Internal Revenue Manual - 10.8.34 Integrated Data Retrieval System (IDRS) Security Handbook (Cont. 2)

Part 10. Security, Privacy and Assurance
Chapter 8. Information Technology (IT) Security
Section 34. Integrated Data Retrieval System (IDRS) Security Handbook (Cont. 2)

10.8.34.7
IDRS Security Command Codes

10.8.34.7.34 (09-01-2007)
Command Codes Restricted to Computing Center Security Officer

Command codes TPFCN, UPHPW and UPHST shall only be used by each Computing Center Security Officer.

10.8.34.7.35 (09-01-2007)
Security Command Codes Authorized for Use by IDRS Users

Command codes CMODE, LOKME, PWACT, ROUTE, SFDIS, SINOF, SINON, STATS, and MESSG may be used by all IDRS users and are automatically assigned to user's profiles.
Command code FIEMP may be used by selected IDRS users with approval from their manager and USR. Managers/USRs also have the option of allowing some users to have secondary accounts on the partnering campus on the other computing center to enable users to identify IDRS users.

10.8.34.8 (09-01-2007)
IDRS Security Reports

The IDRS security system journals all transactions performed by IDRS users and most system transactions. Selected journalled transactions are used to produce batch security reports which are available via the IDRS Online Reports Services (IORS) Application for security personnel and managers of IDRS users to review and certify.

10.8.34.8.1 (09-01-2007)
Security Reports Access

IDRS security reports are generated daily for selected user transactions and system actions. In January 2004, the IDRS Online Reports Services (IORS) application became the primary repository for IDRS Security reports.
IORS is web based application that makes IDRS security reports available electronically to the IDRS security staffs, IRS business organization primary recipients, and other authorized reviewers (USRs and managers). IORS users are authorized to view security reports based on their permissions to view segments of the security reports.
Security staffs, primary recipients, USRs, and managers are encouraged to work within the IORS application to review user actions and activities.
Primary recipients, USRs and managers are not encouraged to print, save, or send security reports outside of the IORS applications unless unusual circumstances occur. If security reports are saved, printed, or transmitted, the report data must be protected. Report data that is saved electronically must be encrypted. Report data transmitted via e-mail must be transmitted using secured e-mail. If report data is printed, prints must be stored in a secured location.
IDRS security reports shall be made available to the IDRS Security National Office staff, IDRS Security Officers, designated IORS primary and secondary recipients, USRs, and unit managers for the timely review via the IORS application:
1. To have access to IORS, the user must have an accessible IDRS account with the command code REPTS in the user's profile. IORS can only be accessed via the web page. http://iors.web.irs.gov/.
2. For the business organizations, only the IORS primary recipient for the unit will certify that the security report has been reviewed and the necessary follow-up actions taken. However, primary recipients can based their certifications on the work of other users who have reviewed the security reports.
3. IORS will provide its users the ability to analyze data in the security reports via the sorting of data and structured query capability. These functions are designed to identify items of interest that the security staff may need to further review and to respond to questions about IDRS users, such as identifying the number of IDRS users or determining who has or is using specific command codes.
4. IORS uses the information from the IDRS Unit and USR Database to identify users who have been designated as primary recipients for one or more IDRS units.
5. Business organizations must ensure that all of their IDRS units have properly designated primary recipients.
6. The Campus IDRS Security Officers must notify the business organization when an IDRS unit does not have a designated primary recipient for 14 calendar days or when the security reports for the unit that require certification are not being reviewed or certified on a regular basis.
7. IDRS Security Officers have the option of locking an IDRS unit that has not designated a primary recipient to review/certify IDRS security reports or when a unit is inactive due to seasonal furloughs.
IDRS Security reports are made available to the business organization primary recipients and other authorized report reviewers when the reports are processed within IDRS. Weekly reports are loaded on Sunday for the previous week. IORS notifies primary and secondary recipients when reports are available for review. The primary recipient has 14 calendar days to timely certify the weekly reports. Four weekly reports are provided to the business organizations. These are the:
1. Employee Count Report;
2. Master Register of Active IDRS Users;
3. Access to Other Employee or Other Employee Spouse Accounts; and
4. Security Violation report.
Of the weekly reports, only the Access to Other Employee and Other Employee Spouse Accounts and the Security Violations reports require certification.
Primary recipients and authorized secondary recipients should also review the Master Register of Active Users to ensure that only authorized users are in their IDRS units and all information included in this report is complete and correct.
The Employee Count Report is provided for information purposes only and does not require any action. This report does provide information on IDRS units that are active, or inactive and do not have any users assigned is included in the report. The number of IDRS users assigned to each unit as of the report date.
The IDRS Security Profile report is provided to the primary and secondary recipients on a monthly and quarterly basis. Primary recipients are required to certify the monthly Security Profile Report for their unit(s) within 28 days of the report's availability for the certification to be identified as timely.
The IDRS Security Officer or his/her designated alternate is responsible for determining that security reports are made available to IORS primary and secondary recipients in a timely manner.
The IDRS Security Officer or his/her designated alternate is responsible for doing a preliminary review of the security data to determine quality and completeness. All concerns about the data must be reported to the National IDRS Security Program Manager for additional follow up with the IDRS technical staffs and/ or IORS Administrators for correction.
IDRS security reports must be reviewed to help detect unauthorized user activity or problems with IDRS. If the IDRS Security Officer, USR, manager, or other report reviewer encounters any indication of illegal or improper activity, he/she should refer the case and findings to the proper manager or TIGTA officials.
Security personnel must ensure that any IDRS user found not to be following proper security measures (based on examination of the security reports, audit trail, etc.) shall be advised through the proper organizational channels of the deficiency and of the appropriate action to be taken.
Appropriate managerial review and follow-up of the various security reports is essential to ensuring the integrity of IDRS. Managers/USRs have the option of forwarding a copy of all security reports via secured e-mail to upper management for oversight review.
The IORS application will be the official retention of security reports which will eliminate the need for USRs and managers to retain paper copies of the reports. IORS will retain electronic copies of prior reports that will be made available to authorized users upon request.
IORS users are expected to be non-bargaining personnel. However, report reviewers with large workloads may submit a request with a justification to Campus IDRS Security Officer to enable an experienced bargaining unit IDRS user with security background to assist in the review of the security reports for the primary recipient. If such a request is granted, the bargaining unit personnel may be given access to IORS to assists in the analyses of the reports. This option is only available when extreme workloads would prevent the timely review of security reports. Bargaining unit employees are not authorized to perform any follow-up action with IDRS users based on any security concern identified in the IDRS security reports.
The reviewer of a report must be independent. Reviewers shall not be the reviewer of their own transactions.

10.8.34.8.2 (09-01-2007)
Security Reports Description

IDRS has two types of security reports. Those that are only available to the MITS Cybersecurity National Office and Campus IDRS Security Staffs and those that are available to the MITS Cybersecurity staffs and to the other IRS Business organization security and manager personnel.
Security reports available to the MITS Cybersecurity security staffs support the IDRS Security Officer in determining if Unit Security Representatives (USRs) are performing their duties responsibly, in detecting trends, and in advising management of any deficiencies or questions on sensitive accesses. Other reports available to the MITS Cybersecurity security staffs identify whether IDRS users are adhering to requirements to sign-off of IDRS when IDRS will not be used for 120 minutes or more, whether IDRS units have large numbers of users with locked profiles, and whether business managers are submitting personnel action timely to ensure that SACS can take timely actions to delete or lock a user's profile when specific personnel actions are processed.
Security reports available to IRS Business Organizations identify security violations performed by IDRS users, selected user accesses, user identifications, and a summary of user activities.

10.8.34.8.2.1 (09-01-2007)
MITS Cybersecurity National Office and Campus Security Officer Reports

IDRS and SACS produce daily, monthly, and quarterly security reports that report security and system transactions performed during the previous day, errors performed by security, and selected attempted unauthorized transactions performed by IDRS users.

10.8.34.8.2.1.1 (09-01-2007)
Completed Security Command Codes Report for Security Officers and System and for USRs

Completed Security Command Code Reports are daily reports that provide a complete listing of transactions for security command codes used the previous day for command codes ADDEM, ADMAF, ADTRM, ADUNT, ASNPW, BYPAS, MRUPD, RSTRK, SETPW, UPEMP, UPMAF, and UPUNT.
These reports will also show system transactions that have been classified under command codes ENDAY, PWACT, PWMGT, and TAPXX.
IDRS Security Officers must review these reports to determine that appropriate and approved documentation is available to support all transactions for users who were added to IDRS, provided new temporary passwords, and given new capabilities to existing users. Reviewer of the previous day's transactions should be independent. Reviewers must not be the reviewer of their own inputs.
IDRS Security Officers must perform random reviews of other transactions in these reports where inappropriate activity could compromise the use of IDRS.

10.8.34.8.2.1.2 (09-01-2007)
Incomplete Security Command Code Report

This is a listing of the day's incomplete inputs of security command codes ADDEM, ADMAF, ADTRM, ADUNT, ASNPW, BYPAS, MDPCC, MRUPD, RSTRK, SECOP, SETPW, UPEMP, UPMAF, and UPUNT.
Each record shows the user's employee number, the command code used, the accessed SSN or terminal number, and the date and time of input.
The incomplete inputs must periodically be reviewed to ensure that all attempted inputs were made by authorized security personnel. If the inputs were attempted by an unauthorized employee, the IDRS Security Officer should investigate the action and refer it to the proper management official or TIGTA, as necessary.
If the IDRS Security Officer notices an excessive number of incomplete security command codes transactions are recorded for a specific USR, an explanation must be obtained or additional training should be provided to that individual.

10.8.34.8.2.1.3 (09-01-2007)
Terminal Lock/Unlock Report

The Terminal/Unlock Report identifies system transactions that have locked a user workstation/terminal because of three consecutive security violation.
The report also identifies who unlocked the locked workstation/terminal and when.
The IDRS Security Officer will analyze the lock-outs for each unit and if they appear to be excessive, will check with the USR in the unit to determine the cause.
The IDRS Security Officer should analyze the report for repeated lock-outs by the same employee and when locked terminals are not being either unlocked or unlocked timely (defined as within a 30 minute time frame).
If during a periodic review of the reports, the IDRS Security Officer determines that an excessive number of terminal locks has occurred or that a terminal was not unlocked timely, he/she may request that the USR explain the corrective actions taken concerning the excessive number of terminal locks or the circumstances preventing the terminal from being unlocked timely.
The IDRS Security Officer should also review the report to identify lockouts without a corresponding SECOP, particularly those occurring after normal work hours.

10.8.34.8.2.1.4 (09-01-2007)
TAPS Error Report

This report identifies IDRS users with personnel actions where the IDRS security system (SACS) did not take any action to delete or lock the user's account because although the SSNs on the TAPS and IDRS user account matched, a last name mismatch in the two files occurred.
The IDRS Security Officer, working with the USR, must determine whether the individual listed in this report should have been deleted, locked or transferred to another IDRS unit. Once determined, either the USR or the IDRS Security Officer will take the necessary action. The IDRS Security Officer is responsible for confirming that the appropriate action has occurred within three working days of the report date.

10.8.34.8.2.1.5 (09-01-2007)
Access to Own by Accessing Employee

This report identifies IDRS users with attempted and actual accesses to their tax records or to their current or former spouse’s tax records.
The IDRS Security Officer must report all accesses to own or own spouse/former spouse tax accounts to TIGTA and all attempted accesses to the Agency Wide Shared Services Labor Relations Office responsible for the accessing employee’s business division. All accesses must be sent to the appropriate Labor Relation office within five calendar days of the transaction occurrences.
Any attempted or actual access to own or own spouse/ex-spouse tax accounts by TIGTA IDRS users shall be reported to TIGTA SIID (Special Inquiries and Intelligence Division).

10.8.34.8.2.1.6 (09-01-2007)
Non-Processed Changing BOD

This is a daily report that identifies IDRS users who have changing Business Operating Division (BOD) personnel actions and IDRS security system (SACS) can not determine whether the user is in the appropriate IDRS Office Identifier/unit. These transactions pertain to users who transfer into AWSS, MITS, Criminal Investigation Fraud Detection, and National Office.
The IDRS Security Officer must contact the IDRS USR to determine whether the individual listed in this report is in the correct IDRS unit. IDRS users who are not in the correct unit or who no longer need access to IDRS must be deleted immediately by either the IDRS Security Officer or USR. IDRS Security Officers are responsible for ensuring that the appropriate action was performed within three working days of the report date.

10.8.34.8.2.1.7 (09-01-2007)
Same Terminal Report

This is a daily report that identifies any instance when a new temporary IDRS password was generated and then used to SINON IDRS at the same workstation.
The IDRS Security Officer needs to follow-up on the USR's generation of a temporary password to verify that the same user did not assigned a new temporary password and use it as the recipient of the password.
The IDRS Security Officer must confirm directly with the employee or employee's manager that a request was submitted for a new temporary password.

10.8.34.8.2.1.8 (09-01-2007)
Daily Reject Command Codes and Daily Summary of Rejected Command Codes

These are daily reports that identify executed command code transactions that contain invalid formats or incorrect error types.
National Office IDRS Security staff monitor these reports for command codes that appear on this report. Staff also create ITAMS tickets against the command code technical owners to have the problems corrected and then review subsequent reports to ensure that the errors do not reappear.

10.8.34.8.2.1.9 (09-01-2007)
Excessive Password Report

This is a daily report that identifies when a user has changed or attempted to change their IDRS password four or more times within the same processing day.
IDRS Security Officers should notify the user's USR to have that USR provide changing password instructions when the user has multiple change attempts that are not successful. If multiple changes have occurred within the same day, the IDRS Security Officer notifies the USR of the user to advise them not to circumvent the IDRS password requirements which states that a user must have a new password at least every 90 days.

10.8.34.8.2.1.10 (09-01-2007)
Security Violations by Unit and Site

This is a daily informational report that shows the total number of security violations by typed committed by members of each IDRS unit.
IDRS Security Officers perform periodic analyses to identify IDRS units that have high numbers of violations for additional training and high unauthorized accesses for additional training or follow-up with the USRs and managers.

10.8.34.8.2.1.11 (09-01-2007)
Automatic Sign-off Due to User Inactivity

This is a monthly report that identifies IDRS transactions for users who have been automatically signed-off IDRS because of inactivity for 120 or more minutes.
IDRS Security Officers may use this report to provide support to the USRs and managers concerning users who question why they are being advised about excessive automatic sign-offs.

10.8.34.8.2.1.12 (09-01-2007)
Detailed and Summary IDRS and TAPS (HR Connect) Personnel Actions

These are monthly and quarterly transaction reports that show IDRS users who had personnel actions (separation, leave without pay, non-pay, and changing BODs) during the period and how the transaction was handled by the IDRS security system. Summary reports are designed to show when business organizations/components are timely reporting personnel actions.
IDRS Security Officers should review summary reports to determine whether business organization managers are timely submitting personnel actions and thereby enabling SACS to timely delete or lock employee profiles, as appropriate.

10.8.34.8.2.2 (09-01-2007)
Business Organizations Security Reports

IDRS and SACS produce weekly, monthly, and quarterly security reports that are available to the MITS Cybersecurity National Office and IDRS Security Staffs and to the IRS business Organization security and managerial staffs.

10.8.34.8.2.2.1 (09-01-2007)
Access to Other Employee and Employee Spouse by Accessing Employee

This is a weekly report that identifies employee and employee’s spouse tax accounts that have been accessed by IDRS users during the reported week.
USRs or managers verify that all attempted or actual accesses to other employee’s or the spouse/former spouse of other employee’s accounts were performed for authorized business purposes. USRs and managers confirm that employees are adhering to requirements of not accessing any employee accounts who the user may know. Employees who accessed accounts of other employees in the same business division, organization location, or geographical area should be closely examined for appropriateness. USRs and managers may use whatever tools are available to determine that the access was performed for business reasons. This includes, but is not limited to, IDRS research, file source document reviews, and employee interviews.

10.8.34.8.2.2.2 (09-01-2007)
Security Violations Report

This is a weekly report that Identifies attempted user transactions that violated specific IDRS security rules.
USRs or managers will identify users having three or more same-type violations during the period and will advise them of proper procedures. USRs or managers will contact users having three or more Password Mismatch violations and determine whether the user has committed the errors. If the user does not agree to having committed the errors, the USR or managers should advise TIGTA of the user’s position that these were unauthorized attempts to access IDRS. The USR/manager should advise a user with the repeated error of "COMMAND CODE NOT IN PROFILE" to check his/ her profile using command code SFDISP. Managers and USRs also must determine that a user is not intentionally attempting to use unauthorized command codes.

10.8.34.8.2.2.3 (09-01-2007)
Master Register of Active IDRS Users

This is a weekly report that identifies active IDRS users by employee number, name, SSN, and SEID. The report also shows when the IDRS user was initially added to IDRS, when the user was assigned to the current unit number, and the user's background investigation status and date, as recorded in IDRS.
This report does not require an official certification, however IDRS Security Officers are to update background information based on AWSS information to ensure that IDRS information is correct and complete. IDRS Security Officers are to follow-up with the user's USR when the user's Entry on Duty (EOD) is greater than one year and AWSS is still showing the background investigation as initiated "I" or "E" for entry on duty (EOD). Note: "E" is used for nonpermanent employees. IDRS users who are permanent employees should have completed background investigations within a year of their EOD.
USRs and managers should use this report to determine that all users appropriately belong in the assigned IDRS unit and that all users have SEIDs and telephone numbers (employee's or manager's) correctly identified in their IDRS record.

10.8.34.8.2.2.4 (09-01-2007)
Employee Count by Site and Unit

This is a weekly informational report that identifies all active IDRS units and the total number of active IDRS users in each unit as of the report date.
No review action is required, however this report enables security staff to identify which IDRS units are active but do not have any users assigned.

10.8.34.8.2.2.5 (09-01-2007)
Monthly and Quarterly IDRS Security Profile Reports

These are monthly and quarterly reports that identify IDRS units, user information (including the user's name, IDRS employee number, SEID, grade and position series), and command codes in each unit’s and user’s profile. Reports show the number of times a user was automatically signed off IDRS because of 120 minutes or more of inactivity, a user's authorized foreign access locations, whether a user profile was locked or deleted as of the report date, and the types of active restrictions and bypasses placed against the user's profile. Reports show the command code usage by each user, by all users in the unit, and by all users in the Office Identifier. Reports also show the command codes deleted from the employee profiles and from the unit’s Maximum Profile Authorization File (MPAF).
For the Monthly Security Profile Report USRs/managers are required to:
1. determine whether the user's production command codes are appropriate for the user’s required work;
2. determine whether all attempted accesses to non-profiled command codes were valid errors;
3. determine whether all users are appropriately assigned to their IDRS unit(s);
4. determine whether users have excessive automatic inactivity sign-offs of IDRS,
5. determine whether users with locked profiles for 28 days or more due to system inactivity have been reviewed to determined the user's continuing need for IDRS access;
6. determine whether user profiles have the proper restrictions;
7. determine whether the Maximum Profile Authorization File (MPAF) is appropriate for the work performed by the users of that unit;
8. determine whether UCCP command codes are being used by 90 percent or more of the users in the unit and that any sensitive command code in the UCCP is used by 100 percent of users;
9. determine whether users with unused multiple accesses capabilities to other campus’ databases have a continuing need for these accesses;
10. ensure that users are advised of deleted command codes, as appropriate;
11. review users with command code REPTS in their profile, especially users in IORS specific units, to determine if IORS access is still needed; and
12. review users with sensitive command code combinations and sensitive connotation command codes in their profiles to help ensure that users are not performing unauthorized activities. USRs/managers must ensure that questionable actions have been reported to TIGTA, AWSS (Labor Relations) or upper management for follow-up evaluation.
13. Employees must not be the reviewer their own command code profile, command code usage, or any other report data pertaining to themselves.
The Quarterly Security Profile Report is a roll up of the three monthly reports for the quarter. It is provided for information purposes only.
Monthly and Quarterly Security Profile Reports reflect usage of Multi-Functional Equipment (MFE) command codes. These command codes represent activity by the employee when accessing IDRS via a MFE application. MFE command codes are usually non-profiled command codes and may not appear in the employee's IDRS profile. A percent sign (% ) appears before MFE command codes in the command code usage sections of the Security Profile Report. The MFE command codes are: ADDRS, AISDL, AMF24, AMFIE, AMFLS, AMFOC, AMFON, AMFTU, AMFXU, CFREE, CFUPE, DMSDL, DMSUL, EFTIA, ICPRQ, MFUIR, NAILD, REFOF, REMFE, REPTS, SCAPD, SIAPN, SIARF, SIRPC, VPMSG, VPPIN, VRIAG, VRIAO, VRIAR, VRINT, VRLET, VRLPG, VRSTA, and VRSUM.

10.8.34.8.3 (09-01-2007)
Certification of Security Reports in IORS

The Primary Recipient, who is usually an IDRS Security Officer, USR, or manager, must review IDRS Security reports in a timely and complete manner to help ensure that users are working within their required tax administration authorities. The review of security reports are important tools for detecting illegal or improper activities by the IDRS user. Any questionable transactions or activities should be reviewed or turned over to the proper authorities for full investigations.
With the automation of the security reports, for the business organizations either the USR, manager or a coordinator may be designated as the IORS primary recipient for the IDRS unit. The primary recipient is responsible for reporting actions taking on the security report and certifying that required activities were performed. When the primary recipient is different from the manager, the manager is still held accountable for ensuring that all activities were performed as required.
The IORS application will maintain a record of all certifications by the designated primary recipient for each report requiring certification and for each IDRS unit under the primary recipient's domain. At least quarterly, IDRS Security Staffs should provide their business organizations the results of the certifications performed, including the timeliness of the certifications. Additional information must include any units where a designated primary recipient or current USR had not been appointed as of the date of the report.
Executives of business organizations that do not have at least a 90% certification rate for their security reports by IRS campus must provide a response within 14 calendar days that identifies the nature and date of the actions to be taken to correct any deficiencies associated with the review and certification of security reports.
The reviewer of a report must be independent. Reviewers shall not be the reviewer of their own transactions.

10.8.34.8.4 (09-01-2007)
Security Reports Requiring Certifications

Within IORS, seven IDRS security reports have been specifically designated for certification by either the IDRS Security Officer or by the IRS business primary recipient for the IDRS units. IORS will retain a record of all certifications and associated comments.

10.8.34.8.4.1 (09-01-2007)
Security Reports Requiring Certification by an IDRS Security Officer

Four daily security reports must be timely certified by Campus IDRS Security Officers. These reports are the:
1. Access to Own and Own Spouse by Accessing Employee;
2. Completed Command Code Inputs by IDRS Security Officer and System;
3. TAPS Error Report; and
4. Non-Processed Changing BOD.
Campus IDRS Security Officers are encouraged to review these reports as they become available but must certify these reports within 7 calendar days for the certification to be marked as timely.
IORS will provide a reminder notification on the 5th calendar day when a report has not been certified.
IDRS Security Officers are required as of part of the certification to identify the report level actions taken and to include any additional comments that will further explain any overall actions. Only users authorized to view report level information can see these entries
IORS also provides the ability for the IDRS Security Officer to enter detailed status and comments next to the specific transaction or activity. IDRS Security Officers are encouraged to use the detailed status and comments sections to provide additional information about the action taken. Only users authorized to view the report can see the entered information.

10.8.34.8.4.2 (09-01-2007)
Security Reports Requiring Certification by an IRS Business Organization Primary Recipient

IRS business organization primary recipients are required to certify three security reports that include two weekly reports and one monthly report. These reports are:
1. The weekly Access to Employee and Employee Spouse by Accessing Employee;
2. The weekly Security Violations Report; and
3. The monthly IDRS Security Profile Report.
Business organization Primary Recipient and their designated secondary recipients are encouraged to review these reports as they become available but the Primary recipient must certify weekly reports within 14 calendar days and the monthly report within 28 days for the certifications to be marked as timely.
IORS will provide a reminder notification to the Primary Recipient on the 10th calendar day for weekly reports and on the 24th calendar day when a monthly report has not been certified.
Business Division Primary Recipients are required as part of the certification to identify the report level actions taken and to include any additional comments that will further explain any overall actions. Only the IDRS National Office and IDRS Security Staffs along with the primary recipient and their manager authorized oversight viewing rights can see entered report level information.
IORS also provides the ability for the Business organization Primary and secondary Recipients to enter detailed status and comments next to the specific transaction or activity. Secondary and Primary Recipients are encouraged to use the detailed status and comments sections to provide additional information about the action taken. Only users authorized to view the report for the specific IDRS unit can see the entered detailed information.

10.8.34.9 (09-01-2007)
IDRS Audit Trails and Audit Trail Requests

Audit trails are listings of user and system transactions performed in IDRS and SACS. All user transactions are maintained at the Martinsburg Computer Center (MCC) for user accounts on Andover, Austin, Brookhaven, Ogden, and Philadelphia campuses and at the Tennessee Computing Center (TCC) for user accounts on Atlanta, Cincinnati, Fresno, Kansas City, and Memphis campuses.
The capability of making online adjustments, credit transfers, and other actions that affect a taxpayer's account, without having some authorizing paper document, makes it essential that all actions taken by users are recorded including when the action was taken, what was done, which account was accessed and which workstation or terminal was used.
In addition, because the Taxpayer Browsing Protection Act of 1997 makes it a federal crime for users to willfully access and view taxpayer accounts for other than tax administrative purposes, the IDRS audit trail records all research transactions performed in IDRS even when no tax or other information has been modified.
Audit trail transactions consist of users and SACS actions that are performed, including the transaction date and time and terminal identifier that was used.
Accesses to training files are not recorded on the Audit Trail File.
Information available from the audit trail record includes the command code, the terminal identifier, employee identification, date and time of input, and account accessed to include the TIN, MFT and Tax Period, where applicable.
Audit trail records shall be retained for six years after the end of the processing year.
All audit trail records shall be stored in a security container when they are not in actual use. The Computing Center Security Officer is responsible for controlling access to the audit trail media by persons other than the Tape Library Staff.
Although SACS system transactions are not generally kept in the audit trails, these transactions are captured by SACS and many are routinely included in the IDRS Security reports sent to IORS. An example of a system transaction is when SACS deletes a user who has not signed onto IDRS for 60 days.
IDRS audit trails (user transactions) also are stored in the Security Audit and Analysis System (SAAS) database which will be used by TIGTA to investigate user unauthorized actions and activities on IDRS and will eventually be available to selected IDRS Security Officers to respond to limited request from managers for IDRS audit trail extracts.

10.8.34.9.1 (09-01-2007)
Request for Audit Trail Extracts

Audit Trail extracts are useful tools for managers and security staffs to identify what transactions have been performed in the past. However, with the establishment of TIGTA's all encompassing role for investigating UNAX related and suspected criminal activities, the security staff will no longer process or send forward for processing any request for extracts of audit trail when the purpose is to investigate a suspicious or a known unauthorized access to a taxpayer's record or potential criminal/fraudulent activities.
The IDRS Security Program, however, will provide limited search to IDRS audit trails via the Security Audit and Analysis System (SAAS) to enable a manager to confirm or refute an employee's explanation of the access. Such requests will be submitted to the Campus IDRS Security Officers via Form 9936, Audit Trail Extract Request, and data requests must be limited to show the employee activities before and after the transaction under review. Any accesses that can not be immediately determined to be appropriate by the manager must be forwarded to TIGTA for further review. See http://publish.no.irs.gov/FORMS/INTERNAL/PDF/22647A05.PDF.
Requests for extracts of audit trails for non-criminal activities include employee integrity issues, security concerns, and requests for information under the Freedom of Information Act will be submitted to the IDRS Security Staff/IDRS Security Officers for review and forwarding to the computing center for processing.

10.8.34.9.2 (09-01-2007)
Audit Trail Requests for UNAX Related and Suspected Criminal Activities

Managers should attempt to determine the appropriateness of any questionable accesses to taxpayer records by discussing the access with the employee who made the access and by reviewing transcripts, limited audit trail extracts, and other available documentation that could show the appropriateness of the access.
Management should refer cases to the local TIGTA Office if he or she is not satisfied with the employee's response or if transcripts and other available documentation fail to demonstrate that the access is valid.
TIGTA will perform extracts of audit trails when the reasons for the requests are to support the review of potential unauthorized accesses or other criminal activities.
Managers who submit requests to the local TIGTA office are encouraged to keep a record of all referrals to TIGTA including the date and the source of the information that resulted in the referral.
The IDRS Security Staff/IDRS Security Officer should immediately return audit trail extract requests to the authorizing manager with instructions to resubmit to the local TIGTA office if the manager:
1. believes the individual may have committed an unauthorized access; and
2. wants to determine whether the employee performed an unauthorized, inappropriate, or illegal action on IDRS, such as changing a taxpayer's address to redirect a refund.
The IDRS Security Officer may accept requests from managers who want to validate an employee's claim that the access to a taxpayer's account was the result of an error.
Managers are authorized to request audit extracts to support an employee's claim of an error. All other questionable accesses are to be referred to the local TIGTA staff.
The IDRS Security Staff/IDRS Security Officer should contact the IDRS Security Program Manager for determination on the appropriate routing of a request if he or she is uncertain whether a request for an audit trail extract should be returned to the authorizing manager for resubmitting to TIGTA.

10.8.34.9.3 (09-01-2007)
Audit Trail Requests for Non-UNAX or Non-Criminally Related Activities

Authorizing managers and USRs will submit all requests for audit trails to support work related activities, employee integrity issues, security concerns, and requests for information under the Freedom of Information Act to the IDRS Security Staff/IDRS Security Officer for review and forwarding to the appropriate computing center for processing.
Requests for extracts of audit trails must be sent to the IDRS Security Staff/IDRS Security Officer who is responsible for the databases where the access(es) or activities occurred. IDRS Security Officers should screen requests to ensure the requests apply to their IRS Campus IDRS database. Requests that apply to another campus' database should be forwarded to the appropriate IDRS Security Staff/IDRS Security Officer for processing.
The IDRS Security Officer will screen all requests for extracts of audit trails to determine if the purpose of the request is to follow-up on a questionable access reported as an error by the employee or for a noncriminal activity. The IDRS Security Officer may request to have the transaction processed internally via SAAS/IDRS analyst if the request is not complicated and can be easily resolved through a query against the IDRS database that resides in SAAS. Selected Campus IDRS Security Officers will be trained to perform IDRS audit trail extracts in SAAS. For questionable accesses other than a reported error, the IDRS Security Officer should return the request to the originator and advise the originator to send the request directly to the local TIGTA. The IDRS Security Officer should also advise the local TIGTA staff of the pending request.
When a request for an audit trail extract is to support work-related activities, employee integrity issues, or security concerns; the IDRS Security Officer will either have the requests processed internally via SAAS or send the request to the appropriate computing center using the required procedures.
1. Appropriate requests under work related activities include the need to identify other IRS employees who previously processed the tax case, or the need to determine statutory limitations associated with the tax case.
2. Employee integrity issues include the need to validate an employee's claim of having performed work on IDRS. Managers are to be discouraged from using extracts of audit trails to substitute for management oversight. However, these types of requests will be processed on an infrequent bases to support a manager's immediate need for information. Audit trail extracts can not be used for performance evaluations.
3. Security related issues include validations of user sign-offs when no other approach is available.
When a request for an audit trail extract occurs because of the Freedom of Information Act provisions, the Andover Campus Data Security Chief should coordinate with the submitting Disclosure Officer to determine the necessary requirements to satisfy the requests. All Freedom of Information Act (FOIA) requests must be submitted to the computing centers via the Andover Campus Data Security Chief or IDRS Security Staff:
1. If information for multi-years or on all accesses to the taxpayer's account is being requested, the IDRS Security Officer may have to ensure that the request is sent to both computing centers and that the appropriate years' data is sent to the computing center(s).
2. If FOIA request includes the conditions identified in section (5)a, the staffs in the IRS computing centers are to maintain a record of the actual personnel time (hours) and effort necessary to satisfy the FOIA request. Information on the actual personnel time and effort required will be provided to the Disclosure Officer along with the result of the request. If ad hoc queries against the SAAS IDRS database can be completed in timely and cost efficient manner, the Andover Campus Data Security Chief and the Disclosure Officer will determine whether SAAS should be used to respond to the request. It is the responsibility of the Disclosure Officer to determine the actual cost to the taxpayer and receive payment from the taxpayer for any FOIA information.
3. The IDRS Security Officer must include a statement to the Disclosure Officer with the results of the audit trail that "While information contained in the attached IDRS audit trail extract may be releasable, IDRS audit trails are an integral component of the IDRS security system. Therefore, the actual attachment, as presented, should not be released to the requesting taxpayer. Additional screening of the information contained in the report by the business function involved is mandatory."
4. The IDRS Security Officer must provide the actual personnel time and effort required to the IDRS Program Manager after the results of the request have been received.

10.8.34.9.4 (09-01-2007)
Requesting Audit Trail Extracts From the Computing Centers

Managers/USRs must submit all audit trail request on an Audit Trail Extract Request Form 9936 which is signed by the requestor (group manager or USR) and the approving manager at the next higher level. The Form 9936 will be submitted to the home Campus IDRS Security Officer and must contain the specific information and instructions for the search criteria including dates, SSN, command codes, etc. The form may be electronically sent to the home Campus IDRS Security Officer via secured e-mail and electronically signed. Otherwise, the form may be faxed or mailed to the IDRS Security Staff. Fax forms must adhere to procedures for faxing sensitive information, but do not need to be followed-up with the original copy.
Upon receipt of Form 9936, and the determination that the request is appropriate for submission to the computing center, the IDRS Security Officer shall call the help desk and request an ITAMS ticket be opened for a SACS audit trail request to the computing center. No details, such as name or SSN are given to the help desk.
The IDRS Security Officer may then notify the computing center's Computer Systems Analyst (CSA) by phone that a request has been made and gives the CSA the help desk ticket number. A copy of the Form 9936 is then mailed or faxed to the Computing Center Security Officer. For any Form 9936 that is faxed, the IDRS Security Officer/USR must adhere to the procedures for faxing sensitive information.
The Computing Center Security Officer will log all audit trails and forward them to the analyst/computer systems analyst to be run.
The audit trails will be run through multiple virtual system (MVS). The files are on one Logical Partition (LPAR), but in five different files, one for each IRS campus.
Upon completion of the extract, the Computing Center Security Officer or CSA will verify output of the audit trail job, notify the IDRS Security Officer that the request has been completed, and provide the job name and number of the audit trail output. The job will be loaded on Control-D web for retrieval by the IDRS Security Officer.
The IDRS Security Officer receives the audit trail output extract, validates that the appropriate search criteria was used, requests the Help Desk to close the ITAMS ticket, and mails the report to the original requestor.
Requestors of an audit trail extract should contact their IDRS Security Officer if they have any questions about the items contained in the printout. For information on the audit trail format, see Exhibit 10.8.34-16.

10.8.34.10 (09-01-2007)
Deviations

Deviations from this policy shall be submitted in accordance with IRM 10.8.1 and use Form 13125, as described in deviation Standard Operating Procedures (SOPs).
Refer to IRM 10.8.1 for additional information.

Exhibit 10.8.34-1 (09-01-2007)
Glossary

Following is the acronym list.

Acronym List
BI	Background Investigation
CFOL	Corporate Files On-Line
CSA	Computer Systems Analyst
DLN	Document Locator Number
EFT	Electronic Funds Transfer
EIN
EOD	Enter on Duty
ERS	Error Resolution System
ESRF	Employee Security Record File
FOIA	Freedom of Information Act
IDRS	Integrated Data Retrieval System
IORS	IDRS Online Reports Services
IRM	Internal Revenue Manual
IRS	Internal Revenue Service
IUUD	IDRS Unit and USR Database
LPAR	Logical Partition
MCC	Martinsburg Computing Center
MFT	Masterfile Transaction
MPAF	Maximum Profile Authorization File
MVS	Multiple Virtual System
POD	Post of Duty
PTI	Production/Training Indicator
SACS	Security and Communications System
SAAS	Security Audit and Analysis System
TAPS	Totally Automated Personnel System
TCC	Tennessee Computing Center
TIMIS	Treasury Integrated Management Information System
TIN	Taxpayer Identification Number
TNT	Terminal Name Table
TRDB	Tax Return Database
TSA	Terminal Security Administrator
TSID	Terminal Security Identification
TVRF	Terminal Vector Record File
TVT	Terminal Vector Table
UCCP	Unit Command Code Profile
USR	Unit Security Representative

Following are Disclosure definitions.

Disclosure	Making known confidential tax information to any person in any manner. Disclosures are usually made either orally or in writing, but disclosures can also be made by actions, e.g., when you show someone an IDRS printout when they do not have a "need-to-know" .
Self Disclosure (a.k.a. browsing)	An employee accessing information for other than work related purposes, but information is not shared.
Unauthorized Disclosure	The release of return or return information to taxpayers or general public that is specifically prohibited by the IRS and the Privacy Act.
Inadvertent Disclosure	An unauthorized disclosure made in the performance of official duties that results from a good faith, but erroneous, interpretation.
A "Return"	Any tax return or information return, or any schedules or attachments to it that are filed with the Service. A return also includes any amendments or supplements to the return filed by or on behalf of a taxpayer.
Return Information	Any information other than the taxpayer's return that IRS has obtained from any source or developed through any means concerning a person's tax affair. Information is return information if it relates to the liability or potential liability of any taxpayer for any penalty, interest, fine, forfeiture, or other imposition or offense.

Exhibit 10.8.34-2 (09-01-2007)
References

Other handbooks and Internal Revenue Manuals contain information relating to IDRS or security that may be helpful to IDRS security personnel. These include the following:

• IRM 2.11.1, IDRS Correspondence

• IRM LEM 2.3, IDRS Terminal Responses

• IRM 2.4, IDRS Terminal Input

• IRM 2.8, Audit Information Management System (AIMS)

• Document 6209, ADP and IDRS Information

• IRM 10.8.1, Information Technology (IT) Security Policy and Guidance

On November 1, 1982, the Commissioner approved Policy Statement P-1-144, Designing Safeguards for Computer Systems. It states, in part, "It is essential that these systems be protected from abuse, fraud or disruption … To provide such protection, employees who design computer systems must ensure that … security standards are part of that design."

Treasury Cyber Security Program (TD P 85-01), dated February 13, 2003, provides uniform policies, standards and general procedures to be used by the bureaus to carry out their respective responsibilities in the areas of telecommunications and information systems security.

Department of the Treasury Security Manual (TD P 15-71), effective on October 10, 2006, is a single reference source for non-cyber security programs and establishes the foundation for corresponding Treasury (Departmental Offices (DO)) and Bureau security programs.

OMB Circular No. A-130, Management of Federal Information Resources, dated November 30, 2000, establishes the policy for the management of Federal information resources. The circular states, in part, that it is the responsibility of agencies to develop management controls to safeguard personal, proprietary, and other sensitive data in information systems.

OMB Circular No. A-127, Financial Management Systems, dated July 23, 1993, prescribes policies and standards for executive departments and agencies to follow in developing, operating, evaluating and reporting on financial management systems. The circular also provides the requirements for agency financial management systems.

OMB Circular No. A-123, Management Accountability and Control, dated June 21, 1995, implements provisions of the Federal Managers' Financial Integrity Act. The circular also provides guidance to management on improving accountability and effectiveness of programs and operations by establishing, assessing, correcting, and reporting on management controls.

On August 5, 1997, President Clinton signed the Taxpayer Browsing Protection Act into law. Under the new law: a) Willful unauthorized access or inspection of non-computerized taxpayer records, including hard copies of returns - as well as computerized information - is a misdemeanor, punishable, upon conviction, by fines, prison terms and termination of employment. b) Taxpayers have the right to take legal action when they are victims of unlawful access or inspection even if a taxpayer's information is never revealed to a third-party. c) When managers or employees are criminally charged, we are required to notify taxpayers that their records have been accessed without authorization.

Exhibit 10.8.34-3 (09-01-2007)
Distribution Procedures

IRM 10.8.34 shall be available to all personnel responsible for ensuring that adequate security is provided for IDRS. IRM 10.8.34 will be distributed electronically via the IRS intranet. An electronic version of IRM 10.8.34 will be available for download from the IDRS Security intranet web site. http://mass.web.irs.gov/IDRS/default.asp

Exhibit 10.8.34-4 (09-01-2007)
Command Codes Marked as Sensitive in the IDRS Command Code Table

Following are the sensitive command codes.

ADJ54	EOCHG	RFUND
AMAXU	EFTOF	SCFAJ
AMCLS	EPLAN	SCFDL
AMSOC	ESAPL	SCFRQ
AMSTU	ESIGN	SCFRV
ASGNB	FRINQ	STATB
ASGNI	FRM14	STATI
BDADD	FRM34	STAUP
BDAPL	FRM49	STN90
BDENT	FRM77	TDIAD
BDOUT	FRM7A	TSIGN
BNCHG	IADFL	UPRES
BRCHG	IAORG	URADD
CCPYT	IAREV	URAPL
CHK64	INCHG	URENT
CRMNL	IPSAD	UROUT
DDBCK	IPSST	URREF
DELET	IPSUP	XSADD
DOALL	IRCHG	XSAPL
DRT24	LEVYD	XSENT
DRT48	NOREF	XSOUT
	PAYMT	XSREF
	REFAP	ZDJ54

Exhibit 10.8.34-5 (09-01-2007)
Sensitive Command Code Combinations

(Reference: Text 3.20.4)

ADJ54	AMCLS	DOALL	ESAPL
BNCHG	BNCHG	TSIGN	ADC24
DRT24	DRT24	ASGNI	ADC48
DRT48	DRT48	ASGNB	ADD24
ESAPL	ESAPL		ADD34
FRM34	FRM34		ADD48
INCHG	INCHG		ADJ54
PAYMT	PAYMT		AMCLS
SCFAJ	SCFAJ		BNCHG
URAPL	URAPL		DRT24
			DRT48
			INCHG

PAYMT	REFAP	RFUND	SCFAJ
ADC24	BNCHG	BNCHG	ADC24
ADC48	INCHG	INCHG	ADC48
ADD24	RFUND	REFAP	ADD24
ADD34			ADD34
ADD48			ADD48
ADJ54			ADJ54
AMCLS			AMCLS
BNCHG			BNCHG
DRT24			DRT24
DRT48			DRT48
INCHG			INCHG
URADD

STAUP	URAPL
TSIGN	ADC24
ASGNB	ADC48
ASGNI	ADD24
	ADD34
	ADD48
	ADJ54
	AMCLS
	BNCHG
	DRT24
	DRT48
	INCHG
	URADD

Exhibit 10.8.34-6 (09-01-2007)
Command Codes with Sensitive Connotation

A number of IDRS command code that do not meet the strict interpretation of a sensitive command code may allow for users to use data inappropriately. USRs and managers may need to do additional follow-up to ensure that users of these command codes are not performing unauthorized activities.

Command Code	Description
ASIGN	Research Adoption TINs
BSIGN	Bulk assignment of EINs
EFTOF	Stop EFT payment to bank
ESIGN	Assigns EINs
IMFOB	Research of bank account numbers
MSCHG	Mass changes on the Partnership Control File
QRACN	Accept/Reject quality review transactions
QRADD	Inputs employees to be quality reviewed
QRIND	Request summary of actions available for review
QRNCH	Cancels the quality review
TSCHG	Changes Partnership Control File
TSCLS	Closes Partnership Control File
UNLCE	Establish, change, or delete 100 percent penalties

Exhibit 10.8.34-7 (09-01-2007)
Restricted Command Code of Manual Refunds

The following command codes shall be restricted from an IDRS user profile when the individual has authority to sign for manual refunds.

ADC24	FRM34
ADC34	INCHG
ADC48	IRCHG
ADD24	REFAP
ADD34	REQ54
ADD48	RFUND
ADJ54	URAPL
AMCLS	URREF
BNCHG	XSAPL
DRT24	XSOUT
DRT48	XSREF

Exhibit 10.8.34-8 (09-01-2007)
Restricted Command Codes for Revenue Agents, Tax Compliance Officers, and Estate Tax Attorneys

The following command codes shall be restricted from IDRS user profiles when an IDRS user performs assignments as a revenue agent, tax compliance officer, or estate tax attorney.

ADC24	BDAPL	ESAPL	IPSST	STATB
ADC34	BDENT	ESIGN	IPSUP	STN90
ADC48	BDOUT	ESTAB	IRCHG	TDIAD
ADD24	BNCHG	FRINQ	LEVYD	TSIGN
ADD34	BRCHG	FRM14	NOREF	UPRES
ADD48	BSIGN	FRM34	PAYMT	URADD
ADJ54	CCPYT	FRM49	REFAP	URAPL
AMAXU	CHK64	FRM7A	REQ54	URENT
AMCLS	CRMNL	FRM77	REQ77	URREF
AM424	DELET	IADFL	RFUND	UROUT
AMNON	DOALL	IAORG	SCFAJ	XSADD
ASGNB	DRT24	IAGRE	SCFDL	XSAPL
ASGNI	DRT48	IAPND	SCFRQ	XSENT
AMSOC	ENREQ	IAREV	SCFRV	XSREF
AMSTU	EOCHG	INCHG	STAUP	XSOUT
BDADD	EPLAN	IPSAD	STATI

Exhibit 10.8.34-9 (09-01-2007)
Restricted Command Codes for 809 Receipt Book Users and Remittance Perfection Technicians

The following command codes shall be restricted from an IDRS user profile when the individual is an 809 Receipt Book User or a Remittance Perfection Technician.

ADC24	BDENT	ESAPL	IPSST	STATI
ADC34	BDOUT	ESIGN	IPSUP	STATB
ADC48	BNCHG	FRINQ	IRCHG	STN90
ADD24	BRCHG	FRM14	LEVYD	TDIAD
ADD34	BSIGN	FRM34	NOREF	TSIGN
ADD48	CCPYT	FRM49	PAYMT	UPRES
ADJ54	CHK64	FRM7A	REFAP	URADD
AMAXU	CRMNL	FRM77	REQ54	URAPL
AMCLS	DELET	IADFL	REQ77	URENT
AMSOC	DOALL	IAGRE	RFUND	URREF
AMSTU	DRT24	IAORG	SCFAJ	UROUT
ASGNB	DRT48	IAPND	SCFDL	XSADD
ASGNI	ENREQ	IAREV	SCFRQ	XSAPL
BDADD	EOCHG	INCHG	SCFRV	XSENT
BDAPL	EPLAN	IPSAD	STAUP	XSREF
				XSOUT

Exhibit 10.8.34-10 (09-01-2007)
IDRS Office Identifiers, Organization Code Ranges, and Unpostable Holding Units

This exhibit defines the series of organization codes, IDRS Office Identifiers and Unpostable Holding Units for use by IRS Business Divisions.