is data disclosed to any contractor?            Interview/
      Access           11.4   SA-9 Access            Identify the data disclosed and the              Examine
                                                     contractor.
HQ143 Restricting      11.0   MP-2   Contractor      Provide a copy of the contractor's               Examine
      Access           11.4   SA-9   Access          contract.
HQ144 Restricting      11.0   MP-2   Contractor      Does the contract include the required           Examine
      Access           11.4   SA-9   Access          Safeguards language in the contract?
                                                     (Publication 1075 Exhibit 7 Language)
HQ145 Restricting      11.0   MP-2   Contractor      Does the contractor sub-contract any             Interview
      Access           11.4   SA-9   Access          work containing FTI?
HQ146 Restricting      11.0   SA-9   External        Does the agency outsource information             Interview/
      Access           11.4          Information     system services for systems that store,            Examine
                                     System Services process or transmit FTI to a commercial
                                                     vendor or other provider external to the
                                                     agency (contractor)?

                                                        Does the contract include the required
                                                        Safeguards language in the contract?
                                                        (Publication 1075 Exhibit 7)
HQ147 Restricting      11.0   SA-9 Consolidated         Does the agency receive IT system             Interview
      Access           11.4        Data Center          support from a consolidated data center
                                                        (e.g. a Dept. of Info Tech) which is
                                                        operated by a different state agency?

                                                        If so, is there a Service Level Agreement
                                                        between the agencies in place?

                                                        What is the name of the IT agency?



HQ148 Restricting      11.0   SA-9 Off-site Storage     Do employees or contractors, at an off-       Interview
      Access           11.4        Facility             site storage facility, have access to FTI?
                                                        If so, describe, by whom and how is FTI
                                                        access restricted?




HQ149 Restricting      9.1    AC-8 IRS Approved         Have a user open every application,           Examine
      Access                       Warning Banner       containing FTI, to show the warning
                                                        banner's wording. Examine it to ensure it
                                                        meets the requirements of Publication
                                                        1075 Section 5.6.1.



HQ150 Restricting      5.2    AC-6 Access               How is access limited to authorized           Interview
      Access                                            employees?
HQ151 Restricting      5.2    AC-6 Access               Who designates authorized employees?          Interview
      Access
HQ152 Restricting      5.2    AC-6 Access               Do all authorized employees have a           Interview
      Access                                            need-to-know?
HQ153 Restricting      5.2    AC-6 Access               Do state auditors or inspectors general      Interview
      Access                                            have access to case files?
HQ154 Restricting      5.2    AC-6 Access               Provide the written procedures in effect  Examine
      Access                                            for specifying to whom disclosures of FTI
                                                        can be made.
HQ155 Restricting      5.2    AC-6 Quality Control,     Do reviewers have access to FTI online?      Test
      Access                       Quality              In paper?
                                   Assurance,
                                   Quality Review
HQ156 Restricting      5.2    AC-6 Quality Control,     Do reviewers send out verification letters    Interview
      Access                       Quality              on FTI?
                                   Assurance,
                                   Quality Review
HQ157 Restricting      5.2    AC-6 Quality Control,     Are reviewers agency employees?               Interview
      Access                       Quality
                                   Assurance,
                                   Quality Review
HQ158 Restricting      5.2    AC-6 Other Entities       Do other entities (e.g., volunteers,          Interview
      Access                                            researchers, contractors, non-agency
                                                        employees, interns) have access to FTI?

HQ159 Restricting      5.2    AC-6 Federal Offset       Are Federal Offset Payments released to       Interview
      Access                       Payments             courts or other third parties, such as
                                                        custodial parents?
HQ160 Restricting      5.2    AC-6 Federal Offset       Does the agency receive Federal Offset        Interview
      Access                       Payments             Payments (Applies to Revenue and Child
                                                        Support)?
HQ161 Restricting      5.2    AC-6 Federal Offset       Does the agency use a contractor to           Interview
      Access                       Payments             process the Offset (Reconciliation of
                                                        payment or data processing)?



HQ162 Restricting      5.4    AC-6 Sharing FTI          Is FTI shared between Child Support,            Interview
      Access                                            Human Services or Labor? Are
                                                        employees shared between these
                                                        agencies?
HQ163 Restricting      5.4    AC-6 Sharing FTI          Does the agency share FTI with any              Interview
      Access                                            agency or entity (e.g., tribes, cities/states,
                                                        other state agencies)? If yes, what data,
                                                        to whom and by what authority?

HQ164 Restricting      5.2    AC-6 Modeling             Does the agency use FTI for modeling           Interview/
      Access                                            and/or revenue projections? If yes, do          Examine
                                                        they have a signed Need and Use
                                                        justification statement?
HQ165 Restricting      5.2    AC-6 Portal Access        Does the agency have internal or external      Interview/
      Access                                            facing web applications or portals?               Test

                                                        Is FTI accessible through the portal/web
                                                        applications?

                                                        Who has access?

                                                        What data?


HQ166 Restricting      5.2    AC-6 Portal Access        Does the agency have an Interactive           Interview/
      Access                                            Voice Response (IVR) system?                      Test

                                                        If so, what data is available and who is the
                                                        intended user?
HQ167 Restricting      5.4    AC-6 Client               Who can represent a client?                     Interview
      Access                       Representation


HQ168 Restricting      9.2    AU-2 FTI Access Logs What data elements are captured on the               Examine
      Access                                       FTI access log reports?
HQ169 Restricting      9.2    AU-6 FTI Access Logs Are FTI access log reports monitored to              Interview
      Access                                       detect unauthorized browsing?
HQ170 Restricting      9.2    AU-6 FTI Access Logs What actions are taken when                          Interview
      Access                                       unauthorized action is found on an FTI
                                                   access log report?
HQ171 Restricting      9.2    AU-2 FTI Access Logs Are FTI access logs maintained of                      Test
      Access                                       accesses or updates to electronic data?




HQ172 Restricting        9.2   AU-2 FTI Access Logs Are access records or listings of FTI                  Test
      Access                                        extracts made?
HQ173 Restricting        9.2   AU-2 FTI Access Logs Do these FTI access logs include:                      Test
      Access                                        -Reason for access?
                                                    -Current location of data?
                                                    -Final disposition?
                                                    -Who monitors?
                                                    -How often monitored?
                                                    -Any findings within the last two years?
                                                    -What action was taken?
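Added illustration, not part of the SDSEM or of Publication 1075: a minimal review of FTI access log records for the unauthorized-browsing indicators that HQ168 through HQ173 ask about (reason for access recorded, access tied to an assigned case, no self-lookups, no bulk browsing). The pipe-delimited log layout, the field names, the reason codes, the case assignments, the self-record mapping and the bulk-access threshold are all constructed assumptions for this example, as is the sample data; an agency's own access log format will differ.

```python
"""Review constructed FTI access log records for unauthorized-browsing indicators.

Added example, not agency or IRS code. The pipe-delimited layout below, the
reason codes, the case assignments and the bulk-access threshold are all
assumptions made for this illustration:
    timestamp|user_id|record_id|action|reason_code|case_id
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample data: one workday of access records for three users.
SAMPLE_LOG = [
    "# timestamp|user_id|record_id|action|reason_code|case_id",
    "2010-07-12T09:01:00|jdoe|TP-1001|view|V01|CASE-7",
    "2010-07-12T09:15:00|jdoe|TP-1002|view||CASE-7",        # no reason code
    "2010-07-12T10:02:00|jdoe|TP-2000|view|V01|CASE-9",     # case not assigned to jdoe
    "2010-07-12T11:30:00|asmith|TP-3333|view|V02|CASE-12",  # asmith's own record
    "2010-07-12T12:00:00|asmith|TP-1001|view|V02|CASE-12",
] + [
    f"2010-07-12T13:{m:02d}:00|bbrown|TP-40{i:02d}|view|V01|CASE-3"
    for i, m in enumerate(range(0, 60, 10), start=1)
]  # bbrown opens six distinct records within one day

# Constructed reference data: cases assigned to each user, and taxpayer
# records that are the user's own (or otherwise restricted for that user).
ASSIGNMENTS = {"jdoe": {"CASE-7"}, "asmith": {"CASE-12"}, "bbrown": {"CASE-3"}}
SELF_RECORDS = {"asmith": {"TP-3333"}}


@dataclass(frozen=True)
class Access:
    ts: datetime
    user: str
    record: str
    action: str
    reason: str
    case: str


@dataclass(frozen=True)
class Finding:
    user: str
    record: str
    rule: str


def parse_log(lines):
    """Parse pipe-delimited access records; blank lines and '#' comments are skipped."""
    accesses = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, record, action, reason, case = line.split("|")
        accesses.append(Access(datetime.fromisoformat(ts), user, record, action, reason, case))
    return accesses


def detect_unauthorized_browsing(accesses, assignments, self_records, bulk_threshold=5):
    """Return one Finding per rule hit. Rules (all constructed for this example):
      no-reason     the access record carries no business reason code
      not-assigned  the case on the record is not assigned to the user
      self-access   the user opened a record listed as their own
      bulk-browse   the user touched more than bulk_threshold distinct
                    records on one calendar day
    """
    findings = []
    per_user_day = defaultdict(set)
    for a in accesses:
        if not a.reason:
            findings.append(Finding(a.user, a.record, "no-reason"))
        if a.case not in assignments.get(a.user, set()):
            findings.append(Finding(a.user, a.record, "not-assigned"))
        if a.record in self_records.get(a.user, set()):
            findings.append(Finding(a.user, a.record, "self-access"))
        per_user_day[(a.user, a.ts.date())].add(a.record)
    for (user, day), records in per_user_day.items():
        if len(records) > bulk_threshold:
            findings.append(Finding(user, f"{len(records)} records on {day}", "bulk-browse"))
    return findings


def run_example(bulk_threshold=5):
    """Run the rules over the constructed sample and count findings per rule."""
    findings = detect_unauthorized_browsing(
        parse_log(SAMPLE_LOG), ASSIGNMENTS, SELF_RECORDS, bulk_threshold
    )
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in detect_unauthorized_browsing(parse_log(SAMPLE_LOG), ASSIGNMENTS, SELF_RECORDS):
        print(f"{f.rule:<13} user={f.user:<7} {f.record}")
```

The self-access rule is only as good as the mapping between employees and the records they must not open, which the agency has to supply from personnel data; the bulk threshold produces leads for a reviewer to follow up under HQ170, not findings in itself.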
HQ174 Reporting         10.1   IR-1 Incident        Is there a documented policy with steps              Examine
      Improper                      Response        for reporting unauthorized disclosure of
      Inspections or                                FTI?
      Disclosures
HQ175 Reporting         10.1    IR-1 Incident            Does the incident reporting policy contain      Examine
      Improper                       Response            the IRS and TIGTA contact information,
      Inspections or                                     coordination steps and detail when these
      Disclosures                                        entities should be notified of the incident?

HQ176 Reporting         10.1    IR-2 Incident            Does the agency provide incident               Interview/
      Improper                       Response            response training to all personnel with         Examine
      Inspections or                 Training            access to FTI and personnel with incident
      Disclosures                                        response responsibilities? Is initial
                                                         training provided, and refresher training
                                                         provided at least annually?
HQ177 Reporting         10.1    IR-7 Incident            Does the agency provide an incident             Interview
      Improper                       Response            response support resource for users?
      Inspections or                 Assistance          Possible implementations of incident
      Disclosures                                        response support resources include a
                                                         help desk or an assistance group, and
                                                         access to forensics services.
HQ178 Reporting         10.1    IR-3 Incident            Does the agency test/exercise the               Examine
      Improper                       Response            Disclosure aspect of its incident response
      Inspections or                 Testing and         capability at least annually? Review
      Disclosures                    Exercises           documented test results of prior incident
                                                         response tests.
HQ179 Reporting         10.1    IR-4 Incident Handling Do the agency's incident response                  Examine
      Improper                                         procedures address an incident handling
      Inspections or                                   capability for security incidents that
      Disclosures                                      includes preparation, detection and
                                                       analysis, containment, eradication,
                                                       recovery, and post-incident activity?




HQ180 Reporting         10.1    IR-5 Incident             How is the incident documented, tracked         Interview/
      Improper                       Response             and monitored?                                   Examine
      Inspections or
      Disclosures
HQ181 Reporting         10.1    IR-5 Incident             Does the agency notify the impacted               Examine
      Improper                       Response             taxpayer(s)?
      Inspections or
      Disclosures
HQ182 Restricting        9.1    PS-2 Personnel            Does the agency have a personnel                 Examine
      Access                         Security Policy      security policy that addresses position
                                     and Procedures       categorization, personnel screening,
                                                          personnel termination, personnel transfer,
                                                          and access agreements?

                                                          Who is responsible for implementation of
                                                          the policy?
HQ183 Restricting      9.17.5    -     Electronic Mail    Does the agency have a policy that states        Examine
      Access                                              FTI shall not be transmitted or used on
                                                          email systems?
HQ184 Restricting      9.17.5    -     Electronic Mail    If it is necessary to transmit FTI via email,    Interview
      Access                                              does the agency take the following
                                                          precautions to protect FTI sent via email?
                                                          - Email transmitting the FTI is encrypted
                                                          (e.g., digital certificate-based encryption)
                                                          - Attachments containing FTI are
                                                          encrypted
                                                          - Ensure that all messages sent are to the
                                                          proper address
                                                          - Email stays within the agency email
                                                          system and is not sent outside the firewall
                                                          - Employees should log off the computer
                                                          when away from the area




HQ185 Restricting    5.6.17.6     -    Fax Machines       If fax machines are used to transmit FTI, Interview/
      Access                                              does the agency take the following             Examine
                                                          precautions to protect fax transmissions?
                                                          - A trusted staff member is located at both
                                                          the sending and receiving fax machines.
                                                          -Broadcast lists and other preset numbers
                                                          of frequent recipients of FTI are
                                                          maintained and periodically updated
                                                          - Fax machines are placed in a secured
                                                          area.
                                                          - A cover sheet is included on fax
                                                          transmissions that explicitly provides
                                                          guidance to the recipient, which includes:
                                                              - A notification of the sensitivity of the
                                                          data and the need for protection
                                                              - A notice to unintended recipients to
                                                          telephone the sender—collect if
                                                          necessary—to report the disclosure and
                                                          confirm destruction of the information.




HQ186 Restricting     9.17.1      -    Data Warehouse Does the agency employ a data                      Interview
      Access                           Configuration  warehousing environment? If so, what FTI
                                                      resides there?

                                                          How is the FTI identified as FTI within the
                                                          data warehouse?

                                                          How is the use, movement, and
                                                          destruction tracked within the warehouse?



                                                                                 IRC Section 6103(p)(4)(D)
HQ187 Other            6.2      AT-1   Employee           Does the agency have a security          Examine
      Safeguards                       Awareness          awareness and training policy?




HQ188 Other            6.2    AT-1 Employee             Does the agency have security training          Examine
      Safeguards                   Awareness            and awareness procedures that address
                                                        the policy elements and are disseminated
                                                        to employees responsible for
                                                        implementing security training and
                                                        awareness?
HQ189 Other            6.2    AT-2 Employee             Are new employees given a security              Interview
      Safeguards                   Awareness            orientation prior to having access to FTI?

HQ190 Other            6.2    AT-2 Employee             Does the orientation specifically cover         Examine
      Safeguards                   Awareness            FTI?

HQ191 Other            6.2    AT-2 Employee             Does the orientation cover Penalty              Examine
      Safeguards                   Awareness            Provisions under the Internal Revenue
                                                        Code (IRC) 7213, 7213A and 7431?
HQ192 Other            6.2    AT-2 Employee             Does the disclosure awareness training          Examine
      Safeguards                   Awareness            cover the incident response policy and
                                                        procedure for reporting unauthorized
                                                        disclosures and data breaches?
HQ193 Other            6.2    AT-2 Employee             Do employees sign a certification at initial    Examine
      Safeguards                   Awareness            security awareness orientation (provide a
                                                        copy of agreement)?
HQ194 Other            6.2    AT-2 Employee             Do employees sign a re-certification every        Test
      Safeguards                   Awareness            year thereafter?

HQ195 Other            6.2    AT-2 Employee             Are contractors with access to FTI              Interview
      Safeguards                   Awareness            included in the employee awareness
                                                        orientation?

HQ196 Other            6.2    AT-2 Employee             Are employees and/or contractors, from          Interview
      Safeguards                   Awareness            the consolidated data center, with access
                                                        to FTI included in the employee
                                                        awareness?

                                                        Are employees and/or contractors from an
                                                        off-site storage center, with access to FTI
                                                        included in the employee awareness
                                                        orientation?

                                                        Note: Access may be physical or logical,
                                                        e.g., system administrators, database
                                                        administrators.




HQ197 Other            6.2    AT-2 Employee             Does the agency maintain training records      Examine
      Safeguards                   Awareness            for employees/contractors that identify
                                                        the security and awareness training that
                                                        each user has completed?
HQ198 Employee         6.2    MP-2 Document             Are employees aware of the need to             Interview
      Awareness                    Security             protect FTI against inadvertent disclosure
                                                        when visitors/maintenance
                                                        personnel/vendors are in work area?
HQ199 Other            6.3    CA-2 Internal             Is the agency periodically audited by a        Interview
      Safeguards                   Inspections          third party (e.g. Internal Audit, Inspector
                                                        General (IG))?
HQ200 Other            6.3    CA-2 Internal             When was the last audit conducted?             Examine
      Safeguards                   Inspections          Provide a copy of the audit report.
HQ201 Other            6.3    CA-2 Internal             Does the agency conduct internal audit     Interview
      Safeguards                   Inspections          inspections of field offices that address
                                                        the safeguard requirements the IRC and
                                                        the IRS impose?
HQ202 Other            6.3    CA-2 Internal             When was the last internal inspection held Interview              Note: All local offices receiving FTI
      Safeguards                   Inspections          for --                                                            are reviewed within a three-year
                                                        -Field offices?                                                   cycle. Headquarters office facilities
                                                        -District offices?                                                housing FTI and the agency
                                                        -County offices?                                                  computer facility should be reviewed
                                                        -Central office?                                                  within an 18-month cycle.
                                                        -Headquarters?
                                                        -Administration?
                                                        -Storage Facilities?
HQ203 Other            6.3    CA-2 Internal             Are contractors with access to FTI,          Interview
      Safeguards                   Inspections          including a consolidated data center or off-
                                                        site storage facility included with internal
                                                        inspection activities?
HQ204 Other            6.3    CA-2 Internal             When was the last internal inspection for      Interview
      Safeguards                   Inspections          contractor run:

                                                        -Data Center?
                                                        -Off-site Storage Facility?
                                                        -Other?
HQ205 Other            6.3    CA-2 Internal             Who conducts the internal inspections?         Interview
      Safeguards                   Inspections




   85901907-d61d-4d54-9a68-2e81241e0236.xls                                           Head Quarters                                                                               28 of 78
HQ206 Other            6.3    CA-2 Internal             Are follow-up reviews conducted to              Interview
      Safeguards                   Inspections          determine the effectiveness of corrective
                                                        actions taken on findings from after-hours
                                                        and duty hours reviews?

HQ207 Other            6.3    CA-2 Internal             During the past two inspections, were           Interview
      Safeguards                   Inspections          there findings? If so, what action was
                                                        taken?
HQ208 Other            6.3    CA-2 Internal             Are copies of the inspection report             Examine
      Safeguards                   Inspections          submitted with the annual SAR?
HQ209 Other            6.3    CA-2 Internal             Please provide a copy of the                    Examine
      Safeguards                   Inspections          questionnaire that is used for the internal
                                                        inspection review process.
HQ210 Other            6.3    CA-2 Internal             Does the agency complete an internal            Examine
      Safeguards                   Inspections          inspection plan, detailing the timing of all
                                                        internal inspections in the current year
                                                        and next two years? Please provide plan.

                                                        If IRS templates are used, please specify
                                                        and don't attach.


                                                                              IRC Section 6103(p)(4)(E)
HQ211 Reporting        7.2    PL-2 Safeguard            When was the last SPR approved?        Interview/
      Requirements                 Procedures                                                   Examine
                                   Report
HQ212 Reporting        7.2    PL-2 Safeguard            Have there been any significant changes         Interview
      Requirements                 Procedures           since the last SPR was approved?
                                   Report
HQ213 Reporting        7.2    PL-2 Safeguard            If the agency has a data warehouse, is it      Examine
      Requirements                 Procedures           reflected in the SPR?
                                   Report
HQ214 Reporting        7.2    PL-2 Safeguard            Does the SPR reflect all data extracts          Examine
      Requirements                 Procedures           received by the agency?
                                   Report
HQ215 Reporting        7.4    PL-2 Safeguard            When was the last SAR approved?                Interview/
      Requirements                 Activity Report                                                      Examine
                                                        What period did the SAR cover?

HQ216 Reporting        7.4    PL-2 Safeguard            When was the last Corrective Action Plan       Interview/
      Requirements                 Activity Report      (CAP) submitted?                                Examine

                                                        When was it approved?




                                                                               IRC Section 6103(p)(4)(F)
HQ217 Disposing         8.3   MP-6 Paper FTI            Where is paper FTI secured prior to      Examine
      Federal Tax                                       disposal?
      Information                                       -Recycle bins?
                                                        -Locking container?
                                                        -Waste paper basket?
                                                        -Container on desk?
HQ218 Disposing         8.3   MP-6 Paper FTI            How is paper FTI destroyed?                     Interview
      Federal Tax                                       -Shredding (i.e., are strips rendered
      Information                                       unreadable, size of strips, print
                                                        perpendicular to cutting line)?
                                                        -Pulping (i.e., what size is material
                                                        reduced to)?
                                                        -Burning (i.e., is there complete
                                                        combustion)?
                                                        -Disintegration (how fine a screen is
                                                        used)?

HQ219 Disposing         8.3   MP-6 Paper FTI            Who performs destruction of paper FTI?          Interview
      Federal Tax       8.4                             -Agency staff?
      Information                                       -Contractor?

HQ220 Disposing         8.3   MP-6 Paper FTI            Who picks up/takes paper FTI for                Interview
      Federal Tax       8.4                             destruction?
      Information                                       -State Agency/Federal Agency?
                                                        -Contractor?
HQ221 Restricting       8.3   AC-6 Destruction          If the destruction facility is a contractor     Interview
      Access            8.4        Facility             facility, how is access to paper FTI limited
                                                        to employees?
HQ222 Disposing         8.3   MP-6 Paper FTI:           What is the name of the contractor used         Interview
      Federal Tax       8.4        Contractor           for pick up and destruction of paper FTI?
      Information
HQ223 Disposing         8.3   MP-6 Paper FTI:           Location of the contractor used for pick up     Interview
      Federal Tax       8.4        Contractor           and destruction of paper FTI?
      Information
HQ224 Disposing         8.3   MP-6 Paper FTI:           Name and telephone number of contact            Interview
      Federal Tax       8.4        Contractor           person at the contractor used for pick up
      Information                                       and destruction of paper FTI

HQ225 Disposing         8.3   MP-6 Paper FTI:           If the contractor does not have a               Interview
      Federal Tax       8.4        Contractor           destruction facility, where is the paper FTI
      Information                                       taken?




HQ226 Disposing         8.3   MP-6 Paper FTI:           Do agency staff accompany paper FTI            Interview
      Federal Tax       8.4        Contractor           and view destruction?
      Information
HQ227 Disposing         8.3   MP-6 Paper FTI:           How is paper FTI packaged and secured? Interview/
      Federal Tax       8.4        Contractor                                                   Examine
      Information
HQ228 Disposing         8.3   MP-6 Electronic Media     Is paper FTI shredded (size of shred)?           Test
      Federal Tax       8.4        Library:
      Information                  Procedures -
                                   Destruction
HQ229 Disposing         8.3   MP-6 Electronic Media     How is electronic FTI destroyed?               Interview
      Federal Tax       8.4        Library:             -Returned to the IRS?
      Information                  Procedures -         -Returned to scratch pool?
                                   Destruction
HQ230 Disposing         8.3   MP-6 Electronic Media     How is FTI cleared from electronic media       Interview
      Federal Tax       8.4        Library:             (removable or non-removable; e.g.,
      Information                  Procedures -         primary or systemic backups) before
                                   Destruction          reallocation or destruction?
HQ231 Disposing         8.3   MP-6 Electronic Media     Is FTI erased? If so, in what manner:          Interview
      Federal Tax       8.4        Library:
      Information                  Procedures -         -Degaussed (specify make and strength
                                   Destruction          of degausser)?
                                                        -Written over with 0 (zero) and 1 (one)?
                                                        -Written over with new data?
                                                        -Written over with FTI only?


HQ232 Disposing         8.3   MP-6 Electronic Media     Describe the method of verification for the    Interview
      Federal Tax       8.4        Library:             destruction of electronic media containing
      Information                  Procedures -         FTI.
                                   Destruction
                                                                                       Need and Use
HQ233 Need and Use      2.2   AC-6 Need and Use         Describe each FTI dataset received by      Interview
                                                        the agency and how it is used by the
                                                        agency.
HQ234 Need and Use      2.2   AC-6 Need and Use         For every FTI data extract received by the Interview
                                                        agency for an authorized use, does the
                                                        agency have a need?




HQ235 Need and Use     2.2    AC-6 Need and Use         State Agencies Receiving FTI under IRC        Examine
                                                        6103(d):

                                                        Provide copies of all current need and use
                                                        statements (GLDEP, modeling, live data
                                                        testing).
HQ236 Need and Use     2.2    AC-6 Need and Use         Is use of the FTI documented? Examine         Examine
                                                        case files for evidence.
                                                                                Other DES Observations




                                                                                        IRC Section 6103(p)(4)(A)
 FO1      Record Keeping     3.0    PE-16 Obtaining FTI       How is FTI received (i.e., FedEx, UPS,      Interview
          Requirements                                        USPO, Secure Data Transfer, e.g.,
                                                              Tumbleweed, ConnectDirect, encrypted
                                                              CD)?
 FO2      Record Keeping     3.0    PE-16 Obtaining FTI:      Is FTI received in the mailroom?           Interview/
          Requirements                    Mailroom            If so, is receipt acknowledged?             Examine
                                                              Is the package logged in?
                                                              Does the mailroom open the package?
                                                              Is the package brought to another
                                                              function?
                                                              Does the other function sign the log?

 FO3      Record Keeping     3.0    MP-2 Request for FTI      If requests for FTI are made through the     Interview
          Requirements                                        data center, how are they logged (Form
                                                              8796, TDS, ad-hoc requests)?
                                                              Are requests compliant with IRS
                                                              Publication 1075 Section 3?
 FO4      Record Keeping     3.0    MP-2 Request for FTI      Are documents created from the FTI data         Interview
          Requirements                                        (e.g., CDs, tapes, letters, reports, etc.)?

 FO5      Record Keeping     3.0    MP-2 Request for FTI      Are FTI based products shared? Are logs         Interview
          Requirements                                        kept and are they compliant with
                                                              Publication 1075, Section 3?
 FO6      Record Keeping     3.0    MP-2 Receipt FTI          If FTI is printed at the data center, what       Interview/
          Requirements                   Paper Reports        functions is it distributed to?                  Examine

                                                                                     IRC Section 6103(p)(4)(B)
 FO7      Secure Storage    4.3.2   PE-3 Guards               Guards: Contractor or Employee?          Interview
                            4.3.4
 FO8      Secure Storage    4.3.2   PE-3 Guards               Guards: How many posts:                         Examine
                            4.3.4
                                                              -Main Entrance_____
                                                              -Rear Entrance_____
                                                              -Side Entrance_____
                                                              -Outside_____
                                                              -Inside_____

 FO9      Secure Storage   4.3.2    PE-3 Guards               Guards: Hours on Duty?                          Interview
                           4.3.4
FO10 Secure Storage        4.3.12   PE-6 Alarms               Electronic Intrusion Alarm System?              Interview/
                                                                                                               Examine




   85901907-d61d-4d54-9a68-2e81241e0236.xls                                                    Field Office                                                                  33 of 78
FO11 Secure Storage 4.3.12 PE-6 Alarms                 Motion Detectors?                               Interview/
                                                                                                        Examine
FO12 Secure Storage   4.3.12   PE-6 Alarms             Emergency Exit Alarm?                           Interview/
                                                                                                        Examine
FO13 Secure Storage   4.3.12   PE-6 Alarms             Who monitors the various alarms?                 Interview

FO14 Secure Storage    4.3.2   PE-6 Cameras            Where are they placed?                          Examine
                                    (Outside/Inside)
FO15 Secure Storage    4.3.2   PE-6 Cameras            How many cameras?                               Examine
                                    (Outside/Inside)
FO16 Secure Storage    4.3.2   PE-6 Cameras            Who monitors the various cameras?               Interview
                                    (Outside/Inside)
FO17 Secure Storage    4.3.2   PE-6 Cameras            Are cameras recording their view?                 Test
                                    (Outside/Inside)
FO18 Secure Storage    4.3.2   PE-6 Cameras            How long are electronic media (Hard             Interview/
                                    (Outside/Inside)   Drive, DVR, Tapes) maintained?                   Examine
FO19 Secure Storage    4.3.2   PE-6 Access:            What controls are in place to monitor            Interview
                                    Monitoring         access to restricted area (i.e., logs,
                                                       electronic monitoring)?
FO20 Secure Storage    4.3.2   PE-6 Access:            How often are access control points             Interview
                                    Monitoring         monitored?
FO21 Secure Storage    4.3.2   PE-2 Access:            What is used to control access from the         Examine/
                                    Keys/Cards         outside: Keys or Electronic access                Test
                                                       control system?
FO22 Secure Storage   4.3.10   PE-2 Access:            What is used to control access from the         Examine/
                      4.3.11        Keys/Cards         inside: Keys or Electronic access control         Test
                                                       system?
FO23 Secure Storage   4.3.10   PE-2 Access:            Is a record maintained on the issuance of       Examine
                                    Keys/Cards         keys/key cards?

                                                       Buildings:
                                                       Offices:
                                                       Containers:
FO24 Secure Storage   4.3.10   PE-2 Access:            If so, how are records maintained (i.e.,        Examine
                                    Keys/Cards         custody receipt/automated file)?

                                                       Buildings:
                                                       Offices:
                                                       Containers:




FO25 Secure Storage 4.3.10 PE-2 Access:              Who is responsible for issuance of             Interview
                                  Keys/Cards         keys/key cards?

                                                     Buildings:
                                                     Offices:
                                                     Containers:
FO26 Secure Storage   4.3.10   PE-2 Access:          Who has access to keys/key cards?              Interview
                                    Keys/Cards
                                                     Buildings:
                                                     Offices:
                                                     Containers:
FO27 Secure Storage   4.3.10   PE-2 Access:          Are periodic reviews being conducted to        Interview/
                                    Keys/Cards       reconcile records?                              Examine

                                                     Buildings:
                                                     Offices:
                                                     Containers:

                                                     When was the last review?
FO28 Secure Storage   4.3.10   PE-2 Access:          Is there a written policy on recovery of       Examine
                                    Keys/Cards       ID/keys/key cards after employee leaves?

FO29 Secure Storage   4.3.10   PE-2 Access:          Are the locking mechanisms checked for         Interview
                                    Keys/Cards       malfunctions?

                                                     Buildings:
                                                     Offices:
                                                     Containers:

                                                     By Whom?

                                                     How often?

FO30 Secure Storage   4.3.10   PE-2 Access:          Who controls the duplicate keys for:           Interview
                                    Keys/Cards
                                                     Buildings:
                                                     Offices:
                                                     Containers:
FO31 Secure Storage   4.3.10   PE-2 Access:          Are all employees given keys to:               Interview
                                    Keys/Cards
                                                     Buildings:
                                                     Offices:
                                                     Containers:




FO32 Secure Storage 4.3.10 PE-2 Access:              What is the key reproducing policy?              Interview/
                                  Keys/Cards                                                           Examine
                                                     Buildings:
                                                     Offices:
                                                     Containers:
FO33 Secure Storage   4.3.10   PE-2 Access:          Who maintains the key to the cabinet(s)           Interview
                                     Keys/Cards      that contain the electronic FTI?

                                                     Are there backup keys?

                                                     Where is the key kept during the day?

                                                     Where is the key kept at night?

                                                     How many keys are there in total?

FO34 Secure Storage   4.3.10   PE-2 Access:          Who maintains the key to the cabinet(s)           Interview
                                     Keys/Cards      that contain the paper FTI?

                                                     Are there backup keys?

                                                     Where is the key kept during the day?

                                                     Where is the key kept at night?

                                                     How many keys are there in total?

FO35 Secure Storage   4.3.10   PE-2 Access:          Who maintains backup keys to cabinets            Interview
                                    Keys/Cards       that contain the IRS electronic media(s) or
                                                     FTI Reports?
FO36 Secure Storage   4.3.10   PE-3 Access:          How often are door/safe combinations             Interview
                                    Combinations     changed?
FO37 Secure Storage   4.3.10   PE-3 Access:          Who is responsible for changing the               Interview
                                     Combinations    combinations?
FO38 Secure Storage   4.3.10   PE-3 Access:          Who safeguards the combinations?                 Interview
                                    Combinations
FO39 Secure Storage   4.3.10   PE-3 Access:          Who controls (records)/safeguards                Interview
                                    Combinations     combinations?
FO40 Secure Storage   4.3.10   PE-3 Access:          How are combinations safeguarded?                Interview
                                    Combinations
FO41 Secure Storage    4.3.2   PE-2 ID Cards         Are employees wearing the agency                   Test
                                    (Badges)         authorized IDs?
FO42 Secure Storage    4.3.2   PE-2 ID Cards         Are lost ID cards reported?                      Interview
                                    (Badges)



FO43 Secure Storage 4.3.2   PE-2 ID Cards             How do employees enter the work area            Interview
                                 (Badges)             without an ID card?
FO44 Secure Storage 4.3.2   PE-2 ID Cards             Is there a written policy on ID cards?          Examine
                                 (Badges)
FO45 Secure Storage 4.3.2   PE-2 ID Cards             Are ID cards inventoried (i.e., automated,      Examine
                                 (Badges)             written down and placed in safe, etc.)?

FO46 Secure Storage    4.3.2   PE-2 ID Cards          Who has access to ID Card/Badge                 Interview
                                    (Badges)          inventory?
FO47 Secure Storage    4.3.2   PE-7 Visitor/Vendor    Do visitors/vendors sign a visitor access       Examine
                                    Access            log?


FO48 Secure Storage    4.3.2   PE-8 Visitor/Vendor    Does the visitor access log contain the         Examine
                                    Access            following information?

                                                      (i) name and organization of the visitor;
                                                      (ii) signature of the visitor;
                                                      (iii) form of identification;
                                                      (iv) date of access;
                                                      (v) time of entry and departure;
                                                      (vi) purpose of visit; and
                                                      (vii) name and organization of person
                                                      visited.
FO49 Secure Storage    4.3.2   PE-8 Visitor/Vendor    Do designated officials or designees            Interview
                                    Access            within the agency review the visitor
                                                      access records, at least annually?
FO50 Secure Storage    4.3.2   PE-7 Visitor/Vendor    Are visitors/vendors escorted?                  Interview/
                                    Access                                                             Examine
                                                      If so, what are the escorting procedures?



FO51 Secure Storage    4.3.2   PE-7 Visitor/Vendor    Are visitors/vendors issued ID cards? Are       Interview/
                                    Access            ID cards turned in at end of day? Are ID         Examine
                                                      cards inventoried/monitored?
FO52 Secure Storage    4.3.1   PE-3 Restricted Area   Verify two barriers are present to access       Examine
                                                      FTI under normal security:
                                                      secured perimeter/locked container,
                                                      locked perimeter/secured interior, or
                                                      locked perimeter/security container.
FO53 Secure Storage    4.3.1   PE-3 Restricted Area   Specify the restricted access areas            Interview/
                                                      where FTI is located.                           Examine




FO54 Secure Storage 4.3.1   PE-3 Restricted Area      How is access to the restricted areas           Interview
                                                      controlled?
FO55 Secure Storage    4.3.1   PE-2 Restricted Area   Who authorizes access to the restricted         Interview
                                                      areas?
FO56 Secure Storage    4.3.1   PE-2 Restricted Area   Are the names of departed/transferred           Interview/
                                                      employees removed? When are they                 Examine
                                                      removed?
FO57 Secure Storage    4.3.1   PE-2 Restricted Area   Is an access record review conducted to         Interview
                                                      update who can access certain areas?
                                                      How often?
FO58 Secure Storage    4.3.1   PE-6 Restricted Area   Who reviews electronic and paper audit          Interview
                                                      trails? How often are they reviewed?
FO59 Secure Storage    4.5     PE-16 Loading Docks    How are loading docks secured?                  Interview/
                                                                                                       Examine
FO60 Secure Storage    4.5     MP-4 Document          Are documents containing FTI stored in a         Examine
                                    Security          locked container until pick-up for
                                                      disposal?
FO61 Secure Storage    4.5     MP-5 Document          How is the paper waste material               Interview
                                    Security          transported?
FO62 Secure Storage    4.3.4   MP-2 Document          Is there a written “clean desk” policy        Examine
                                    Security          (should cover desktop, credenzas, and
                                                      in/out baskets)?
FO63 Secure Storage    4.3.4   MP-2 Document          Does management periodically conduct         Interview/
                                    Security          an after-hours check to ensure compliance    Examine
                                                      with the clean desk policy (i.e., locked
                                                      containers, office doors locked, etc.)?
                                                      How often? When was the last review?
                                                      Were there any findings, and were
                                                      corrective actions taken?


FO64 Secure Storage    4.3.6   MP-4 Containers        What type of container is used to store         Examine
                       4.3.7                          FTI (i.e., lateral, upright, credenza,
                       4.3.8                          overhead, desk, safes, vaults)?
FO65 Secure Storage    4.3.6   MP-4 Containers        Do all containers have locks?                   Examine
                       4.3.7
                       4.3.8
FO66 Secure Storage    4.3.9   MP-4 Containers        What type of lock (i.e., lock bars, key lock, Examine
                                                      padlock, combination padlock)?
FO67 Secure Storage    4.3.6   MP-4 Containers        Is FTI stored in secure containers after      Interview/
                       4.3.7                          hours or when not in use?                      Examine
                       4.3.8
FO68 Secure Storage    4.3.4   PE-3 Office Security   How is access restricted to internal            Interview/
                                                      offices?                                         Examine




FO69 Secure Storage 4.3.4   PE-3 Office Security       Are integral office doors locked after           Interview/
                                                       hours?                                            Examine
FO70 Secure Storage    4.3.4   PE-2 Office Security    Who has access to the offices after               Interview
                                                       hours?

                                                       Cleaning Crews:
                                                       Landlord:
                                                       Maintenance Crews:
                                                       Security Guards:
                                                       Employees (i.e. all or management):
FO71 Secure Storage    4.3.4   MP-2 File Rooms         Does the file room have its own staff? How     Interview
                                    Containing FTI     many employees?
FO72 Secure Storage    4.3.4   MP-2 File Rooms         Can only file room staff access client           Interview
                                    Containing FTI     files?
FO73 Secure Storage    4.3.4   MP-5 File Rooms         Are items removed/returned from the file         Examine
                                    Containing FTI     room logged or scanned?
FO74 Secure Storage    4.3.4   MP-4 File Rooms         Is there a follow-up for missing files           Interview
                                    Containing FTI     performed?
FO75 Secure Storage    4.3.4   MP-4 File Rooms         Is the file room door locked at night?         Interview/
                                    Containing FTI                                                     Examine
FO76 Secure Storage    4.3.4   MP-2 File Rooms         If so, who can access the room after              Interview
                                    Containing FTI     normal working hours (i.e., cleaning,
                                                       guards, maintenance)?
FO77 Secure Storage    4.3.4   MP-4 Storage of Files   Are files stored at the field office/district    Interview/
                                    Containing FTI     office/agency?                                    Examine
FO78 Secure Storage    4.3.4   MP-4 Storage of Files   How long are files stored at the field            Interview
                                    Containing FTI     office/district office/agency?
FO79 Secure Storage    5.6.6   CP-6 Storage Off-Site   Are files stored at an alternate storage       Interview
                                                       facility?
FO80 Secure Storage    5.6.6   CP-6 Storage Off-Site   If this is an agency facility, do agency       Interview
                                                       employees work at the facility?
FO81 Secure Storage    5.6.6   CP-6 Storage Off-Site   If this is a facility administered by a        Interview
                                                       different state agency, how is access to
                                                       FTI controlled?
FO82 Secure Storage    5.6.6   CP-6 Storage Off-Site   If this is a contractor facility, how is       Interview
                                                       access to FTI controlled?
FO83 Secure Storage     4.5    CP-6 Storage Off-Site   How is paper or electronic FTI shipped or      Interview
                       5.6.6   MP-5                    transferred to the alternate storage facility?
FO84 Secure Storage     4.5    CP-6 Storage Off-Site   What type of container is used to ship the       Interview/
                       5.6.6   MP-5                    files?                                            Examine
FO85 Secure Storage     4.5    CP-6 Storage Off-Site   Is the container taped or locked?                Examine/
                       5.6.6   MP-5                                                                        Test




FO86 Secure Storage   4.5    CP-6 Storage Off-Site      For retrieval of a single document, file,     Interview
                     5.6.6   MP-5                       or tape containing FTI, is the entire
                                                        container recalled or only the
                                                        individual item?
FO87 Secure Storage     4.5    CP-6 Storage Off-Site    Who is in charge of storage or shipping         Interview
                       5.6.6   MP-5                     files to storage facilities?
FO88 Secure Storage    5.6.6   CP-6 Storage of Files    Does the storage contractor have a sub-         Interview
                               MP-2 Containing FTI      contractor (e.g. responsible for disposal)?

FO89 Secure Storage   5.6.16   SI-12 Storage of Files   Is there a written policy on document           Examine
                                     Containing FTI     retention?
FO90 Secure Storage    4.7     PE-17 Alternate Work     Are employees allowed to work with FTI          Interview/
                                     Site               from an alternate work site (i.e., any           Examine
                                                        working area that is attached to the Wide
                                                        Area Network (WAN) either through a
                                                        Public Switched Data Network (PSDN) or
                                                        through the Internet)? Examples:
                                                        Working at home, working at a different
                                                        agency site, working at a contractor site.

FO91 Secure Storage    4.7     PE-17 Alternate Work     Does the agency have a documented plan        Examine
                                     Site               for the security of alternate work sites?

FO92 Secure Storage    4.7     PE-17 Alternate Work     Does the agency certify that the security     Examine
                                     Site               controls of the alternate work site are
                                                        adequate for its security needs?
                                                        Additionally, does the agency promulgate
                                                        rules and procedures to ensure that
                                                        employees do not leave computers
                                                        unprotected at any time? These rules
                                                        should address brief absences while
                                                        employees are away from the computer.

FO93 Secure Storage    4.7     PE-17 Alternate Work     Do all computers and mobile devices that        Examine/
                                     Site               contain FTI and are resident in an                Test
                                                        alternate work site employ encryption
                                                        mechanisms to ensure
                                                        that this data may not be accessed, if the
                                                        computer is lost and/or stolen? What is
                                                        the encryption strength?




FO94 Secure Storage   4.7    PE-17 Alternate Work      Does the agency provide specialized             Interview/
                                   Site                training in security, disclosure awareness,      Examine
                                                       and ethics for all participating employees
                                                       and managers? Does the training cover
                                                       situations that could occur as the result of
                                                       an interruption of work by family, friends,
                                                       or other sources?

FO95 Secure Storage     4.7    PE-17 Alternate Work    Does the agency conduct periodic               Interview/
                                     Site              inspections of alternate work sites            Examine
                                                       during the year to ensure that safeguards
                                                       are adequate? Are the results of each
                                                       inspection documented?

FO96 Secure Storage     4.7    PE-17 Alternate Work    Does the agency retain ownership and           Interview
                                     Site              control of all hardware, software, and
                                                       telecommunications equipment
                                                       connecting to public communication
                                                       networks that is resident at alternate
                                                       work sites?
FO97 Secure Storage    4.3.2   PE-5 Access Control     Are computer monitors or other display          Examine
                                    for Display        devices that display FTI positioned so as
                                    Medium             to not be visible to passers-by in hallways
                                                       or common areas?
FO98 Secure Storage     4.32   PE-18 Location of       For all areas that process FTI, does the        Examine
                        4.33         Information       agency position information system
                        4.34         System            components within the facility to minimize
                                     Components        potential damage from physical and
                                                       environmental hazards and to minimize
                                                       the opportunity for unauthorized access?

FO99 Secure Storage     4.4    PE-3 Security During    How is FTI protected during an office           Interview
                                    Office Moves       move? Is FTI kept in locked cabinets or
                                                       sealed packing cartons during the move?




FO100 Secure Storage   4.4    PE-3 Security During    Is FTI mailed or transported between           Interview
                                   Office Moves       office locations?

                                                      Is this FTI placed in double-envelopes or
                                                      locked in a secure container during
                                                      transport?

                                                      Is a transmittal document used to track
                                                      the movement and receipt of FTI?

                                                      Is a transmittal document used to track
                                                      the movement and ensure the delivery of
                                                      FTI?
                                                                              IRC Section 6103(p)(4)(C)
FO101 Restricting       5.3    MP-2 Commingling       Describe how the agency labels paper      Interview
      Access                                          documents containing FTI.
FO102 Restricting       5.3    MP-2 Commingling       Describe how the agency labels case files Interview
      Access                                          containing paper FTI.
FO103 Restricting       5.3    MP-2 Commingling       Describe how the agency labels paper      Interview
      Access                                          documents containing FTI.
FO104 Restricting       5.3    MP-2 Commingling       How is paper FTI filed?                   Interview
      Access
FO105 Restricting       5.3    MP-2 Commingling       How can paper FTI be retrieved?                Interview
      Access
FO106 Restricting       5.3    MP-2 Commingling       What identifying information is used for     Interview
      Access                                          retrieval? Individual name?
FO107 Restricting       5.3    MP-2 Commingling       Is paper FTI kept separate or commingled Interview/
      Access                                          with other information?                      Examine
FO108 Restricting       5.3    MP-2 Commingling       If commingled, is commingled paper FTI      Interview/
      Access                                          identifiable?                                Examine
FO109 Restricting       5.3    MP-2 Commingling       Can paper FTI within agency records be       Interview
      Access                                          located and segregated?
FO110 Restricting       5.3    MP-2 Commingling       Please provide documents or letters          Examine
      Access                                          (Verification, Adjustment, Third Party)
                                                      used to obtain FTI verification from
                                                      clients, financial institutions and others.
FO111 Restricting       5.3    MP-2 Commingling       What specific data, from paper FTI, is         Interview
      Access                                          entered into the system after independent
                                                      verification has been received?

FO112 Restricting       5.3    MP-2 Commingling       How is electronic FTI filed?                   Interview
      Access




FO113     Restricting      5.3   MP-2 Commingling           How can electronic FTI be retrieved?           Interview
          Access
FO114     Restricting      5.3   MP-2 Commingling           What identifying information is used for       Interview
          Access                                            retrieval? Individual name?
FO115     Restricting      5.3   MP-2 Commingling           Is electronic FTI kept separate or             Interview/
          Access                                            commingled with other information?              Examine
FO116     Restricting      5.3   MP-2 Commingling           If commingled, is commingled electronic        Interview/
          Access                                            FTI identifiable?                               Examine
FO117     Restricting      5.3   MP-2 Commingling           Can electronic FTI within agency records        Interview
          Access                                            be located and segregated?
FO118     Restricting      5.3   MP-2 Commingling           What electronic FTI is printed and             Interview
          Access                                            used in paper form?

                                                            What electronic FTI is referenced in
                                                            electronic or paper case notations? (e.g.
                                                            case history, source of information, or
                                                            comments section)
FO119 Restricting          5.5   AC-6 Computer Center If this is an agency facility, who works at          Interview
      Access                          Facility        the facility?
                                                      - Only agency employees?
                                                      - Other state agency employees?
                                                      - Contractors?

                                                            How is access to FTI limited?
FO120 Restricting         11.0   MP-2 Contractor            Is data disclosed to any contractor?           Interview/
      Access              11.4   SA-9 Access                Identify the data disclosed and the             Examine
                                                            contractor.
FO121 Restricting         11.0   MP-2    Contractor         Provide a copy of the contractor's             Examine
      Access              11.4   SA-9    Access             contract.
FO122 Restricting         11.0   MP-2    Contractor         Does the contract include the required         Examine
      Access              11.4   SA-9    Access             Safeguards language in the contract?
                                                            (Publication 1075 Exhibit 7 Language)
FO123 Restricting         11.0   MP-2 Contractor            Does the contractor sub-contract any           Interview
      Access              11.4   SA-9 Access                work containing FTI?




FO124 Restricting      11.0   SA-9 External        Does the agency outsource information              Interview/
      Access           11.4        Information     system services for systems that store,            Examine
                                   System Services process or transmit FTI to a commercial
                                                   vendor or other provider external to the
                                                   agency (contractor)?

                                                        Does the contract include the required
                                                        Safeguards language?
                                                        (Publication 1075 Exhibit 7)

FO125 Restricting      11.0   SA-9 External        Do employees or contractors at an off-             Interview
      Access           11.4        Information     site storage facility have access to FTI?
                                   System Services If so, describe by whom and how FTI
                                                   access is restricted.
FO126 Restricting      5.2    AC-6 Access               How is access limited to authorized             Interview
      Access                                            employees?
FO127 Restricting      5.2    AC-6 Access               Who designates authorized employees?            Interview
      Access
FO128 Restricting      5.2    AC-6 Access               Do all authorized employees have a need- Interview
      Access                                            to-know?
FO129 Restricting      5.2    AC-6 Access               Do state auditors or inspectors general   Interview
      Access                                            have access to case files?
FO130 Restricting      5.2    AC-6 Access               Provide the written procedures in effect  Examine
      Access                                            for specifying to whom disclosures of FTI
                                                        can be made.
FO131 Restricting      5.2    AC-6 Quality Control,     Do reviewers have access to FTI online?      Test
      Access                       Quality              In paper?
                                   Assurance,
                                   Quality Review
FO132 Restricting      5.2    AC-6 Quality Control,     Do reviewers send out verification letters      Interview
      Access                       Quality              on FTI?
                                   Assurance,
                                   Quality Review
FO133 Restricting      5.2    AC-6 Quality Control,     Are reviewers agency employees?                 Interview
      Access                       Quality
                                   Assurance,
                                   Quality Review
FO134 Restricting      5.2    AC-6 Other Entities       Do other entities (e.g., volunteers,            Interview
      Access                                            researchers, contractors, non-agency
                                                        employees, interns) have access to FTI?




   85901907-d61d-4d54-9a68-2e81241e0236.xls                                              Field Office                                                                  44 of 78
                                                                                    IRS Safeguards
                                                                Safeguards Disclosure Security Evaluation Matrix (SDSEM)


Test ID  PUB 1075      PUB 1075 NIST   Test Objective                    Test Steps                    Assessment Pass /   Agency's Pre-review Answers   IRS Comments/Supporting
         Reporting       REF     ID                                                                      Method    Fail                                         Evidence
         Category
FO135 Restricting              AC-6 Federal Offset      Are Federal Offset Payments released to          Interview
      Access                        Payments            courts or other third parties, such as
                                                        custodial parents?
FO136 Restricting              AC-6 Federal Offset      Does the agency receive Federal Offset           Interview
      Access                        Payments            Payments (Applies to Revenue and Child
                                                        Support)?
FO137 Restricting              AC-6 Federal Offset      Does the agency use a contractor to              Interview
      Access                        Payments            process the Offset (Reconciliation of
                                                        payment or data processing)?
FO138 Restricting        5.4   AC-6 Sharing FTI         Is FTI shared between Child Support,             Interview
      Access                                            Human Services or Labor? Are
                                                        employees shared between these
                                                        agencies?
FO139 Restricting        5.4   AC-6 Sharing FTI         Does the agency share FTI with any               Interview
      Access                                            agency or entity (e.g., tribes, cities/states,
                                                        other state agencies)? If yes, what data,
                                                        to whom and by what authority?

FO140 Restricting              AC-6 Client              Who can represent a client?                      Interview
      Access                        Representation
FO141 Reporting         10.1    IR-1 Incident           Is there a documented policy with steps          Examine
      Improper                       Response           for reporting unauthorized disclosure of
      Inspections or                                    FTI?
      Disclosures
FO142 Reporting         10.1    IR-1 Incident           Does the incident reporting policy contain       Examine
      Improper                       Response           the IRS and TIGTA contact information,
      Inspections or                                    coordination steps and detail when these
      Disclosures                                       entities should be notified of the incident?

FO143 Reporting         10.1    IR-2 Incident           Does the agency provide incident                 Interview/
      Improper                       Response           response training to all personnel with           Examine
      Inspections or                 Training           access to FTI and personnel with incident
      Disclosures                                       response responsibilities? Is initial
                                                        training provided, and refresher training
                                                        provided at least annually?
FO144 Reporting         10.1    IR-7 Incident           Does the agency provide an incident              Interview
      Improper                       Response           response support resource for users?
      Inspections or                 Assistance         Possible implementations of incident
      Disclosures                                       response support resources include a
                                                        help desk or an assistance group, and
                                                        access to forensics services.




FO145 Reporting         10.1      IR-3 Incident            Does the agency test/exercise the                Examine
      Improper                         Response            Disclosure aspect of its incident response
      Inspections or                   Testing and         capability at least annually? Review
      Disclosures                      Exercises           documented test results of prior incident
                                                           response tests.
FO146 Reporting         10.1      IR-4 Incident Handling Does the agency's incident response                Examine
      Improper                                           procedures address an incident handling
      Inspections or                                     capability for security incidents that
      Disclosures                                        includes preparation, detection and
                                                         analysis, containment, eradication, and
                                                         recovery and post-incident activity?


FO147 Reporting         10.1      IR-5 Incident            How is the incident documented, tracked          Interview/
      Improper                         Response            and monitored?                                    Examine
      Inspections or
      Disclosures
FO148 Reporting         10.1      IR-5 Incident            Does the agency document the incident            Examine
      Improper                         Response            search efforts? Do they notify the
      Inspections or                                       impacted Taxpayer(s)?
      Disclosures
FO149 Restricting      5.6.17.5    -    Electronic Mail    Does the agency have a policy that states        Examine
      Access                                               FTI shall not be transmitted or used on
                                                           email systems?
FO150 Restricting      5.6.17.5    -    Electronic Mail    If it is necessary to transmit FTI via email,    Interview
      Access                                               does the agency take the following
                                                           precautions to protect FTI sent via email?
                                                           - Email transmitting the FTI is encrypted
                                                           (i.e., digital certificate-based encryption)
                                                           - Attachments containing FTI are
                                                           encrypted
                                                           - Ensure that all messages sent are to the
                                                           proper address
                                                           - Email stays within the agency email
                                                           system and is not sent outside the firewall
                                                           - Employees should log off the computer
                                                           when away from the area




FO151 Restricting    5.6.17.6     -    Fax Machines       If fax machines are used to transmit FTI, Interview/
      Access                                              does the agency take the following             Examine
                                                          precautions to protect Fax transmissions?
                                                          - A trusted staff member is located at both
                                                          the sending and receiving fax machines.
                                                          - Broadcast lists and other preset numbers
                                                          of frequent recipients of FTI are
                                                          maintained and periodically updated
                                                          - Fax machines are placed in a secured
                                                          area.
                                                          - A cover sheet is included on fax
                                                          transmissions that explicitly provides
                                                          guidance to the recipient, which includes:
                                                              - A notification of the sensitivity of the
                                                          data and the need for protection
                                                              - A notice to unintended recipients to
                                                          telephone the sender—collect if
                                                          necessary—to report the disclosure and
                                                          confirm destruction of the information.




FO152 Restricting    5.6.17.1     -    Data Warehouse Does the agency employ a data                       Interview
      Access                           Configuration  warehousing environment? If so, what FTI
                                                      resides there?

                                                          How is the FTI identified as FTI within the
                                                          data warehouse?

                                                          How is the use, movement, and
                                                          destruction tracked within the warehouse?


                                                                                 IRC Section 6103(p)(4)(D)
FO153 Other            6.2      AT-1   Employee           Does the agency have a security          Examine
      Safeguards                       Awareness          awareness and training policy?




FO154 Other            6.2    AT-1 Employee             Does the agency have security training          Examine
      Safeguards                   Awareness            and awareness procedures that address
                                                        the policy elements, and are they
                                                        disseminated to employees responsible for
                                                        implementing security training and
                                                        awareness?
FO155 Other            6.2    AT-2 Employee             Are new employees given a security              Interview
      Safeguards                   Awareness            orientation prior to having access to FTI?

FO156 Other            6.2    AT-2 Employee             Does the orientation specifically cover         Examine
      Safeguards                   Awareness            FTI?

FO157 Other            6.2    AT-2 Employee             Does the orientation cover Penalty              Examine
      Safeguards                   Awareness            Provisions under the Internal Revenue
                                                        Code (IRC) 7213, 7213A and 7431?
FO158 Other            6.2    AT-2 Employee             Do employees sign a certification at initial    Examine
      Safeguards                   Awareness            security awareness orientation (provide a
                                                        copy of agreement)?
FO159 Other            6.2    AT-2 Employee             Do employees sign a re-certification every        Test
      Safeguards                   Awareness            year thereafter?

FO160 Other            6.2    AT-2 Employee             Does the agency maintain training records       Examine
      Safeguards                   Awareness            for employees/contractors that identifies
                                                        the security and awareness training that
                                                        each user has completed?
FO161 Employee         6.2    MP-2 Document             Are employees aware of the need to              Interview
      Awareness                    Security             protect FTI against inadvertent disclosure
                                                        when visitors/maintenance
                                                        personnel/vendors are in work area?
FO162 Other            6.3    CA-2 Internal             Is the agency periodically audited by a         Interview
      Safeguards                   Inspections          third party (e.g. Internal Audit, Inspector
                                                        General (IG))?
FO163 Other            6.3    CA-2 Internal             When was the last audit conducted?              Examine
      Safeguards                   Inspections          Provide a copy of the audit report.
                                                                               IRC Section 6103(p)(4)(F)
FO164 Disposing        8.3    MP-6 Paper FTI            Where is paper FTI secured prior to      Examine
      Federal Tax                                       disposal?
      Information                                       -Recycle bins?
                                                        -Locking container?
                                                        -Waste paper basket?
                                                        -Container on desk?




FO165 Disposing         8.3   MP-6 Paper FTI            How is paper FTI destroyed?                     Interview
      Federal Tax                                       -Shredding (i.e., are strips rendered
      Information                                       unreadable, size of strips, print
                                                        perpendicular to cutting line)?
                                                        -Pulping (i.e., what size is material
                                                        reduced to)?
                                                        -Burning (i.e., is there complete
                                                        combustion)?
                                                        -Disintegration (how fine a screen is
                                                        used)?

FO166 Disposing         8.3   MP-6 Paper FTI            Who performs destruction of paper FTI?          Interview
      Federal Tax       8.4                             -Agency staff?
      Information                                       -Contractor?
FO167 Disposing         8.3   MP-6 Paper FTI            Who picks up/takes paper FTI for                Interview
      Federal Tax       8.4                             destruction?
      Information                                       -State Agency/Federal Agency?
                                                        -Contractor?
FO168 Restricting       8.3   AC-6 Destruction          If the destruction facility is a contractor     Interview
      Access            8.4        Facility             facility, how is access to paper FTI limited
                                                        to employees?
FO169 Disposing         8.3   MP-6 Paper FTI:           What is the name of the contractor used         Interview
      Federal Tax       8.4        Contractor           for pick up and destruction of paper FTI?
      Information
FO170 Disposing         8.3   MP-6 Paper FTI:           Location of the contractor used for pick up     Interview
      Federal Tax       8.4        Contractor           and destruction of paper FTI?
      Information
FO171 Disposing         8.3   MP-6 Paper FTI:           Name and telephone number of contact            Interview
      Federal Tax       8.4        Contractor           person at the contractor used for pick up
      Information                                       and destruction of paper FTI.

FO172 Disposing         8.3   MP-6 Paper FTI:           If the contractor does not have a               Interview
      Federal Tax       8.4        Contractor           destruction facility, where is the paper FTI
      Information                                       taken?
FO173 Disposing         8.3   MP-6 Paper FTI:           Does Agency staff accompany paper FTI           Interview
      Federal Tax       8.4        Contractor           and view destruction?
      Information
FO174 Disposing         8.3   MP-6 Paper FTI:           How is paper FTI packaged and secured? Interview/
      Federal Tax       8.4        Contractor                                                   Examine
      Information
FO175 Disposing         8.3   MP-6 Electronic Media     Is paper FTI shredded (size of shred)?            Test
      Federal Tax       8.4        Library:
      Information                  Procedures -
                                   Destruction



                                                                       Other DES Observations
                                                                                       IRC Section 6103(p)(4)(A)
DC1       Record Keeping     3.0      MP-5 Electronic Media    Is electronic media generated upon        Interview
          Requirements                     Containing FTI      receipt?
                                           Processed
DC2       Record Keeping     3.0      MP-6 Electronic Media    What electronic media do you still have         Interview
          Requirements                     Containing FTI      and how are you planning disposal?
                                           Processed
DC3       Record Keeping     3.0      MP-5 Electronic Media    Is electronic media provided to a               Interview
          Requirements                     Containing FTI      contracted State Agency or Contractor?
                                           Processed
DC3       Record Keeping    11.3       -   Electronic Media    All agencies intending to disclose federal Interview/
          Requirements                     Containing FTI      tax information to contractors (including   Examine
                                           Processed           consolidated data centers, off-site storage
                                                               facilities, shred companies, information
                                                               technology support, and for tax modeling
                                                               or revenue forecasting purposes) must
                                                               notify the IRS prior to executing any
                                                               agreement to disclose to such a person
                                                               (contractor), but in no event less than 45
                                                               days prior to the disclosure of FTI.

                                                               Does such a documented policy and
                                                               process exist to address this?




DC4       Record Keeping     3.0      MP-5 Electronic Media    What safeguard controls are in place            Interview
          Requirements                     Containing FTI      when transmitting and processing
                                           Processed           electronic media at a contracted state
                                                               agency or contractor site?


DC5       Record Keeping     3.0      MP-2 Receipt FTI         If FTI is printed at data center what          Interview/
          Requirements                     Paper Reports       functions is it distributed to?                 Examine

DC6       Record Keeping     3.0      MP-4 Storage of IRS      Where is electronic media stored before         Interview
          Requirements                     FTI electronic      and after processing?
                                           media               -At Agency?
                                                               -At Data Center?
                                                               -Is electronic media with FTI stored with
                                                               other Agency data?




    85901907-d61d-4d54-9a68-2e81241e0236.xls                                                    Data Center                                                                     51 of 78
DC7       Record Keeping   3.2      MP-2 Electronic Files     Is a log kept or are transmittal documents    Interview/
          Requirements                                        retained? Documented receipt? Informal         Examine
                                                              receipt? By whom?
                                                              -In-house?
                                                              -Contractor?
                                                              -Outside of Agency?
DC8       Record Keeping    3.2     MP-2 Electronic Files     Are electronic media inventories               Examine
          Requirements                                        performed periodically? What were the
                                                              results of prior inventories?

DC9       Record Keeping   5.6.16   SI-12 Stored in the       Are cycles documented and monitored to         Examine
          Requirements                    Media Library:      ensure destruction?
                                          Electronic Media
                                          Library:
                                          Procedures - File
                                          Retention Cycles
DC10 Record Keeping        5.6.6    CP-9 Stored in the        How are data files backed up, by whom,         Interview
     Requirements                         Media Library:      and on what type of media (e.g., data
                                          Electronic Media    center backup, agency programmer
                                          Library:            backup)?
                                          Procedures -
                                          Data Backup
DC11 Record Keeping        5.6.16   SI-12 Stored in the       What is the retention period of backup        Interview
     Requirements                         Media Library:      media and how many generations of backup
                                          Electronic Media    files exist at the same time?
                                          Library:
                                          Procedures -
                                          Retention
DC12 Record Keeping        5.6.6    CP-6 Stored in the        Where are backup files stored? Are            Interview/
     Requirements                   MP-4 Media Library:       backup files stored off-site? If so, where?    Examine
                                          Electronic Media
                                          Library:
                                          Procedures -
                                          Retention
DC13 Record Keeping        5.6.6    CP-6 Stored in the        How are files protected? Who has access Interview/
     Requirements                   MP-4 Media Library:       to these files?                          Examine
                                          Electronic Media
                                          Library:
                                          Procedures -
                                          Retention




DC14 Record Keeping 5.6.6       CP-6 Stored in the        Is paper FTI printed at the Data Center?       Interview/
     Requirements               MP-4 Media Library:                                                       Examine
                                     Electronic Media     If so, is it tracked and logged from
                                     Library:             creation to destruction?
                                     Procedures -
                                     Retention
DC15 Record Keeping    5.6.6    CP-6 Stored in the        Does the agency label removable media          Interview/
     Requirements               MP-4 Media Library:       (CDs, magnetic tapes, external hard             Examine
                                     Electronic Media     drives, flash/thumb drives, DVDs) and
                                     Library:             information system output containing FTI
                                     Procedures -         (reports, documents, data files, back-up
                                     Retention            tapes) indicating “Federal Tax
                                                          Information”?
                                                                                 IRC Section 6103(p)(4)(B)
DC16 Secure Storage    4.3.2    PE-3   Guards             Guards: Contractor or Employee?          Interview
                       4.3.4
DC17 Secure Storage    4.3.2    PE-3   Guards             Guards: How many posts:                         Examine
                       4.3.4
                                                          -Main Entrance_____
                                                          -Rear Entrance_____
                                                          -Side Entrance_____
                                                          -Outside_____
                                                          -Inside_____

DC18 Secure Storage    4.3.2    PE-3   Guards             Guards: Hours on Duty?                          Interview
                       4.3.4
DC19 Secure Storage    4.3.12   PE-6   Alarms             Electronic Intrusion Alarm System?             Interview/
                                                                                                          Examine
DC20 Secure Storage    4.3.12   PE-6   Alarms             Motion Detectors?                              Interview/
                                                                                                          Examine
DC21 Secure Storage    4.3.12   PE-6   Alarms             Emergency Exit Alarm?                          Interview/
                                                                                                          Examine
DC22 Secure Storage    4.3.12   PE-6   Alarms             Who monitors the various alarms?                Interview

DC23 Secure Storage    4.3.2    PE-6   Cameras            Where are they placed?                          Examine
                                       (Outside/Inside)
DC24 Secure Storage    4.3.2    PE-6   Cameras            How many cameras?                               Examine
                                       (Outside/Inside)
DC25 Secure Storage    4.3.2    PE-6   Cameras            Who monitors the various cameras?               Interview
                                       (Outside/Inside)
DC26 Secure Storage    4.3.2    PE-6   Cameras            Are cameras recording their view?                 Test
                                       (Outside/Inside)




| DC27 | Secure Storage | 4.3.2 | PE-6 | Cameras (Outside/Inside) | How long are electronic media (Hard Drive, DVR, Tapes) maintained? | Interview/Examine | | | |
| DC28 | Secure Storage | 4.3.2 | PE-6 | Access: Monitoring | What controls are in place to monitor access to the restricted area (i.e., logs, electronic monitoring)? | Interview | | | |
| DC29 | Secure Storage | 4.3.2 | PE-6 | Access: Monitoring | How often are access control points monitored? | Interview | | | |
| DC30 | Secure Storage | 4.3.2 | PE-2 | Access: Keys/Cards | What is used to control access from the outside: Keys or Electronic access control system? | Examine/Test | | | |
| DC31 | Secure Storage | 4.3.10, 4.3.11 | PE-2 | Access: Keys/Cards | What is used to control access from the inside: Keys or Electronic access control system? | Examine/Test | | | |
| DC32 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Is a record maintained on the issuance of keys/key cards? Buildings: / Offices: / Containers: | Examine | | | |
| DC33 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | If so, how are records maintained (i.e., custody receipt/automated file)? Buildings: / Offices: / Containers: | Examine | | | |
| DC34 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Who is responsible for issuance of keys/key cards? Buildings: / Offices: / Containers: | Interview | | | |
| DC35 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Who has access to keys/key cards? Buildings: / Offices: / Containers: | Interview | | | |
| DC36 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Are periodic reviews being conducted to reconcile records? Buildings: / Offices: / Containers: When was the last review? | Interview/Examine | | | |
| DC37 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Is there a written policy on recovery of ID/keys/key cards after an employee leaves? | Examine | | | |
| DC38 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Are the locking mechanisms checked for malfunctions? Buildings: / Offices: / Containers: By whom? How often? | Interview | | | |
| DC39 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Who controls the duplicate keys for: Buildings: / Offices: / Containers: | Interview | | | |
| DC40 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Are all employees given keys to: Buildings: / Offices: / Containers: | Interview | | | |
| DC41 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | What is the key reproducing policy? Buildings: / Offices: / Containers: | Interview/Examine | | | |
| DC42 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Who maintains the key to the cabinet(s) that contain the electronic FTI? Are there backup keys? Where is the key kept during the day? Where is the key kept at night? How many keys are there in total? | Interview | | | |
| DC43 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Who maintains the key to the cabinet(s) that contain the paper FTI? Are there backup keys? Where is the key kept during the day? Where is the key kept at night? How many keys are there in total? | Interview | | | |
| DC44 | Secure Storage | 4.3.10 | PE-2 | Access: Keys/Cards | Who maintains backup keys to cabinets that contain the IRS electronic media(s) or FTI Reports? | Interview | | | |
| DC45 | Secure Storage | 4.3.10 | PE-3 | Access: Combinations | How often are door/safe combinations changed? | Interview | | | |
| DC46 | Secure Storage | 4.3.10 | PE-3 | Access: Combinations | Who is responsible for changing the combinations? | Interview | | | |
| DC47 | Secure Storage | 4.3.10 | PE-3 | Access: Combinations | Who safeguards the combinations? | Interview | | | |
| DC48 | Secure Storage | 4.3.10 | PE-3 | Access: Combinations | Who controls (records)/safeguards combinations? | Interview | | | |
| DC49 | Secure Storage | 4.3.10 | PE-3 | Access: Combinations | How are combinations safeguarded? | Interview | | | |
| DC50 | Secure Storage | 4.3.2 | PE-2 | ID Cards (Badges) | Are employees wearing the agency-authorized IDs? | Test | | | |
| DC51 | Secure Storage | 4.3.2 | PE-2 | ID Cards (Badges) | Are lost ID cards reported? | Interview | | | |
| DC52 | Secure Storage | 4.3.2 | PE-2 | ID Cards (Badges) | How do employees enter the work area without an ID card? | Interview | | | |
| DC53 | Secure Storage | 4.3.2 | PE-2 | ID Cards (Badges) | Is there a written policy on ID cards? | Examine | | | |
| DC54 | Secure Storage | 4.3.2 | PE-2 | ID Cards (Badges) | Are ID cards inventoried (i.e., automated, written down and placed in a safe, etc.)? | Examine | | | |
| DC55 | Secure Storage | 4.3.2 | PE-2 | ID Cards (Badges) | Who has access to the ID Card/Badge inventory? | Interview | | | |
| DC56 | Secure Storage | 4.3.2 | PE-7 | Visitor/Vendor Access | Do visitors/vendors sign a visitor access log? | Examine | | | |
| DC57 | Secure Storage | 4.3.2 | PE-8 | Visitor/Vendor Access | Does the visitor access log contain the following information? (i) name and organization of the visitor; (ii) signature of the visitor; (iii) form of identification; (iv) date of access; (v) time of entry and departure; (vi) purpose of visit; and (vii) name and organization of person visited. | Examine | | | |
| DC58 | Secure Storage | 4.3.2 | PE-8 | Visitor/Vendor Access | Do designated officials or designees within the agency review the visitor access records at least annually? | Interview | | | |
| DC59 | Secure Storage | 4.3.2 | PE-7 | Visitor/Vendor Access | Are visitors/vendors escorted? If so, what are the escorting procedures? | Interview/Examine | | | |
| DC60 | Secure Storage | 4.3.2 | PE-7 | Visitor/Vendor Access | Are visitors/vendors issued ID cards? Are ID cards turned in at the end of the day? Are ID cards inventoried/monitored? | Interview/Examine | | | |
| DC61 | Secure Storage | 4.3.1 | PE-3 | Restricted Area | Verify two barriers are present to access FTI under normal security: secured perimeter/locked container, locked perimeter/secured interior, or locked perimeter/security container. | Examine | | | |
| DC62 | Secure Storage | 4.3.1 | PE-3 | Restricted Area | Specify the Restricted Access areas where FTI is located. | Interview/Examine | | | |
| DC63 | Secure Storage | 4.3.1 | PE-3 | Restricted Area | How is access to the restricted areas controlled? | Interview | | | |
| DC64 | Secure Storage | 4.3.1 | PE-2 | Restricted Area | Who authorizes access to the restricted areas? | Interview | | | |
| DC65 | Secure Storage | 4.3.1 | PE-2 | Restricted Area | Are the names of departed/transferred employees removed? When are they removed? | Interview/Examine | | | |
| DC66 | Secure Storage | 4.3.1 | PE-2 | Restricted Area | Is an access record review conducted to update who can access certain areas? How often? | Interview | | | |
| DC67 | Secure Storage | 4.3.1 | PE-6 | Restricted Area | Who reviews electronic and paper audit trails? How often are they reviewed? | Interview | | | |
| DC68 | Secure Storage | 4.5 | PE-16 | Loading Docks | How are loading docks secured? | Interview/Examine | | | |
| DC69 | Secure Storage | 4.5 | MP-4 | Document Security | Are documents containing FTI stored in a locked container until pick-up for disposal? | Examine | | | |
| DC70 | Secure Storage | 4.5 | MP-5 | Document Security | How is the paper waste material transported? | Interview | | | |
| DC71 | Secure Storage | 4.3.4 | MP-2 | Document Security | Is there a written "clean desk" policy (should cover desktop, credenzas, and in/out baskets)? | Examine | | | |
| DC72 | Secure Storage | 4.3.4 | MP-2 | Document Security | Does management periodically conduct an after-hours check to ensure the clean desk policy (i.e., locked containers, office doors locked, etc.)? How often? When was the last review? Were there any findings, and were corrective actions taken? | Interview/Examine | | | |
| DC73 | Secure Storage | 4.3.6, 4.3.7, 4.3.8 | MP-4 | Containers | What type of container is used to store FTI (i.e., lateral, upright, credenza, overhead, desk, safes, vaults)? | Examine | | | |
| DC74 | Secure Storage | 4.3.6, 4.3.7, 4.3.8 | MP-4 | Containers | Do all containers have locks? | Examine | | | |
| DC75 | Secure Storage | 4.3.9 | MP-4 | Containers | What type of lock (i.e., lock bars, key lock, padlock, combination padlock)? | Examine | | | |
| DC76 | Secure Storage | 4.3.6, 4.3.7, 4.3.8 | MP-4 | Containers | Is FTI stored in secure containers after hours or when not in use? | Interview/Examine | | | |
| DC77 | Secure Storage | 4.3.4 | PE-3 | Office Security | How is access restricted to internal offices? | Interview/Examine | | | |
| DC78 | Secure Storage | 4.3.4 | PE-3 | Office Security | Are integral office doors locked after hours? | Interview/Examine | | | |
| DC79 | Secure Storage | 4.3.4 | PE-2 | Office Security | Who has access to the offices after hours? Cleaning Crews: / Landlord: / Maintenance Crews: / Security Guards: / Employees (i.e., all or management): | Interview | | | |
| DC80 | Secure Storage | 5.6.6 | CP-6 | Storage Off-Site | Does the data center perform a nightly dump that is separate from the daily, weekly and monthly backups performed by the agency and sent to a storage facility? | Interview | | | |
| DC81 | Secure Storage | 4.7 | PE-17 | Alternate Work Site | Are employees allowed to work with FTI from an alternate work site (i.e., any working area that is attached to the Wide Area Network (WAN) either through a Public Switched Data Network (PSDN) or through the Internet)? Examples: working at home, working at a different agency site, working at a contractor site. | Interview/Examine | | | |
| DC82 | Secure Storage | 4.7 | PE-17 | Alternate Work Site | Does the agency have a documented plan for the security of the alternative work site? | Examine | | | |
| DC83 | Secure Storage | 4.7 | PE-17 | Alternate Work Site | Does the agency certify that the security controls of the alternate work site are adequate for security needs? Additionally, does the agency promulgate rules and procedures to ensure that employees do not leave computers unprotected at any time? These rules should address brief absences while employees are away from the computer. | Examine | | | |
| DC84 | Secure Storage | 4.7 | PE-17 | Alternate Work Site | Do all computers and mobile devices that contain FTI and are resident in an alternate work site employ encryption mechanisms to ensure that this data may not be accessed if the computer is lost and/or stolen? What is the encryption strength? | Examine/Test | | | |
| DC85 | Secure Storage | 4.7 | PE-17 | Alternate Work Site | Does the agency provide specialized training in security, disclosure awareness, and ethics for all participating employees and managers? Does the training cover situations that could occur as the result of an interruption of work by family, friends, or other sources? | Interview/Examine | | | |
| DC86 | Secure Storage | 4.7 | PE-17 | Alternate Work Site | Does the agency conduct periodic inspections of alternative work sites during the year to ensure that safeguards are adequate? Are the results of each inspection documented? | Interview/Examine | | | |
| DC87 | Secure Storage | 4.7 | PE-17 | Alternate Work Site | Does the agency retain ownership and control of all hardware, software, and telecommunications equipment connecting to public communication networks, where these are resident at alternate work sites? | Interview | | | |
| DC88 | Secure Storage | | CP-7 | Alternate Processing Site | Does the agency have an alternate site identified for business resumption when the primary processing location (office space) is unavailable? The alternate site could be a (i) dedicated site owned or operated by the agency, (ii) reciprocal agreement or memorandum of agreement with an internal or external entity, or (iii) commercially leased facility. | Interview/Examine | | | |
| DC89 | Secure Storage | | CP-7 | Alternate Processing Site | Does the agency have an alternate processing site agreement in place to permit the resumption of operations? Does the agreement define the time period within which processing must be resumed at the alternate processing site? | Examine | | | |
| DC90 | Secure Storage | 4.32, 4.33, 4.34 | PE-18 | Location of Information System Components | For all areas that process FTI, does the agency position information system components within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access? | Examine | | | |
| DC91 | Secure Storage | 4.4 | PE-3 | Security During Office Moves | How is FTI protected during an office move? Is FTI kept in locked cabinets or sealed packing cartons during the move? | Interview | | | |
    85901907-d61d-4d54-9a68-2e81241e0236.xls                                            Data Center                                                                     60 of 78
                                                                                    IRS Safeguards
                                                                Safeguards Disclosure Security Evaluation Matrix (SDSEM)


Test ID PUB 1075    PUB 1075   NIST     Test Objective                   Test Steps                    Assessment Pass /   Agency's Pre-review Answers   IRS Comments/Supporting
        Reporting     REF       ID                                                                       Method    Fail                                         Evidence
        Category
DC92 | Secure Storage | 4.4 | PE-3 | Security During Office Moves | Is FTI mailed or transported between office locations? Is this FTI placed in double envelopes or locked in a secure container during transport? Is a transmittal document used to track the movement and receipt of FTI? Is a transmittal document used to track the movement and ensure the delivery of FTI? | Interview

IRC Section 6103(p)(4)(C)

DC93 | Restricting Access | 5.3 | MP-2 | Commingling | Is FTI kept separate or commingled with other information? | Interview/Examine
DC94 | Restricting Access | 5.3 | MP-2 | Commingling | If commingled, is commingled FTI identifiable? | Interview/Examine
DC95 | Restricting Access | 5.5 | AC-6 | Computer Center Facility | If this is an agency facility, who works at the facility? -Only agency employees? -Other state agency employees? -Contractors? How is access to FTI limited? | Interview
DC96 | Restricting Access | 11.0, 11.4 | MP-2, SA-9 | Contractor Access | Do contractors have access to FTI (e.g., serving as System Administrators, Database Administrators, Network Administrators, Maintenance personnel, or Disposal personnel)? | Interview/Examine
DC97 | Restricting Access | 11.0, 11.4 | MP-2, SA-9 | Contractor Access | Provide a copy of the contractor's contract. | Examine
DC98 | Restricting Access | 11.0, 11.4 | MP-2, SA-9 | Contractor Access | Does the contract include the required Safeguards language (Publication 1075 Exhibit 7 language)? | Examine
DC99 | Restricting Access | 11.0, 11.4 | MP-2, SA-9 | Contractor Access | Does the contractor sub-contract any work containing FTI? | Interview

DC100 | Restricting Access | 11.0, 11.4 | SA-9 | External Information System Services | Does the agency outsource information system services for systems that store, process or transmit FTI to a commercial vendor or other provider external to the agency (contractor)? Does the contract include the required Safeguards language (Publication 1075 Exhibit 7)? | Interview/Examine
DC101 | Restricting Access | 9.1 | AC-8 | IRS Approved Warning Banner | Are all systems that store, process, or transmit FTI configured with an IRS approved Warning Banner that meets the requirements of Publication 1075 Section 5.6.1? | Examine
DC102 | Restricting Access | 5.2 | AC-6 | Access | How is access limited to authorized employees? | Interview
DC103 | Restricting Access | 5.2 | AC-6 | Access | Who designates authorized employees? | Interview
DC104 | Restricting Access | 5.2 | AC-6 | Access | Do all authorized employees have a need-to-know? | Interview
DC105 | Restricting Access | 5.2 | AC-6 | Other Entities | Do other entities (e.g., volunteers, researchers, contractors, non-agency employees, interns) have access to FTI? | Interview
DC106 | Restricting Access | 5.4 | AC-6 | Sharing FTI | Is FTI shared between Child Support, Human Services or Labor? Are employees shared between these agencies? | Interview
DC107 | Restricting Access | 5.4 | AC-6 | Sharing FTI | Does the agency share FTI with any agency or entity (e.g., tribes, cities/states, other state agencies)? If yes, what data, to whom and by what authority? | Interview
DC108 | Restricting Access | 5.5 | AC-6 | Computer Center Facility | If this is an Agency facility, who works at the facility? -Only agency employees? -Computer programmers? -How is access to FTI limited to contractors? | Interview
DC109 | Restricting Access | 5.6.2 | AU-2 | FTI Access Logs | What data elements are captured on the FTI access log reports? | Examine

DC110 | Restricting Access | 5.6.2 | AU-6 | FTI Access Logs | Are FTI access log reports monitored to detect unauthorized browsing? | Interview
DC111 | Restricting Access | 5.6.2 | AU-6 | FTI Access Logs | What actions are taken when unauthorized action is found on an FTI access log report? | Interview
DC112 | Restricting Access | 5.6.2 | AU-2 | FTI Access Logs | Are FTI access logs maintained of accesses or updates to electronic data? | Test
DC113 | Restricting Access | 5.6.2 | AU-2 | FTI Access Logs | Are access records or listings of FTI extracts made? | Test
DC114 | Restricting Access | 5.6.2 | AU-2 | FTI Access Logs | Do these FTI access logs include: -Reason for access? -Current location of data? -Final disposition? -Who monitors? -How often monitored? -Any findings within the last two years? -What action was taken? | Test
DC115 | Restricting Access | 5.6.2 | AC-20 | Non-Agency Computers | Can employees access agency systems containing FTI with personal computers? | Interview
DC116 | Restricting Access | 5.6.2 | AC-20 | Non-Agency Computers | Can contractors access agency systems containing FTI with contractor equipment? | Interview
DC117 | Reporting Improper Inspections or Disclosures | 10.1 | IR-1 | Incident Response | Is there a documented policy with steps for reporting unauthorized disclosure of FTI? | Examine
DC118 | Reporting Improper Inspections or Disclosures | 10.1 | IR-1 | Incident Response | Does the incident reporting policy contain the IRS and TIGTA contact information, coordination steps and detail when these entities should be notified of the incident? | Examine
DC119 | Reporting Improper Inspections or Disclosures | 10.1 | IR-2 | Incident Response Training | Does the agency provide incident response training to all personnel with access to FTI and personnel with incident response responsibilities? Is initial training provided, and refresher training provided at least annually? | Interview/Examine

DC120 | Reporting Improper Inspections or Disclosures | 10.1 | IR-7 | Incident Response Assistance | Does the agency provide an incident response support resource for users? Possible implementations of incident response support resources include a help desk or an assistance group, and access to forensics services. | Interview
DC121 | Reporting Improper Inspections or Disclosures | 10.1 | IR-3 | Incident Response Testing and Exercises | Does the agency test/exercise the Disclosure aspect of its incident response capability at least annually? Review documented test results of prior incident response tests. | Examine
DC122 | Reporting Improper Inspections or Disclosures | 10.1 | IR-4 | Incident Handling | Do the agency's incident response procedures address an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery and post-incident activity? | Examine
DC123 | Reporting Improper Inspections or Disclosures | 10.1 | IR-5 | Incident Response | How is the incident documented, tracked and monitored? | Interview/Examine
DC124 | Reporting Improper Inspections or Disclosures | 10.1 | IR-5 | Incident Response | Does the agency document the incident search efforts? Do they notify the impacted taxpayer(s)? | Examine
DC125 | Restricting Access | 5.6.11 | PS-2 | Personnel Security Policy and Procedures | Does the agency have a personnel security policy that addresses position categorization, personnel screening, personnel termination, personnel transfer, and access agreements? Who is responsible for implementation of the policy? | Examine
DC126 | Restricting Access | 5.6.17.5 | - | Electronic Mail | Does the agency have a policy that states FTI shall not be transmitted or used on email systems? | Examine

DC127 | Restricting Access | 5.6.17.5 | - | Electronic Mail | If it is necessary to transmit FTI via email, does the agency take the following precautions to protect FTI sent via email? - Email transmitting the FTI is encrypted (i.e. Digital Certification encryption) - Attachments containing FTI are encrypted - Ensure that all messages sent are to the proper address - Email stays within the agency email system and is not sent outside the firewall - Employees should log off the computer when away from the area | Interview
DC128 | Restricting Access | 5.6.17.6 | - | Fax Machines | If FAX machines are used to transmit FTI, does the agency take the following precautions to protect Fax transmissions? - A trusted staff member is located at both the sending and receiving fax machines. - Broadcast lists and other preset numbers of frequent recipients of FTI are maintained and periodically updated. - Fax machines are placed in a secured area. - A cover sheet is included on fax transmissions that explicitly provides guidance to the recipient, which includes: a notification of the sensitivity of the data and the need for protection, and a notice to unintended recipients to telephone the sender (collect if necessary) to report the disclosure and confirm destruction of the information. | Interview/Examine

DC129 | Restricting Access | 5.6.17.1 | - | Data Warehouse Configuration | Does the agency employ a data warehousing environment? If so, what FTI resides there? How is the FTI identified as FTI within the data warehouse? How is the use, movement, and destruction tracked within the warehouse? | Interview

IRC Section 6103(p)(4)(D)

DC130 | Other Safeguards | 6.2 | AT-1 | Employee Awareness | Does the agency have a security awareness and training policy? | Examine
DC131 | Other Safeguards | 6.2 | AT-1 | Employee Awareness | Does the agency have security training and awareness procedures that address the policy elements, and are they disseminated to employees responsible for implementing security training and awareness? | Examine
DC132 | Other Safeguards | 6.2 | AT-1 | Employee Awareness | Does the awareness training cover internal inspection procedures and requirements? | Interview
DC133 | Other Safeguards | 6.2 | AT-2 | Employee Awareness | Are new employees given a security orientation prior to having access to FTI? | Interview
DC134 | Other Safeguards | 6.2 | AT-2 | Employee Awareness | Does the orientation specifically cover FTI? | Examine
DC135 | Other Safeguards | 6.2 | AT-2 | Employee Awareness | Does the orientation cover Penalty Provisions under the Internal Revenue Code (IRC) 7213, 7213A and 7431? | Examine
DC136 | Other Safeguards | 6.2 | AT-2 | Employee Awareness | Do employees sign a certification at initial security awareness orientation (provide a copy of agreement)? | Examine
DC137 | Other Safeguards | 6.2 | AT-2 | Employee Awareness | Do employees sign a re-certification every year thereafter? | Test

DC138 | Other Safeguards | 6.2 | AT-2 | Employee Awareness | Are contractors with access to FTI included in the employee awareness orientation? | Interview
DC139 | Other Safeguards | 6.2 | AT-2 | Employee Awareness | Does the agency maintain training records for employees/contractors that identify the security and awareness training that each user has completed? | Examine
DC140 | Employee Awareness | 6.2 | MP-2 | Document Security | Are employees aware of the need to protect FTI against inadvertent disclosure when visitors/maintenance personnel/vendors are in the work area? | Interview
DC141 | Other Safeguards | 6.3 | CA-2 | Internal Inspections | Is the agency periodically audited by a third party (e.g. Internal Audit, Inspector General (IG))? | Interview

IRC Section 6103(p)(4)(F)

DC142 | Disposing Federal Tax Information | 8.3 | MP-6 | Paper FTI | Where is paper FTI secured prior to disposal? -Recycle bins? -Locking container? -Waste paper basket? -Container on desk? | Examine
DC143 | Disposing Federal Tax Information | 8.3 | MP-6 | Paper FTI | How is paper FTI destroyed? -Shredding (i.e., are strips rendered unreadable, size of strips, print perpendicular to cutting line)? -Pulping (i.e., what size is material reduced to)? -Burning (i.e., is there complete combustion)? -Disintegration (how fine a screen is used)? | Interview
DC144 | Disposing Federal Tax Information | 8.3, 8.4 | MP-6 | Paper FTI | Who performs destruction of paper FTI? -Agency staff? -Contractor? | Interview
DC145 | Disposing Federal Tax Information | 8.3, 8.4 | MP-6 | Paper FTI | Who picks up/takes paper FTI for destruction? -State Agency/Federal Agency? -Contractor? | Interview
DC146 | Restricting Access | 8.3, 8.4 | AC-6 | Destruction Facility | If the destruction facility is a contractor facility, how is access to paper FTI limited to employees? | Interview

DC147 | Disposing Federal Tax Information | 8.3, 8.4 | MP-6 | Paper FTI: Contractor | What is the name of the contractor used for pick up and destruction of paper FTI? | Interview
DC148 | Disposing Federal Tax Information | 8.3, 8.4 | MP-6 | Paper FTI: Contractor | Location of the contractor used for pick up and destruction of paper FTI? | Interview
DC149 | Disposing Federal Tax Information | 8.3, 8.4 | MP-6 | Paper FTI: Contractor | Name and telephone number of contact person at the contractor used for pick up and destruction of paper FTI. | Interview
DC150 | Disposing Federal Tax Information | 8.3, 8.4 | MP-6 | Paper FTI: Contractor | If the contractor does not have a destruction facility, where is the paper FTI taken? | Interview
DC151 | Disposing Federal Tax Information | 8.3, 8.4 | MP-6 | Paper FTI: Contractor | Does Agency staff accompany paper FTI and view destruction? | Interview
DC152 | Disposing Federal Tax Information | 8.3, 8.4 | MP-6 | Paper FTI: Contractor | How is paper FTI packaged and secured? | Interview/Examine
DC153 | Disposing Federal Tax Information | 8.3, 8.4 | MP-6 | Electronic Media Library: Procedures - Destruction | Is paper FTI shredded (size of shred)? | Test
DC154 | Disposing Federal Tax Information | 8.3, 8.4 | MP-6 | Electronic Media Library: Procedures - Destruction | How is electronic FTI destroyed? -Returned to the IRS? -Returned to scratch pool? | Interview
DC155 | Disposing Federal Tax Information | 8.3, 8.4 | MP-6 | Electronic Media Library: Procedures - Destruction | How is FTI cleared from electronic media (removable or non-removable; e.g., primary or systemic backups) before reallocation or destruction? | Interview
DC156 | Disposing Federal Tax Information | 8.3, 8.4 | MP-6 | Electronic Media Library: Procedures - Destruction | Is FTI erased? If so, in what manner: -Degaussed (specify make and strength of degausser)? -Written over with 0 (zero) and 1 (one)? -Written over with new data? -Written over with FTI only? | Interview

DC157 Disposing         8.3      MP-6 Electronic Media    Describe the method of verification for the    Interview
      Federal Tax       8.4           Library:            destruction of electronic media containing
      Information                     Procedures -        FTI.
                                      Destruction




                                                                                  Other DES Observations
DC158




                                                                                       IRC Section 6103(p)(4)(A)
OS1       Record Keeping    5.6.6   CP-6 Stored in the       Where are backup files stored? Are          Interview/
          Requirements              MP-4 Media Library:      backup files stored off-site? If so, where?  Examine
                                         Electronic Media
                                         Library:
                                         Procedures -
                                         Retention
OS2       Record Keeping    5.6.6   CP-6 Stored in the       How are files protected? Who has access Interview/
          Requirements              MP-4 Media Library:      to these files?                          Examine
                                         Electronic Media
                                         Library:
                                         Procedures -
                                         Retention
                                                                                    IRC Section 6103(p)(4)(B)
OS3       Secure Storage    4.3.2   PE-3 Guards              Guards: Contractor or Employee?          Interview
                            4.3.4
OS4       Secure Storage    4.3.2   PE-3 Guards              Guards: How many posts:                     Examine
                            4.3.4
                                                             -Main Entrance_____
                                                             -Rear Entrance_____
                                                             -Side Entrance_____
                                                             -Outside_____
                                                             -Inside_____

OS5       Secure Storage   4.3.2    PE-3 Guards              Guards: Hours on Duty?                      Interview
                           4.3.4
OS6       Secure Storage   4.3.12   PE-6 Alarms              Electronic Intrusion Alarm System?          Interview/
                                                                                                          Examine
OS7       Secure Storage   4.3.12   PE-6 Alarms              Motion Detectors?                           Interview/
                                                                                                          Examine
OS8       Secure Storage   4.3.12   PE-6 Alarms              Emergency Exit Alarm?                       Interview/
                                                                                                          Examine
OS9       Secure Storage   4.3.12   PE-6 Alarms              Who monitors the various alarms?             Interview

OS10 Secure Storage         4.3.2   PE-6 Cameras             Where are they placed?                      Examine
                                         (Outside/Inside)
OS11 Secure Storage         4.3.2   PE-6 Cameras             How many cameras?                           Examine
                                         (Outside/Inside)
OS12 Secure Storage         4.3.2   PE-6 Cameras             Who monitors the various cameras?           Interview
                                         (Outside/Inside)
OS13 Secure Storage         4.3.2   PE-6 Cameras             Are cameras recording their view?               Test
                                         (Outside/Inside)
OS14 Secure Storage         4.3.2   PE-6 Cameras             How long are electronic media (Hard         Interview/
                                         (Outside/Inside)    Drive, DVR, Tapes) maintained?               Examine



   85901907-d61d-4d54-9a68-2e81241e0236.xls                                               Off Site Storage                                                                70 of 78
OS15 Secure Storage 4.3.2   PE-6 Access:            What controls are in place to monitor        Interview
                                 Monitoring         access to restricted area (i.e., logs,
                                                    electronic monitoring)?
OS16 Secure Storage    4.3.2   PE-6 Access:         How often are access control points          Interview
                                    Monitoring      monitored?
OS17 Secure Storage    4.3.2   PE-2 Access:         What is used to control access from the     Examine/
                                    Keys/Cards      outside: Keys or Electronic access            Test
                                                    control system?
OS18 Secure Storage   4.3.10   PE-2 Access:         What is used to control access from the     Examine/
                      4.3.11        Keys/Cards      inside: Keys or Electronic access control     Test
                                                    system?
OS19 Secure Storage   4.3.10   PE-2 Access:         Is a record maintained on the issuance of    Examine
                                    Keys/Cards      keys/key cards?

                                                    Buildings:
                                                    Offices:
                                                    Containers:
OS20 Secure Storage   4.3.10   PE-2 Access:         If so, how are records maintained (i.e.,     Examine
                                    Keys/Cards      custody receipt/automated file)?

                                                    Buildings:
                                                    Offices:
                                                    Containers:
OS21 Secure Storage   4.3.10   PE-2 Access:         Who is responsible for issuance of           Interview
                                    Keys/Cards      keys/key cards?

                                                    Buildings:
                                                    Offices:
                                                    Containers:
OS22 Secure Storage   4.3.10   PE-2 Access:         Who has access to keys/key cards?            Interview
                                    Keys/Cards
                                                    Buildings:
                                                    Offices:
                                                    Containers:
OS23 Secure Storage   4.3.10   PE-2 Access:         Are periodic reviews being conducted to     Interview/
                                    Keys/Cards      reconcile records?                           Examine

                                                    Buildings:
                                                    Offices:
                                                    Containers:

                                                    When was the last review?




OS24 Secure Storage 4.3.10 PE-2 Access:              Is there a written policy on recovery of    Examine
                                  Keys/Cards         ID/keys/key cards after employee leaves?

OS25 Secure Storage   4.3.10   PE-2 Access:          Are the locking mechanisms checked for      Interview
                                    Keys/Cards       malfunctions?

                                                     Buildings:
                                                     Offices:
                                                     Containers:

                                                     By Whom?

                                                     How often?

OS26 Secure Storage   4.3.10   PE-2 Access:          Who controls the duplicate keys for:        Interview
                                    Keys/Cards
                                                     Buildings:
                                                     Offices:
                                                     Containers:
OS27 Secure Storage   4.3.10   PE-2 Access:          Are all employees given keys to:            Interview
                                    Keys/Cards
                                                     Buildings:
                                                     Offices:
                                                     Containers:
OS28 Secure Storage   4.3.10   PE-2 Access:          What is the key reproducing policy?        Interview/
                                    Keys/Cards                                                   Examine
                                                     Buildings:
                                                     Offices:
                                                     Containers:
OS29 Secure Storage   4.3.10   PE-2 Access:          Who maintains the key to the cabinet(s)     Interview
                                     Keys/Cards       that contain the electronic FTI?

                                                     Are there backup keys?

                                                     Where is the key kept during the day?

                                                     Where is the key kept at night?

                                                     How many keys are there in total?




OS30 Secure Storage 4.3.10 PE-2 Access:              Who maintains the key to the cabinet(s)       Interview
                                   Keys/Cards         that contain the paper FTI?

                                                     Are there backup keys?

                                                     Where is the key kept during the day?

                                                     Where is the key kept at night?

                                                     How many keys are there in total?

OS31 Secure Storage   4.3.10   PE-2 Access:          Who maintains backup keys to cabinets          Interview
                                    Keys/Cards       that contain the IRS electronic media(s) or
                                                     FTI Reports?
OS32 Secure Storage   4.3.10   PE-3 Access:          How often are door/safe combinations           Interview
                                    Combinations     changed?
OS33 Secure Storage   4.3.10   PE-3 Access:          Who is responsible for changing the           Interview
                                     Combinations     combinations?
OS34 Secure Storage   4.3.10   PE-3 Access:          Who safeguards the combinations?               Interview
                                    Combinations
OS35 Secure Storage   4.3.10   PE-3 Access:          Who controls (records)/safeguards              Interview
                                    Combinations     combinations?
OS36 Secure Storage   4.3.10   PE-3 Access:          How are combinations safeguarded?              Interview
                                    Combinations
OS37 Secure Storage    4.3.2   PE-2 ID Cards         Are employees wearing the agency                 Test
                                    (Badges)         authorized IDs?
OS38 Secure Storage    4.3.2   PE-2 ID Cards         Are lost ID cards reported?                    Interview
                                    (Badges)
OS39 Secure Storage    4.3.2   PE-2 ID Cards         How do employees enter the work area           Interview
                                    (Badges)         without an ID card?
OS40 Secure Storage    4.3.2   PE-2 ID Cards         Is there a written policy on ID cards?         Examine
                                    (Badges)
OS41 Secure Storage    4.3.2   PE-2 ID Cards         Are ID cards inventoried (i.e., automated,     Examine
                                    (Badges)         written down and placed in safe, etc.)?

OS42 Secure Storage    4.3.2   PE-2 ID Cards         Who has access to ID Card/Badge                Interview
                                    (Badges)         inventory?
OS43 Secure Storage    4.3.2   PE-7 Visitor/Vendor   Do visitors/vendors sign a visitor access      Examine
                                    Access           log?




OS44 Secure Storage 4.3.2   PE-8 Visitor/Vendor       Does the visitor access log contain the      Examine
                                 Access               following information?

                                                      (i) name and organization of the visitor;
                                                      (ii) signature of the visitor;
                                                      (iii) form of identification;
                                                      (iv) date of access;
                                                      (v) time of entry and departure;
                                                      (vi) purpose of visit; and
                                                      (vii) name and organization of person
                                                      visited.
OS45 Secure Storage    4.3.2   PE-8 Visitor/Vendor    Do designated officials or designees         Interview
                                    Access            within the agency review the visitor
                                                      access records, at least annually?
OS46 Secure Storage    4.3.2   PE-7 Visitor/Vendor    Are visitors/vendors escorted?               Interview/
                                    Access                                                          Examine
                                                      If so, what are the escorting procedures?



OS47 Secure Storage    4.3.2   PE-7 Visitor/Vendor    Are visitors/vendors issued ID cards? Are    Interview/
                                    Access            ID cards turned in at end of day? Are ID      Examine
                                                      cards inventoried/monitored?
OS48 Secure Storage    4.3.1   PE-3 Restricted Area   Verify two barriers are present to access    Examine
                                                      FTI under normal security:
                                                      secured perimeter/locked container,
                                                      locked perimeter/secured interior, or
                                                      locked perimeter/security container.
OS49 Secure Storage    4.3.1   PE-3 Restricted Area   How is access to the restricted areas        Interview
                                                      controlled?
OS50 Secure Storage    4.3.1   PE-2 Restricted Area   Who authorizes access to the restricted      Interview
                                                      areas?
OS51 Secure Storage    4.3.1   PE-2 Restricted Area   Are the names of departed/transferred        Interview/
                                                      employees removed? When are they              Examine
                                                      removed?
OS52 Secure Storage    4.3.1   PE-2 Restricted Area   Is an access record review conducted to      Interview
                                                      update who can access certain areas?
                                                      How often?
OS53 Secure Storage    4.3.1   PE-6 Restricted Area   Who reviews electronic and paper audit       Interview
                                                      trails? How often are they reviewed?
OS54 Secure Storage    4.5     PE-16 Loading Docks    How are loading docks secured?               Interview/
                                                                                                    Examine




OS55 Secure Storage 4.3.6       MP-4 Containers           What type of container is used to store        Examine
                    4.3.7                                 FTI (i.e., lateral, upright, credenza,
                    4.3.8                                 overhead, desk, safes, vaults)?
OS56 Secure Storage 4.3.6       MP-4 Containers           Do all containers have locks?                  Examine
                    4.3.7
                    4.3.8
OS57 Secure Storage 4.3.9       MP-4 Containers           What type of lock (i.e., lock bars, key lock, Examine
                                                          padlock, combination padlock)?
OS58 Secure Storage    4.3.6    MP-4 Containers           Is FTI stored in secure containers after      Interview/
                       4.3.7                              hours or when not in use?                      Examine
                       4.3.8
OS59 Secure Storage    5.6.6    CP-6 Storage Off-Site     Are files stored at an alternate storage       Interview
                                                          facility?
OS60 Secure Storage    5.6.6    CP-6 Storage Off-Site     If this is an agency facility, do agency       Interview
                                                          employees work at the facility?
OS61 Secure Storage    5.6.6    CP-6 Storage Off-Site     If this is a facility administered by a        Interview
                                                          different state agency, how is access to
                                                          FTI controlled?
OS62 Secure Storage    5.6.6    CP-6 Storage Off-Site     If this is a contractor facility, how is       Interview
                                                          access to FTI controlled?
OS63 Secure Storage     4.5     CP-6   Storage Off-Site   How is paper or electronic FTI shipped /       Interview
                       5.6.6    MP-5                      transferred to the alternate storage facility?
OS64 Secure Storage     4.5     CP-6   Storage Off-Site   What type of container is used to ship the    Interview/
                       5.6.6    MP-5                      files?                                         Examine
OS65 Secure Storage     4.5     CP-6   Storage Off-Site   Is the container taped or locked?             Examine/
                       5.6.6    MP-5                                                                        Test
OS66 Secure Storage     4.5     CP-6   Storage Off-Site   For retrieval of a single document, file or    Interview
                       5.6.6    MP-5                      tape containing FTI, is the entire container
                                                          recalled or only the individual item?
OS67 Secure Storage     4.5     CP-6 Storage Off-Site     Who is in charge of storage or shipping        Interview
                       5.6.6    MP-5                      files to storage facilities?
OS68 Secure Storage    5.6.6    CP-6 Storage of Files     Does the storage contractor have a sub-        Interview
                                MP-2 Containing FTI       contractor (e.g. responsible for disposal)?

OS69 Secure Storage    5.6.16   SI-12 Storage of Files    Is there a written policy on document       Examine
                                      Containing FTI      retention?
                                                                                    IRC Section 6103(p)(4)(D)
OS70      Other         6.2     AT-1   Employee           Does the agency have a security             Examine
          Safeguards                   Awareness          awareness and training policy?




OS71      Other            6.2   AT-1 Employee            Does the agency have security training          Examine
          Safeguards                  Awareness           and awareness procedures that address
                                                          the policy elements, and are they
                                                          disseminated to the employees responsible
                                                          for implementing security training and
                                                          awareness?
OS72      Other            6.2   AT-2 Employee            Are new employees given a security              Interview
          Safeguards                  Awareness           orientation prior to having access to FTI?

OS73      Other            6.2   AT-2 Employee            Does the orientation specifically cover         Examine
          Safeguards                  Awareness           FTI?

OS74      Other            6.2   AT-2 Employee            Does the orientation cover Penalty              Examine
          Safeguards                  Awareness           Provisions under the Internal Revenue
                                                          Code (IRC) 7213, 7213A and 7431?
OS75      Other            6.2   AT-2 Employee            Do employees sign a certification at initial    Examine
          Safeguards                  Awareness           security awareness orientation (provide a
                                                          copy of agreement)?
OS76      Other            6.2   AT-2 Employee            Do employees sign a re-certification every        Test
          Safeguards                  Awareness           year thereafter?

OS77      Other            6.2   AT-2 Employee            Are contractors with access to FTI           Interview
          Safeguards                  Awareness           included in the employee awareness
                                                          orientation?
OS78      Employee         6.2   MP-2 Document            Are employees aware of the need to           Interview
          Awareness                   Security            protect FTI against inadvertent disclosure
                                                          when visitors/maintenance
                                                          personnel/vendors are in work area?
OS79      Other            6.3   CA-2 Internal            Is the agency periodically audited by a      Interview
          Safeguards                  Inspections         third party (e.g. Internal Audit, Inspector
                                                          General (IG))?
                                                                                     IRC Section 6103(p)(4)(F)
OS80 Disposing             8.3   MP-6 Paper FTI           How is paper FTI destroyed?                  Interview
     Federal Tax                                          -Shredding (i.e., are strips rendered
     Information                                          unreadable, size of strips, print
                                                          perpendicular to cutting line)?
                                                          -Pulping (i.e., what size is material
                                                          reduced to) ?
                                                          -Burning (i.e., is there complete
                                                          combustion)?
                                                          -Disintegration (how fine a screen is
                                                          used)?




OS81 Disposing         8.3    MP-6 Paper FTI            Who performs destruction of paper FTI?          Interview
     Federal Tax       8.4                              -Agency staff?
     Information                                        -Contractor?
OS82 Disposing         8.3    MP-6 Paper FTI            Who picks up/takes paper FTI for                Interview
     Federal Tax       8.4                              destruction?
     Information                                        -State Agency/Federal Agency?
                                                        -Contractor?
OS83 Restricting       8.3    AC-6 Destruction          If the destruction facility is a contractor     Interview
     Access            8.4         Facility             facility, how is access to paper FTI limited
                                                        to employees?
OS84 Disposing         8.3    MP-6 Paper FTI:           What is the name of the contractor used         Interview
     Federal Tax       8.4         Contractor           for pick up and destruction of paper FTI?
     Information
OS85 Disposing         8.3    MP-6 Paper FTI:           Location of the contractor used for pick up     Interview
     Federal Tax       8.4         Contractor           and destruction of paper FTI?
     Information
OS86 Disposing         8.3    MP-6 Paper FTI:           Name and telephone number of the contact        Interview
     Federal Tax       8.4         Contractor           person at the contractor used for pick up
     Information                                        and destruction of paper FTI?

OS87 Disposing         8.3    MP-6 Paper FTI:           If the contractor does not have a            Interview
     Federal Tax       8.4         Contractor           destruction facility, where is the paper FTI
     Information                                        taken?
OS88 Disposing         8.3    MP-6 Paper FTI:           How is paper FTI packaged and secured? Interview/
     Federal Tax       8.4         Contractor                                                        Examine
     Information
OS89 Disposing         8.3    MP-6 Electronic Media     Is paper FTI shredded (size of shred)?            Test
     Federal Tax       8.4         Library:
     Information                   Procedures -
                                   Destruction
                                                                                 Other DES Observations






                                                                            IRS Safeguards SDSEM Legend

DES #                             Identification number of the SCSEM test case. It allows each DES to customize the SDSEM to fit the order in which the tests are actually executed on-site during a review.
Pub 1075 Reporting Category       IRC 6103 category.
Pub 1075 REF                      Reference to the section in IRS Publication 1075 to which the test maps.
NIST ID                           NIST 800-53/Pub 1075 control identifier.
Test Objective                    Objective of the test procedure.
Test Steps                        Detailed test procedures to follow for test execution.
Assessment Method                 The assessment methods define the nature of the actions the assessor takes to execute the test case and obtain supporting evidence. The "Examine", "Interview" and "Test" assessment methods are used in the SDSEM; they are defined as follows:

    Examine: The process of checking, inspecting, reviewing, observing, studying, or analyzing evidence (assessment objects) to support the determination of security control existence, functionality, correctness, completeness, and potential for improvement over time. Typical assessment objects for the Examine method include specifications (e.g., policies, plans, procedures, system requirements, designs), mechanisms (e.g., functionality implemented in hardware, software, firmware) and activities (e.g., system operations, administration, management; exercises).

    Interview: The process of conducting discussions with individuals or groups within an organization to support the determination of security control existence, functionality, correctness, completeness, and potential for improvement over time. Typical assessment objects for the Interview method are individuals or groups of individuals.

    Test: The process of exercising one or more assessment objects under specified conditions to compare actual with expected behavior, the results of which are used to support the determination of security control existence, functionality, correctness, completeness, and potential for improvement over time. Typical assessment objects for the Test method include mechanisms (e.g., hardware, software, firmware) and activities (e.g., system operations, administration, management; exercises).

Pass/Fail                         The reviewer indicates whether the test case passed, failed or is not applicable. Choose from the drop-down list; accepted values are "P" (pass), "F" (fail) and "N/A" (not applicable).
Agency's Pre-review Answers       Field for agency answers only, leading up to the review. Comments should be accompanied by the individual's name and title.
IRS Comments/Supporting Evidence  Evidence to support the test result for the test case is documented here. Provide the following information for each assessment method:
    1. Interview - Name and title of the person providing the information. Also provide the date of the interview and an indication of whether or not the information provided by the interviewee meets the test objective.
    2. Examination - Name, title, and date of the document referenced as evidence. Also provide the section number where the pertinent information resides within the document (if possible) and an indication of how the document examined does or does not meet the test objective.
    3. Test - Description of the condition observed during the test and how it does or does not meet the test objective.

    If the test case is marked as N/A, provide appropriate justification as to why the control is considered N/A.